"The attack email contained a message impersonating an MS account security alert," the Genians Security Center (GSC) said.
ScarCruft (aka APT37) and the Microsoft Account impersonation
The North Korean state-sponsored hacking group known as ScarCruft (aka APT37) has been observed sending spear-phishing messages that mimic Microsoft Account security notifications in order to deliver a remote-access trojan named NarwhalRAT. The emails claim "abnormal activity" tied to repeated generation of one‑time passwords (OTPs) and warn of possible OTP abuse, a lure designed to create urgency and induce recipients to open an attached advisory.
The phishing vector: ZIPs, LNKs and a fake HWP
Genians reported that the attachment was not the Hangul Word Processor (HWP) document the email implied, but a ZIP archive containing a malicious LNK file. Launching the LNK starts a multi-stage infection chain: intermediary batch scripts are fetched and executed, and those scripts download both a legitimate Python executable from the official Python website and a file carrying a Windows security catalog (.cat) extension before installing the malicious payload.
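A quick triage script for the attachment pattern described above, added here as an example rather than code from Genians or from the campaign itself: it opens a ZIP from memory and flags members that are Windows shortcuts by content (the MS-SHLLINK header, not just the .lnk extension) and members that claim the .hwp extension without the OLE compound-file magic that HWP 5 documents use. The sample archive and its member names are constructed for the demonstration.

```python
"""Attachment triage: does a ZIP that claims to carry an HWP advisory actually
hold a Windows shortcut?  Added example for this article, not code from
Genians or the reported campaign; the archive below is built inline so the
script runs offline."""
import io
import zipfile

# A Windows shortcut starts with the header size 0x4C (little-endian) followed
# by the Shell Link CLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# HWP 5.x documents are OLE compound files, the same container as legacy Office.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def inspect_member(name, data):
    """Classify one archive member by extension and by leading bytes."""
    lower = name.lower()
    findings = []
    if lower.endswith(".lnk"):
        findings.append("lnk-extension")
    if data.startswith(LNK_MAGIC):
        findings.append("lnk-content")          # shortcut regardless of its name
    if lower.endswith(".hwp") and not data.startswith(OLE_MAGIC):
        findings.append("hwp-extension-without-ole-magic")
    return findings


def triage_zip(zip_bytes):
    """Return {member_name: [findings]} for every member that raised a finding."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = inspect_member(info.filename, zf.read(info))
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip():
    """Constructed lure archive: two shortcuts dressed up as an HWP advisory plus
    one genuine-looking OLE container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Double extension; the content carries the shortcut header.
        zf.writestr("MS_Account_Security_Notice.hwp.lnk", LNK_MAGIC + b"\x00" * 64)
        # Renamed to .hwp but still a shortcut inside.
        zf.writestr("OTP_abuse_advisory.hwp", LNK_MAGIC + b"\x00" * 64)
        # Benign control: a real OLE compound-file header.
        zf.writestr("readme.hwp", OLE_MAGIC + b"\x00" * 512)
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_zip()).items():
        print(f"{member}: {', '.join(findings)}")
```

Content checks matter more than extension checks here: a mail gateway that only blocks `*.lnk` misses a shortcut that the sender renamed, and Windows itself resolves a shortcut by its header, not its name.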
NarwhalRAT: capabilities, staging and persistence
Once deployed, the Python-based NarwhalRAT performs a wide range of data-collection and remote-control functions. Genians listed its capabilities as logging keystrokes; capturing screenshots, including high‑resolution images; recording ambient audio; uploading directory contents; collecting active window details; gathering data from USB media; executing commands from a command‑and‑control (C2) server; and switching between C2 servers.
The malware stages harvested information in the hidden directory "%APPDATA%\naverwhale", a name chosen to masquerade as Naver Whale, the web browser developed by Naver Corporation. Persistence is achieved through a scheduled task. The task launches the CAT file, which fetches and runs the main payload in memory, "without leaving any artifacts on disk," Genians said. A genuine Windows security catalog is a signed list of file hashes and cannot run anything, so the .cat extension here is a disguise for executable content rather than a real catalog.
C2 infrastructure: Korean sites and pCloud as a dead‑drop resolver
Genians noted NarwhalRAT uses a multi‑C2 operational framework. From a C2 infrastructure perspective, the malware "uses Korean websites, including 'daehoat[.]com' and 'novel21[.]co.kr,' as primary communication relays," while also implementing communication routines that use the pCloud cloud storage API. In particular, Genians identified pCloud‑specific code that processes "folderid" and "auth" parameters, indicating the malware was designed to treat a legitimate cloud service as a secondary C2 channel in the form of a dead‑drop resolver.
Technique continuity and tactical details to watch
- Genians said the activity shares "multiple similarities" with prior Python‑based attacks by ScarCruft, including earlier campaigns that used ticket confirmations and event invitations to trick targets into opening ZIP archives containing LNK files.
- The LNK acts as a conduit for an obfuscated batch script downloaded from a remote C2 server; that script in turn retrieves the Python binary and a CAT file, culminating in deployment of a compiled Python script capable of remote command execution and exfiltration.
- Scheduled task naming follows a recognizable pattern. NarwhalRAT creates a scheduled task called "MicrosoftUserInterfacePicturesUpdateTackMachine," while another observed chain used "MicrosoftMusicLibrariesPackageTaskMachine."
What this means for technologists and security teams, enterprises, and end users
- Technologists and security teams should monitor for ZIP attachments that contain LNK files, hunt for scheduled tasks with the documented names, and flag a Python interpreter being handed a .cat file to run, since that step loads the payload in memory rather than writing it to disk. The in-memory execution and the use of a legitimate cloud API as a dead‑drop resolver are specific attacker choices worth tracking.
- Affected enterprises and procurement leaders should add the staging path "%APPDATA%\naverwhale" and the Korean relay domains 'daehoat[.]com' and 'novel21[.]co.kr' to detection rules and incident response playbooks as indicators of compromise.
- End users should be wary of account‑security emails that urge immediate action and that include attachments; in this campaign the purported advisory was a ZIP file hiding a malicious LNK rather than the promised HWP document.
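The hunting guidance in the first two bullets, turned into code as an added example (not Genians' detection content): it runs the article's indicators over three constructed telemetry feeds, a scheduled-task inventory, process-creation events and web-proxy URLs. The feed layouts, the sample records, the pCloud API hostnames and the assumption that the downloaded Python interpreter is what opens the .cat file are mine; only the task names, domains, staging path and the "folderid"/"auth" parameter names come from the report.

```python
"""Hunt for NarwhalRAT tradecraft across constructed telemetry.  Added example
for this article, not Genians' detection logic; feed formats, sample records
and the pCloud API hosts are assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the report (defanging brackets removed so they match logs).
TASK_NAMES = {
    "MicrosoftUserInterfacePicturesUpdateTackMachine",
    "MicrosoftMusicLibrariesPackageTaskMachine",
}
RELAY_DOMAINS = {"daehoat.com", "novel21.co.kr"}
# %APPDATA% expands to ...\AppData\Roaming on a default Windows profile.
STAGING_DIR = re.compile(r"\\appdata\\roaming\\naverwhale(\\|$)", re.IGNORECASE)
# Assumption: pCloud's public API endpoints; the parameter names are from the report.
PCLOUD_HOSTS = {"api.pcloud.com", "eapi.pcloud.com"}
PYTHON_RUNS_CAT = re.compile(r"python\w*\.exe.*\.cat\b", re.IGNORECASE)


def check_task(name, action):
    """Flag a scheduled task by documented name or by a python-runs-.cat action."""
    hits = []
    if name in TASK_NAMES:
        hits.append("known-task-name")
    if PYTHON_RUNS_CAT.search(action):
        hits.append("python-runs-cat")
    return hits


def check_process(image, cmdline):
    """Flag process creations that touch the staging directory or open a .cat with Python."""
    hits = []
    if PYTHON_RUNS_CAT.search(image + " " + cmdline):
        hits.append("python-runs-cat")
    if STAGING_DIR.search(cmdline):
        hits.append("naverwhale-staging")
    return hits


def check_url(url):
    """Flag relay domains and pCloud calls carrying both folderid and auth."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    hits = []
    if host in RELAY_DOMAINS:
        hits.append("known-relay-domain")
    if host in PCLOUD_HOSTS:
        params = parse_qs(parts.query)
        if "folderid" in params and "auth" in params:
            hits.append("pcloud-folderid-auth")
    return hits


# Constructed sample feeds; nothing below is real telemetry.
SAMPLE_TASKS = [
    ("MicrosoftUserInterfacePicturesUpdateTackMachine",
     r"C:\Users\kim\AppData\Local\Programs\Python\python.exe "
     r"C:\Users\kim\AppData\Roaming\naverwhale\update.cat"),
    ("OneDrive Standalone Update Task",
     r"C:\Users\kim\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"),
]
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\kim\AppData\Roaming\naverwhale\s.bat"),
    (r"C:\Program Files\Notepad++\notepad++.exe", r"notepad++.exe notes.txt"),
]
SAMPLE_URLS = [
    "https://daehoat.com/wp-content/upload.php",
    "https://api.pcloud.com/listfolder?folderid=12345&auth=EXAMPLETOKEN",
    "https://api.pcloud.com/userinfo?auth=EXAMPLETOKEN",
    "https://www.naver.com/",
]


def run_hunt():
    """Return (feed, record, hit) triples for every indicator match."""
    alerts = []
    for name, action in SAMPLE_TASKS:
        alerts += [("task", name, h) for h in check_task(name, action)]
    for image, cmdline in SAMPLE_PROCESSES:
        alerts += [("process", cmdline, h) for h in check_process(image, cmdline)]
    for url in SAMPLE_URLS:
        alerts += [("url", url, h) for h in check_url(url)]
    return alerts


if __name__ == "__main__":
    for feed, record, hit in run_hunt():
        print(f"[{hit}] {feed}: {record}")
```

The pCloud rule is deliberately the weakest of the three: legitimate pCloud clients also send `folderid` and `auth`, so treat that hit as a pivot to the requesting process and its parent chain, not as a verdict on its own. The task-name and staging-path hits are specific enough to act on directly.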
Genians assesses that "NarwhalRAT is an advanced RAT malware that integrates a Python‑based multi‑stage loader, an in‑memory execution structure, a multi‑C2 operational framework, and selective information collection functions." Its deployment marks a departure from RokRAT, the malware family long used exclusively by ScarCruft, and underscores a move toward Python‑based, multi‑channel command and control. Whether NarwhalRAT becomes a lasting replacement in the group's toolset remains an open question tied directly to how defenders adapt to the specific techniques enumerated above.
Read the original report: https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html