ScarCruft Spreads NarwhalRAT via Fake Microsoft Security Alerts

In a nutshell: ScarCruft uses fake Microsoft security alerts to distribute NarwhalRAT, a Python-based malware that operates in memory and communicates with command-and-control servers via compromised websites and pCloud APIs.

The North Korean hacker group ScarCruft (APT37) is conducting spear-phishing campaigns with fake Microsoft security alerts to distribute new malware called NarwhalRAT, which operates entirely in memory and enables keystroke logging, screenshot capture and audio recording.

ScarCruft sent fake emails posing as Microsoft account security alerts. These emails report abnormal activity in one-time password (OTP) generation and instruct the target to change their password, creating artificial urgency and exploiting trust in what appears to be legitimate Microsoft communication. The attachment is not an HWP document as claimed, but a ZIP archive containing a malicious LNK file.

Upon execution of the LNK file, a multi-stage infection chain begins: batch scripts download the Python executable from the official website as well as a file disguised as a Windows security catalog (CAT) file. The malware establishes a scheduled task named “MicrosoftUserInterfacePicturesUpdateTackMachine” that executes the CAT file. This loads the actual malware directly into memory and executes it there – no suspicious files are created on disk, making detection more difficult. The name NarwhalRAT derives from the storage directory “naverwhale” in the AppData folder, a name that imitates the South Korean browser Naver Whale.
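As an added defender-side example (not code from the it-daily.net article or from the underlying analysis), the following Python checks an exported Task Scheduler XML for the persistence indicators described above: the reported task name, an action that executes a .cat file (a signature catalog is never a program), and a reference to the “naverwhale” directory. The task XML documents are constructed sample input.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by "schtasks /query /xml" exports
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
REPORTED_TASK_NAME = "MicrosoftUserInterfacePicturesUpdateTackMachine"
REPORTED_DIR_HINT = "naverwhale"


def inspect_task_xml(xml_text: str) -> list[str]:
    """Return a list of findings for one exported scheduled-task XML document."""
    root = ET.fromstring(xml_text)
    findings = []
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    task_name = uri.rsplit("\\", 1)[-1]
    if task_name.lower() == REPORTED_TASK_NAME.lower():
        findings.append(f"task name matches reported NarwhalRAT task: {task_name}")
    for exec_node in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
        action = f"{cmd} {args}".strip()
        # A .cat file is a signature catalog; a task that runs one is anomalous
        if re.search(r"\.cat\b", action, re.IGNORECASE):
            findings.append(f"action executes a .cat file: {action}")
        if REPORTED_DIR_HINT in action.lower():
            findings.append(f"action references '{REPORTED_DIR_HINT}' directory: {action}")
    return findings


# Constructed sample modelled on the persistence described in the article (not a real export)
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\MicrosoftUserInterfacePicturesUpdateTackMachine</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\victim\AppData\Roaming\naverwhale\python.exe</Command>
      <Arguments>C:\Users\victim\AppData\Roaming\naverwhale\update.cat</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for finding in inspect_task_xml(SUSPICIOUS_TASK_XML):
        print("[!]", finding)
```

On a live host the same function can be fed the output of `schtasks /query /xml` for each task; the name check is a point indicator, while the .cat execution check catches renamed variants.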

NarwhalRAT is Python-based and features extensive spying capabilities: keystroke logging, high-resolution screenshot capture, audio recording via the microphone, and collection of data from USB media. The malware also captures information about active windows and the state of system directories. These capabilities represent a shift from RokRAT, which was previously attributed exclusively to this group.

For communication with command-and-control servers, NarwhalRAT uses Korean websites such as daehoat.com and novel21.co.kr as primary C2 relays. In parallel, the malware implements communication based on the pCloud API: pCloud-specific routines that handle the folderid and auth parameters were identified in the code. This indicates that ScarCruft is using the legitimate cloud service as a secondary C2 channel in the form of a dead-drop resolver.


Source: www.it-daily.net · Published June 18, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.