- North Korean hacking group ScarCruft (APT37) is using spear-phishing emails disguised as Microsoft security alerts to deploy a new malware called NarwhalRAT.
- The Python-based malware can log keystrokes, capture screenshots and audio, steal data from USB drives, and execute remote commands from its operators.
- The campaign marks a tactical shift for the group, which had previously relied on the RokRAT malware family for similar operations.
The North Korean state-sponsored hacking group ScarCruft was observed in June 2026 using deceptive Microsoft Account security notifications to distribute a sophisticated new remote access trojan. According to a report by the Genians Security Center, the spear-phishing emails impersonated alerts about abnormal one-time password generation, urging recipients to open a malicious attachment to protect their accounts.
The attachment contained a ZIP archive with a deceptive LNK file. Once executed, this file initiated a multi-stage infection chain that downloaded and installed NarwhalRAT in memory to avoid disk artifacts.
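The ZIP-wrapped LNK lure described above is a pattern a mail gateway or analyst can check for without opening the file. The following script is an added example written for this article, not code from the Genians report or from the campaign; it unpacks a ZIP in memory and flags any entry that is a Windows Shell Link, either by its extension (including double extensions such as `.pdf.lnk`) or by the documented LNK header bytes (HeaderSize 0x4C followed by the Shell Link CLSID), so a renamed shortcut is still caught. The sample archive it builds is constructed for the demonstration; the function and file names are the example's own.

```python
import io
import zipfile

# Every Windows Shell Link (.lnk) file begins with HeaderSize = 0x0000004C (little-endian)
# followed by the LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = (
    b"\x4c\x00\x00\x00"
    b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
)


def find_lnk_in_zip(zip_bytes: bytes) -> list:
    """Return one finding per ZIP entry that looks like a Shell Link file.

    An entry is reported when its name ends in .lnk (any case) or when its first
    20 bytes match the LNK header, so a shortcut renamed to hide its extension is
    still detected. Each finding records which of the two checks fired.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = head == LNK_MAGIC
            if by_ext or by_magic:
                findings.append(
                    {
                        "name": info.filename,
                        "by_ext": by_ext,
                        "by_magic": by_magic,
                        "size": info.file_size,
                    }
                )
    return findings


def triage_attachment(data: bytes) -> str:
    """Coarse verdict for a mail attachment: 'block', 'allow' or 'not-a-zip'."""
    try:
        findings = find_lnk_in_zip(data)
    except zipfile.BadZipFile:
        return "not-a-zip"
    return "block" if findings else "allow"


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real campaign file) for a quick self-check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # shortcut disguised with a double extension, carrying a valid LNK header
        zf.writestr("Security_Alert.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
        # harmless text file that must not be flagged
        zf.writestr("readme.txt", b"hello")
        # .LNK extension but no LNK header: flagged by extension only
        zf.writestr("notes.LNK", b"not really a link")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for finding in find_lnk_in_zip(sample):
        print(finding)
    print("verdict:", triage_attachment(sample))
```

The header check matters more than the extension check: the extension is attacker-controlled, while the 20-byte header is what the Windows shell actually needs to treat the file as a shortcut.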
The Python-based malware possesses extensive surveillance capabilities. It can log keystrokes, capture high-resolution screenshots, record ambient audio, and gather data from connected USB media.
Attackers also equipped it to execute commands from a command-and-control server and even switch between C2 channels. Interestingly, the malware stages stolen data in a hidden directory named to mimic the South Korean Naver Whale browser.
The campaign’s infrastructure uses Korean websites as its primary communication relays. Analysis also revealed that the malware uses the legitimate pCloud storage API as a secondary, stealthy C2 channel, functioning as a dead drop resolver: the implant retrieves its instructions or next C2 address from a trusted cloud service rather than from a hardcoded attacker domain, which makes the traffic harder to distinguish from normal use.
This activity represents a notable evolution for ScarCruft. The deployment of NarwhalRAT signifies a departure from their exclusive use of the RokRAT malware family in previous operations.
