1. Executive summary
North Korea-aligned threat actor ScarCruft (MITRE G0067, also tracked as APT37) is conducting a spear-phishing campaign against targets using emails that impersonate Microsoft Account security alerts. The lure falsely claims "abnormal activity" tied to repeated one-time-password generation and urges the recipient to change their password; the attached archive is a ZIP containing a malicious Windows shortcut (LNK) rather than the expected document. Execution triggers a multi-stage chain that drops a Python-based remote access trojan dubbed NarwhalRAT, which stages data under %APPDATA%\naverwhale and uses Korean websites plus the pCloud cloud-storage API for command-and-control. The activity is notable as a departure from the group's prior RokRAT tooling. Bottom line for EMEA financial services: any user receiving a "Microsoft Account security alert" with an attached ZIP/LNK should be treated as a potential targeted-intrusion attempt, and any confirmed execution must be triaged as an ICT-related incident under DORA.
2. Regulatory framing
| Article | Trigger (the fact in this item) | Practical impact |
|---|---|---|
| DORA Art. 17: ICT-related incident management process | Confirmed execution of the LNK → NarwhalRAT chain constitutes an ICT-related incident requiring documented handling. | Activate the documented incident-management process; preserve evidence, assign incident owner, run playbooks. |
| DORA Art. 18: classification of ICT-related incidents and cyber threats | NarwhalRAT provides keystroke logging, screen/audio capture, USB data theft and remote command execution — a high-impact cyber threat requiring classification. | Classify against the firm's ICT-incident taxonomy; tag severity and impact dimensions (confidentiality, integrity, availability). |
| DORA Art. 19: reporting of major ICT-related incidents to competent authorities | A confirmed intrusion with data-exfiltration capability against an in-scope financial entity meets the criteria for a major ICT-related incident. | Prepare initial, intermediate and final reports within the prescribed windows to the competent authority. |
| DORA Art. 28: ICT third-party risk — general principles | The malware abuses a legitimate third-party cloud service (pCloud) as a C2 dead-drop resolver, and uses a legitimately downloaded Python interpreter as part of the loader. | Re-assess third-party risk treatment covering cloud-storage abuse and use of signed/legitimate binaries in attacker tradecraft. |
| DORA Art. 29: preliminary assessment of ICT concentration risk | Reliance on pCloud (or any single cloud-storage provider) as a covert channel creates a concentration risk if the channel is blocked or monitored. | Document the concentration risk and identify alternative or compensating controls. |
| DORA Art. 30: key contractual provisions with ICT third-party providers | Use of pCloud as a covert C2 channel engages contractual notification and right-to-audit provisions with that provider. | Trigger contractual clauses (notification, audit, suspension) with the cloud-storage provider as required. |
| NIS2 Art. 21(2)(d): supply chain security measures | The chain abuses a legitimate, signed Python interpreter and a Windows CAT file as part of the loader — a supply-chain-style abuse of trusted components. | Apply supply-chain security measures: allow-listing of interpreters, integrity checks on signed binaries, monitoring of CAT file usage. |
| NIS2 Art. 23: incident reporting obligations | A confirmed intrusion against an in-scope entity triggers early-warning / incident-notification timelines. | Submit early warning within the early-warning window; follow with incident notification and final report. |
| UK NIS 2018: UK Network and Information Systems Regulations — OES/RDSP duties | UK OES/RDSP entities receiving and acting on the lure must treat the event under their incident-handling duties. | Notify the relevant UK competent authority where the incident meets the UK NIS thresholds. |
3. Technical analysis & attack chain
- Spear-phishing delivery. Target receives an email impersonating a Microsoft Account security alert. The body fabricates "abnormal activity" tied to repeated one-time-password generation and pressures the recipient to change their password, framing the message as a phishing alert from a third party.
- Malicious attachment. The email references an "attached advisory"; the attachment is a ZIP archive containing a Windows shortcut (.LNK) file rather than the expected Hangul Word Processor (HWP) document.
- LNK execution. Launching the LNK triggers a multi-stage infection chain that uses intermediary batch scripts to download additional stages.
- Stage download. The batch script downloads the legitimate Python interpreter from the official Python website and a Windows security catalog (CAT) file from the attacker-controlled infrastructure.
- Persistence via scheduled task. A scheduled task is created to launch the CAT file, which fetches and runs the main payload in memory, leaving no artefacts on disk. Observed task name: `MicrosoftUserInterfacePicturesUpdateTackMachine`. A second, related chain uses the task name `MicrosoftMusicLibrariesPackageTaskMachine`.
- In-memory NarwhalRAT execution. The compiled Python script is executed in memory, delivering NarwhalRAT.
- C2 communications. The implant communicates with primary relays `daehoat[.]com` and `novel21[.]co.kr` (Korean websites) and uses the pCloud cloud-storage API as a secondary C2 channel, processing `folderid` and `auth` parameters as a dead-drop resolver.
- Data staging and exfiltration. Harvested data is staged under `%APPDATA%\naverwhale` (masquerading as the Naver Whale browser) before exfiltration.
Technical specifics
- Initial access vector: Spear-phishing email with ZIP archive containing LNK shortcut. No CVE exploitation is described in the source material; the LNK is the user-executed artefact.
- Loader mechanism: LNK → obfuscated batch script (downloaded from remote C2) → legitimate Python interpreter + Windows CAT file → in-memory compiled Python script.
- Persistence: Scheduled task (names above) launching the CAT file, which performs in-memory payload execution to avoid on-disk artefacts.
- Malware capabilities (NarwhalRAT):
  - Keystroke logging
  - Screenshot capture (with high-resolution support)
  - Ambient audio recording
  - Active window detail collection
  - USB media data collection
  - Directory listing and upload
  - Remote command execution from C2
  - C2 server switching (multi-C2 operational framework)
- Staging path: `%APPDATA%\naverwhale` (evasion by masquerading as the Naver Whale browser).
- C2 infrastructure:
  - Primary relays: `daehoat[.]com`, `novel21[.]co.kr` (Korean websites abused as relays)
  - Secondary C2: pCloud cloud-storage API using `folderid` and `auth` parameters as a dead-drop resolver
- Tradecraft notes:
  - Marked departure from RokRAT, which was previously exclusively attributed to the group.
  - The activity shares multiple similarities with prior Python-based ScarCruft operations, including ZIP+LNK delivery, batch-script staging, and similar scheduled-task naming conventions.
  - Use of a legitimate, signed Python interpreter and a Windows CAT file is a "living-off-trusted-components" approach that complicates signature-based detection.
Unconfirmed / single-sourced: All technical detail above is sourced to Genians Security Center (GSC) reporting summarised by The Hacker News. No CVE, no MITRE ATT&CK technique IDs, and no additional IOCs beyond those listed in §5 are present in the source material.
4. Mitigation & containment
P1 — within 24 hours
- Block known C2 at the perimeter. Deny egress to `daehoat[.]com` and `novel21[.]co.kr` at the web proxy, DNS sinkhole, and firewall. Block direct API calls to pCloud endpoints that match the `folderid`/`auth` parameter pattern from non-business contexts.
- Hunt for the scheduled task. Search endpoints for scheduled tasks named `MicrosoftUserInterfacePicturesUpdateTackMachine` and `MicrosoftMusicLibrariesPackageTaskMachine`. Disable and delete any matches; collect the associated task XML for forensics.
- Hunt for the staging directory. Search for the existence of `%APPDATA%\naverwhale` and any files beneath it. Quarantine, preserve, and image before deletion.
- Email containment. Search mailboxes for messages matching the lure pattern ("abnormal activity", "one-time password", "change your password") with ZIP attachments containing LNK files. Recall or quarantine matching messages across the tenant.
- Process and parent-child review. Investigate any `cmd.exe`/`powershell.exe`/`python.exe` spawned from `explorer.exe` or `winword.exe` following LNK execution; correlate with outbound connections to the IOCs above.
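The three endpoint hunts above (scheduled-task names, the staging directory, and the parent-child process review) reduce to simple matches over telemetry you already collect. The script below is an added example, not code from the GSC or The Hacker News reporting; it assumes Security EventID 4698 records for task creation and Sysmon-style process-creation (EventID 1, `Image`/`ParentImage`) and file-creation (EventID 11, `TargetFilename`) records, and runs over a constructed sample set. The IOC values are the ones listed in this advisory.

```python
"""Triage helpers for the P1 endpoint hunts, run over constructed telemetry.
Added example; not code from the GSC or The Hacker News reporting."""
from typing import Optional

# IOC values taken from the advisory
IOC_TASK_NAMES = {
    "MicrosoftUserInterfacePicturesUpdateTackMachine",
    "MicrosoftMusicLibrariesPackageTaskMachine",
}
# %APPDATA% resolves to C:\Users\<user>\AppData\Roaming on a default install
STAGING_DIR_FRAGMENT = "\\appdata\\roaming\\naverwhale\\"
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "python.exe"}
SUSPECT_PARENTS = {"explorer.exe", "winword.exe"}


def _leaf(win_path: str) -> str:
    """Last component of a Windows path (os.path would not split on '\\' on Linux)."""
    return win_path.rsplit("\\", 1)[-1]


def flag_task_event(event: dict) -> Optional[str]:
    """Security EventID 4698 (scheduled task created). The logged TaskName carries a
    leading backslash and may sit in a task folder, so compare the final component."""
    base = _leaf(event.get("TaskName", ""))
    return f"ioc-task:{base}" if base in IOC_TASK_NAMES else None


def flag_process_event(event: dict) -> Optional[str]:
    """Sysmon-style process creation. A console or interpreter spawned directly under
    explorer.exe or winword.exe is the shape of an LNK launch: a triage signal, not a verdict."""
    image = _leaf(event.get("Image", "")).lower()
    parent = _leaf(event.get("ParentImage", "")).lower()
    if image in SUSPECT_CHILDREN and parent in SUSPECT_PARENTS:
        return f"lnk-chain:{parent}->{image}"
    return None


def flag_file_event(event: dict) -> Optional[str]:
    """Sysmon-style file creation under the NarwhalRAT staging directory."""
    path = event.get("TargetFilename", "").lower()
    return "staging-path:naverwhale" if STAGING_DIR_FRAGMENT in path else None


HANDLERS = {4698: flag_task_event, 1: flag_process_event, 11: flag_file_event}


def triage(events):
    """Return (host, finding) pairs for every event that matches one of the hunts."""
    findings = []
    for ev in events:
        handler = HANDLERS.get(ev.get("EventID"))
        finding = handler(ev) if handler else None
        if finding:
            findings.append((ev["Host"], finding))
    return findings


# Constructed sample telemetry (hostnames, users and paths are invented)
SAMPLE_EVENTS = [
    {"Host": "WS01", "EventID": 4698,
     "TaskName": "\\MicrosoftUserInterfacePicturesUpdateTackMachine"},
    {"Host": "WS01", "EventID": 4698,
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"Host": "WS02", "EventID": 1,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Host": "WS02", "EventID": 11,
     "TargetFilename": "C:\\Users\\jdoe\\AppData\\Roaming\\naverwhale\\kl.dat"},
    {"Host": "WS03", "EventID": 1,
     "Image": "C:\\Program Files\\Python312\\python.exe",
     "ParentImage": "C:\\Program Files\\Microsoft VS Code\\Code.exe"},
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS):
        print(host, finding)
```

The task-name and staging-path matches are high-confidence on their own; the `explorer.exe` → `cmd.exe` parent-child match fires on any user double-clicking a batch file, so use it only to scope which hosts get the outbound-connection correlation the bullet above calls for, not as a stand-alone alert.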
P2 — within 72 hours
- Restrict Python interpreter abuse. Where Python is not a business requirement, apply AppLocker / WDAC policies to block `python.exe` and `pythonw.exe` execution from user-writable paths and from `%APPDATA%`. Where Python is required, allow-list the canonical install path and hash.
- Block LNK execution from email-sourced archives. Extend mail-flow and endpoint policy to block execution of `.lnk` files delivered inside ZIP archives; force extraction to a controlled quarantine.
- Credential rotation. Force password resets and revoke active sessions for any user who opened the lure or executed the attachment; rotate any credentials, API keys, or tokens present on affected hosts.
- Cloud-storage abuse review. Review pCloud (and equivalent consumer cloud) usage from corporate endpoints; restrict to sanctioned corporate tenants only.
P3 — within 7 days
- User awareness reinforcement. Push a targeted phishing-awareness nudge to all staff covering the "Microsoft Account security alert" lure and the ZIP+LNK pattern.
- Detection tuning. Roll out the YARA and Sigma rules in §6 across EDR/SIEM coverage.
- Third-party risk review. Re-assess DORA Art. 28/29/30 treatment of consumer cloud-storage providers and of any reliance on Python interpreters outside the standard software inventory.
5. Indicators of compromise
| Type | Value | Confidence | Source |
|---|---|---|---|
| domain | `daehoat[.]com` | High | The Hacker News / GSC |
| domain | `novel21[.]co.kr` | High | The Hacker News / GSC |
| url-pattern | pCloud API endpoints using `folderid` and `auth` parameters as dead-drop resolver | Medium | The Hacker News / GSC |
| filepath | `%APPDATA%\naverwhale` | High | The Hacker News / GSC |
| scheduled-task | `MicrosoftUserInterfacePicturesUpdateTackMachine` | High | The Hacker News / GSC |
| scheduled-task | `MicrosoftMusicLibrariesPackageTaskMachine` | High | The Hacker News / GSC |
| file-pattern | ZIP archive containing `.lnk` shortcut delivered as "Microsoft Account security alert" attachment | High | The Hacker News / GSC |
6. Detection
```yara
rule AT_NarwhalRAT_Loader_2026_06_16
{
    meta:
        author = "Adverse Trace"
        date = "2026-06-16"
        description = "Strings associated with the ScarCruft (APT37) NarwhalRAT loader and persistence mechanism"
        reference = "https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html"

    strings:
        $staging_path = "naverwhale" ascii nocase
        $c2_a = "daehoat" ascii nocase
        $c2_b = "novel21" ascii nocase
        $c2_c = "novel21.co.kr" ascii nocase
        $task_a = "MicrosoftUserInterfacePicturesUpdateTackMachine" ascii nocase
        $task_b = "MicrosoftMusicLibrariesPackageTaskMachine" ascii nocase
        $pcloud_a = "folderid" ascii nocase
        $pcloud_b = "auth" ascii nocase

    condition:
        any of ($staging_path, $c2_a, $c2_b, $c2_c, $task_a, $task_b) or
        (2 of ($pcloud_a, $pcloud_b) and any of ($staging_path, $c2_a, $c2_b, $c2_c))
}
```
```yaml
title: NarwhalRAT Persistence via Suspicious Scheduled Task Names
id: AT-2026-06-16-107-01
status: experimental
description: >
  Detects creation of scheduled tasks matching the naming convention used by
  ScarCruft (APT37) NarwhalRAT and related Python-based chains.
author: Adverse Trace
date: 2026-06-16
references:
  - https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html
logsource:
  product: windows
  service: security
detection:
  selection_task_names:
    EventID: 4698
    TaskName|contains:
      - "MicrosoftUserInterfacePicturesUpdateTackMachine"
      - "MicrosoftMusicLibrariesPackageTaskMachine"
  condition: selection_task_names
falsepositives:
  - Unknown
level: high
```
Threat actor context
APT37 · G0067 · aka InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper
APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. …
7. Sources
- The Hacker News — Fake Microsoft Alerts Used to Deploy North Korean NarwhalRAT Malware — https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html — 2026-06-16
- Genians Security Center (GSC) reporting as referenced in the above article
8. Adverse Trace position
Severity is assessed as High for any in-scope EMEA financial-services entity that has confirmed execution: the implant provides keystroke logging, screen and audio capture, USB data theft and remote command execution, with multi-C2 resilience and a legitimate-cloud dead-drop channel that complicates takedown. Attribution to ScarCruft / APT37 (MITRE G0067) is consistent with the tradecraft but rests on a single research source; treat as high-confidence but not absolute. Next steps: (1) push the P1 containment actions across the client base, (2) deploy the YARA and Sigma rules in §6 to EDR/SIEM, (3) stand up a DORA / NIS2 reporting decision tree for any confirmed execution, and (4) brief client security teams on the "Microsoft Account security alert + ZIP + LNK" lure pattern ahead of any likely follow-on waves.
Published via PulseTrace — Adverse Trace threat intelligence.