North Korea's ScarCruft uses fake Microsoft alerts to plant NarwhalRAT spyware

South Korea's Genians Security Center reports that the North Korean group ScarCruft (APT37) is sending spear-phishing emails dressed up as Microsoft Account security alerts to deliver a Python-based spy tool called NarwhalRAT. The emails warn of suspicious one-time-code activity and urge the recipient to open an attached advisory, which is actually a ZIP holding a malicious shortcut. Opening it kicks off a multi-stage, in-memory infection that leaves little on disk and gains persistence through a scheduled task. NarwhalRAT can log keystrokes, capture screenshots, record audio, and steal files from USB drives, and it disguises itself as the Korean browser Naver Whale while targeting South Korean users.

Check
Train staff to treat unexpected Microsoft account-security or OTP-alert emails with caution, verify the real sender domain, and never open attached archives or shortcut files from such messages.
Affected
Targets of North Korean espionage, with this campaign focused on South Korean users; victims are lured by fake Microsoft account-security emails carrying a ZIP with a malicious shortcut file.
Fix
Block or quarantine inbound archives containing shortcut files, enforce phishing-resistant MFA so OTP-themed lures lose value, and alert on scheduled tasks that launch scripts fetching payloads into memory.
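The first mitigation above, catching an inbound archive that carries a shortcut file, can be checked on the attachment itself rather than trusting the file name. The Python below is an added example, not code from Genians or the report; it flags ZIP members by the `.lnk` extension or by the Shell Link header bytes, recurses into nested ZIPs, and builds a constructed sample attachment (not a real lure) to run against.

```python
import io
import zipfile
from typing import List

# Shell Link (.LNK) header: HeaderSize 0x4C followed by LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000000000000046")
ZIP_MAGIC = b"PK\x03\x04"


def find_shortcuts(zip_bytes: bytes, depth: int = 0, max_depth: int = 3) -> List[str]:
    """Return paths of shortcut files in a ZIP attachment, recursing into nested ZIPs.

    A member is flagged if its name ends in .lnk OR its content starts with the
    Shell Link header, so a renamed shortcut does not slip past the check.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if info.filename.lower().endswith(".lnk") or data.startswith(LNK_MAGIC):
                hits.append(info.filename)
            elif data.startswith(ZIP_MAGIC) and depth < max_depth:
                # Nested archive: prefix inner paths with the outer member name.
                hits += [f"{info.filename}!{p}" for p in find_shortcuts(data, depth + 1, max_depth)]
    return hits


def build_sample_attachment() -> bytes:
    """Constructed test input shaped like the lure described above (not a real sample)."""
    def zip_of(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in members.items():
                zf.writestr(name, content)
        return buf.getvalue()

    inner = zip_of({"inner/Advisory.lnk": LNK_MAGIC + b"\x00" * 32})
    return zip_of({
        "Microsoft_Account_Alert.pdf.lnk": LNK_MAGIC + b"\x00" * 32,  # double extension
        "renamed.dat": LNK_MAGIC + b"\x00" * 32,                      # shortcut without .lnk
        "readme.txt": b"Please review the attached advisory.",        # benign
        "archive.zip": inner,                                         # nested ZIP
    })


if __name__ == "__main__":
    for path in find_shortcuts(build_sample_attachment()):
        print("quarantine:", path)
```

A mail gateway hook would call `find_shortcuts` on each archive attachment and quarantine the message when the list is non-empty.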