Published on June 16, 2026
ScarCruft (APT37) Uses Fake Microsoft Alerts to Deploy NarwhalRAT Malware
Severity
Medium
How?
The attack begins with a spear-phishing email that impersonates a Microsoft Account security alert and warns the recipient of suspicious activity and potential OTP abuse. The message is crafted to induce concern over account compromise and encourages the victim to take immediate action, such as changing their password or reviewing an attached advisory. Although the email references an advisory document, the attachment is not a legitimate document but instead a ZIP archive containing a malicious LNK file.
When the LNK file is executed, it initiates a multi-stage infection chain that uses batch scripts to download additional components. These include the NarwhalRAT malware, a legitimate Python executable retrieved from the official website, and a Windows security catalog (CAT) file. Persistence is established through a scheduled task, which is configured to execute the CAT file responsible for loading the main payload into memory, allowing execution without leaving significant artifacts on disk.

Impact?
NarwhalRAT is a Python-based malware capable of extensive malicious activity once deployed. It can log keystrokes, capture screenshots (including high-resolution images), record ambient audio, upload directory content, collect information about active windows, and gather data from connected USB devices. It also supports remote command execution through a command-and-control (C2) server and can switch between multiple C2 servers for continued operation.
The malware stages collected data in a hidden directory located at %APPDATA%\naverwhale, which is designed to resemble the legitimate Naver Whale web browser developed by Naver Corporation, helping it evade detection. The malware also uses scheduled tasks with names such as “MicrosoftUserInterfacePicturesUpdateTackMachine” and “MicrosoftMusicLibrariesPackageTaskMachine” to maintain persistence on infected systems.
Recommendation
Organizations are advised to strengthen email security controls to detect and block spear-phishing messages impersonating trusted services such as Microsoft. Users should be trained to avoid opening unexpected attachments, especially ZIP files containing shortcut (LNK) files.
Security teams should monitor for unusual execution of LNK files, batch scripts, and Python-based payloads. It is also recommended to review scheduled tasks for suspicious entries resembling legitimate system update or media-related processes.
Network monitoring should include detection of unusual outbound communication to unknown domains and unauthorized use of cloud storage services such as pCloud for command-and-control activity. Endpoint detection systems should be configured to identify in-memory execution behavior and multi-stage loader activity.
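The monitoring advice above can be turned into a small host-based hunt. The script below is an added example written for this advisory; it is not code from the original report, from the researchers who analysed NarwhalRAT, or from any vendor product. It flags three of the behaviours described here: an LNK-style launch of cmd.exe running a batch file, python.exe started by cmd.exe from a user-writable directory, scheduled tasks whose names imitate Microsoft update or media tasks but sit outside the standard \Microsoft\Windows task folder (or whose action references a .cat file), and the %APPDATA%\naverwhale staging directory. The record field names (image, parent_image, command_line, task name/path/action) are assumptions modelled on Sysmon Event ID 1 and the Task Scheduler inventory; the sample records, file names such as advisory.bat and update.cat, and the user name are constructed for the example. Only the task names and the naverwhale directory come from the advisory itself.

```python
"""Host hunt for the NarwhalRAT tradecraft in the advisory (constructed example)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the started process (assumed Sysmon-like field)
    parent_image: str   # full path of the parent process
    command_line: str


@dataclass
class TaskEntry:
    name: str     # scheduled task name
    path: str     # task folder, e.g. "\Microsoft\Windows\Application Experience\"
    action: str   # program or script the task runs


# Directories an unprivileged user can write to; a Python runtime living here
# instead of under Program Files is the anomaly, not python.exe itself.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# Lookalike names from the advisory: "MicrosoftMusicLibrariesPackageTaskMachine",
# "MicrosoftUserInterfacePicturesUpdateTackMachine". Real Microsoft tasks use
# spaces in their names and live under \Microsoft\Windows\.
TASK_NAME_RE = re.compile(r"^Microsoft[A-Za-z]+Machine$")
SYSTEM_TASK_FOLDER = "\\microsoft\\windows\\"
STAGING_SUFFIX = "\\appdata\\roaming\\naverwhale"   # %APPDATA%\naverwhale


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(seg in p for seg in USER_WRITABLE)


def flag_process_chain(events):
    """Return (reason, event) pairs for the LNK -> batch -> python.exe chain."""
    hits = []
    for e in events:
        img, parent, cl = e.image.lower(), e.parent_image.lower(), e.command_line.lower()
        if img.endswith("\\cmd.exe") and parent.endswith("\\explorer.exe") and ".bat" in cl:
            # explorer.exe spawning cmd.exe to run a .bat is how a shortcut launch looks
            hits.append(("lnk_batch_launch", e))
        elif img.endswith("\\python.exe") and parent.endswith("\\cmd.exe") and is_user_writable(img):
            hits.append(("python_from_user_dir", e))
    return hits


def flag_tasks(tasks):
    """Return (task, reasons) for scheduled tasks matching the advisory's persistence."""
    hits = []
    for t in tasks:
        reasons = []
        if TASK_NAME_RE.match(t.name) and not t.path.lower().startswith(SYSTEM_TASK_FOLDER):
            reasons.append("microsoft_lookalike_name_outside_system_folder")
        act = t.action.lower()
        if ".cat" in act or is_user_writable(act):
            # the advisory describes the task executing a CAT file that loads the payload
            reasons.append("task_action_references_cat_or_user_dir")
        if reasons:
            hits.append((t, reasons))
    return hits


def flag_staging_dirs(paths):
    """Return directory paths equal to %APPDATA%\\naverwhale for any user profile."""
    return [p for p in paths if p.lower().rstrip("\\").endswith(STAGING_SUFFIX)]


def run_hunt(events, tasks, dirs):
    """Aggregate the three checks into one report with a total finding count."""
    proc = flag_process_chain(events)
    task = flag_tasks(tasks)
    staging = flag_staging_dirs(dirs)
    return {"process": proc, "tasks": task, "staging": staging,
            "total": len(proc) + len(task) + len(staging)}


# Constructed sample telemetry: one infected host with a benign control row in each set.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\advisory.bat"'),
    ProcEvent(r"C:\Users\alice\AppData\Roaming\naverwhale\python.exe",
              r"C:\Windows\System32\cmd.exe", r"python.exe -c <stage2>"),
    ProcEvent(r"C:\Program Files\Python312\python.exe", r"C:\Windows\System32\cmd.exe",
              r"python.exe build.py"),   # benign developer use, installed system-wide
]
SAMPLE_TASKS = [
    TaskEntry("MicrosoftMusicLibrariesPackageTaskMachine", "\\",
              r"C:\Users\alice\AppData\Roaming\naverwhale\update.cat"),
    TaskEntry("Microsoft Compatibility Appraiser", "\\Microsoft\\Windows\\Application Experience\\",
              r"%windir%\system32\compattelrunner.exe"),   # genuine Windows task
]
SAMPLE_DIRS = [r"C:\Users\alice\AppData\Roaming\naverwhale",
               r"C:\Users\alice\AppData\Roaming\Microsoft"]

if __name__ == "__main__":
    report = run_hunt(SAMPLE_EVENTS, SAMPLE_TASKS, SAMPLE_DIRS)
    for reason, ev in report["process"]:
        print(f"[proc] {reason}: {ev.image} <- {ev.parent_image}")
    for task, reasons in report["tasks"]:
        print(f"[task] {task.name} ({task.path}): {', '.join(reasons)}")
    for d in report["staging"]:
        print(f"[dir ] staging directory present: {d}")
    print(f"{report['total']} finding(s)")
```

Feed real data by exporting Sysmon process-creation events and the output of the Task Scheduler inventory into the two record types; the benign control rows in the sample (a system-wide Python install and a genuine Microsoft task) show that the checks key on location and naming pattern rather than on python.exe or the word "Microsoft" alone.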
Conclusion
The ScarCruft (APT37) campaign demonstrates an advanced spear-phishing operation that uses fake Microsoft security alerts to deliver NarwhalRAT malware through a multi-stage infection chain. By combining social engineering, disguised attachments, and cloud-based command-and-control infrastructure, the attackers are able to maintain stealthy and persistent access to victim systems. This highlights the continued evolution of state-sponsored malware delivery techniques and the importance of strong user awareness and endpoint monitoring.
Source
https://thehackernews.com/2026/06/chinese-hackers-abused-google-workspace.html
https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html
