Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2
Essential information
- Published
- 15/06/2026 16:58
- Modified
- 15/06/2026 17:46
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- anti-vm dead-drop-resolver korean-targeting lnk-obfuscation narwhalrat pcloud python-backdoor rokrat spear-phishing
- Tags
- 2026-06-15 anti-vm dead drop resolver korean targeting lnk-obfuscation narwhalrat pcloud python backdoor rokrat spear-phishing
- Related entities
- 12 indicators, 12 observables, 1 intrusion sets (apt), 19 techniques (mitre), 2 malware, 4 others
Description
A sophisticated Python-based RAT targeting Korean users through spear phishing emails disguised as Microsoft security alerts. The attack chain employs LNK files embedded in ZIP archives, BAT-based obfuscation, and multi-stage loaders culminating in NarwhalRAT deployment. This advanced malware features keylogging, screen capture, microphone recording, and USB data collection capabilities. It utilizes a dual C2 infrastructure combining Korean relay servers (daehoat.com, novel21.co.kr) with pCloud API as a dead-drop resolver. The malware creates encrypted configuration files, implements anti-VM techniques, and establishes persistence through scheduled tasks. It operates as a manually-controlled RAT with selective function activation via C2 commands, employing in-memory execution to evade file-based detection.