216.73.216.86

Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2

· Published 15/06/2026 16:58 · Modified 15/06/2026 17:46

Export JSON

Essential information

Published
15/06/2026 16:58
Modified
15/06/2026 17:46
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
anti-vm dead-drop-resolver korean-targeting lnk-obfuscation narwhalrat pcloud python-backdoor rokrat spear-phishing
Tags
2026-06-15 anti-vm dead drop resolver korean targeting lnk-obfuscation narwhalrat pcloud python backdoor rokrat spear-phishing
Related entities
12 indicators, 12 observables, 1 intrusion sets (apt), 19 techniques (mitre), 2 malware, 4 others

Description

A sophisticated Python-based RAT targeting Korean users through spear phishing emails disguised as Microsoft security alerts. The attack chain employs LNK files embedded in ZIP archives, BAT-based obfuscation, and multi-stage loaders culminating in deployment. This advanced malware features keylogging, screen capture, microphone recording, and USB data collection capabilities. It utilizes a dual C2 infrastructure combining Korean relay servers (daehoat.com, novel21.co.kr) with API as a dead-drop resolver. The malware creates encrypted configuration files, implements techniques, and establishes persistence through scheduled tasks. It operates as a manually-controlled RAT with selective function activation via C2 commands, employing in-memory execution to evade file-based detection.

External references