🚨 Fake Microsoft Alerts Spreading North Korean NarwhalRAT Malware

16 June 2026 — North Korea's ScarCruft hacking group (APT37) is running a sophisticated phishing campaign that impersonates Microsoft Account security alerts to deliver dangerous malware called NarwhalRAT.

How the Scam Works

The attack starts with an email that looks like a genuine Microsoft security alert. It claims there has been "abnormal activity" on your account — repeated one-time password attempts — and urges you to change your password immediately.

But the attached "advisory" is not a document. It's a ZIP archive containing a malicious LNK file.

Once opened, the LNK file triggers a multi-stage infection chain that:

  1. Downloads a Python executable from the official Python website
  2. Installs NarwhalRAT — a full-featured remote access trojan
  3. Sets up persistence via a scheduled task so it survives reboots
  4. Runs entirely in memory, leaving no files on your disk

What NarwhalRAT Can Do

Once installed, this malware can:

  • Log every keystroke you type
  • Capture screenshots (including high-resolution images)
  • Record audio through your microphone
  • Upload files from your computer
  • Steal data from USB drives
  • Accept commands from criminal servers

The malware even hides by masquerading as Naver Whale — a legitimate South Korean web browser.

Who Is Being Targeted

ScarCruft primarily targets individuals in South Korea and organisations involved in defence, geopolitical research, and technology. However, the techniques used here can and will be adapted for UK targets.

How to Protect Yourself

  • Do not open attachments from unsolicited emails, even if they look like security alerts
  • Microsoft will never ask you to download a ZIP file to address a security issue
  • Always go directly to your Microsoft Account settings by typing account.microsoft.com into your browser — never click links in emails
  • Enable 2FA on your Microsoft account using an authenticator app, not SMS
  • Keep your antivirus software updated and run regular scans

If You Think You've Been Hit

  1. Disconnect from the internet immediately
  2. Run a full antivirus scan from a clean device
  3. Change your passwords using a different, trusted device
  4. Contact your bank if you've done any online banking on the affected device
  5. Report the incident to Action Fraud on 0300 123 2040

Source: The Hacker News / Genians Security Center