🚨 Fake Microsoft Alerts Spreading North Korean NarwhalRAT Malware
16 June 2026 — North Korea's ScarCruft hacking group (APT37) is running a sophisticated phishing campaign that impersonates Microsoft Account security alerts to deliver dangerous malware called NarwhalRAT.
How the Scam Works
The attack starts with an email that looks like a genuine Microsoft security alert. It claims there has been "abnormal activity" on your account — repeated one-time password attempts — and urges you to change your password immediately.
But the attached "advisory" is not a document. It's a ZIP archive containing a malicious LNK file.
Once opened, the LNK file triggers a multi-stage infection chain that:
- Downloads a Python executable from the official Python website
- Installs NarwhalRAT — a full-featured remote access trojan
- Sets up persistence via a scheduled task so it survives reboots
- Runs entirely in memory, leaving no files on your disk
What NarwhalRAT Can Do
Once installed, this malware can:
- Log every keystroke you type
- Capture screenshots (including high-resolution images)
- Record audio through your microphone
- Upload files from your computer
- Steal data from USB drives
- Accept commands from criminal servers
The malware even hides by masquerading as Naver Whale — a legitimate South Korean web browser.
Who Is Being Targeted
ScarCruft primarily targets individuals in South Korea and organisations involved in defence, geopolitical research, and technology. However, the techniques used here can and will be adapted for UK targets.
How to Protect Yourself
- Do not open attachments from unsolicited emails, even if they look like security alerts
- Microsoft will never ask you to download a ZIP file to address a security issue
- Always go directly to your Microsoft Account settings by typing
account.microsoft.cominto your browser — never click links in emails - Enable 2FA on your Microsoft account using an authenticator app, not SMS
- Keep your antivirus software updated and run regular scans
If You Think You've Been Hit
- Disconnect from the internet immediately
- Run a full antivirus scan from a clean device
- Change your passwords using a different, trusted device
- Contact your bank if you've done any online banking on the affected device
- Report the incident to Action Fraud on 0300 123 2040
Source: The Hacker News / Genians Security Center