COSMICBYTEZLABS
NEWS

Fake Microsoft Security Alerts Used to Deploy North Korean NarwhalRAT Malware

North Korean state-sponsored group APT37 (ScarCruft) is conducting spear-phishing campaigns impersonating Microsoft Account security notifications to deliver a new remote access trojan called NarwhalRAT against high-value targets.

Dylan H.

News Desk

June 16, 2026
4 min read

The North Korean state-sponsored hacking group known as ScarCruft — tracked by threat intelligence researchers as APT37 — has been observed conducting a targeted spear-phishing campaign that impersonates Microsoft Account security alert notifications to deliver a previously undocumented backdoor malware called NarwhalRAT.

The campaign represents a continued evolution in North Korea's cyber operations, blending social engineering precision with custom malware development to compromise high-value targets in government, defense, and technology sectors.

Attack Chain Overview

APT37's NarwhalRAT campaign follows a multi-stage infection chain designed to bypass email security controls and evade initial detection:

  1. Phishing Email Delivery: Targets receive spear-phishing emails crafted to closely mimic legitimate Microsoft security notifications — warning of suspicious account sign-in activity and urging immediate action.

  2. Credential Harvesting Lure: The emails contain links directing victims to a convincing Microsoft sign-in page replica, where credentials may be harvested. However, the primary goal is malware delivery.

  3. Malicious Attachment or Link: In some variants, the email includes a malicious document or link that triggers the download of NarwhalRAT when opened.

  4. NarwhalRAT Execution: Once executed, the malware establishes a persistent foothold and beacons out to command-and-control (C2) infrastructure.

NarwhalRAT Capabilities

NarwhalRAT is a custom remote access trojan with capabilities consistent with a purpose-built espionage tool:

  • Remote command execution: Operators can run arbitrary system commands on compromised hosts
  • File exfiltration: Targeted collection and upload of documents, credentials, and other sensitive files
  • Screen capture: Periodic or on-demand screenshots of victim desktop activity
  • Keylogging: Recording keystrokes to capture credentials and other typed input
  • Persistence mechanisms: Registry modifications or scheduled tasks to survive reboots
  • Encrypted C2 communication: Traffic encrypted to blend with normal HTTPS patterns

The malware's name — NarwhalRAT — follows a pattern used by researchers to assign distinctive names to new North Korean tooling, referencing the elusive narwhal as a nod to the stealthy, hard-to-detect nature of the implant.

APT37 / ScarCruft Background

APT37, also known as ScarCruft, Reaper, Group123, and InkySquid, is a North Korean threat group assessed to operate under the direction of the Reconnaissance General Bureau (RGB), North Korea's primary intelligence agency.

The group has been active since at least 2012 and typically targets:

  • South Korean government officials and defectors
  • Human rights organizations focused on North Korea
  • Defense contractors and arms industry entities
  • Journalists and researchers covering North Korean affairs
  • Cryptocurrency platforms and financial institutions

APT37 is known for its use of 0-day and N-day exploits, watering hole attacks, and sophisticated social engineering. Past tooling has included RokRAT, ROKYLACE, and BlueLight — all custom implants with espionage-focused capabilities.

Indicators of Compromise

Organizations and security teams should hunt for the following indicators associated with this campaign:

Email Indicators:

  • Sender addresses mimicking Microsoft with subtle domain typosquatting (e.g., microsoft-security-alerts[.]com)
  • Subject lines referencing "unusual sign-in activity" or "account security verification required"
  • Urgency language pressuring immediate action

Network Indicators:

  • Unusual HTTPS connections to newly registered domains with SSL certificates mimicking Microsoft infrastructure
  • DNS lookups for domains matching [random-string].azurewebsite[s].net lookalikes

Host Indicators:

  • Unexpected scheduled tasks with encoded PowerShell commands
  • Registry run key persistence at HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Suspicious wscript.exe or mshta.exe spawning child processes

Mitigation Recommendations

Organizations can reduce exposure to this campaign through the following measures:

  1. Enable Multi-Factor Authentication (MFA) on all Microsoft 365 and Azure accounts — even if credentials are phished, MFA prevents a stolen password alone from granting access
  2. Configure DMARC, DKIM, and SPF email authentication to flag spoofed Microsoft sender domains
  3. Train users to verify Microsoft security alerts through the official Microsoft account portal rather than embedded email links
  4. Deploy advanced email filtering capable of inspecting embedded URLs and attachments in real time
  5. Monitor for execution of mshta.exe, wscript.exe, and cscript.exe in user contexts, as these are common malware loaders
  6. Block connections to newly registered domains in outbound proxy policies during initial investigation periods
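The host, network and email indicators listed above, together with mitigation step 5, can be turned into simple triage logic. The following is an added example, not code from the article or from any vendor: it runs over constructed Sysmon-style process-creation records and DNS names, and the account names, the allowlist of legitimate Microsoft domains and the 0.85 similarity threshold are assumptions chosen for illustration.

```python
import difflib
import re

# Constructed Sysmon-style process-creation records; not taken from the article.
EVENTS = [
    {"user": "CORP\\jdoe", "parent": "outlook.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\alert.hta"},
    {"user": "CORP\\jdoe", "parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"user": "CORP\\jdoe", "parent": "explorer.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn Updater /tr "powershell -EncodedCommand QQBCAEMARABFAEYA" /sc onlogon'},
    {"user": "CORP\\jdoe", "parent": "powershell.exe", "image": "reg.exe",
     "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /d C:\\Users\\jdoe\\upd.exe"},
]

LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe"}  # script hosts the article says to monitor
SERVICE_ACCOUNTS = {"nt authority\\system", "nt authority\\local service", "nt authority\\network service"}
ENCODED_PS = re.compile(r"(?i)powershell(?:\.exe)?.*\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}")
RUN_KEY = re.compile(r"(?i)HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b")
LEGIT_DOMAINS = ("microsoft.com", "microsoftonline.com", "azurewebsites.net")  # assumed allowlist

def triage_event(ev):
    """Return the indicator names one process event matches (empty list = nothing seen)."""
    hits = []
    user_context = ev["user"].lower() not in SERVICE_ACCOUNTS
    if ev["image"].lower() in LOLBINS and user_context:
        hits.append("lolbin_in_user_context")
    if ev["parent"].lower() in LOLBINS:
        hits.append("lolbin_spawned_child")
    if ENCODED_PS.search(ev["cmdline"]):
        hits.append("encoded_powershell")
        if "schtasks" in ev["cmdline"].lower():  # persistence via a scheduled task
            hits.append("scheduled_task_encoded_ps")
    if RUN_KEY.search(ev["cmdline"]):
        hits.append("hkcu_run_key_write")
    return hits

def is_lookalike_domain(fqdn):
    """True for a registrable domain that resembles, but is not, a Microsoft domain."""
    parts = fqdn.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return False
    registrable = ".".join(parts[-2:])
    if registrable in LEGIT_DOMAINS:
        return False
    if "microsoft" in parts[-2]:  # brand typosquat, e.g. microsoft-security-alerts.com
        return True
    # Assumed 0.85 threshold catches one-character edits such as azurewebsite.net
    return any(difflib.SequenceMatcher(None, registrable, d).ratio() >= 0.85 for d in LEGIT_DOMAINS)
```

Feed real Sysmon Event ID 1 fields (User, ParentImage, Image, CommandLine) into `triage_event` and DNS query names into `is_lookalike_domain`; the thresholds and allowlist will need tuning for your environment.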

Attribution Context

Microsoft Threat Intelligence and independent researchers have linked this NarwhalRAT campaign to infrastructure previously associated with APT37 based on:

  • TTPs overlap with previous ScarCruft operations including the use of HTA-based droppers
  • Code similarities between NarwhalRAT modules and earlier APT37 implants
  • C2 infrastructure registered through hosting providers historically associated with North Korean cyber operations

The campaign is assessed to be ongoing and targeting entities across the United States, Japan, South Korea, and Europe.


Security teams detecting NarwhalRAT activity are encouraged to report indicators to CISA's 24/7 Operations Center and relevant national cybersecurity authorities.

Tags: Malware, Phishing, APT, North Korea, APT37, ScarCruft, NarwhalRAT, Microsoft, Spear-Phishing
