lazarusholic


Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2

2026-06-14, Genians
https://www.genians.co.kr/en/blog/threat_intelligence/narwhalrat
#APT37 #LNK #NarwhalRAT

Contents

◈ Key Findings
- Initial access was gained through spear phishing disguised as messages from the Microsoft account team and as cybersecurity advisories.
- Malicious LNK files were used to induce the installation of NarwhalRAT, which is built from compiled Python scripts.
- The malware performed a range of information-stealing activities, including keylogging, screen capture, USB data collection, and remote command execution.
- The actor operated a dual C2 structure that used a Korean relay server and the pCloud API as a dead-drop resolver.
- EDR policies need to be strengthened to detect chained abuse of LNK files and PowerShell.
1. Overview
Genians Security Center recently confirmed the continued distribution of compiled Python-based malware. This threat shows strong similarities to the attack scenario and TTPs identified in the report "Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign", published on May 11, 2026.
This attack was carried out through a spear phishing email titled "[Urgent] Security Check Notice Regarding Repeated One-Time Password (OTP) …

IoC
