APT37 Deploys NarwhalRAT via Fake Microsoft Security Alerts

North Korean APT37 deployed NarwhalRAT, a new backdoor with encrypted custom C2, via fake Microsoft OTP security alerts targeting South Korean defense and crypto sectors.

    North Korean state-sponsored group APT37, also known as ScarCruft, deployed a newly identified malware called NarwhalRAT against South Korean targets through spear-phishing emails impersonating Microsoft Account security alerts, according to research from Genians Security Center published June 15, 2026. The campaign targets entities in South Korea’s defense industrial base, think-tank community, and cryptocurrency exchanges. Genians published YARA rules and command-and-control infrastructure indicators alongside the disclosure; Korean-language phishing lures were identified, consistent with APT37’s historical focus on Korean-speaking targets.

    How APT37 Used a Fake Microsoft Security Warning to Deliver NarwhalRAT

    The attack chain begins with a spear-phishing email designed to look like a legitimate Microsoft Account security notification. The email warns the recipient of “abnormal activity” involving repeated one-time password (OTP) generation, framing it as a third-party phishing attempt targeting the victim’s account. The urgency is deliberate: the recipient believes their account is already under attack and must act immediately.

    Clicking the button in the email downloads a Windows executable masquerading as a Microsoft Authenticator update. The executable drops NarwhalRAT and establishes persistence via a scheduled task named MicrosoftAuthenticatorUpdateTask.

    Why the Double-Deception Lure Targets Security-Aware Users Most Effectively

    The social engineering mechanism in this campaign exploits the victim’s security awareness rather than circumventing it. A recipient who has received training to respond quickly to account compromise alerts is exactly the person most likely to react to a warning that their Microsoft Account is being attacked. The email presents itself as a security alert about a different threat — which means the more security-conscious the recipient, the more compelling the lure.

    NarwhalRAT’s Capabilities and C2 Architecture

    Once installed, NarwhalRAT establishes an encrypted command-and-control channel using a custom binary protocol over port 443. Capabilities observed by Genians include keystroke logging, screenshot capture at configurable intervals, clipboard monitoring, browser credential harvesting targeting Chrome, Edge, and Whale (a Korean-market browser), and the ability to receive and execute arbitrary shellcode. The RAT also includes a self-destruct command that overwrites its binary with null bytes and deletes its scheduled task, leaving minimal forensic artifacts.

    Custom Binary Protocol on Port 443

    NarwhalRAT communicates over port 443 using a custom binary protocol rather than standard HTTPS. This allows C2 traffic to blend with the large volume of legitimate TLS traffic on port 443 while remaining distinct enough from standard protocol patterns that defenders who perform deep packet inspection may be able to identify anomalies. The custom protocol is separate from the dead-drop or relay-server architectures used in some other APT37 campaigns.
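One concrete form of that inspection, as an added example that is not from the Genians report or this article: a Python heuristic that flags port-443 flows whose first client bytes do not form a TLS ClientHello, which is what a custom binary protocol on 443 would fail. The flow records and the two non-TLS framings below are constructed samples, not NarwhalRAT captures (the RAT's framing is not described on this page), so the check distinguishes TLS from non-TLS rather than identifying NarwhalRAT itself.

```python
import struct
from typing import Iterable, List, Optional, Tuple

TLS_HANDSHAKE = 0x16   # TLS record content type for handshake messages
CLIENT_HELLO = 0x01    # handshake message type a TLS client sends first

def tls_client_hello_problem(payload: bytes) -> Optional[str]:
    """Return None if payload starts with a plausible TLS ClientHello, else a
    reason. Only the record and handshake headers are inspected, so nothing is
    decrypted and a ClientHello fragmented across records is still accepted."""
    if len(payload) < 9:
        return "too short for a TLS record plus handshake header"
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type != TLS_HANDSHAKE:
        return f"record type 0x{content_type:02x} is not handshake (0x16)"
    if major != 3 or minor > 4:
        return f"record version {major}.{minor} is not an SSL/TLS version"
    hs_type, hs_len = payload[5], int.from_bytes(payload[6:9], "big")
    if hs_type != CLIENT_HELLO:
        return f"first handshake message 0x{hs_type:02x} is not ClientHello"
    if rec_len > hs_len + 4:
        return "record length exceeds the ClientHello it claims to carry"
    return None

def flag_non_tls_on_443(flows: Iterable[Tuple[str, str, int, bytes]]) -> List[Tuple[str, str, str]]:
    """flows are (src, dst, dport, first client bytes); return (src, dst, reason)
    for every flow to port 443 that does not open with a TLS ClientHello."""
    hits = []
    for src, dst, dport, payload in flows:
        if dport == 443:
            reason = tls_client_hello_problem(payload)
            if reason is not None:
                hits.append((src, dst, reason))
    return hits

def make_client_hello() -> bytes:
    """Constructed minimal ClientHello (TLS 1.2 body, one cipher suite)."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00\x00\x00"
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs

# Constructed sample flows: one TLS hello, two placeholder binary framings on
# 443 (not NarwhalRAT's actual format, which is not public here), one non-443.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, make_client_hello()),
    ("10.0.0.7", "203.0.113.20", 443, b"\x4e\x57\x01\x00\x00\x00\x00\x40" + b"\xaa" * 8),
    ("10.0.0.9", "203.0.113.30", 443, b"\x16\x03\x03\x00\x10\x02\x00\x00\x0c" + b"\x00" * 12),
    ("10.0.0.9", "203.0.113.40", 8080, b"GET / HTTP/1.1\r\n"),
]
```

Running `flag_non_tls_on_443(SAMPLE_FLOWS)` returns the two constructed 443 flows with their reasons; a ClientHello split across several TLS records passes because only a record that claims more bytes than its handshake message is rejected.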

    APT37’s Sustained South Korean Targeting and NarwhalRAT’s Public Debut

    Genians Security Center linked this campaign to APT37 based on tactics, techniques, procedures, and infrastructure overlaps with previously tracked APT37 activity. NarwhalRAT is a newly identified malware — the Genians June 15 report constitutes its first public disclosure.

    APT37 historically concentrates on South Korean government officials, defense sector personnel, and organizations of strategic intelligence value to North Korea. The multi-sector targeting across defense industrial base, policy research institutions, and cryptocurrency exchanges suggests simultaneous intelligence collection and potential financial theft objectives.

    South Korean organizations should add Microsoft Account security alert impersonation to phishing awareness training, block or alert on scheduled tasks named MicrosoftAuthenticatorUpdateTask, and apply the YARA rules and IOCs published by Genians to hunt for existing NarwhalRAT infections.
