NarwhalRAT
NarwhalRAT is a compiled Python-based remote access trojan/backdoor used by ScarCruft, also known as APT37, a North Korean state-sponsored threat group. Reported campaigns primarily targeted Korean users via spear-phishing emails impersonating Microsoft Account security notifications and warning about suspicious one-time password activity. The lure delivered a ZIP archive containing a malicious LNK file that launched a multi-stage infection chain using obfuscated commands, PowerShell execution-policy bypass, batch scripts, and legitimate Windows tools such as curl. The chain downloaded an official embedded Python package, renamed the Python executable to "userscreen.exe," and used files including config.cat and AccountConfig.cat to load the main payload largely in memory. NarwhalRAT establishes persistence through Windows Task Scheduler using task names designed to resemble legitimate Microsoft tasks, including "MicrosoftUserInterfacePicturesUpdateTackMachine" and "MicrosoftMusicLibrariesPackageTaskMachine." The malware uses AES-128-encrypted configuration, Python ctypes to call Windows APIs, dynamic executable memory allocation, and anti-VM checks for VMware, VirtualBox, and Parallels Desktop. Its command-and-control architecture uses Korean relay infrastructure and the pCloud API as a dead-drop resolver, with reported relay domains including daehoat[.]com, novel21[.]co[.]kr, fe01[.]co[.]kr, and webhostingkorea[.]com. Observed capabilities include keylogging, screenshot capture, microphone/audio recording, active-window collection, USB data collection, file upload/download, remote command execution, and C2 switching. Stolen data is stored in a hidden directory named "naverwhale," intended to masquerade as the Naver Whale browser, before exfiltration to attacker-controlled servers.
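The host and network indicators named above (the two scheduled-task names, the renamed interpreter userscreen.exe, the .cat loader files, the naverwhale staging directory, the relay domains and the pCloud dead drop) can be turned into a simple hunting check. This is an added example, not code from the original page or from any vendor product; the event records are constructed stand-ins for scheduled-task, process-creation and DNS telemetry normalised to dicts, and the field names are assumptions.

```python
"""Hunt telemetry for NarwhalRAT indicators listed in the profile above (added example)."""
import re

# Persistence task names reported for this family.
SUSPICIOUS_TASK_NAMES = {
    "MicrosoftUserInterfacePicturesUpdateTackMachine",
    "MicrosoftMusicLibrariesPackageTaskMachine",
}
# Renamed embedded-Python interpreter, loader files and hidden staging directory.
RENAMED_PYTHON = re.compile(r"(^|[\\/\s])userscreen\.exe\b", re.IGNORECASE)
CAT_LOADER = re.compile(r"\b(config|AccountConfig)\.cat\b", re.IGNORECASE)
STAGING_DIR = re.compile(r"[\\/]naverwhale([\\/]|$)", re.IGNORECASE)
# Relay C2 domains reported in the write-up, plus the pCloud dead-drop host.
RELAY_DOMAINS = {"daehoat.com", "novel21.co.kr", "fe01.co.kr", "webhostingkorea.com"}
DEAD_DROP_HOST = re.compile(r"(^|\.)pcloud\.com$", re.IGNORECASE)


def hunt(event):
    """Return the NarwhalRAT indicators matched by one telemetry event (dict)."""
    hits = []
    kind = event.get("type")
    if kind == "task_created":
        if event.get("task_name") in SUSPICIOUS_TASK_NAMES:
            hits.append("known NarwhalRAT scheduled-task name")
        if RENAMED_PYTHON.search(event.get("command", "")):
            hits.append("task runs renamed Python (userscreen.exe)")
    elif kind == "process_created":
        image, cmd = event.get("image", ""), event.get("command_line", "")
        if RENAMED_PYTHON.search(image):
            hits.append("renamed Python interpreter userscreen.exe")
        if CAT_LOADER.search(cmd):
            hits.append(".cat loader passed on command line")
        if STAGING_DIR.search(cmd) or STAGING_DIR.search(image):
            hits.append("naverwhale staging directory")
    elif kind == "dns_query":
        host = event.get("query", "").lower().rstrip(".")
        if host in RELAY_DOMAINS or any(host.endswith("." + d) for d in RELAY_DOMAINS):
            hits.append("relay C2 domain")
        # pCloud alone is legitimate traffic; treat as a weak signal to correlate.
        if DEAD_DROP_HOST.search(host):
            hits.append("pCloud dead-drop resolver")
    return hits


# Constructed sample telemetry (not captured data); placeholder URL is not an IOC.
SAMPLE_EVENTS = [
    {"type": "task_created", "task_name": "MicrosoftMusicLibrariesPackageTaskMachine",
     "command": r"C:\Users\u\AppData\Local\Temp\userscreen.exe config.cat"},
    {"type": "process_created", "image": r"C:\Windows\System32\curl.exe",
     "command_line": "curl.exe -o update.zip https://example.invalid/update.zip"},
    {"type": "dns_query", "query": "api.pcloud.com"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["type"], "->", hunt(ev) or "no match")
```

The curl event produces no hit on purpose: a plain curl download is too common to alert on alone, and the stronger signals are the task names, the renamed interpreter and the staging directory.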
Groups observed using it
1 distinct threat actor attributed by public researchers.
Victims unknowingly download the APT37 NarwhalRAT malware. This Python backdoor then executes directly in the system's memory.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Attackers use sophisticated spear-phishing techniques to infiltrate systems. They disguise their emails as Microsoft account security advisories... The message urges users to download an attached advisory. Unfortunately, this attachment is a malicious ZIP archive.
Execution (6 techniques)
Also, the malware establishes persistence through the Windows Task Scheduler. It mimics a legitimate Microsoft user interface task.
It performed various information-stealing activities, including keylogging, screen capture, USB data collection, and remote command execution.
The initial LNK file uses clever tricks. It obfuscates internal command lines by manipulating environment variables. Next, it bypasses the standard PowerShell execution policy.
Upon execution, the LNK file initiates a multi-stage infection chain using batch scripts to download and install NarwhalRAT.
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (6 techniques)
The initial LNK file uses clever tricks. It obfuscates internal command lines by manipulating environment variables.
The malware renames the Python executable to “userscreen.exe” to avoid suspicion... It names this directory “naverwhale” to blend in smoothly.
The script then abuses legitimate Windows binaries. For example, it copies the built-in curl utility to download additional payloads.
It performs an Anti-VM function designed to detect virtual environments. If the malware detects a virtual machine, it terminates immediately.
Credential Access (1 technique)
Discovery (4 techniques)
The Python-based malware is equipped to... upload directory contents ...
The Python-based malware is equipped to... gather data from USB media ...
Collection (5 techniques)
It performed various information-stealing activities, including keylogging, screen capture, USB data collection, and remote command execution.
Command and Control (3 techniques)
Then, it uses this token to communicate with pCloud. This approach blends malicious traffic with regular cloud service usage.
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
A compiled Python-based backdoor/RAT used in spear-phishing campaigns targeting Korean users. It executes filelessly in memory, uses AES-128-encrypted configuration, establishes persistence via Windows Task Scheduler, communicates through a dual C2 structure using a Korean relay server and the pCloud API as a dead-drop resolver, and steals data via keylogging, screen capture, USB data collection, and remote command execution while employing anti-VM checks.
A remote access trojan delivered via spear-phishing ZIP/LNK infection chains. It establishes persistence via a scheduled task, loads its payload into memory, logs keystrokes, captures screenshots, records audio, exfiltrates data from USB drives, and executes commands from a C2 server.
Python-based remote access trojan delivered via spear-phishing ZIP/LNK chains. It uses multi-stage loaders, scheduled-task persistence, in-memory execution, multiple C2 channels including Korean relay websites and the pCloud API, and can log keystrokes, capture screenshots, record audio, upload directory contents, collect active window details, gather data from USB media, execute C2 commands, and switch C2 servers.
A compiled Python-based remote access trojan/backdoor targeting Korean users. It is delivered via spear-phishing with a malicious LNK inside a ZIP, abuses PowerShell and curl.exe, installs persistence via a scheduled task, performs VM checks, and supports screen capture, keylogging, microphone recording, file upload/download, USB collection, remote command execution, and C2 configuration changes.