Fake Microsoft Alerts Used to Deploy North Korean NarwhalRAT Malware

ScarCruft (APT37) is using spear-phishing emails that impersonate Microsoft Account security alerts to trick victims into opening a ZIP file that launches a malicious LNK and installs NarwhalRAT. The malware runs through a multi-stage, in-memory infection chain, collects sensitive data, and uses Korean websites plus pCloud as command-and-control channels.

Key points

  • ScarCruft is distributing NarwhalRAT through fake Microsoft Account security alerts.
  • The attachment is a ZIP archive containing a malicious LNK file, not an HWP document.
  • The infection chain uses batch scripts, Python, and a CAT file to run the payload in memory.
  • NarwhalRAT can log keystrokes, capture screenshots, record audio, and collect system data.
  • The malware uses Korean websites and pCloud as command-and-control infrastructure.
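
The delivery step above (a ZIP attachment carrying an LNK) can be checked at a mail gateway or during triage. The sketch below is an added example, not code from the original report: it flags Windows shortcut files inside a ZIP by their shell link header as well as by name, so a shortcut stored under a document extension or inside a nested ZIP is still reported. The function names, depth and size limits, and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# MS-SHLLINK header: HeaderSize 0x4C followed by the fixed LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
MAX_DEPTH = 2                   # assumption: how deep to follow nested ZIPs
MAX_NESTED = 20 * 1024 * 1024   # assumption: skip nested ZIPs larger than this

def scan_zip(data, depth=0, prefix=""):
    """Return sorted (member path, reason) pairs for shortcut files in a ZIP."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<attachment>", "unreadable archive")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.flag_bits & 0x1:   # bit 0 set: member is encrypted
                findings.append((path, "encrypted member, not inspected"))
                continue
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            named_lnk = info.filename.lower().endswith(".lnk")
            if head == LNK_MAGIC:
                reason = "shell link" if named_lnk else "shell link under another extension"
                findings.append((path, reason))
            elif named_lnk:
                findings.append((path, ".lnk name without shell link header"))
            elif head[:4] == b"PK\x03\x04" and depth < MAX_DEPTH and info.file_size <= MAX_NESTED:
                # Nested archive: scan it and report members as outer.zip!inner
                findings += scan_zip(zf.read(info), depth + 1, path + "!")
    return sorted(findings)

def build_sample():
    """Constructed sample: a ZIP with a fake LNK, a text file and a nested ZIP."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56   # header bytes only, not a working shortcut
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("notice.docx", fake_lnk)   # shortcut content, document name
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Security alert.pdf.lnk", fake_lnk)
        z.writestr("readme.txt", "constructed sample")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()
```

Windows Explorer hides the `.lnk` extension, so a member named `Security alert.pdf.lnk` is displayed as `Security alert.pdf`; checking the header catches it regardless of the name shown to the user.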

Read More: https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html