Mallory
Malware · Used by 1 actor

NarwhalRAT

NarwhalRAT is a remote access trojan that the cited reporting attributes to APT37. The described campaign gained initial access through spear-phishing emails disguised as messages from the Microsoft account team and as cybersecurity advisories. Victims were induced to open malicious LNK files, which launched PowerShell and installed NarwhalRAT from a compiled Python script. Reported capabilities are information theft and surveillance: keylogging, screen capture, collection of data from USB devices, and remote command execution. Command and control used a dual architecture: a relay server located in Korea, and the pCloud API as a dead-drop resolver, that is, a legitimate public service from which the implant reads the address of its actual C2 instead of carrying it hard-coded. The reporting ties the activity to DPRK-linked operations through its references to APT37 and DPRK. Targeted industries or victim sectors are not specified in the provided content, and no file hashes, domains, IP addresses, or other concrete indicators of compromise are given.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

APT37

"Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2" (original Korean title: "MS 사칭 피싱과 Dead-drop C2 기반 APT37 NarwhalRAT 분석"), published by Genians. #APT37, #LNK, #NarwhalRAT, #DPRK, #CTI

via lazarusholic on Bluesky (bsky.app)
MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (evidence items: 3)

"Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2" (original Korean title: "MS 사칭 피싱과 Dead-drop C2 기반 APT37 NarwhalRAT 분석")

Execution

3 techniques
T1059 Command and Scripting Interpreter (evidence items: 1)

Performed various information-stealing activities, including keylogging, screen capture, USB data collection, and remote command execution.

T1059.001 PowerShell (evidence items: 1)

EDR policies need to be strengthened to detect chained abuse activities based on LNK and PowerShell.

T1204.002 Malicious File (evidence items: 2)

Malicious LNK files were used to induce the installation of NarwhalRAT based on compiled Python script.
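The Execution entries above describe one chain: a victim opens an LNK, the LNK starts PowerShell, and PowerShell drops and runs a compiled-Python payload. The following is an added example written for this page, not code from the Genians report, from NarwhalRAT, or from Mallory: a minimal hunt over Sysmon-style process-creation events that looks for exactly that shape. The process names, paths, timestamps and command lines in `SAMPLE_EVENTS` are constructed sample data, and the payload name `update.exe` is a placeholder, not an indicator from the reporting.

```python
# Added example: hunt for the LNK -> PowerShell -> dropped-binary chain in
# Sysmon-style process-creation events.  Illustrative code for this page, not
# code from the Genians report or from NarwhalRAT; all sample data is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Switches a lure-launched PowerShell one-liner typically carries and an
# interactive or scheduled admin session typically does not.  PowerShell
# accepts abbreviated switch names, so short forms are listed too.
HIDDEN_FLAGS = ("-w hidden", "-win hidden", "-windowstyle hidden")
ENCODED_FLAGS = ("-enc",)  # also matches -encoded / -encodedcommand
BYPASS_FLAGS = ("-ep bypass", "-exec bypass", "-executionpolicy bypass")
# Directories a phishing-delivered payload can write to without elevation.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\downloads\\", "\\users\\public\\")


@dataclass
class ProcEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_powershell(e: ProcEvent) -> bool:
    """True for a powershell/pwsh launch that hides its window, carries an
    encoded command, or bypasses execution policy: the shape of an LNK target."""
    if image_name(e.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    c = " ".join(e.cmdline.lower().split())  # normalise whitespace
    return any(f in c for f in HIDDEN_FLAGS + ENCODED_FLAGS + BYPASS_FLAGS)


def in_user_writable(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE)


def find_lnk_powershell_chains(events: List[ProcEvent],
                               window: timedelta = timedelta(seconds=120)) -> List[dict]:
    """One finding per PowerShell process that (a) was spawned by explorer.exe,
    which is the parent of anything started by double-clicking an LNK,
    (b) looks like a lure one-liner, and (c) within `window` started a child
    from a user-writable directory (the dropped compiled-Python payload).
    PID reuse is ignored here; a production rule keys on process GUIDs."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    ordered = sorted(events, key=lambda e: e.ts)
    findings = []
    for ps in ordered:
        parent = by_pid.get(ps.ppid)
        if parent is None or image_name(parent.image) != "explorer.exe":
            continue
        if not suspicious_powershell(ps):
            continue
        child = next((c for c in ordered
                      if c.ppid == ps.pid
                      and timedelta(0) <= c.ts - ps.ts <= window
                      and in_user_writable(c.image)), None)
        findings.append({
            "powershell_pid": ps.pid,
            "cmdline": ps.cmdline,
            "child_image": child.image if child else None,
            "severity": "high" if child else "medium",
        })
    return findings


# Constructed sample telemetry: one lure chain and one benign admin launch.
T0 = datetime(2024, 1, 1, 9, 0, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(T0, 100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # LNK target: hidden PowerShell that runs the dropped payload (placeholder name).
    ProcEvent(T0 + timedelta(seconds=5), 200, 100, PS,
              r'powershell.exe -w hidden -nop -ep bypass -c "& $env:LOCALAPPDATA\Temp\update.exe"'),
    ProcEvent(T0 + timedelta(seconds=9), 300, 200,
              r"C:\Users\victim\AppData\Local\Temp\update.exe", "update.exe"),
    # Benign: an inventory script launched from explorer with a visible window.
    ProcEvent(T0 + timedelta(minutes=10), 400, 100, PS,
              r'powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Program Files\Vendor\inventory.ps1"'),
]

if __name__ == "__main__":
    for f in find_lnk_powershell_chains(SAMPLE_EVENTS):
        print(f)
```

The explorer.exe parent is only a proxy for "started from an LNK"; Start-menu and desktop launches look the same, which is why the rule also requires the hidden/encoded/bypass switches and scores higher when a child appears from a user-writable path. Where the EDR records file-create events, correlating a recent `*.lnk` write under the user's Downloads or mail-attachment cache with the PowerShell launch tightens this further.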

Persistence

1 technique
T1547.009 Shortcut Modification (evidence items: 1)

The post includes the hashtag "#LNK" alongside "Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2". Note that this mapping rests on the hashtag alone: the reporting describes LNK files as the lure the victim opens (T1204.002), whereas T1547.009 covers modifying or planting shortcuts so they run at logon or startup, which the provided content does not describe.

Privilege Escalation

1 technique
T1547.009 Shortcut Modification (evidence items: 1)

The post includes the hashtag "#LNK" alongside "Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2".

Credential Access

1 technique
T1056.001 Keylogging (evidence items: 1)

Performed various information-stealing activities, including keylogging, screen capture, USB data collection, and remote command execution.

Collection

3 techniques
T1025 Data from Removable Media (evidence items: 1)

Performed various information-stealing activities, including keylogging, screen capture, USB data collection, and remote command execution.

T1056.001 Keylogging (evidence items: 1)

Performed various information-stealing activities, including keylogging, screen capture, USB data collection, and remote command execution.

T1113 Screen Capture (evidence items: 1)

Performed various information-stealing activities, including keylogging, screen capture, USB data collection, and remote command execution.

Command and Control

3 techniques
T1071 Application Layer Protocol (evidence items: 1)

"Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2"

T1090 Proxy (evidence items: 1)

The actor operated a dual C2 structure that used a Korean relay server and the pCloud API as a dead-drop resolver.

T1102.001 Dead Drop Resolver (evidence items: 2)

"Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2" (original Korean title: "MS 사칭 피싱과 Dead-drop C2 기반 APT37 NarwhalRAT 분석")
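The dual C2 described under T1090 and T1102.001 has a recognisable network shape: the implant first reads a dead drop on a legitimate cloud service, then opens a connection to the relay whose address it just obtained. The following is an added example written for this page, not code from the Genians report, from NarwhalRAT, or from Mallory: a hunt over Sysmon-style network-connection events for that "resolve, then beacon" sequence. The pCloud hostnames are the service's public API endpoints and are assumed to be where a pCloud-API dead drop would be read from; they are not indicators from the reporting, which gives none. The relay host `relay.invalid`, the endpoints, process paths and timestamps are constructed sample data.

```python
# Added example: hunt for the dead-drop-resolver "resolve, then beacon" pattern
# in Sysmon-style network-connection events.  Illustrative code for this page,
# not code from the Genians report or from NarwhalRAT.  The pCloud API hosts are
# the public service endpoints (an assumption, not reported indicators); all
# other hosts, processes and timestamps below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

DEAD_DROP_HOSTS = {"api.pcloud.com", "eapi.pcloud.com"}
# Processes with a legitimate reason to talk to pCloud: browsers and the
# official client.  Any other process reading the API deserves a look.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "pcloud.exe"}


@dataclass
class NetEvent:
    ts: datetime
    host: str     # endpoint that generated the event
    pid: int
    image: str    # process image path
    dest: str     # destination hostname (from DNS or proxy enrichment)


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_dead_drop_then_beacon(events: List[NetEvent],
                               window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """For each non-browser process that reads a dead-drop host, report its
    first connection to any other destination within `window`.  That second
    hop is the real C2 (in the reporting, the Korean relay server) whose
    address the dead drop supplied.  One finding per process is emitted."""
    per_proc: Dict[Tuple[str, int, str], List[NetEvent]] = defaultdict(list)
    for e in events:
        per_proc[(e.host, e.pid, image_name(e.image))].append(e)
    findings = []
    for (_host, _pid, name), evs in per_proc.items():
        if name in EXPECTED_CLIENTS:
            continue
        evs.sort(key=lambda e: e.ts)
        for i, e in enumerate(evs):
            if e.dest not in DEAD_DROP_HOSTS:
                continue
            beacon = next((b for b in evs[i + 1:]
                           if b.dest not in DEAD_DROP_HOSTS
                           and b.ts - e.ts <= window), None)
            if beacon is not None:
                findings.append({
                    "host": e.host, "pid": e.pid, "image": e.image,
                    "resolver": e.dest, "beacon_dest": beacon.dest,
                    "lag_s": (beacon.ts - e.ts).total_seconds(),
                })
                break  # one alert per process is enough to page on
    return findings


# Constructed sample telemetry.
T0 = datetime(2024, 1, 1, 9, 0, 0)
PAYLOAD = r"C:\Users\victim\AppData\Local\Temp\update.exe"   # placeholder name
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    # WS01: a binary in %TEMP% reads the dead drop, then contacts the relay.
    NetEvent(T0 + timedelta(seconds=15), "WS01", 300, PAYLOAD, "api.pcloud.com"),
    NetEvent(T0 + timedelta(seconds=22), "WS01", 300, PAYLOAD, "relay.invalid"),
    # WS02: a browser using pCloud normally, then browsing elsewhere.
    NetEvent(T0 + timedelta(minutes=1), "WS02", 4000, CHROME, "api.pcloud.com"),
    NetEvent(T0 + timedelta(minutes=2), "WS02", 4000, CHROME, "www.example.com"),
    # WS03: the official client polling the API and nothing else.
    NetEvent(T0 + timedelta(hours=1), "WS03", 500,
             r"C:\Program Files\pCloud Drive\pCloud.exe", "eapi.pcloud.com"),
]

if __name__ == "__main__":
    for f in find_dead_drop_then_beacon(SAMPLE_EVENTS):
        print(f)
```

Because the dead drop lives on a service that is legitimately reachable from most corporate networks, blocking the API outright is rarely an option; the discriminator is which process reads it and what that process does next. Extending `EXPECTED_CLIENTS` from an allowlist of images to a check on Authenticode signer, and adding a first-seen check on `beacon_dest` across the fleet, are the two refinements that matter most in practice.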
