Hackers Use Microsoft Account Security Alert Lures to Deliver NarwhalRAT Malware
An ongoing threat campaign distributing an advanced Python-based malware named NarwhalRAT, which initiates through targeted spear-phishing emails masquerading as urgent security notifications from the official Microsoft Account Team.
These deceptive messages warn recipients of abnormal one-time password generation and urge them to review an attached security advisory.
Analysts from IntCyberDigest note that this social engineering tactic successfully creates a false sense of urgency, pressuring victims into executing the malicious attachment without careful inspection.
Rather than a legitimate document, the attachment is a compressed archive containing a malicious shortcut file disguised as the promised advisory.
Once the victim interacts with the shortcut, it triggers a multi-stage infection process carefully engineered to evade traditional security defenses.
The internal commands in the shortcut file are heavily obfuscated using environment-variable substring substitution, effectively hiding the actual execution flow from static analysis tools.

Microsoft Alert Spreads NarwhalRAT
After establishing a permanent foothold, NarwhalRAT connects to a sophisticated command-and-control network to receive direct instructions and exfiltrate stolen data.
The malware uses compromised regional websites as its primary communication relays. However, it also features a highly resilient secondary channel that exploits the legitimate pCloud storage service.
This secondary channel functions as a dead-drop resolver, allowing the threat actors to hide their actual server addresses within the cloud platform.

Threat intelligence teams at IntCyberDigest report that abusing trusted cloud infrastructure provides a reliable fallback mechanism, ensuring the attackers maintain network control even if their primary communication servers are discovered and neutralized.
NarwhalRAT is heavily customized for targeted espionage, featuring extensive capabilities such as persistent keylogging, continuous screen capturing, background microphone recording, and stealthy USB data theft.
The malware specifically filters its data collection to target only active windows, explicitly excluding background system processes and messenger applications like KakaoTalk to reduce unnecessary data noise.
It also creates a hidden working directory named after a popular regional web browser, strongly suggesting a focus on specific victim demographics.
Researchers at Genians Security Center state that this campaign shares massive technical overlap with previous operations linked to the North Korean state-sponsored hacking group APT37, mirroring tactics seen in a deepfake impersonation campaign from earlier this year.
Security firm watchTowr advises organizations to monitor for abnormal memory usage originating from the Python runtime to effectively combat these stealthy intrusions.
Indicators of Compromise
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.