Fake Microsoft alerts show attackers are exploiting trust, not vulnerabilities
Frequent readers of this blog won’t find this new, but some of you will, which is why I am covering it. For years, fake Microsoft alerts have popped up while people browse the web. What makes this campaign unique is that these fake popups have been used to deliver the North Korean-linked NarwhalRAT. This is another reminder that attackers don’t always need sophisticated exploits to compromise organizations. Increasingly, threat actors are succeeding by impersonating trusted brands, security notifications, and software providers to manipulate user behavior and bypass traditional defenses. The malware itself is only part of the story. The real challenge is that users are being asked to make security decisions in environments where legitimate and malicious prompts can look nearly identical.
Cybernews, for example, has details:
The infection begins with a spear phishing email pretending to be an urgent security alert from the “Microsoft Account Team.”
The message warns the recipient about suspicious one-time password activity and directs them to open an attached advisory document. In reality, the attachment is a ZIP archive hiding a malicious LNK shortcut file, not a real document.
Analysts at Genians Security Center said in a report shared with Cyber Security News (CSN) that this threat bears strong similarities to a Python-based backdoor campaign documented in May 2026.
Researchers named the malware NarwhalRAT, drawing on the string “naverwhale” found inside its code, believed to be an attempt to masquerade as Naver Whale, a popular browser in South Korea.
The malware primarily targets Korean users, and its behavioral structure confirms this. NarwhalRAT uses “naverwhale” as its working directory name and assigns Hidden and System file attributes to the created folder to stay out of plain sight.
It also handles KakaoTalk-related window identifiers separately during data collection, strongly pointing to Korean targeting.
The threat actor operated a dual command-and-control structure using a Korean relay server alongside the pCloud API as a Dead-drop Resolver. This lets the attacker change the actual C2 address without touching the malware, and helps traffic blend with normal web activity, making detection harder.
Yagub Rahimov, CEO, Polygraf AI
“It’s interesting to see what NarwhalRAT tells us about where APT37 is focusing. This group was almost entirely on RokRAT; it was their signature, basically the thing analysts used to point to them. Moving to a new Python-based RAT helped them break that signature – it helps them look like someone else.
Everything else in this campaign is built around being invisible, not getting in cleverly. All the attempts, like the LNK chain, the fileless in-memory execution or the Python runtime taken from the official site – none of it is interesting on its own. APT37 has been running a similar playbook for over a year. What’s interesting is the attention to detail. Wiped timestamps, a staging directory named to impersonate Naver Whale, persistence through a scheduled task with a name designed to blend into legitimate Windows entries. Every decision was trying not to trip anything that watches disk or signatures. There’s nothing for traditional antivirus to grab onto because almost nothing touches the disk in a recognizable form.
A fake Microsoft account security alert warning about OTP abuse is almost perfectly designed: it uses the victim’s own security awareness against them. The more trained someone is to take account-security warnings seriously, the more likely they are to open the attachment. That’s what this attack relies on. Every technical layer can be defeated by detection eventually, but the entry point is a human being doing what they’ve been told is the responsible thing. That’s where the chain actually breaks.”
While this is targeting Koreans, you can expect it to target you next. Thus, if you’re charged with defending your organization from threats, consider yourself warned.
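The tradecraft quoted above is observable from a defender’s side even when nothing on disk looks malicious: a Hidden+System folder named after a browser appearing inside a user profile, a scheduled task that launches a Python interpreter from that folder, a scripting runtime talking to a consumer cloud-storage API (the dead-drop resolver pattern), and files whose modification time predates the folder that was just created to hold them (wiped timestamps). The Python below is an added example of hunt rules for those four behaviours, run over constructed sample telemetry; it is my code, not the post’s and not Genians’ or Cybernews’. The event field names, the provisioning-process allow-list, the browser lookalike list other than “naverwhale”, the task name, and the host name are all assumptions, and none of the sample values are real indicators.

```python
"""Hunt rules for the NarwhalRAT behaviours described in the post, run over
constructed telemetry. Added example; field names, allow-lists and sample
values are assumptions, not indicators from the campaign."""
import ntpath
from datetime import datetime

FILE_ATTRIBUTE_HIDDEN = 0x2  # documented Windows attribute bits
FILE_ATTRIBUTE_SYSTEM = 0x4
HIDDEN_AND_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

# Assumed: processes that legitimately create hidden+system folders in a
# profile while provisioning it. Anything else doing so is unusual.
PROFILE_PROVISIONERS = {"userinit.exe", "svchost.exe", "msiexec.exe"}
# "naverwhale" comes from the report; the other lookalikes are assumed.
BROWSER_LOOKALIKES = ("naverwhale", "whale", "chrome", "msedge", "firefox")
PYTHON_EXES = {"python.exe", "pythonw.exe"}


def _under_user_profile(path):
    parts = ntpath.normcase(path).split("\\")  # normcase lowercases and fixes slashes
    return len(parts) > 3 and parts[0] == "c:" and parts[1] == "users"


def rule_staging_dir(ev):
    """Hidden+System directory created in a user profile by a non-provisioning process."""
    if ev["type"] != "dir_created" or not _under_user_profile(ev["path"]):
        return None
    if (ev["attributes"] & HIDDEN_AND_SYSTEM) != HIDDEN_AND_SYSTEM:
        return None
    if ev["process"].lower() in PROFILE_PROVISIONERS:
        return None
    leaf = ntpath.basename(ev["path"]).lower()
    sev = "high" if any(b in leaf for b in BROWSER_LOOKALIKES) else "medium"
    return (sev, f"hidden+system dir {ev['path']} created by {ev['process']}")


def rule_python_task(ev, staging_dirs):
    """Scheduled task whose action is a Python interpreter; worst if inside a flagged dir."""
    if ev["type"] != "task_created" or ntpath.basename(ev["action"]).lower() not in PYTHON_EXES:
        return None
    action = ntpath.normcase(ev["action"])
    if any(action.startswith(ntpath.normcase(d) + "\\") for d in staging_dirs):
        return ("high", f"task '{ev['name']}' runs Python from staging dir: {ev['action']}")
    return ("low", f"task '{ev['name']}' runs a Python interpreter: {ev['action']}")


def rule_cloud_ddr(ev):
    """Scripting runtime talking to a cloud-storage API (dead-drop resolver pattern)."""
    if ev["type"] != "net_connect" or ev["process"].lower() not in PYTHON_EXES:
        return None
    if "pcloud" in ev["host"].lower():  # assumed: service name appears in the API host
        return ("medium", f"{ev['process']} -> {ev['host']} (possible dead-drop resolver)")
    return None


def rule_timestomp(ev, dir_born):
    """File whose modification time predates the creation of its newly made parent dir."""
    if ev["type"] != "file_created":
        return None
    born = dir_born.get(ntpath.normcase(ntpath.dirname(ev["path"])))
    if born is not None and ev["mtime"] < born:
        return ("medium", f"{ev['path']} mtime {ev['mtime']:%Y-%m-%d} predates its dir ({born:%Y-%m-%d})")
    return None


def hunt(events):
    """Run every rule over chronologically ordered events; returns (severity, message) findings."""
    findings, staging_dirs, dir_born = [], [], {}
    for ev in events:
        if ev["type"] == "dir_created":
            dir_born[ntpath.normcase(ev["path"])] = ev["time"]
        staging = rule_staging_dir(ev)
        if staging:
            staging_dirs.append(ev["path"])
        for hit in (staging, rule_python_task(ev, staging_dirs),
                    rule_cloud_ddr(ev), rule_timestomp(ev, dir_born)):
            if hit:
                findings.append(hit)
    return findings


T = datetime
SAMPLE_EVENTS = [  # constructed telemetry; paths, names and host are not real IoCs
    {"type": "dir_created", "time": T(2026, 6, 10, 9, 0), "process": "powershell.exe",
     "path": r"C:\Users\alice\AppData\Local\naverwhale", "attributes": 0x16},
    {"type": "file_created", "time": T(2026, 6, 10, 9, 1), "mtime": T(2019, 1, 1),
     "path": r"C:\Users\alice\AppData\Local\naverwhale\loader.py"},
    {"type": "task_created", "time": T(2026, 6, 10, 9, 2), "name": "WindowsUpdateHelper",
     "action": r"C:\Users\alice\AppData\Local\naverwhale\pythonw.exe"},
    {"type": "net_connect", "time": T(2026, 6, 10, 9, 3), "process": "pythonw.exe",
     "host": "api.pcloud.example"},
    {"type": "dir_created", "time": T(2026, 6, 10, 9, 4), "process": "userinit.exe",
     "path": r"C:\Users\bob\Application Data", "attributes": 0x16},  # benign junction
    {"type": "task_created", "time": T(2026, 6, 10, 9, 5), "name": "Nightly build",
     "action": r"C:\Users\bob\AppData\Local\Programs\Python\Python312\python.exe"},
    {"type": "net_connect", "time": T(2026, 6, 10, 9, 6), "process": "chrome.exe",
     "host": "api.pcloud.example"},
]

if __name__ == "__main__":
    for sev, msg in hunt(SAMPLE_EVENTS):
        print(f"[{sev:6}] {msg}")
```

The rules are deliberately chained: a Python interpreter task is only low severity on its own (developers install per-user Python from the official site, exactly as the quoted analysis notes the attacker did), but it becomes high once its path sits inside a folder the staging rule already flagged. The same folder rule is what makes the timestamp heuristic work, since the parent directory’s creation time is recorded before any file inside it is seen.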
This entry was posted on June 16, 2026 at 3:07 pm and is filed under Commentary with tags Microsoft.