A targeted campaign is distributing NarwhalRAT, a Python-based remote access trojan, through spear-phishing emails that impersonate Microsoft account security notifications and warn the recipient about unusual one-time-password activity. The attached "security advisory" is a compressed archive containing a malicious Windows shortcut (.lnk) file. Opening the shortcut starts a multi-stage infection chain built to slip past conventional controls; the commands embedded in the shortcut are heavily obfuscated, which complicates both static detection and analyst triage.

Once it has a foothold, NarwhalRAT contacts its command-and-control infrastructure to receive tasking and exfiltrate collected data. Its primary channel is a set of compromised regional websites; as a fallback it uses pCloud storage as a dead-drop resolver, meaning the cloud-hosted content points the implant to the real C2 servers so their addresses never appear in the sample itself. The implant is built for espionage: it keylogs, captures the screen, records from the microphone, and steals data from USB devices, with its monitoring keyed to whichever window is currently active. The tradecraft resembles that of the North Korean group APT37.

Researchers recommend monitoring for unusual memory consumption by the Python runtime as one way to surface this activity. Because interpreter memory use varies widely with legitimate workloads, that heuristic needs a per-host baseline and should be correlated with process lineage (for example, a Python interpreter descending from a shortcut opened out of an archive) rather than used on its own.
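The memory-based hunting heuristic described above, as an added example that is not part of the original report and not the researchers' own tooling. The process records, host names, PIDs and RSS figures are constructed for illustration; the interpreter name list and the median/MAD outlier rule are my assumptions, not indicators published for NarwhalRAT.

```python
"""Flag Python-runtime processes whose resident memory is an outlier against a
baseline of known-benign samples. Added example; all telemetry is constructed."""
from dataclasses import dataclass
from statistics import median
from typing import Iterable, List, Tuple

# Assumption: the payload runs under a stock CPython image name. A PyInstaller
# or renamed interpreter would need its own entry here.
PYTHON_RUNTIMES = {"python.exe", "pythonw.exe", "python3.exe"}


@dataclass(frozen=True)
class ProcessRecord:
    """One row of process telemetry (hypothetical schema for this example)."""
    host: str
    pid: int
    name: str
    parent_name: str
    rss_mb: float


def robust_baseline(rss_values: Iterable[float]) -> Tuple[float, float]:
    """Median and scaled MAD of benign RSS samples; robust to a few outliers."""
    values = list(rss_values)
    if not values:
        raise ValueError("baseline needs at least one sample")
    med = median(values)
    mad = median(abs(v - med) for v in values) * 1.4826  # scale MAD to ~sigma
    return med, mad


def threshold_mb(baseline: Tuple[float, float], k: float = 4.0,
                 floor_mb: float = 25.0) -> float:
    """Alert threshold = median + k * spread. The floor stops a near-constant
    baseline (MAD ~ 0) from flagging every interpreter slightly above median."""
    med, mad = baseline
    return med + k * max(mad, floor_mb)


def python_memory_outliers(records: Iterable[ProcessRecord],
                           baseline: Tuple[float, float],
                           k: float = 4.0) -> List[ProcessRecord]:
    """Return Python-runtime processes whose RSS exceeds the threshold."""
    limit = threshold_mb(baseline, k)
    return [r for r in records
            if r.name.lower() in PYTHON_RUNTIMES and r.rss_mb > limit]


# Constructed baseline: RSS (MB) of benign python.exe processes on comparable hosts.
BASELINE_RSS_MB = [40.0, 45.0, 52.0, 48.0, 60.0, 55.0, 43.0, 50.0]

# Constructed snapshot: one interpreter far above baseline, launched from explorer.
SNAPSHOT = [
    ProcessRecord("ws-017", 4312, "python.exe", "explorer.exe", 610.0),
    ProcessRecord("ws-017", 5120, "pythonw.exe", "services.exe", 131.0),
    ProcessRecord("ws-017", 2208, "chrome.exe", "explorer.exe", 900.0),
    ProcessRecord("ws-022", 3377, "python.exe", "cmd.exe", 58.0),
]


def run_demo() -> List[ProcessRecord]:
    """Score the constructed snapshot against the constructed baseline."""
    return python_memory_outliers(SNAPSHOT, robust_baseline(BASELINE_RSS_MB))


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit.host} pid={hit.pid} {hit.name} parent={hit.parent_name} "
              f"rss={hit.rss_mb:.0f}MB exceeds baseline")
```

Only the 610 MB interpreter spawned by explorer.exe is flagged; the 900 MB browser is ignored because it is not a Python runtime, and the 131 MB interpreter sits under the threshold. In practice the baseline should be built per host class from your own telemetry, and a hit should be joined with the parent chain so that an interpreter descending from a shortcut in a freshly extracted archive ranks above one started by a scheduled task.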

