Fake Microsoft alerts used to deliver NarwhalRAT by APT37

Colleagues, please note: a new APT37 phishing campaign has been observed.
— Attackers spoof Microsoft Account alerts and attach a ZIP containing an LNK file.
— The LNK triggers a multi-stage chain: batch scripts, legitimate Python, a CAT file, then NarwhalRAT download.
— Persistence via scheduled tasks; execution occurs in memory without disk artifacts.
— RAT capabilities: keylogging, screenshots, audio recording, file and USB data theft, C2 switching (pCloud, Korean sites).
Why it matters: combining convincing social engineering with a complex in-memory loader raises the risk of corporate compromise, because the usual file-based indicators are largely absent.
How is your organization defending against such chains?
#cybersecurity #phishing #APT37 #malware
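Added example (not part of the original post and not tied to any real indicators from the campaign): a small heuristic detector that walks process-creation records and flags the behaviours the chain above relies on: a shell launched by Explorer with its arguments pointing into the user's Temp directory (the LNK-inside-ZIP stage), a scheduled task whose action runs a Python interpreter, a Python interpreter executing from Temp, and Python being handed a non-.py file such as a .cat. The event layout, rule names and all sample records are constructed assumptions for illustration; a real deployment would map the fields onto Sysmon event 1 or the EDR's equivalent and tune the Temp-path rule to the organisation's own baseline.

```python
"""Heuristic detection of the LNK -> batch -> Python -> scheduled-task chain.

Added example. The ProcEvent shape and the SAMPLE_EVENTS below are constructed
for illustration; they are not telemetry from the actual campaign.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 or EDR equivalent)."""
    parent_image: str
    image: str
    command_line: str

# Assumption: payloads unpacked by Explorer land under the user's Temp directory.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_EXTS = {"py", "pyw"}

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _tokens(cmdline: str) -> List[str]:
    # Split on whitespace but keep quoted Windows paths together.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def _extension(path: str) -> str:
    name = _basename(path)
    return name.rsplit(".", 1)[-1] if "." in name else ""

def detect(ev: ProcEvent) -> List[str]:
    """Return the list of rule names that match a single event."""
    hits: List[str] = []
    parent = _basename(ev.parent_image)
    image = _basename(ev.image)
    toks = _tokens(ev.command_line)

    # Rule 1: Explorer starts a shell whose arguments reference the Temp directory
    # (what double-clicking an LNK extracted from a ZIP typically looks like).
    if parent == "explorer.exe" and image in {"cmd.exe", "powershell.exe"} \
            and TEMP_DIR.search(ev.command_line):
        hits.append("shell-from-explorer-temp")

    # Rule 2: schtasks /create whose action runs a Python interpreter.
    if image == "schtasks.exe" and any(t.lower() == "/create" for t in toks) \
            and re.search(r"python\w*\.exe", ev.command_line, re.IGNORECASE):
        hits.append("schtask-runs-python")

    if image.startswith("python") and image.endswith(".exe"):
        # Rule 3: the interpreter binary itself lives under Temp (staged, not installed).
        if TEMP_DIR.search(ev.image):
            hits.append("python-from-temp")
        # Rule 4: first positional argument is a file that is not a .py script
        # (e.g. a .cat used as a disguised loader). Skip -m / -c invocations.
        if "-m" not in toks and "-c" not in toks:
            args = [t for t in toks[1:] if not t.startswith("-")]
            if args and _extension(args[0]) not in SCRIPT_EXTS:
                hits.append("python-non-py-script")
    return hits

def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index -> matched rules, omitting events with no findings."""
    return {i: h for i, ev in enumerate(events) if (h := detect(ev))}

# Constructed sample records: three stages of the chain plus two benign events.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\Temp1_MS_Account_Alert.zip\start.bat"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc minute /mo 30 /tn "SysUpdate" '
              r'/tr "C:\Users\alice\AppData\Local\Temp\py\python.exe C:\Users\alice\AppData\Local\Temp\py\data.cat"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
              r"python.exe C:\Users\alice\AppData\Local\Temp\py\data.cat"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Python311\python.exe", r"python.exe C:\Projects\app.py"),
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

Rules 1 and 3 are the noisy ones in practice (developers unpack archives into Temp, and portable Python builds do run from there), so they work best as a correlated sequence on one host within a short window rather than as stand-alone alerts; rule 2 is specific enough to page on by itself.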
