ctipilot.ch


ScarCruft (APT37) delivers NarwhalRAT behind fake Microsoft OTP "security alert" lures

From CTI Daily Brief — 2026-06-18 · published 2026-06-18

Genians Security Center attributed a new campaign to ScarCruft / APT37 (North Korea nexus) deploying a previously undocumented RAT it calls NarwhalRAT (Genians, 2026-06-16). The lure is a spearphishing email impersonating a Microsoft multi-factor authentication / OTP security alert; the attached ZIP carries a Windows shortcut (LNK) that launches PowerShell with -ExecutionPolicy Bypass to pull a batch loader, which establishes persistence via a scheduled task running on a one-minute interval (T1053.005). The payload is a compiled-Python binary that loads obfuscated bytecode and provides keylogging (T1056.001), screenshot and audio capture, USB collection and remote command execution. C2 resilience comes from a pCloud dead-drop resolver (T1102.001) that hands out the current relay addresses, so static domain/IP blocking does not break the channel (The Hacker News, 2026-06-17).

Why it matters to us: APT37 targets government, diplomatic, policy-research and Korean-diaspora organisations, including in Europe. The behavioural chain is hunt-friendly without IOCs: alert on schtasks.exe creating tasks under an unusual Microsoft…-style name from a non-installer parent, on LNK→PowerShell -ExecutionPolicy Bypass execution trees, and on compiled-Python process images making outbound calls to consumer cloud-storage APIs. Treat the cloud dead-drop pattern as the durable detection surface — blocking one relay does not break C2.
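As an added example (not from the Genians report, The Hacker News write-up or this brief), the three hunts above expressed as Python detection logic over constructed Sysmon-style events. Assumptions: field names mirror Sysmon Event IDs 1 (process create), 3 (network connect) and 7 (image load); the installer parent allow-list and the cloud-storage domains other than pcloud.com are an analyst starter list to tune; task and file names in the sample events are constructed.

```python
"""Behavioural hunts for the APT37 / NarwhalRAT chain over Sysmon-style events.

Added example: constructed events, assumed field names (Sysmon EID 1/3/7 schema),
analyst-chosen allow-lists. Tune INSTALLER_PARENTS and CLOUD_STORAGE_DOMAINS per estate.
"""
import re
from collections import defaultdict

# Parents that legitimately register Microsoft* scheduled tasks (assumed allow-list).
INSTALLER_PARENTS = {"msiexec.exe", "setup.exe", "tiworker.exe", "officeclicktorun.exe"}
# pcloud.com is from the report; the rest are an assumed starter list of consumer storage APIs.
CLOUD_STORAGE_DOMAINS = ("pcloud.com", "dropbox.com", "dropboxapi.com", "mega.nz", "drive.google.com")
# PowerShell accepts unambiguous parameter prefixes, so also catch -ep / -ex / -exec bypass.
EP_BYPASS = re.compile(r"-e(?:p|x(?:ec(?:utionpolicy)?)?)\s+bypass", re.IGNORECASE)
TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)', re.IGNORECASE)
ONE_MINUTE = re.compile(r"/sc\s+minute\s+/mo\s+1\b", re.IGNORECASE)
PYTHON_DLL = re.compile(r"\\python3\d*\.dll$", re.IGNORECASE)  # PyInstaller/py2exe runtime marker


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_lnk_powershell(ev):
    """LNK launched from Explorer -> PowerShell with an execution-policy bypass."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    if basename(ev["ParentImage"]) != "explorer.exe" or not EP_BYPASS.search(ev["CommandLine"]):
        return None
    return {"rule": "lnk_powershell_ep_bypass", "host": ev["Computer"],
            "severity": "medium", "detail": ev["CommandLine"]}


def rule_schtask_microsoft_name(ev):
    """schtasks /create with a Microsoft*-style name from a non-installer parent; one-minute cadence is high."""
    if ev["EventID"] != 1 or basename(ev["Image"]) != "schtasks.exe":
        return None
    cmd = ev["CommandLine"]
    m = TASK_NAME.search(cmd)
    if "/create" not in cmd.lower() or not m or not m.group(1).lower().startswith("microsoft"):
        return None
    if basename(ev["ParentImage"]) in INSTALLER_PARENTS:
        return None
    severity = "high" if ONE_MINUTE.search(cmd) else "medium"
    return {"rule": "schtask_microsoft_name_noninstaller", "host": ev["Computer"],
            "severity": severity, "detail": cmd}


def rule_python_cloud_beacon(events):
    """Process that loaded a python3*.dll (EID 7) then connected to a consumer storage API (EID 3)."""
    python_procs = {ev["ProcessGuid"] for ev in events
                    if ev["EventID"] == 7 and PYTHON_DLL.search(ev["ImageLoaded"])}
    alerts = []
    for ev in events:
        if ev["EventID"] != 3 or ev["ProcessGuid"] not in python_procs:
            continue
        host = ev.get("DestinationHostname", "").lower()
        if any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS):
            alerts.append({"rule": "python_image_to_cloud_storage", "host": ev["Computer"],
                           "severity": "high", "detail": f'{ev["Image"]} -> {host}:{ev["DestinationPort"]}'})
    return alerts


def detect(events):
    alerts = []
    for ev in events:
        for rule in (rule_lnk_powershell, rule_schtask_microsoft_name):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    alerts.extend(rule_python_cloud_beacon(events))
    return alerts


def chain_hosts(alerts, min_rules=2):
    """Hosts where at least min_rules distinct behaviours fired: the chain, not one noisy rule."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)


# Constructed sample telemetry: one compromised host (WS-042) and benign look-alikes (WS-007).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-042", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\stage.ps1"},
    {"EventID": 1, "Computer": "WS-042", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "MicrosoftEdgeUpdateCore" /sc minute /mo 1 /tr C:\Users\alice\AppData\Roaming\svc.bat /f'},
    {"EventID": 7, "Computer": "WS-042", "ProcessGuid": "{guid-3}",
     "Image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\_MEI4412\python312.dll"},
    {"EventID": 3, "Computer": "WS-042", "ProcessGuid": "{guid-3}",
     "Image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "DestinationHostname": "api.pcloud.com", "DestinationPort": 443},
    {"EventID": 1, "Computer": "WS-007", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Microsoft\Office\OfficeTelemetry" /sc daily /tr "C:\Program Files\Microsoft Office\telemetry.exe"'},
    {"EventID": 1, "Computer": "WS-007", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\report.ps1"},
    {"EventID": 3, "Computer": "WS-007", "ProcessGuid": "{guid-9}",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "drive.google.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["rule"], alert["detail"])
    print("chain on:", chain_hosts(detect(SAMPLE_EVENTS)))
```

The correlation in `chain_hosts` is the point: each rule alone will produce some benign hits (admins do use execution-policy bypass; Office does register Microsoft-named tasks), but two or more of these behaviours on one host in a short window is the chain the report describes, and the cloud-storage beacon rule keys on the process image, not on whichever relay address the dead-drop resolver handed out that day.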