Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2
NarwhalRAT is a sophisticated Python-based remote access trojan (RAT) used by the APT37 threat actor targeting Korean users. It is delivered via spear phishing emails disguised as Microsoft security alerts, using LNK files in ZIP archives and BAT-based obfuscation. The malware supports keylogging, screen capture, microphone recording, and USB data collection. It uses a dual command-and-control (C2) infrastructure combining Korean relay servers and the pCloud API as a dead-drop resolver. NarwhalRAT employs anti-VM techniques, encrypted configuration files, persistence via scheduled tasks, and in-memory execution to evade detection. It is manually controlled with selective function activation through C2 commands. No affected software versions or patches are specified.
AI Analysis
Technical Summary
NarwhalRAT is a Python-based RAT attributed to APT37, targeting Korean users through spear phishing emails that mimic Microsoft security alerts. The infection chain involves LNK files embedded in ZIP archives and BAT script obfuscation, leading to multi-stage loaders that deploy the RAT. The malware features capabilities including keylogging, screen capture, microphone recording, and USB data theft. It uses a dual C2 infrastructure with Korean relay servers (daehoat.com, novel21.co.kr) and the pCloud API as a dead-drop resolver for command and control. The malware creates encrypted configuration files, implements anti-VM detection, and maintains persistence via scheduled tasks. It executes code in memory to avoid file-based detection and operates under manual control with selective activation of features via C2 commands. Indicators include multiple domains and IP addresses linked to the infrastructure. There are no known patches or fixes as this is malware rather than a software vulnerability.
Potential Impact
The malware enables attackers to perform extensive espionage activities including capturing keystrokes, screenshots, audio recordings, and exfiltrating data from USB devices. It establishes persistent access and evades detection through anti-VM techniques and in-memory execution. The dual C2 infrastructure and dead-drop resolver increase operational resilience and stealth. This compromises confidentiality and privacy of targeted users, primarily in Korea.
Mitigation Recommendations
No official patches or fixes exist as this is malware. Defenders should focus on user awareness to recognize spear phishing attempts, especially those impersonating Microsoft alerts. Network monitoring for the identified C2 domains and IP addresses can help detect and block communications. Endpoint detection solutions should be tuned to identify LNK file abuse, BAT script obfuscation, and suspicious scheduled tasks. Employing anti-malware tools capable of detecting in-memory execution and behavioral anomalies is recommended. Since the malware uses manual control, timely detection can prevent further malicious activity.
Indicators of Compromise
- domain: crwellfood.com
- ip: 211.239.157.126
- ip: 218.150.78.198
- domain: fe01.co.kr
- hash: 3715092aa00f380cefe8b4d2eddb7d08
- hash: 7cef19f9c4480adac0cd4702ff98f46c
- hash: 7eb9cee1f696727752169f25cf79a338
- hash: b6b0602310bb2d4360c52685119aac1b
- ip: 121.254.222.10
- ip: 121.254.222.80
- ip: 218.150.78.231
- ip: 61.100.9.206
- url: http://www.novel21.co.kr/data/editor/2110/index.php
- domain: novel21.co.kr
- domain: webhostingkorea.com
- domain: www.novel21.co.kr
Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2
Description
NarwhalRAT is a sophisticated Python-based remote access trojan (RAT) used by the APT37 threat actor targeting Korean users. It is delivered via spear phishing emails disguised as Microsoft security alerts, using LNK files in ZIP archives and BAT-based obfuscation. The malware supports keylogging, screen capture, microphone recording, and USB data collection. It uses a dual command-and-control (C2) infrastructure combining Korean relay servers and the pCloud API as a dead-drop resolver. NarwhalRAT employs anti-VM techniques, encrypted configuration files, persistence via scheduled tasks, and in-memory execution to evade detection. It is manually controlled with selective function activation through C2 commands. No affected software versions or patches are specified.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
NarwhalRAT is a Python-based RAT attributed to APT37, targeting Korean users through spear phishing emails that mimic Microsoft security alerts. The infection chain involves LNK files embedded in ZIP archives and BAT script obfuscation, leading to multi-stage loaders that deploy the RAT. The malware features capabilities including keylogging, screen capture, microphone recording, and USB data theft. It uses a dual C2 infrastructure with Korean relay servers (daehoat.com, novel21.co.kr) and the pCloud API as a dead-drop resolver for command and control. The malware creates encrypted configuration files, implements anti-VM detection, and maintains persistence via scheduled tasks. It executes code in memory to avoid file-based detection and operates under manual control with selective activation of features via C2 commands. Indicators include multiple domains and IP addresses linked to the infrastructure. There are no known patches or fixes as this is malware rather than a software vulnerability.
Potential Impact
The malware enables attackers to perform extensive espionage activities including capturing keystrokes, screenshots, audio recordings, and exfiltrating data from USB devices. It establishes persistent access and evades detection through anti-VM techniques and in-memory execution. The dual C2 infrastructure and dead-drop resolver increase operational resilience and stealth. This compromises confidentiality and privacy of targeted users, primarily in Korea.
Mitigation Recommendations
No official patches or fixes exist as this is malware. Defenders should focus on user awareness to recognize spear phishing attempts, especially those impersonating Microsoft alerts. Network monitoring for the identified C2 domains and IP addresses can help detect and block communications. Endpoint detection solutions should be tuned to identify LNK file abuse, BAT script obfuscation, and suspicious scheduled tasks. Employing anti-malware tools capable of detecting in-memory execution and behavioral anomalies is recommended. Since the malware uses manual control, timely detection can prevent further malicious activity.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.genians.co.kr/en/blog/threat_intelligence/narwhalrat"]
- Adversary
- APT37
- Pulse Id
- 6a30130ad416e33ebf9e9417
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domaincrwellfood.com | — | |
domainfe01.co.kr | — | |
domainnovel21.co.kr | — | |
domainwebhostingkorea.com | — | |
domainwww.novel21.co.kr | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip211.239.157.126 | — | |
ip218.150.78.198 | — | |
ip121.254.222.10 | — | |
ip121.254.222.80 | — | |
ip218.150.78.231 | — | |
ip61.100.9.206 | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash3715092aa00f380cefe8b4d2eddb7d08 | — | |
hash7cef19f9c4480adac0cd4702ff98f46c | — | |
hash7eb9cee1f696727752169f25cf79a338 | — | |
hashb6b0602310bb2d4360c52685119aac1b | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://www.novel21.co.kr/data/editor/2110/index.php | — |
Threat ID: 6a3036a80b89be6888612aac
Added to database: 6/15/2026, 5:30:16 PM
Last enriched: 6/15/2026, 5:45:27 PM
Last updated: 6/15/2026, 6:39:16 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.