NarwhalRAT Malware Uses PowerShell and Python Loader
Hackers Abuse LNK Files, PowerShell, and Python Loader to Deploy NarwhalRAT
A sophisticated malware campaign is targeting Korean users through phishing emails, malicious shortcut files, PowerShell abuse, and a Python-based loader chain.
The campaign deploys a remote access trojan known as NarwhalRAT.
The infection begins with a spear phishing email that pretends to come from the “Microsoft Account Team.”
The message warns the recipient about suspicious one-time password activity and urges them to open an attached advisory document.
In reality, the attachment is a ZIP archive containing a malicious LNK shortcut file.
Once opened, the shortcut launches a layered infection chain that uses built-in Windows tools and a Python payload to install the malware while blending into normal system behavior.
For enterprises, this campaign is a strong reminder that modern malware often succeeds by combining ordinary tools with deceptive packaging.
What Happened:
Threat actors are using phishing emails, LNK files, PowerShell, curl, batch scripts, and Python components to deliver NarwhalRAT.
The malicious email is designed to look like an urgent account security warning.
The attached ZIP archive contains a shortcut file disguised as a security advisory document.
When the victim opens the LNK file, hidden command logic begins executing.
The LNK file uses CMD environment variable substring substitution to rebuild commands at runtime.
This helps obscure strings such as PowerShell and curl from static detection.
After deobfuscation, the shortcut launches PowerShell with execution policy bypassed.
It then uses a copied curl.exe binary to download additional files from a relay server.
One downloaded file is a decoy HWP document, opened to keep the victim unsuspecting.
The other is a batch script that performs the next-stage installation.
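To make the substring trick concrete for analysts who have to read such shortcut command lines, here is an added example (not code from the article or from the campaign it describes) of a small resolver that applies cmd.exe's %VAR:~start,length% rules to a command line and compares indicator hits before and after expansion. The sample command, the environment values and the indicator list are constructed for this example; the point it shows is why a static string match on the raw LNK arguments misses PowerShell and curl while the expanded form exposes both.

```python
import re

# Constructed environment values: what these variables hold on a typical Windows
# install. They are embedded here so the resolver runs offline on any platform.
SAMPLE_ENV = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "PROGRAMFILES": r"C:\Program Files",
    "PSMODULEPATH": r"C:\Program Files\WindowsPowerShell\Modules",
    "PUBLIC": r"C:\Users\Public",
}

# Matches %VAR%, %VAR:~start% and %VAR:~start,length% (start/length may be negative)
SUBSTR_EXPR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?%")

# Strings the obfuscation is meant to hide; matched on the raw and the resolved line
INDICATORS = {
    "powershell": re.compile(r"\bpowershell\b", re.I),
    "curl": re.compile(r"\bcurl(?:\.exe)?\b", re.I),
    "execution_policy_bypass": re.compile(r"-e[a-z]*\s+bypass", re.I),
    "hidden_window": re.compile(r"-w[a-z]*\s+hidden", re.I),
}


def cmd_substring(value, start, length=None):
    """Apply cmd.exe's %VAR:~start,length% rules to an already-expanded value."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)      # negative start counts back from the end
    if start >= n:
        return ""
    if length is None:
        end = n                         # no length: take the rest of the string
    elif length < 0:
        end = n + length                # negative length: stop that far from the end
    else:
        end = start + length
    return value[start:end] if end > start else ""


def resolve(command, env=SAMPLE_ENV):
    """Expand every %VAR...% expression in a cmd.exe command line."""
    def expand(match):
        name, start, length = match.groups()
        value = env.get(name.upper())
        if value is None:
            return match.group(0)       # unknown variable: leave the text untouched
        if start is None:
            return value
        return cmd_substring(value, int(start), None if length is None else int(length))
    return SUBSTR_EXPR.sub(expand, command)


def analyze(command, env=SAMPLE_ENV):
    """Indicator hits before and after expansion, plus a count of substring expressions."""
    resolved = resolve(command, env)
    return {
        "resolved": resolved,
        "raw_hits": sorted(k for k, p in INDICATORS.items() if p.search(command)),
        "resolved_hits": sorted(k for k, p in INDICATORS.items() if p.search(resolved)),
        "substring_expressions": len(re.findall(r"%[A-Za-z_][A-Za-z0-9_]*:~", command)),
    }


# Constructed sample in the style the article describes: "PowerShell" and "curl"
# are assembled at runtime from characters of ordinary environment variables.
SAMPLE_COMMAND = (
    '%COMSPEC% /c %PSMODULEPATH:~24,5%%PSMODULEPATH:~29,5% -ep bypass -w hidden '
    '-c "%COMSPEC:~-7,1%%PUBLIC:~10,1%%PROGRAMFILES:~4,1%%PUBLIC:~12,1%.exe <args omitted>"'
)

if __name__ == "__main__":
    report = analyze(SAMPLE_COMMAND)
    print(report["resolved"])
    print("hits before expansion:", report["raw_hits"])
    print("hits after expansion: ", report["resolved_hits"])
```

A high count of `%VAR:~` expressions in a shortcut's arguments is itself a usable signal, since ordinary LNK targets almost never compute their command at runtime; the resolved line is what string-based rules should be evaluated against.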
Why This Issue Is Critical:
This issue is critical because the attack chain abuses tools and behaviors that may appear normal inside Windows environments.
PowerShell is commonly used for administration.
curl is built into modern Windows environments and is often allowed.
Python packages may look like developer or software installation activity.
Scheduled tasks are legitimate persistence mechanisms.
Attackers combine these trusted elements to reduce suspicion and bypass weaker controls.
This is why detection cannot rely only on blocking unknown binaries.
Security teams need behavioral visibility into how scripts, shortcuts, interpreters, and scheduled tasks interact.
NarwhalRAT is especially concerning because it provides remote access capabilities that can support surveillance, data theft, command execution, and long-term compromise.
How the NarwhalRAT Loader Works:
The infection chain uses multiple stages to reduce visibility.
First, the phishing email delivers a ZIP archive.
Inside the archive is a malicious LNK file.
When clicked, the shortcut uses obfuscated command logic to reconstruct execution commands at runtime.
PowerShell is launched with execution policy bypassed.
A copied curl.exe utility is used to download payload components.
The attack then opens a decoy HWP document to distract the victim.
At the same time, a batch script continues the installation process in a hidden window.
The batch script downloads the official Python embedded package, making the activity resemble a normal software setup.
Pythonw.exe is renamed to usersscreen.exe to suppress any visible console window.
A file named config.cat is used as the backdoor loader.
Although the .cat extension resembles a Windows security catalog file, the file is actually compiled Python bytecode.
Persistence and Evasion:
The malware uses persistence techniques designed to look legitimate.
It creates a scheduled task named MicrosoftUserInterfacePicturesUpdateTackMachine.
The task runs at one-minute intervals.
The name is crafted to look similar to a legitimate Microsoft-related system task.
This can make casual administrative review less effective.
NarwhalRAT also creates working directories that reference naverwhale, likely to masquerade as Naver Whale, a popular browser in South Korea.
The created folder is assigned Hidden and System attributes to stay out of plain sight.
The malware also checks for virtual machine environments such as VMware, VirtualBox, and Parallels Desktop.
That anti-analysis behavior helps the malware avoid sandboxes and researcher environments.
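As an added example (not from the article or from the malware analysis it summarizes), the following Python review applies the persistence indicators above to constructed scheduled-task records and a constructed directory listing: a one-minute repetition interval, a root-level task name that borrows the word Microsoft without living under the \Microsoft\ task folder, an action under a user profile path, a .cat argument, and Hidden plus System attributes on a folder under \Users. The task records, the directory entries and the field names are assumptions made for this example; the attribute constants are the ones Python's stat module exposes.

```python
import stat

# Constructed scheduled-task records, reduced from task XML / schtasks output to
# task path, repetition interval, action and arguments. The first entry mirrors
# the task the article describes; the other two are benign and included for contrast.
TASKS = [
    {"path": r"\MicrosoftUserInterfacePicturesUpdateTackMachine", "repeat_minutes": 1,
     "action": r"C:\Users\Public\naverwhale\usersscreen.exe",
     "arguments": r"C:\Users\Public\naverwhale\config.cat"},
    {"path": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan", "repeat_minutes": None,
     "action": r"%systemroot%\system32\usoclient.exe", "arguments": "StartScan"},
    {"path": r"\BackupJob", "repeat_minutes": 60,
     "action": r"C:\Users\jdoe\tools\backup.exe", "arguments": ""},
]

# Constructed directory listing: (path, Windows file-attribute bitmask)
DIRS = [
    (r"C:\Users\Public\naverwhale",
     stat.FILE_ATTRIBUTE_DIRECTORY | stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM),
    (r"C:\Users\Public\Documents", stat.FILE_ATTRIBUTE_DIRECTORY),
    (r"C:\Users\jdoe\AppData", stat.FILE_ATTRIBUTE_DIRECTORY | stat.FILE_ATTRIBUTE_HIDDEN),
]


def task_indicators(task):
    """Return the set of persistence indicators a single task record triggers."""
    hits = set()
    path = task["path"].lower()
    if task["repeat_minutes"] is not None and task["repeat_minutes"] <= 1:
        hits.add("one_minute_interval")
    # Genuine Microsoft tasks live in folders under \Microsoft\; a task at the root
    # of the library whose name merely contains "microsoft" is a lookalike.
    if "microsoft" in path and not path.startswith("\\microsoft\\"):
        hits.add("microsoft_lookalike_name")
    if "\\users\\" in task["action"].lower():
        hits.add("action_in_user_profile")
    if task["arguments"].lower().endswith(".cat"):
        hits.add("cat_file_argument")
    return hits


def review_tasks(tasks, threshold=2):
    """Map task path -> sorted indicators for tasks with at least `threshold` hits."""
    flagged = {}
    for task in tasks:
        hits = task_indicators(task)
        if len(hits) >= threshold:
            flagged[task["path"]] = sorted(hits)
    return flagged


def hidden_system_dirs(entries):
    """Directories under \\Users carrying both the Hidden and the System attribute."""
    mask = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return [path for path, attrs in entries
            if attrs & mask == mask and "\\users\\" in path.lower()]


if __name__ == "__main__":
    for path, hits in review_tasks(TASKS).items():
        print(path, hits)
    print(hidden_system_dirs(DIRS))
```

On a live Windows host the same records come from `schtasks /query /xml` or `Get-ScheduledTask`, and the attribute bitmask from `os.stat(path).st_file_attributes`; the threshold of two keeps an ordinary user task that merely runs from a profile folder (the BackupJob entry) out of the flagged set.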
NarwhalRAT Capabilities:
Once executed, NarwhalRAT behaves as a full-featured remote access trojan.
Its command system reportedly uses more than 30 prefixes to control different functions.
The malware can support multiple attacker objectives.
- Screen capture
- Keylogging
- Microphone recording
- File upload
- File download
- USB data collection
- Remote command execution
- C2 configuration changes
- Environment checking
- Anti-virtual machine behavior
- Data staging before transmission
These capabilities make NarwhalRAT more than a simple downloader.
It can give attackers ongoing control, surveillance capability, and data access on infected systems.
Command-and-Control Communication:
NarwhalRAT uses a dual command-and-control structure.
The malware connects to Korean relay infrastructure while also using pCloud as a dead-drop resolver.
A dead-drop resolver allows attackers to change the real command-and-control address without modifying the malware directly.
This helps the operation remain flexible.
It also makes detection harder because cloud service traffic may blend into normal network activity.
The campaign’s use of Korean relay servers, Naver Whale references, and KakaoTalk-related collection logic strongly suggests Korean targeting.
This matters for defenders because regional targeting often influences phishing themes, decoy documents, application references, and language choices.
How the Attack Chain Could Work:
A realistic attack path may follow this pattern.
- A phishing email impersonates the Microsoft Account Team
- The message warns about suspicious one-time password activity
- The user opens an attached ZIP archive
- A malicious LNK shortcut file is launched
- Obfuscated CMD logic reconstructs execution commands
- PowerShell runs with execution policy bypassed
- curl.exe downloads a decoy document and a second-stage batch script
- The decoy HWP document opens to distract the victim
- The batch script installs a Python embedded package
- Pythonw.exe is renamed to usersscreen.exe for silent execution
- Compiled Python bytecode executes as the backdoor loader
- A scheduled task is created for persistence
- NarwhalRAT establishes command-and-control communication
- The attacker gains remote access and surveillance capability
This attack chain shows how ordinary Windows components can be chained together into a stealthy compromise path.
Why This Incident Matters for Cybersecurity:
This incident reinforces a major cybersecurity reality.
Attackers do not always need custom malware at every stage.
They can use legitimate system tools, cloud services, renamed binaries, shortcut files, and scripting engines to build effective infection chains.
That is why security teams must monitor behavior, not only file reputation.
A malicious LNK file, PowerShell execution policy bypass, curl download activity, hidden Python execution, and scheduled task persistence should create a high-confidence detection pattern when observed together.
The campaign also shows how phishing remains a primary delivery method.
A convincing security-themed email can still lead users to open attachments, especially when the message claims urgent account activity.
Common Risks Highlighted:
This NarwhalRAT campaign highlights several common enterprise weaknesses.
- Users opening ZIP attachments from phishing emails
- LNK shortcut files allowed inside email attachments
- Weak controls around PowerShell execution
- Limited visibility into curl.exe download activity
- Python interpreters allowed without application control
- Scheduled task creation not monitored
- Hidden directories ignored during endpoint review
- Cloud service traffic trusted by default
- Inadequate detection of renamed binaries
- Limited correlation between email, endpoint, and network events
These weaknesses can allow a phishing email to become a full remote access compromise.
Potential Impact:
The potential impact of NarwhalRAT infection can be severe.
- Remote attacker access
- Credential theft through keylogging
- Screen capture
- Audio surveillance through microphone recording
- File theft
- USB data collection
- Command execution
- Persistence through scheduled tasks
- Data staging and exfiltration
- Follow-on malware deployment
- Internal reconnaissance
- Long-term endpoint compromise
The impact depends on the privileges of the infected user, the sensitivity of the endpoint, and what internal systems the machine can access.
If the victim has access to business systems, cloud portals, financial platforms, or administrative tools, the compromise can become much larger than one device.
What Organizations Should Do Now:
Organizations should strengthen controls around shortcut files, scripting engines, and suspicious living-off-the-land behavior.
- Block or quarantine LNK files delivered through email attachments
- Inspect ZIP archives containing shortcut files
- Restrict PowerShell execution where possible
- Alert on PowerShell execution policy bypass
- Monitor curl.exe usage from unusual parent processes
- Detect script downloads from untrusted domains
- Monitor Python embedded package deployment on non-developer systems
- Detect renamed Pythonw.exe execution
- Alert on suspicious scheduled task creation
- Review hidden and system-attributed directories in public user paths
- Monitor pCloud and unusual cloud storage API usage
- Correlate email attachment activity with endpoint execution events
Security teams should prioritize behavioral detections across the full chain.
Any single step may look normal.
Together, the sequence is highly suspicious.
Detection and Monitoring Strategies:
Security teams should build detections around the NarwhalRAT attack pattern.
- LNK file execution from extracted ZIP archives
- CMD substring substitution used for command obfuscation
- PowerShell launched from shortcut files
- PowerShell execution policy bypass
- curl.exe launched by PowerShell or CMD from user directories
- Downloaded batch scripts running in hidden windows
- Python embedded package installation on ordinary user endpoints
- Pythonw.exe renamed to unusual filenames
- .cat files executed as payload components
- Scheduled task creation with Microsoft-like misspelled names
- One-minute scheduled task intervals
- Hidden directories created under public user paths
- Connections to unusual Korean relay infrastructure
- pCloud API usage by unknown processes
Detection should focus on relationships between processes.
A shortcut launching PowerShell, PowerShell launching curl, curl downloading scripts, and Python executing hidden payloads should trigger immediate investigation.
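The process-relationship rule above, as an added example that is not from the article: a Python correlation over constructed Sysmon-style process-creation events. Each process is scored against the indicators from the detection list (substring obfuscation in a cmd.exe command line, execution policy bypass and hidden window on PowerShell, curl.exe running from outside System32, a batch file under a user profile, and an interpreter whose OriginalFileName is pythonw.exe but whose file name is not), and an alert fires when a process's ancestry accumulates several distinct indicators. The event data, the field names (pid, ppid, image, cmdline, orig), the indicator names and the threshold of three are all assumptions made here.

```python
import ntpath
import re

SYSTEM32 = "c:\\windows\\system32\\"

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields
# (ProcessId, ParentProcessId, Image, CommandLine, OriginalFileName). They are
# invented for this example and only mirror the chain the article describes;
# pids 2000-2300 are ordinary admin activity included for contrast.
EVENTS = [
    {"pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "orig": "EXPLORER.EXE", "cmdline": "explorer.exe"},
    {"pid": 1100, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe", "orig": "Cmd.Exe",
     "cmdline": r'cmd.exe /c %PSMODULEPATH:~24,10% -ep bypass -w hidden -c "<script omitted>"'},
    {"pid": 1200, "ppid": 1100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "orig": "PowerShell.EXE", "cmdline": r'PowerShell -ep bypass -w hidden -c "<script omitted>"'},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Users\Public\curl.exe", "orig": "curl.exe",
     "cmdline": r"curl.exe -o C:\Users\Public\advisory.hwp <url omitted>"},
    {"pid": 1310, "ppid": 1200, "image": r"C:\Users\Public\curl.exe", "orig": "curl.exe",
     "cmdline": r"curl.exe -o C:\Users\Public\update.bat <url omitted>"},
    {"pid": 1400, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe", "orig": "Cmd.Exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\update.bat"},
    {"pid": 1500, "ppid": 1400, "image": r"C:\Users\Public\naverwhale\usersscreen.exe",
     "orig": "pythonw.exe", "cmdline": r"usersscreen.exe C:\Users\Public\naverwhale\config.cat"},
    {"pid": 2000, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "orig": "EXPLORER.EXE", "cmdline": "explorer.exe"},
    {"pid": 2100, "ppid": 2000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "orig": "PowerShell.EXE", "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"pid": 2200, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe", "orig": "Cmd.Exe",
     "cmdline": "cmd.exe /c curl.exe -sS <url omitted>"},
    {"pid": 2300, "ppid": 2200, "image": r"C:\Windows\System32\curl.exe", "orig": "curl.exe",
     "cmdline": "curl.exe -sS <url omitted>"},
]


def basename(path):
    return ntpath.basename(path).lower()


def indicators_for(ev):
    """Per-process indicators taken from the article's detection list."""
    img, orig, cl = basename(ev["image"]), ev["orig"].lower(), ev["cmdline"]
    hits = set()
    if img == "cmd.exe" and re.search(r"%[a-z_][a-z0-9_]*:~", cl, re.I):
        hits.add("cmd_substring_obfuscation")          # %VAR:~start,len% rebuilding
    if orig == "powershell.exe":
        if re.search(r"-e[a-z]*\s+bypass", cl, re.I):
            hits.add("powershell_ep_bypass")
        if re.search(r"-w[a-z]*\s+hidden", cl, re.I):
            hits.add("powershell_hidden_window")
    if orig == "curl.exe" and not ev["image"].lower().startswith(SYSTEM32):
        hits.add("curl_outside_system32")              # copied curl.exe binary
    if img == "cmd.exe" and re.search(r'\\users\\[^\s"]+\.(?:bat|cmd)\b', cl, re.I):
        hits.add("batch_from_user_profile")
    if orig in ("python.exe", "pythonw.exe"):
        if img != orig:
            hits.add("renamed_python_interpreter")      # OriginalFileName != file name
        if re.search(r"\S+\.cat\b", cl, re.I):
            hits.add("cat_file_as_python_payload")
    return hits


def ancestry(pid, index):
    """The process and its ancestors, root first, following ppid links."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid]["ppid"]
    return chain[::-1]


def evaluate(events, threshold=3):
    """Alert on every process whose ancestry accumulates >= threshold distinct indicators."""
    index = {ev["pid"]: ev for ev in events}
    alerts = {}
    for ev in events:
        chain = ancestry(ev["pid"], index)
        hits = set().union(*(indicators_for(node) for node in chain))
        if len(hits) >= threshold:
            alerts[ev["pid"]] = {"chain": [basename(n["image"]) for n in chain],
                                 "indicators": sorted(hits)}
    return alerts


if __name__ == "__main__":
    for pid, alert in evaluate(EVENTS).items():
        print(pid, " -> ".join(alert["chain"]), alert["indicators"])
```

Scoring the whole ancestry rather than single events is what keeps the benign PowerShell script and the System32 curl run below the threshold while every process in the malicious branch alerts. On real telemetry, link processes by ProcessGuid instead of pid, since pids are reused, and feed the cmd.exe command line through a substring resolver before string matching.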
The Role of Incident Response Planning:
Incident response teams should prepare for phishing-driven RAT infections that use legitimate tools.
If NarwhalRAT activity is suspected, responders should isolate the endpoint, preserve volatile evidence, collect scheduled task details, review PowerShell history, inspect downloaded files, and analyze process execution chains.
They should also review outbound network connections, cloud service activity, file access, keystroke logs, screen capture artifacts, and persistence locations.
Credential reset may be required if keylogging occurred.
If the infected user had access to business applications or privileged systems, responders should review account activity, session history, and internal access logs.
A RAT infection should be treated as both endpoint compromise and potential identity compromise.
Penetration Testing Insight:
From a penetration testing perspective, this campaign shows why endpoint detection must be tested against realistic multi-stage chains.
Testing should not stop at whether a malicious binary is detected.
Security teams should validate whether their controls can detect the behavior that leads to execution.
- Test LNK delivery controls
- Validate archive inspection for shortcut files
- Review PowerShell restrictions and logging
- Test detection for execution policy bypass
- Validate curl.exe monitoring
- Assess application control for Python on non-developer endpoints
- Test scheduled task creation alerts
- Review cloud storage traffic visibility
- Simulate process chains from phishing attachment to payload execution
- Validate response procedures for RAT infections
Modern penetration testing should show whether defenders can detect the full chain before the attacker gains stable remote access.
Expert Insight:
James Knight, Senior Principal at Digital Warfare, said:
“NarwhalRAT shows why defenders need behavioral detection across the entire infection chain. A shortcut file, PowerShell, curl, Python, and scheduled tasks may each appear legitimate in isolation, but together they can become a complete remote access compromise path.”
What Security Leaders Should Prioritize:
Security leaders should treat this campaign as a warning about living-off-the-land malware delivery.
The immediate priority is improving detection for LNK, PowerShell, curl, Python, and scheduled task abuse.
The broader priority is reducing the ability of phishing attachments to launch trusted tools without scrutiny.
Leaders should ask direct questions.
Can our email gateway detect LNK files inside ZIP archives?
Can we block PowerShell execution policy bypass?
Can we detect curl downloads from shortcut-launched commands?
Do we know where Python is allowed?
Can we identify suspicious scheduled tasks quickly?
Can we correlate phishing emails with endpoint execution?
If teams cannot answer those questions quickly, the organization has an endpoint detection visibility gap.
Call to Action:
Organizations should not assume endpoint protection will stop every phishing-driven malware chain automatically.
Validate email filtering, restrict shortcut execution, monitor PowerShell and curl abuse, control Python execution, and confirm that suspicious scheduled tasks cannot give attackers persistent remote access.