The malware displays a normal document while installing itself in the background
From the shadows of a long-standing geopolitical divide, operatives linked to North Korea are reaching into South Korean inboxes with the borrowed face of Microsoft — a reminder that in the digital age, trust itself has become a weapon. Security researchers have identified a campaign by APT37 deploying a capable remote access tool called NarwhalRAT, one that hides inside false urgency and familiar software names to take root in its victims' machines. The attack is less a feat of technical wizardry than a study in human psychology: the well-timed alarm, the reasonable-seeming request, the moment of hesitation that becomes an open door.
- Emails impersonating Microsoft's account security team are landing in South Korean inboxes, engineered to provoke panic and prompt a single, consequential click.
- What appears to be a routine Hangul document is in fact a shortcut file that silently installs NarwhalRAT the moment it is opened — the infection complete before suspicion can form.
- Once inside a system, NarwhalRAT operates across more than thirty functions: logging keystrokes, capturing screens, recording audio, and staging stolen data for quiet exfiltration.
- The malware camouflages itself using the names of beloved South Korean platforms — Naver Whale and KakaoTalk — turning the familiarity of local digital life into cover for surveillance.
- Researchers at Genians have attributed the campaign to APT37 based on structural fingerprints matching prior North Korean operations, but warn that the most decisive defense remains a human one: pause before you click.
A hacking campaign tied to North Korea is moving through South Korean inboxes with quiet precision, using emails that impersonate Microsoft to deliver a malware strain researchers are calling NarwhalRAT. Security firm Genians identified the threat on June 15, tracing it to APT37 — a group with documented ties to Pyongyang.
The emails arrive as account security alerts, warning that one-time passwords have been repeatedly generated for a Microsoft account. The sender appears to be the Microsoft Account Team, but the domain behind it is not Microsoft's. Recipients are urged to open an attached security notice. The attachment looks like a Hangul document — familiar, unthreatening. It is not. It is a shortcut file that, when opened, displays a decoy document while silently installing malware in the background.
NarwhalRAT is a remote access tool of real capability. It logs keystrokes, captures screenshots, records microphone audio, harvests files from connected USB devices, and executes remote commands. Stolen data is staged locally before being transmitted to the attackers — a patient, methodical approach to exfiltration.
What distinguishes this campaign is how carefully it was built for its audience. After installation, the malware creates a folder named 'naverwhale' — borrowing the name of a widely used South Korean browser — to make its presence look routine. Its code also contains logic specific to KakaoTalk, the country's dominant messaging app. The attackers have studied their targets and dressed their tool accordingly.
Researchers emphasize that no technical defense is more reliable than the moment of human judgment when a suspicious email arrives. Verifying the sender through an official channel — before opening any attachment — remains the most effective barrier against an infection that, once begun, is already complete.
A hacking campaign attributed to North Korea-linked operatives is actively spreading malware across South Korea through a deceptively simple vector: emails that look like they come from Microsoft. Security researchers at Genians identified the threat on June 15, tracking a malware strain called NarwhalRAT that arrives in inboxes posing as urgent account security alerts.
The emails claim that one-time password codes have been repeatedly generated for a Microsoft account, a scenario designed to trigger alarm. The sender line reads "Microsoft Account Team," but the actual domain sending the message is not Microsoft's. The message urges recipients to review an attached security notice, a request that feels reasonable in the moment of panic. When someone downloads and extracts that attachment, they see what appears to be a Hangul document: Hangul is the Korean writing system, and also the name of Hancom's word processor whose .hwp files are standard in South Korean offices, so the file type looks routine. It looks harmless. Opening it seems safe.
What actually happens is far more invasive. The attachment is a shortcut file masquerading as a document. When executed, it displays a normal-looking file on screen while simultaneously installing malware in the background. By the time the user realizes something is wrong, the infection is already complete. Genians attributes this campaign to APT37, a hacking group with documented ties to North Korea, based on similarities to a Python-based backdoor operation attributed to the same group and disclosed last year. The structural patterns match: the way the malicious shortcut is constructed, how batch files are obfuscated, and the persistence mechanism using the Windows task scheduler all align with APT37's known methods.
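The document-disguised shortcut described above, as an added detection example that is not part of the original article or of Genians' research: it parses the shell link (.lnk) header and string fields and flags an extracted attachment whose name carries a document extension in front of .lnk, whose target is a shell or script host, or whose window is set to open minimized. The sample shortcut, its file name and its command line are constructed for illustration, not taken from the campaign.

```python
import struct
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLinkHeader CLSID (MS-SHLLINK)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08  # LinkFlags bits
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand: window opens minimized and unfocused, so nothing is seen
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))
SHELL_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
DOC_EXTS = (".hwp", ".hwpx", ".pdf", ".docx", ".xlsx")

def parse_lnk(data):
    """Parse the fixed 76-byte header and the StringData section of a .lnk file."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    info = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 76  # skip the optional IDList and LinkInfo blocks using their declared sizes
    if flags & HAS_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, key in STRING_FIELDS:  # each field: CountCharacters, then UTF-16LE (or ANSI) text
        if flags & bit:
            n, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
            width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
            info[key] = data[pos:pos + n * width].decode(enc)
            pos += n * width
    return info

def build_lnk(rel_path, args, show_cmd=SW_SHOWMINNOACTIVE):  # minimal link, used only for the sample
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_REL_PATH | HAS_ARGS | IS_UNICODE,
                         0x20, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, args))

def triage(filename, data):
    """Return the reasons an extracted attachment looks like a document-disguised shortcut."""
    if not filename.lower().endswith(".lnk"):
        return []
    info, reasons = parse_lnk(data), []
    if filename[:-4].lower().endswith(DOC_EXTS):
        reasons.append("document extension in front of .lnk (Explorer hides .lnk)")
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    if any(host in target for host in SHELL_HOSTS):
        reasons.append("target is a shell or script host")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window starts minimized and unfocused")
    return reasons
# Constructed sample (not a campaign artifact): a document-named shortcut that would open a decoy .hwp, then a batch file
SAMPLE_NAME = "Microsoft_Security_Notice.hwp.lnk"
SAMPLE_LNK = build_lnk(r"..\..\Windows\System32\cmd.exe", "/c start notice.hwp & call stage.bat")
```

Running `triage` over every file pulled out of an attachment archive gives a mail gateway or analyst a cheap first filter before any sandboxing.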
NarwhalRAT itself is a remote access tool of considerable sophistication. Once installed, it can perform more than thirty distinct functions on an infected computer. It logs keystrokes, captures screenshots, records audio through the microphone, collects files from USB storage devices, and executes commands sent remotely by the attacker. Data gathered from the victim's machine is temporarily stored in a working directory before being transmitted externally—a staging area that allows the attackers to siphon information at their convenience.
What makes this campaign particularly targeted is the care taken to blend in with South Korean digital life. After installation, NarwhalRAT creates a folder named "naverwhale" inside the infected system. Naver Whale is a widely used browser in South Korea, and the folder name is designed to make the malware's presence appear legitimate to anyone browsing their computer's file structure. The malware's internal code also contains specific logic for handling windows related to KakaoTalk, the dominant messaging application in the country. These details suggest the attackers have studied their target audience and built their tool to evade detection by mimicking trusted local software.
Security researchers stress that the most effective defense remains human vigilance. Users should verify the authenticity of any email claiming to be from trusted organizations—Microsoft, major portal operators, financial institutions—before opening attachments. A second verification step, whether that means visiting the official website directly or calling a known phone number, can stop an infection before it starts. The sophistication of the malware itself matters less than the moment of decision when an email arrives and a user must choose whether to click.
Notable Quotes
"The malicious shortcut file structure, batch file obfuscation techniques and persistence methods using task schedulers were found to be similar to APT37's known operations." — Genians security researchers
The Hearth Conversation
Another angle on the story
Why would North Korean hackers specifically target South Korean users with this particular malware?
Because South Korea is a high-value target with advanced infrastructure, significant financial assets, and deep technical expertise. Stealing credentials, surveillance data, or intellectual property from South Korean individuals and organizations has real economic and intelligence value.
The malware creates a folder called "naverwhale" after installation. That's oddly specific. What does that accomplish?
It's camouflage. If someone opens their file explorer and sees a folder named after a legitimate browser they use, they're less likely to question it or delete it. The attacker is betting on the victim never looking closely at what's on their own system.
Can someone remove this malware once it's installed?
Theoretically yes, but by then the damage is done. The attacker has already logged keystrokes, captured screenshots, recorded audio. They have what they came for. Removal is almost secondary to the breach itself.
Why use a fake Microsoft email instead of some other pretext?
Microsoft is universally trusted. Security alerts from Microsoft feel urgent and legitimate. People don't question them the way they might question an email from an unknown sender. It's the most effective social engineering vector available.
What's the connection to the Python-based backdoor from last year?
Same group, same playbook. APT37 has a signature way of building malware and deploying it. Once you see that signature twice, you can be confident about attribution. It's like recognizing a criminal's handwriting.