ScarCruft NarwhalRAT spear-phishing malware activity
Malware Activity
Summary
ScarCruft (APT37) is using spear-phishing emails that impersonate Microsoft Account security alerts to deliver NarwhalRAT, a multi-stage malware threat that can steal data and maintain remote control on compromised hosts. The infection chain starts from a ZIP archive containing a malicious LNK file, which kicks off the payload dropper flow. NarwhalRAT supports keylogging, screenshot capture, ambient audio recording, and execution of C2-issued commands, giving operators broad visibility into victim systems.
Related Happenings
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score 41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
SHub Reaper macOS infostealer variant
Malware Activity
H score 21
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
SloppyLemming BurrowShell and Rust-based keylogger activity
Malware Activity
H score 16
First: 03.03.2026 08:53
Last: 03.03.2026 08:53
Sources 1
About this happening:
**SloppyLemming** deployed **BurrowShell** and a **Rust-based keylogger** through **two attack chains**, expanding its malware toolkit for **backdoor access**, **credential theft*...
Microsoft silently patches in Windows LNK files remote code execution flaw (CVE-2025-9491)
Vulnerability
H score 31
First: 12.02.2026 23:01
Last: 12.02.2026 23:01
Sources 1
About this happening:
**Windows LNK shortcut files** remain the focus of this vulnerability thread: **CVE-2025-9491** / **ZDI-CAN-25373** is being used in **September-October 2025** spear-phishing atta...
LummaStealer infection surge via CastleLoader
Malware Activity
H score 33
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
Timeline
16.06.2026 11:14 · 2 articles
ScarCruft delivers NarwhalRAT through fake Microsoft Account security alerts
Initial Disclosure
ScarCruft (APT37), a North Korean state-sponsored hacking group, was observed using spear-phishing messages that impersonate Microsoft Account security notifications to deliver NarwhalRAT. The lure claims abnormal activity and repeated one-time password generation to pressure the target into opening an attachment, but the attachment is a ZIP archive containing a malicious LNK file that launches a multi-stage infection chain. The chain downloads NarwhalRAT with batch scripts, retrieves a legitimate Python executable and a Windows security catalog (CAT) file, and sets scheduled-task persistence for in-memory execution. The malware can log keystrokes, capture screenshots, record ambient audio, upload directory contents, collect active window details, gather USB media data, execute C2 commands, and switch C2 servers, while using Korean websites and the pCloud cloud storage API as communication relays.
- Fake Microsoft Alerts Used to Deploy North Korean NarwhalRAT Malware — thehackernews.com — 16.06.2026 11:14
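The chain in the timeline entry above (an LNK-launched batch script, a dropped Python executable, scheduled-task persistence) turned into endpoint detection heuristics run over process-creation events. This is an added example, not code from the page or the cited report; the Sysmon-style field names, the rule names, the path heuristics and the sample events are all assumptions and the telemetry is constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent process image path
    image: str    # created process image path
    cmdline: str  # created process command line

# Directories a phished user's LNK/batch stage typically writes to (assumption)
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local\\Temp)|Downloads|Temp)\\", re.I)
# Where a legitimately installed python.exe normally lives (assumption)
STANDARD_PY = re.compile(r"\\(Program Files( \(x86\))?|AppData\\Local\\Programs\\Python)\\", re.I)
def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every event matching a stage of the chain."""
    hits = []
    for i, ev in enumerate(events):
        img, parent, cmd = _name(ev.image), _name(ev.parent), ev.cmdline
        # Stage 1: the LNK opened from Explorer runs a batch file from a user-writable path
        if (img == "cmd.exe" and parent == "explorer.exe"
                and re.search(r"\.(bat|cmd)\b", cmd, re.I) and USER_WRITABLE.search(cmd)):
            hits.append((i, "batch_from_user_dir"))
        # Stage 2: a scheduled task is registered whose action is a python.exe outside standard installs
        if (img == "schtasks.exe" and "/create" in cmd.lower()
                and "python.exe" in cmd.lower() and not STANDARD_PY.search(cmd)):
            hits.append((i, "schtask_runs_dropped_python"))
        # Stage 3: the Task Scheduler service (svchost.exe) starts that python.exe with inline code (-c)
        if (img == "python.exe" and parent == "svchost.exe"
                and not STANDARD_PY.search(ev.image) and re.search(r"\s-c\s", cmd)):
            hits.append((i, "scheduled_python_inline_code"))
    return hits

# Constructed sample telemetry (not real events); the last entry is a benign per-user Python install
SAMPLE = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\Alert\alert.bat"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 5 /tn Update /tr "C:\Users\u\AppData\Roaming\py\python.exe -c stage2"'),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Users\u\AppData\Roaming\py\python.exe",
              r'"C:\Users\u\AppData\Roaming\py\python.exe" -c "import stage2"'),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Users\u\AppData\Local\Programs\Python\Python312\python.exe", r'python.exe -c "print(1)"'),
]
if __name__ == "__main__":
    for idx, rule in detect(SAMPLE):
        print(f"event {idx}: {rule}")
```

Each rule fires on one stage independently, so a single hit is a lead to triage while hits from all three stages on the same host within a short window are the strong signal; the path heuristics will need tuning to the environment's own Python deployments.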