Fake Microsoft Alerts Used to Deploy North Korean NarwhalRAT Malware

The North Korean state-sponsored hacking group known as ScarCruft (aka APT37) has been observed using spear-phishing messages impersonating Microsoft Account security notifications to deliver malware called NarwhalRAT. "The attack email contained a message impersonating an MS account security alert," the Genians Security Center (GSC) said. "It was designed to create concern over possible

According to the report, the North Korean state-sponsored group ScarCruft (APT37) is delivering a new remote access trojan called NarwhalRAT via spear‑phishing emails that impersonate urgent Microsoft Account security alerts and abnormal OTP activity.[6][1][2] The malware provides extensive espionage and takeover capabilities, including keylogging, screen capture, microphone recording, USB data theft, and remote command execution once victims open a malicious shortcut file disguised as a security notice.[1][2][3] While the campaign as described does not specifically abuse AI models, it represents a mature state-backed intrusion set that could readily incorporate AI (e.g., for phishing content optimization, targeting, or automated data triage) to increase effectiveness. CyberSE.AI analysis: organizations should treat APT37 as a high-tier adversary and use AI CISO Advisory to integrate these TTPs into enterprise threat models and email/security policies, and Continuous AI Red Teaming to simulate similar phishing and post-compromise behaviors against any AI-enabled workflows before such actors begin to actively exploit them.