ScarCruft Switches to NarwhalRAT with Microsoft OTP Lures and pCloud Dead Drops

The campaign begins with spear-phishing emails impersonating Microsoft security notifications about repeated OTP generation. Recipients open a ZIP containing an LNK that runs obfuscated batch scripts fetching Python from official sources plus a CAT file. Persistence occurs via scheduled tasks named MicrosoftUserInterfacePicturesUpdateTackMachine, enabling the RAT to log keystrokes, capture high-resolution screenshots, record audio, and exfiltrate USB contents without disk artifacts. Genians identified matching infrastructure patterns from earlier ScarCruft Python operations that used ticket and event lures. Primary C2 relays sit on Korean domains daehoat.com and novel21.co.kr while pCloud folderid and auth parameters serve as dead-drop resolvers. This multi-C2 design and scheduled task naming convention directly parallel prior chains, indicating iterative refinement rather than new tooling. The shift from RokRAT to NarwhalRAT shows APT37 prioritizing stealthy Python loaders over custom binaries. In-memory execution and legitimate cloud services reduce forensic traces, complicating attribution reliant on malware signatures alone. Targets remain South Korean entities, with the Naver Whale directory name suggesting regional focus and possible collection priorities. Future activity will likely expand pCloud usage to evade takedowns. Independent monitoring of Korean-hosted relays combined with scheduled task telemetry offers the clearest detection path ahead of broader deployment.