Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2

A sophisticated Python-based RAT targeting Korean users through spear phishing emails disguised as Microsoft security alerts. The attack chain employs LNK files embedded in ZIP archives, BAT-based obfuscation, and multi-stage loaders culminating in NarwhalRAT deployment. This advanced malware features keylogging, screen capture, microphone recording, and USB data collection capabilities. It utilizes a dual C2 infrastructure combining Korean relay servers (daehoat.com, novel21.co.kr) with pCloud API as a dead-drop resolver. The malware creates encrypted configuration files, implements anti-VM techniques, and establishes persistence through scheduled tasks. It operates as a manually-controlled RAT with selective function activation via C2 commands, employing in-memory execution to evade file-based detection.

Pulse ID: 6a30130ad416e33ebf9e9417
Pulse Link: https://otx.alienvault.com/pulse/6a30130ad416e33ebf9e9417
Pulse Author: AlienVault
Created: 2026-06-15 14:58:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT37 #Cloud #CyberSecurity #Email #InfoSec #Korea #LNK #Malware #Microsoft #OTX #OpenThreatExchange #Phishing #Python #RAT #SpearPhishing #Troll #USB #ZIP #bot #pCloud #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Fighting Spyware: An Update

WhatsApp successfully identified and disrupted spear phishing attempts linked to NSO Group, a spyware firm blacklisted by the US government. The company is requesting the court to hold NSO in contempt for violating a permanent injunction that prohibited them from targeting WhatsApp and its users. The attacks involved social engineering attempts to trick users into clicking malicious links, as well as creating test accounts and groups on the platform. WhatsApp emphasizes that spyware represents a national security threat and is supporting the Spyware Accountability Initiative through significant contributions. The company continues to protect users through end-to-end encryption and encourages reporting suspicious activity while maintaining updated applications and devices.

Pulse ID: 6a27bbb7afe6bcf1ce69967b
Pulse Link: https://otx.alienvault.com/pulse/6a27bbb7afe6bcf1ce69967b
Pulse Author: AlienVault
Created: 2026-06-09 07:07:35

#CyberSecurity #Encryption #Government #InfoSec #OTX #OpenThreatExchange #Phishing #SocialEngineering #SpearPhishing #SpyWare #WhatsApp #bot #AlienVault

WhatsApp Disrupts NSO Group's Spearphishing Campaign

WhatsApp has successfully shut down a sneaky phishing campaign by notorious spyware firm NSO Group, which tried to trick users into clicking malicious links to spy on them. The messaging giant is now asking a US court to hold NSO Group accountable for violating a ban on targeting users.

https://osintsights.com/whatsapp-disrupts-nso-groups-spearphishing-campaign?utm_source=mastodon&utm_medium=social

#NsoGroup #Whatsapp #Spearphishing #Spyware #SocialEngineering

WhatsApp Disrupts NSO Group's Spearphishing Campaign

Learn how WhatsApp disrupted NSO Group's spearphishing campaign and find out what actions the company is taking to protect users - read more now.

OSINTSights

Meta Disrupts NSO Group's WhatsApp Phishing Campaign

Meta detected and blocked a sneaky WhatsApp phishing campaign linked to NSO Group, where attackers tried to trick people into clicking malicious links that led to external websites. The company also filed a contempt order against NSO for allegedly violating a court injunction by targeting WhatsApp users.

https://osintsights.com/meta-disrupts-nso-groups-whatsapp-phishing-campaign?utm_source=mastodon&utm_medium=social

#WhatsappPhishing #NsoGroup #SpearPhishing #Meta #1clickPhishing

🚨 NEWS: Advanced Phishing: Spear Phishing, Whaling and Business Email Compromise: An Operational Guide

Here are the key points in brief:
💡 You get an email from your CFO. Urgent. It asks for an immediate wire transfer to a supplier you don't remember. The address is right, the name is right, the tone is right. You do it. Then...

🚀 LINK: https://meteoraweb.com/sicurezza-informatica/phishing-avanzato-spear-phishing-whaling-e-business-email-compromise-guida-operativa

#sPF #dKIM #dMARC #ingegneriaSociale #spearPhishing

SideCopy Targets Afghan Finance Ministry with Xeno RAT Malware

Seqrite Labs researchers uncovered a sneaky malware attack, dubbed Operation XENOFISCAL, where the Pakistan-aligned SideCopy group targeted Afghanistan's Ministry of Finance and government officials with a cleverly crafted phishing lure written in Pashto. The attack used Xeno RAT Malware, delivered through a ZIP archive with a malicious…

https://osintsights.com/sidecopy-targets-afghan-finance-ministry-with-xeno-rat-malware?utm_source=mastodon&utm_medium=social

#XenoRatMalware #Sidecopy #Afghanistan #FinanceSector #SpearPhishing

Operation Dragon Weave: Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan Using Azure Cloud C2

A sophisticated cyber-espionage campaign attributed to China-linked actors targets officials and citizens in the Czech Republic and Taiwan through spearphishing attacks. The operation deploys malicious ZIP archives containing dual infection paths that ultimately deliver AZUREVEIL, an Adaptix C2 agent. The campaign uniquely leverages Microsoft Azure Blob Storage as a dead-drop command-and-control channel, bypassing traditional C2 infrastructure. A multi-stage infection chain employs RUSTCLOAK, a Rust-based loader implementing triple-layer encryption using modified RC4, Base64, and SM4-CBC algorithms. The final payload supports 36 post-exploitation commands including Beacon Object File execution in memory, file system manipulation, process control, network pivoting, and data exfiltration. Lure documents impersonate official communications from Taiwanese research institutions and the Czech Social Security Administration, demonstrating targeted social engineering tailored to each region.

Pulse ID: 6a19acf8d896b3c89d4bab6f
Pulse Link: https://otx.alienvault.com/pulse/6a19acf8d896b3c89d4bab6f
Pulse Author: AlienVault
Created: 2026-05-29 15:12:56

#Azure #China #Cloud #CyberSecurity #Encryption #Espionage #InfoSec #Microsoft #OTX #OpenThreatExchange #Phishing #RAT #Rust #SocialEngineering #SpearPhishing #ZIP #bot #cyberespionage #AlienVault

Operation Dragon Weave: Chinese APT uses Azure Blob Storage as C2 to target the Czech Republic and Taiwan

Seqrite has identified Operation Dragon Weave, an APT campaign attributed with moderate confidence to a Chinese actor that targets officials and researchers in the Czech Republic and Taiwan. The final payload, AZUREVEIL, uses Azure Blob Storage as a dead-drop C2 channel, hiding malicious traffic among normal enterprise cloud communications.

https://insicurezzadigitale.com/operation-dragon-weave-lapt-cinese-usa-azure-blob-storage-come-c2-per-colpire-repubblica-ceca-e-taiwan/

Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan

SideCopy APT, a Pakistan-linked threat group under the Transparent Tribe umbrella, executed a targeted spear phishing campaign against Afghanistan's Ministry of Finance and provincial revenue directorates. The attack begins with a Pashto-language LNK file disguised as a staff directory document, which executes mshta.exe to fetch remote HTA payloads from compromised Afghan education infrastructure. The multi-stage chain deploys obfuscated JavaScript, establishes registry-based persistence mimicking Microsoft Edge, and ultimately delivers XenoRAT 1.8.7 beaconing to bulletproof Bulgarian hosting. The campaign demonstrates precise knowledge of target administrative context, using Dari and Pashto decoy documents listing provincial finance officials with direct contact information. Infrastructure analysis reveals deliberate staging within Afghan government IP space and C2 infrastructure overlapping with previous SideCopy operations.

Pulse ID: 6a196f2fd88de848b913e4da
Pulse Link: https://otx.alienvault.com/pulse/6a196f2fd88de848b913e4da
Pulse Author: AlienVault
Created: 2026-05-29 10:49:19

#Afghanistan #Bulgaria #CyberSecurity #Edge #Education #Government #InfoSec #Java #JavaScript #LNK #Microsoft #MicrosoftEdge #Mimic #OTX #OpenThreatExchange #Pakistan #Phishing #RAT #SideCopy #SpearPhishing #TransparentTribe #bot #AlienVault

Russia-Linked GREYVIBE Exploits AI in Ukraine Cyberattacks

Discover how the Russia-linked group GREYVIBE is using AI to launch sophisticated cyberattacks on Ukraine, leveraging tactics like spear-phishing emails and fake websites to spread malware. WithSecure researchers have tracked GREYVIBE's activities back to August 2025, revealing a pattern of attacks targeting Ukraine's…

https://osintsights.com/russia-linked-greyvibe-exploits-ai-in-ukraine-cyberattacks?utm_source=mastodon&utm_medium=social

#RussialinkedGreyvibe #UkraineCyberattacks #NationState #MalwareOperations #Spearphishing
