
A North Korean-linked hacking group previously known for using generative AI-powered deepfakes to impersonate government officials and target South Korean security and North Korea-focused professionals has launched a new malware campaign disguised as security alerts from Microsoft’s account protection team.
The attack reportedly deploys a remote access trojan (RAT) capable of keylogging, screen capture, USB file collection and remote command execution.
According to the Genian Security Center, the North Korean-linked threat group APT37 recently conducted phishing attacks targeting South Korean users through emails masquerading as Microsoft account security notifications.
The campaign used spear-phishing emails with the subject line, “[Urgent] Security Inspection Notice Regarding Repeated One-Time Password (OTP) Generation.”
Attackers displayed the sender name as “Microsoft Account Team” to make the messages appear legitimate. However, the actual sending domain was not owned by Microsoft.
The email claimed that abnormal activity involving repeated generation of one-time authentication codes had been detected on the recipient’s Microsoft account. Recipients were instructed to review an attached security notice for additional details and recommended actions.
The attachment appeared to be a Hangul Word Processor (HWP) document but was in fact a compressed ZIP archive containing malicious files.
When executed, the attachment initiated a multi-stage infection process that ultimately installed NarwhalRAT, a remote access trojan capable of keylogging, screen capture, USB file collection and remote command execution.
The malware allows attackers to selectively activate functions including keystroke monitoring, screen capture, microphone recording and extraction of files from connected USB devices.
Researchers said the attack shares numerous characteristics with a deepfake-based government official impersonation campaign disclosed last month. Similarities were identified in the attack methodology, malware architecture and lure documents.
APT37, the group believed to be behind the campaign, is widely suspected of operating on behalf of North Korea’s intelligence apparatus. The organization has historically conducted cyber espionage and counterintelligence operations targeting individuals and organizations involved in North Korea-related affairs.

Unlike the previous campaign, which primarily targeted North Korea researchers, human rights activists, journalists and military or security personnel, investigators found no evidence that this operation focused on a specific profession or sector. Genian assessed the campaign as targeting a broader pool of South Korean users.
The company said defending against such attacks requires more than traditional malware detection. Security teams should monitor behavioral indicators throughout the attack chain, including execution of Windows shortcut (LNK) files, PowerShell activity and the creation of scheduled tasks.
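As an added illustration of the behaviour-based monitoring Genian recommends (example code written for this article, not Genian's or the researchers' own), the script below correlates the three stages named above, LNK execution, PowerShell activity and scheduled-task creation, over constructed process-creation events. The event schema, the stage heuristics (in particular inferring an LNK launch from an explorer.exe child whose command line names a .lnk file) and the sample telemetry are all assumptions, not data from the reported incident.

```python
"""Correlate LNK -> PowerShell -> scheduled-task creation per host (constructed schema)."""
from collections import defaultdict

STAGES = ("lnk", "powershell", "schtask")
WINDOW_SECONDS = 600  # all three stages must land within 10 minutes on one host


def classify(event):
    """Map one process-creation event to a stage name, or None. Heuristics are deliberately simple."""
    image, parent = event["image"].lower(), event["parent_image"].lower()
    cmd = event["cmdline"].lower()
    # Assumed LNK marker: a child of explorer.exe whose command line names a .lnk file
    if parent.endswith("explorer.exe") and ".lnk" in cmd:
        return "lnk"
    if image.endswith(("powershell.exe", "pwsh.exe")):
        return "powershell"
    if image.endswith("schtasks.exe") and "/create" in cmd:
        return "schtask"
    return None


def detect_chain(events):
    """Return one finding per host where the stages occur in order inside the window."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage))
    findings = []
    for host, seq in per_host.items():
        idx, start = 0, None  # idx = next expected stage, start = time of the LNK launch
        for ts, stage in seq:
            if stage == STAGES[0]:
                idx, start = 1, ts  # a fresh LNK launch (re)starts the chain
            elif start is not None and stage == STAGES[idx] and ts - start <= WINDOW_SECONDS:
                idx += 1
                if idx == len(STAGES):
                    findings.append({"host": host, "start": start, "end": ts})
                    idx, start = 0, None
    return findings


SAMPLE_EVENTS = [  # constructed telemetry (image basenames only), not from the reported incident
    {"ts": 100, "host": "ws01", "image": "cmd.exe", "parent_image": "explorer.exe",
     "cmdline": "cmd.exe /c notice.hwp.lnk"},
    {"ts": 105, "host": "ws01", "image": "powershell.exe", "parent_image": "cmd.exe",
     "cmdline": "powershell.exe -w hidden -File stage2.ps1"},
    {"ts": 160, "host": "ws01", "image": "schtasks.exe", "parent_image": "powershell.exe",
     "cmdline": "schtasks.exe /Create /SC MINUTE /TN Updater /TR C:\\Users\\Public\\u.exe"},
    # ws02: an admin opens PowerShell from the desktop; no LNK launch, no task creation
    {"ts": 300, "host": "ws02", "image": "powershell.exe", "parent_image": "explorer.exe",
     "cmdline": "powershell.exe"},
]
```

Run `detect_chain(SAMPLE_EVENTS)` to see the single ws01 finding; the lone PowerShell session on ws02 produces nothing, which is the point of correlating the stages rather than alerting on any one of them.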
Genian noted that the lure document used in the latest campaign contained the same recorded document author information as the material used in the earlier deepfake impersonation operation. Researchers also found substantial similarities in document structure and formatting.
“The final document author information matched that of the lure documents used in the deepfake government-official impersonation campaign disclosed last month, and the document structure was also highly similar,” Genian said. “Because the attacks appear to originate from the same threat cluster, users should avoid opening suspicious attachments and organizations should strengthen behavior-based detection capabilities.”
North Korea has increasingly incorporated generative AI and deepfake technologies into cyber operations, rapidly advancing the sophistication of its hacking techniques.
According to the 2025 annual report published by South Korea’s National Cyber Security Center, North Korean cyber actors stole more than $1.4 billion worth of cryptocurrency and other digital assets worldwide last year, marking a record haul.
A recent report from cybersecurity firm Kaspersky also found evidence that the North Korean hacking group Kimsuky used large language models (LLMs) to assist in writing code embedded in a backdoor malware tool. Kimsuky is one of North Korea’s best-known cyber espionage groups targeting South Korea.