Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2

2026-06-14 Genians

https://www.genians.co.kr/en/blog/threat_intelligence/narwhalrat


APT37 used Microsoft-themed spear phishing to deliver a ZIP archive containing a malicious LNK file that launched a PowerShell and batch-based infection chain. The chain installed an official embedded Python runtime, executed compiled Python bytecode disguised as .cat files, and ultimately loaded NarwhalRAT in memory through Python ctypes. NarwhalRAT targets Korean user environments, creates a hidden naverwhale working directory, persists through a scheduled task, and supports keylogging, screen capture, microphone recording, USB data staging, file transfer, and remote command execution. The malware uses Korean relay servers plus the pCloud API as a dead-drop resolver to maintain flexible multi-channel C2 communication.

Indicators of Compromise

Type     Value                              First Seen   Last Seen
URL      http://www.novel21.co.kr/data/e…   2026-06-14   2026-06-14
URL      http://www.daehoat.com/wp-conte…   2026-06-14   2026-06-14
DOMAIN   webhostingkorea.com                2026-06-14   2026-06-14
DOMAIN   novel21.co.kr                      2026-06-14   2026-06-14
DOMAIN   fe01.co.kr                         2026-06-14   2026-06-14
DOMAIN   daehoat.com                        2026-06-14   2026-06-14
