APT37-linked operators used Microsoft account security-themed spear phishing against Korean users to deliver NarwhalRAT through a ZIP-contained malicious LNK, obfuscated BAT scripts, copied curl execution, and a Python embedded runtime. The malware chain downloads Python bytecode disguised as .cat files, decrypts a PE payload, and runs it in memory through Python ctypes with Anti-VM checks and scheduled-task persistence. NarwhalRAT stages data under a hidden %APPDATA%\naverwhale directory, supports keylogging, screenshots, microphone recording, USB collection, file transfer, remote command execution, and dynamic C2 reconfiguration. Its infrastructure combines Korean relay sites such as daehoat.com and novel21.co.kr with pCloud API-based dead-drop resolver behavior, and Genians ties the TTPs closely to prior APT37 Python backdoor activity.