Windows Targeted with Rust Backdoor and Python Loader

Sept. 8, 2025, 3:34 p.m.

Description

APT37, a North Korean threat actor, has been observed using new tactics and tools in recent campaigns. They have deployed a Rust-based backdoor named Rustonotto, alongside the existing PowerShell-based Chinotto malware and FadeStealer. The group utilizes Windows shortcut files and help files as initial infection vectors. Their sophisticated attack chain includes spear phishing, Compiled HTML Help file delivery, and Transactional NTFS for stealthy code injection. The threat actor employs a single command-and-control server to orchestrate all components of their malware arsenal. FadeStealer, a surveillance tool, is capable of logging keystrokes, capturing screenshots and audio, tracking devices, and exfiltrating data through password-protected RAR archives.

Date

  • Created: Sept. 8, 2025, 2:41 p.m.
  • Published: Sept. 8, 2025, 2:41 p.m.
  • Modified: Sept. 8, 2025, 3:34 p.m.

Indicators

  • b91bc5bc74dc056c1286dcbc8f41c09b19e52450b62857d36f454cedab860c55

Attack Patterns

Additional Information

  • Government