IntroductionAPT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima) is a North Korean-aligned threat actor active since at least 2012. APT37 primarily targets South Korean individuals connected to the North Korean regime or involved in human rights activism, leveraging custom malware and adopting emerging technologies.In recent campaigns, APT37 utilizes a single command-and-control (C2) server to orchestrate all components of their malware arsenal, including a Rust-based backdoor that ThreatLabz dubbed Rustonotto (also known as CHILLYCHINO), a PowerShell-based malware known as Chinotto, and FadeStealer. Rustonotto is a newly identified backdoor in use since June 2025. Chinotto is a well-documented PowerShell backdoor that has been in use since 2019. FadeStealer, first discovered in 2023, is a surveillance tool that records keystrokes, captures screenshots and audio, monitors devices and removable media, and exfiltrates data via password-protected RAR archives.In this blog post, Zscaler ThreatLabz delves into the tactics and tools used by APT37. The technical analysis explores APT37’s sophisticated tactics, including spear phishing, Compiled HTML Help (CHM) file delivery, and Transactional NTFS (TxF) for stealthy code injection.Key TakeawaysAPT37 is a North Korean-aligned threat actor active since at least 2012 that primarily targets individuals connected to the North Korean regime or involved in human rights activism.In recent campaigns, APT37 utilizes a single command-and-control (C2) server to orchestrate all components of their malware arsenal, including the Rust-based backdoor we named Rustonotto, the PowerShell-based Chinotto malware, and FadeStealer.FadeStealer, first identified in 2023, is a surveillance tool designed to log keystrokes, capture screenshots and audio, track devices and removable media, and exfiltrate data through password-protected RAR archives. FadeStealer leverages HTTP POST and Base64 encoding for communication with its command-and-control (C2) server.APT37 utilizes Windows shortcut files and Windows help files as initial infection vectors.Rustonotto, active since June 2025, is a Rust-compiled malware, representing the first known instance of APT37 leveraging Rust-based malware to target Windows systems.Using simple backdoors in the initial stage, the threat actor deployed FadeStealer via a Python-based infection chain.OverviewS2W published a comprehensive report on the same threat actor, detailing PubNub-based comm
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: