Windows under threat from Rustonotto Rust backdoor and Python loader operated by APT37

Threat Group – APT37 (ScarCruft / Ruby Sleet / Velvet Chollima)
Threat Type – Backdoor / Surveillance
Exploited Vulnerabilities – Spear-phishing via malicious Windows shortcut (LNK) and CHM help file vectors
Malware Used – Rustonotto (Rust-based backdoor), Chinotto (PowerShell), FadeStealer (Python-based stealer)
Threat Score – 5.5 🟠 Elevated
Justification – Combines multiple stages: stealthy Rust backdoor, multi-stage infection chain, rolling capabilities. It can execute commands, exfiltrate data, and is part of a toolset with surveillance/stealer modules that require proactive containment and monitoring.
Last Threat Observation – September 8, 2025


Overview

A novel campaign by North Korean-aligned APT37, active since at least 2012, has introduced a Rust-based backdoor named Rustonotto, alongside PowerShell loader Chinotto and data stealer FadeStealer. The infection chain begins with spear-phishing attachments, delivering malware via malicious Windows shortcut files or CHM help files, enabling stealth and persistence on Windows systems.


Key Details

Delivery Method

  • Initial compromise via Windows shortcut (LNK) or CHM help file with embedded PowerShell script (Chinotto).
  • Chinotto extracts and drops Rustonotto (backdoor binary) and triggers FadeStealer via Python loader.

Target

Primarily Windows users connected to the North Korean regime or human rights activism in South Korea.

Functions

  • Execute Windows commands via Rustonotto.
  • Exfiltrate command output via HTTP to C2 with “R=” parameter.
  • Chinotto facilitates payload drop and persistence via scheduled tasks.
  • FadeStealer logs keystrokes, captures screenshots/audio, monitors removable media, archives, and exfiltrates data via HTTP POST with Base64 encoding.

Obfuscation

  • Use of Rust to complicate reverse-engineering.
  • Stealthy multi-stage chain: LNK/CHM vectors, scheduled tasks, TxF process Doppelgänging.

Attack Vectors

  • Spear-phishing with LNK or CHM attachments.
  • Process Doppelgänging via Python loader using NTFS Transactional files for stealthy injection.

Known Indicators of Compromise (IoCs)

FileHash-MD5

  • 04b5e068e6f0079c2c205a42df8a3a84
  • 3d6b999d65c775c1d27c8efa615ee520
  • 4caa44930e5587a0c9914bda9d240acc
  • 77a70e87429c4e552649235a9a2cf11a
  • 7967156e138a66f3ee1bfce81836d8d0
  • 89986806a298ffd6367cf43f36136311
  • b9900bef33c6cc9911a5cd7eeda8e093
  • d2b34b8bfafd6b17b1cf931bb3fdd3db

FileHash-SHA1

  • 670d4251e9c2438f70796dde747febe45aae1e19

FileHash-SHA256

  • b91bc5bc74dc056c1286dcbc8f41c09b19e52450b62857d36f454cedab860c55

Other observed artifacts: awonder.dat, tele.conf, tele.dat, etc., and decoy document in Hangul Word Processor (HWP).


Mitigation and Prevention

User Awareness

  • Educate users on risks of opening attachments, especially LNK or CHM files.

Email Filtering

  • Block LNK and CHM attachments from untrusted sources; enforce sandbox analysis.

Antivirus Protection

  • Update signatures to detect Chinotto, Rustonotto, and FadeStealer.

Two-Factor Authentication (2FA)

  • Protect accounts from lateral control even if initial compromise occurs.

Log Monitoring

  • Monitor for unusual scheduled tasks (e.g., “MicrosoftUpdate”), command execution anomalies, outgoing HTTP POST patterns with Base64 payloads.

Regular Updates

  • Patch systems and software to minimize attack surface.

Risk Assessment

Given the multi-stage nature, Rust-compiled stealth, surveillance data theft, and reliance on modern evasion techniques, APT37’s Rustonotto campaign should be rated 5.5 (Elevated). It warrants immediate detection, containment, and proactive hunting across Windows environments.


Conclusion

The discovery of Rustonotto, Chinotto, and FadeStealer signifies APT37’s evolution toward sophisticated, multi-language payloads and stealthy Windows attacks. Organizations—especially those linked to Korean geopolitical interests—must heighten vigilance, ensure layered defenses, and conduct retrospective threat hunting across email, scheduled tasks, HTTP logs, and process injection footprints.

