APT37, the North Korean-aligned threat actor also known as ScarCruft, Ruby Sleet, and Velvet Chollima, has expanded its arsenal with sophisticated new malware targeting Windows systems.
Active since 2012, the group primarily focuses on South Korean individuals connected to the North Korean regime or involved in human rights activism.
The threat actor has now introduced a Rust-based backdoor dubbed Rustonotto and a Python-based injection chain that deploys its surveillance tool FadeStealer.
The campaign shows APT37 moving to a modern compiled language for its tooling and to a more evasive process-injection technique for delivering its payload.
The attack chain begins with spear-phishing emails containing malicious Windows shortcut files or Compiled HTML Help (CHM) files.
These initial vectors lead to the deployment of multiple malware components orchestrated through a single command-and-control server.
The move to Rust is a notable shift for the group: Rust builds natively for Windows, Linux and macOS, so the same backdoor source could plausibly be compiled for other platforms, although only Windows samples are described here, and the backdoor itself remains lightweight.
Zscaler researchers identified this sophisticated malware cluster operating since June 2025, revealing the threat actor’s continued refinement of social engineering tactics and technical capabilities.
The campaign uses Transactional NTFS (TxF), a deprecated but still available Windows feature, to stage its payload inside a file transaction that is never committed to disk, the basis of the Process Doppelgänging injection described below.
The researchers observed APT37 leveraging vulnerable web servers as C2 infrastructure, employing a unified PHP script to control their entire malware toolkit including Rustonotto, Chinotto, and FadeStealer variants.
The attack unfolds in several stages of payload delivery and execution. Initial compromise occurs through either Windows shortcut (LNK) files that launch embedded PowerShell, or CHM files that set up persistence through the registry.
These vectors then deploy the Rust-compiled Rustonotto backdoor, a lightweight command executor that receives Base64-encoded Windows commands from the C2 server, runs them, and returns the output to the threat actor's infrastructure.
Advanced Injection Techniques and Payload Deployment
The most sophisticated aspect of this campaign involves the deployment of FadeStealer through a Python-based injection mechanism utilizing Process Doppelgänging.
The threat actor delivers malicious payloads packaged in Microsoft Cabinet files, which contain three critical components: a legitimate Python interpreter renamed tele_update.exe, a compiled Python module (tele.conf) responsible for decryption and injection, and the encrypted FadeStealer payload (tele.dat).
The Python injection script, internally named TransactedHollowing.py, uses the TxF APIs to create the payload file inside an NTFS transaction, so the decrypted executable is never committed to disk where a file scanner could read it.
The decryption routine extracts XOR keys from the payload and applies custom decryption to recover the final executable.
The Process Doppelgänging step creates a section object from the transacted file, rolls the transaction back so the file disappears, maps the section into a suspended legitimate process, and rewrites the thread context so execution resumes at the injected entry point.
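One way to turn the sequence just described into detection logic, added here as an illustration and not code from Zscaler's report or from the APT37 toolkit: the chain (open a transaction, create a transacted file, build a section from it, roll the transaction back, then map the section or redirect a thread in another process) has a strict ordering that legitimate TxF users such as installers do not follow, because they commit rather than roll back. The script below assumes an API-call trace from an EDR hook or sandbox in a made-up pipe-separated schema (ts|pid|image|api|target_pid); the sample lines are constructed, and a process is flagged only when every stage appears in order inside a time window.

```python
"""Flag processes whose API-call ordering matches transacted-file injection.

Added example for this article, not Zscaler's detection logic or APT37 code.
The telemetry lines are constructed, and the pipe-separated schema
(ts|pid|image|api|target_pid) is an assumed EDR/sandbox trace format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordered stages of Process Doppelgaenging / transacted hollowing. A stage is
# satisfied by any API in its set; later-stage calls seen out of order are ignored.
STAGES = [
    ("open transaction",     {"CreateTransaction", "NtCreateTransaction"}),
    ("transacted file",      {"CreateFileTransactedW", "CreateFileTransactedA"}),
    ("section from file",    {"NtCreateSection", "ZwCreateSection"}),
    ("rollback transaction", {"RollbackTransaction", "NtRollbackTransaction"}),
    ("inject / redirect",    {"NtMapViewOfSection", "NtCreateProcessEx",
                              "SetThreadContext", "NtSetContextThread",
                              "NtCreateThreadEx"}),
]


@dataclass
class Event:
    ts: float
    pid: int
    image: str
    api: str
    target_pid: Optional[int] = None   # set when the call acts on another process


def parse_trace(text: str) -> List[Event]:
    """Parse 'ts|pid|image|api|target_pid' lines; target_pid may be empty."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, pid, image, api, target = line.split("|")
        events.append(Event(float(ts), int(pid), image, api,
                            int(target) if target else None))
    return events


def scan(events: List[Event], window: float = 30.0) -> Dict[int, dict]:
    """Return {pid: {"image", "target_pid"}} for every process that completes
    all STAGES, in order, within `window` seconds of opening the transaction."""
    by_pid: Dict[int, List[Event]] = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)

    hits: Dict[int, dict] = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        stage, start, target = 0, None, None
        for e in evs:
            if start is not None and e.ts - start > window:
                stage, start, target = 0, None, None      # sequence went stale
            if e.api in STAGES[stage][1]:
                if stage == 0:
                    start = e.ts
                if e.target_pid is not None:
                    target = e.target_pid
                stage += 1
                if stage == len(STAGES):
                    hits[pid] = {"image": e.image, "target_pid": target}
                    break
    return hits


# Constructed trace: one injector, one installer that commits its transaction
# (legitimate TxF use), and a process that maps a section without TxF at all.
SAMPLE_TRACE = """\
# ts|pid|image|api|target_pid
1725000000.10|4120|tele_update.exe|CreateTransaction|
1725000000.12|4120|tele_update.exe|CreateFileTransactedW|
1725000000.30|4120|tele_update.exe|NtCreateSection|
1725000000.31|4120|tele_update.exe|RollbackTransaction|
1725000000.40|4120|tele_update.exe|CreateProcessW|
1725000000.55|4120|tele_update.exe|NtMapViewOfSection|5280
1725000000.60|4120|tele_update.exe|SetThreadContext|5280
1725000001.00|7788|msiexec.exe|CreateTransaction|
1725000001.20|7788|msiexec.exe|CreateFileTransactedW|
1725000002.00|7788|msiexec.exe|CommitTransaction|
1725000005.00|3004|explorer.exe|NtCreateSection|
1725000005.10|3004|explorer.exe|NtMapViewOfSection|
"""


def scan_trace(text: str = SAMPLE_TRACE) -> Dict[int, dict]:
    return scan(parse_trace(text))


if __name__ == "__main__":
    for pid, info in scan_trace().items():
        print(f"pid {pid} ({info['image']}) -> transacted-section injection into "
              f"pid {info['target_pid']}")
```

Windows records none of these calls natively, so the trace has to come from an instrumented source; the per-process state machine and the time window are what keep an installer's CreateTransaction/CommitTransaction pair, or an ordinary section mapping, from firing the rule.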
FadeStealer operates as a comprehensive surveillance tool, conducting real-time keylogging, capturing screenshots every 30 seconds, recording 5-minute audio sessions, and monitoring USB devices hourly.
The malware compresses the collected data into timestamped archives protected with a hardcoded password, using an embedded RAR utility, and exfiltrates them through HTTP POST requests carrying multipart form data.
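As an added check on the exfiltration side (again an illustration written for this article, not FadeStealer's code or a Zscaler signature): the script below parses a raw HTTP POST as a proxy or sensor with body access would see it (an assumption; in practice that means TLS interception), splits the multipart form data, and flags any part that begins with a RAR signature whose headers are encrypted, which is what a password-protected archive created with header encryption looks like on the wire. The request, boundary, endpoint, filename and RAR header bytes are all constructed.

```python
"""Flag multipart/form-data POSTs that upload RAR archives with encrypted headers.
Added example for this article, not FadeStealer code or a Zscaler signature. The
HTTP request, endpoint, filename and RAR header bytes below are all constructed."""
import re
from typing import Dict, Iterator, List, Optional, Tuple

RAR4_SIG = b"Rar!\x1a\x07\x00"      # RAR 1.5-4.x marker block
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x signature
MHD_PASSWORD = 0x0080                # RAR4 MAIN_HEAD flag: archive headers encrypted


def read_vint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a RAR5 variable-length integer (7 data bits per byte, MSB = more)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def rar_header_encryption(data: bytes) -> Optional[str]:
    """Return 'rar4-encrypted', 'rar5-encrypted', 'rar-plain', or None if not RAR.
    Only header encryption (rar -hp) is detected; data-only encryption (rar -p)
    leaves the headers readable and reports as 'rar-plain'."""
    if data.startswith(RAR5_SIG):
        pos = len(RAR5_SIG) + 4                       # skip the block CRC32
        _size, pos = read_vint(data, pos)
        htype, _ = read_vint(data, pos)               # type 4 = encryption header
        return "rar5-encrypted" if htype == 4 else "rar-plain"
    if data.startswith(RAR4_SIG):
        base = len(RAR4_SIG)                          # MAIN_HEAD: CRC(2) TYPE(1) FLAGS(2) ...
        if len(data) < base + 5 or data[base + 2] != 0x73:
            return "rar-plain"
        flags = int.from_bytes(data[base + 3:base + 5], "little")
        return "rar4-encrypted" if flags & MHD_PASSWORD else "rar-plain"
    return None


def split_multipart(body: bytes, boundary: bytes) -> Iterator[Tuple[Dict[str, str], bytes]]:
    """Yield (part headers, raw payload) for each part of a multipart body."""
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):                   # closing delimiter
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, payload = chunk.partition(b"\r\n\r\n")
        if payload.endswith(b"\r\n"):                 # CRLF belongs to the next delimiter
            payload = payload[:-2]
        headers = {}
        for line in head.split(b"\r\n"):
            k, _, v = line.partition(b":")
            headers[k.strip().lower().decode("latin-1")] = v.strip().decode("latin-1")
        yield headers, payload


def inspect_post(raw: bytes) -> List[dict]:
    """Return one finding per encrypted RAR part in a raw HTTP POST request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in header_lines)}
    m = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if not request_line.startswith("POST ") or not m:
        return []
    findings = []
    for part_headers, payload in split_multipart(body, m.group(1).encode("latin-1")):
        kind = rar_header_encryption(payload)
        if kind and kind.endswith("encrypted"):
            fn = re.search(r'filename="([^"]*)"', part_headers.get("content-disposition", ""))
            findings.append({"url": request_line.split()[1],
                             "filename": fn.group(1) if fn else None,
                             "type": kind, "size": len(payload)})
    return findings


# Constructed sample: a 13-byte RAR4 MAIN_HEAD with MHD_PASSWORD set, inside a
# two-part form upload to a made-up PHP endpoint.
RAR4_ENCRYPTED = (RAR4_SIG + b"\x00\x00\x73" + MHD_PASSWORD.to_bytes(2, "little")
                  + (13).to_bytes(2, "little") + b"\x00" * 6)
BOUNDARY = b"----FormBoundaryExample"
SAMPLE_REQUEST = b"".join([
    b"POST /upload.php HTTP/1.1\r\nHost: example.invalid\r\n",
    b"Content-Type: multipart/form-data; boundary=", BOUNDARY, b"\r\n\r\n",
    b"--", BOUNDARY, b'\r\nContent-Disposition: form-data; name="id"\r\n\r\nhost-01\r\n',
    b"--", BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="file"; filename="20250901_143000.rar"\r\n',
    b"Content-Type: application/octet-stream\r\n\r\n", RAR4_ENCRYPTED, b"\r\n",
    b"--", BOUNDARY, b"--\r\n",
])

if __name__ == "__main__":
    for f in inspect_post(SAMPLE_REQUEST):
        print(f"{f['type']} upload of {f['filename']} ({f['size']} bytes) to {f['url']}")
```

The check keys on the archive header rather than on the filename or endpoint, since both of those are trivial for the operator to change; it does not catch an archive whose file data is encrypted but whose headers are left readable, which would need a file-header parse instead.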
Malware Component | Programming Language | Primary Function | Persistence Method | Communication |
---|---|---|---|---|
Rustonotto | Rust | Lightweight backdoor | Scheduled Task (MicrosoftUpdate) | HTTP with Base64 encoding |
Chinotto | PowerShell | Command execution and file operations | Registry Run key | HTTP POST requests |
FadeStealer | Windows PE (via Python injection) | Surveillance and data exfiltration | Registry Run key (TeleUpdate) | HTTP multipart uploads |
Python Loader | Python | Process injection and payload deployment | Embedded in legitimate processes | Local file operations |
The campaign’s technical sophistication combined with targeted social engineering demonstrates APT37’s continued evolution and persistent threat to individuals and organizations connected to North Korean affairs.