The North Korean-aligned threat group APT37, also known as ScarCruft, Ruby Sleet, and Velvet Chollima, has evolved its cyber warfare capabilities by deploying sophisticated Rust and Python-based malware in recent campaigns targeting Windows systems.
Active since 2012, this advanced persistent threat group continues to focus on South Korean individuals connected to the North Korean regime and human rights activists, demonstrating significant tactical advancement through the adoption of modern programming languages and enhanced evasion techniques.
APT37’s latest campaign showcases a coordinated approach utilizing a single command-and-control (C2) server to orchestrate multiple malware components.
The threat actor has introduced Rustonotto, a newly identified Rust-based backdoor active since June 2025, marking the first known instance of APT37 using the Rust programming language to target Windows systems.
This lightweight backdoor provides basic functionality for executing Windows commands and transmitting results to attacker-controlled infrastructure.
The group simultaneously deploys Chinotto, a well-documented PowerShell backdoor operational since 2019, alongside FadeStealer, a comprehensive surveillance tool first discovered in 2023.
FadeStealer represents a significant threat with capabilities including keystroke logging, screenshot capture, audio recording, device monitoring, and data exfiltration through password-protected RAR archives.
The malware communicates with its command-and-control infrastructure over HTTP POST requests, encoding the traffic with Base64 (an obfuscation step, not encryption).
Sophisticated Infection
The attack methodology demonstrates APT37’s advanced technical sophistication through multiple infection vectors.
The group utilizes Windows shortcut files and Compiled HTML Help (CHM) files as initial compromise mechanisms, followed by deployment of PowerShell-based payloads.
A particularly notable technique is the use of Transactional NTFS (TxF) for stealthy code injection, a method chosen for its ability to evade file-based detection.
The Python-based infection chain implements the Process Doppelgänging technique through a custom loader that decrypts and injects FadeStealer into legitimate Windows processes.
This method involves creating transacted files, establishing memory section objects, and manipulating process contexts to execute malicious payloads while avoiding detection.
The threat actor randomly selects legitimate system executables, including calc.exe, msinfo32.exe, and svchost.exe, as injection targets so that the injected code is harder to distinguish from normal system activity.
Comprehensive Surveillance
FadeStealer operates as a multi-threaded surveillance platform capable of real-time data collection across multiple vectors.
The malware captures keystrokes continuously, screenshots every 30 seconds, and records microphone audio in 5-minute sessions.
Additionally, it monitors USB devices and portable cameras hourly, creating timestamped archives for systematic data exfiltration.
The surveillance data is compiled into password-protected RAR archives using the hardcoded password “NaeMhq[d]q” and transmitted to C2 servers through HTTP POST requests.

The malware maintains organized directory structures under %TEMP%\VSTelems_Fade for the different data types, ensuring comprehensive coverage of victim activities.
Archive naming follows timestamp patterns like “watch_YYYY_MM_DD-HH_MM_SS.rar” for regular surveillance data and “data_YYYY_MM_DD-HH_MM_SS.rar” for command-directed file collection.
The C2 infrastructure utilizes compromised web servers hosting lightweight PHP scripts that manage communication through JSON-based command and result arrays.
This centralized approach gives the operators unified control over the entire malware ecosystem, including the Rustonotto, Chinotto, and FadeStealer components, all of which use the same Base64-encoded communication protocol.
Indicators Of Compromise (IOCs)
| MD5 | File name |
|---|---|
| b9900bef33c6cc9911a5cd7eeda8e093 | N/A |
| 7967156e138a66f3ee1bfce81836d8d0 | 3HNoWZd.exe.bin |
| 77a70e87429c4e552649235a9a2cf11a | wonder.dat |
| 04b5e068e6f0079c2c205a42df8a3a84 | tele.conf |
| d2b34b8bfafd6b17b1cf931bb3fdd3db | tele.dat |
| 3d6b999d65c775c1d27c8efa615ee520 | 2024-11-22.rar |
| 89986806a298ffd6367cf43f36136311 | Password.chm |
| 4caa44930e5587a0c9914bda9d240acc | 1.html |
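The archive naming scheme and staging directory described in the surveillance section, together with the MD5 hashes in the table above, are enough to build a simple host-side hunt. The script below is an added example written for this article, not code from the report or from any vendor tool: it flags Windows paths that sit under the VSTelems_Fade directory or match the watch_/data_ timestamped .rar pattern, and compares file contents against the IOC hash list. The file inventory is a constructed in-memory dictionary so the example runs offline; on a real host it would be populated by walking %TEMP% and reading each file.

```python
from __future__ import annotations

import hashlib
import re
from pathlib import PureWindowsPath

# MD5 hashes copied from the IOC table in the report.
IOC_MD5 = {
    "b9900bef33c6cc9911a5cd7eeda8e093",
    "7967156e138a66f3ee1bfce81836d8d0",
    "77a70e87429c4e552649235a9a2cf11a",
    "04b5e068e6f0079c2c205a42df8a3a84",
    "d2b34b8bfafd6b17b1cf931bb3fdd3db",
    "3d6b999d65c775c1d27c8efa615ee520",
    "89986806a298ffd6367cf43f36136311",
    "4caa44930e5587a0c9914bda9d240acc",
}

# Staging directory under %TEMP% and the archive naming patterns from the report:
# watch_YYYY_MM_DD-HH_MM_SS.rar (periodic surveillance data) and
# data_YYYY_MM_DD-HH_MM_SS.rar (operator-directed file collection).
STAGING_DIR = "VSTelems_Fade"
ARCHIVE_RE = re.compile(
    r"^(?P<kind>watch|data)_\d{4}_\d{2}_\d{2}-\d{2}_\d{2}_\d{2}\.rar$", re.IGNORECASE
)


def classify_path(path: str) -> list[str]:
    """Return the name-based indicators a Windows path matches (empty list if none)."""
    p = PureWindowsPath(path)
    findings: list[str] = []
    if any(part.lower() == STAGING_DIR.lower() for part in p.parts):
        findings.append("fadestealer_staging_dir")
    m = ARCHIVE_RE.match(p.name)
    if m:
        findings.append(f"fadestealer_archive:{m.group('kind').lower()}")
    return findings


def check_hash(data: bytes, ioc_hashes: set[str] = IOC_MD5) -> str | None:
    """Return the MD5 of `data` if it appears in the IOC set, else None.

    MD5 is used only because that is what the IOC table provides; it serves
    as a lookup key here, not as a security control.
    """
    digest = hashlib.md5(data).hexdigest()
    return digest if digest in ioc_hashes else None


def hunt(inventory: dict[str, bytes], ioc_hashes: set[str] = IOC_MD5) -> dict[str, list[str]]:
    """Run both checks over a {path: file_bytes} inventory and return only the hits.

    On a real host the inventory would be built by walking %TEMP% and reading
    each file; callers here pass constructed contents so the routine runs offline.
    """
    hits: dict[str, list[str]] = {}
    for path, content in inventory.items():
        findings = classify_path(path)
        matched = check_hash(content, ioc_hashes)
        if matched:
            findings.append(f"ioc_md5:{matched}")
        if findings:
            hits[path] = findings
    return hits


# Constructed sample inventory (not real victim data): one benign document, one archive
# matching the watch_ pattern inside the staging directory, and one data_ archive elsewhere.
SAMPLE_INVENTORY = {
    r"C:\Users\alice\Documents\notes.txt": b"meeting notes",
    r"C:\Users\alice\AppData\Local\Temp\VSTelems_Fade\watch_2025_06_01-09_30_00.rar": b"Rar!\x1a\x07\x01\x00",
    r"D:\share\data_2025_06_02-14_05_10.RAR": b"Rar!\x1a\x07\x01\x00",
}

if __name__ == "__main__":
    for path, findings in hunt(SAMPLE_INVENTORY).items():
        print(path, "->", ", ".join(findings))
```

The name and path checks are deliberately kept separate from the hash check: the archives are created fresh on each victim, so their hashes will never be in a published IOC list, while the naming pattern is a stable artifact of the tool itself. Matching the extension case-insensitively avoids missing archives on a filesystem that does not normalize case.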