APT37 Deploys New Rust and Python Malware Against Windows Systems

The North Korean-aligned threat group APT37, also known as ScarCruft, Ruby Sleet, and Velvet Chollima, has expanded its malware arsenal with sophisticated new tools targeting South Korean individuals connected to the North Korean regime and human rights activists.

Security researchers at Zscaler ThreatLabz have uncovered a coordinated campaign utilizing a Rust-based backdoor dubbed Rustonotto alongside established PowerShell and Python-based malware variants.

Advanced Multi-Language Malware Campaign

APT37’s latest operations demonstrate the group’s evolution toward modern programming languages and refined attack techniques.

The campaign orchestrates three primary malware components through a single command-and-control server: Rustonotto, the newly identified Rust-compiled backdoor active since June 2025; Chinotto, a well-documented PowerShell backdoor operational since 2019; and FadeStealer, a comprehensive surveillance tool first discovered in 2023.

Rustonotto represents the first known instance of APT37 leveraging Rust-based malware against Windows systems. The lightweight backdoor executes Windows commands received in Base64-encoded format and returns results using the same encoding method.

Despite its simplistic functionality, the malware’s use of the Rust programming language signals the group’s ongoing adoption of modern development frameworks, potentially supporting multi-platform attacks.

The attack chain begins with Windows shortcut files or Compiled HTML Help (CHM) files delivering the initial payload. When victims execute the malicious shortcut, a PowerShell script extracts embedded decoy documents and payloads using predefined markers.

The system creates a scheduled task named “MicrosoftUpdate” that executes the Rustonotto payload every five minutes, establishing persistent access to compromised systems.

Sophisticated Surveillance and Data Exfiltration

FadeStealer operates as the campaign’s primary surveillance component, implementing comprehensive data collection capabilities including keystroke logging, screenshot capture, audio recording, and monitoring of connected USB devices and MTP-enabled devices.

The malware compresses collected data into password-protected RAR archives using the hardcoded password “NaeMhq[d]q” before exfiltration to the C2 server.

The threat actors employ advanced code injection techniques, specifically utilizing Transactional NTFS (TxF) and Process Doppelgänging to inject malicious code into legitimate Windows processes stealthily.

A Python-based loader implements this sophisticated injection method, creating memory sections from transacted files before rolling back transactions and mapping payloads into suspended legitimate processes.

APT37’s C2 infrastructure utilizes compromised web servers running lightweight PHP scripts that manage communication between threat actors and malware implants through Base64-encoded exchanges.

The server maintains parent and child arrays for storing command results and pending instructions, providing centralized control over the entire malware ecosystem.

Zscaler’s multilayered cloud security platform detects this threat cluster with multiple signatures, including Win32.Backdoor.Chinotto, Win32.Trojan.Apt37.LZ, and Win32.Downloader.FadeStealer.

The campaign targets explicitly South Korean individuals involved in North Korean political affairs or diplomatic activities, consistent with APT37’s historical targeting patterns and strategic intelligence objectives.

Indicators Of Compromise (IOCs)

MD5	File name
b9900bef33c6cc9911a5cd7eeda8e093	N/A
7967156e138a66f3ee1bfce81836d8d0	3HNoWZd.exe.bin
77a70e87429c4e552649235a9a2cf11a	wonder.dat
04b5e068e6f0079c2c205a42df8a3a84	tele.conf
d2b34b8bfafd6b17b1cf931bb3fdd3db	tele.dat
3d6b999d65c775c1d27c8efa615ee520	2024-11-22.rar
89986806a298ffd6367cf43f36136311	Password.chm
4caa44930e5587a0c9914bda9d240acc	1.html

Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates

The post APT37 Deploys New Rust and Python Malware Against Windows Systems appeared first on Cyber Security News.