Zscaler ThreatLabz has uncovered new details about North Korean-aligned threat actor APT37 (also known as ScarCruft, Ruby Sleet, or Velvet Chollima), showing how the group continues to refine its malware arsenal with modern languages, advanced injection techniques, and multi-stage infection chains.
APT37 has been active since at least 2012. ThreatLabz summarizes its targeting this way: “APT37 primarily targets South Korean individuals connected to the North Korean regime or involved in human rights activism, leveraging custom malware and adopting emerging technologies.”
The group is notable for its persistent development of custom tools and its ability to blend social engineering with technical innovation.
One of the most significant discoveries is Rustonotto, a lightweight backdoor written in Rust and first observed in June 2025. ThreatLabz explains: “Rustonotto is a newly identified backdoor in use since June 2025… While Rustonotto may appear simplistic, the use of Rust highlights the group’s ongoing effort to adopt modern languages and potentially support multi-platform attacks.”
Rustonotto executes Windows commands on the host, returns their output to the operators as Base64-encoded data, and maintains a channel to a centralized command-and-control (C2) server. Its introduction marks the first known use of Rust-based malware by APT37 against Windows systems.
APT37 also continues to rely on Chinotto, a PowerShell-based malware family active since 2019. Delivered through Windows shortcut (LNK) or Compiled HTML Help (CHM) files, Chinotto gives the operators persistence and remote control over compromised systems.
As ThreatLabz describes, “Chinotto is capable of performing various tasks, such as transferring files, executing commands, modifying the registry, creating scheduled tasks, and more.”
Chinotto connects to the same C2 infrastructure as Rustonotto, underscoring how APT37 unifies control of its entire malware toolset.
Discovered in 2023, FadeStealer is one of the group’s most invasive surveillance tools. ThreatLabz notes: “FadeStealer is a surveillance tool that records keystrokes, captures screenshots and audio, monitors devices and removable media, and exfiltrates data via password-protected RAR archives.”
FadeStealer’s modules cover keylogging, screen capture, microphone recording, USB and removable-media monitoring, and targeted file theft. Collected data is packed into password-protected RAR archives and uploaded to the C2 server in HTTP POST requests.
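Both exfiltration channels described above (FadeStealer's password-protected RAR uploads and Rustonotto's Base64-encoded command output) leave a signature in the body of an outbound HTTP POST. The script below is an added illustration of how a defender can triage captured POST bodies for those two patterns; it is not code from Zscaler, the report, or the malware. The RAR magic bytes and header layout follow the published RAR 4 and RAR 5 formats, header CRCs are not verified, the Windows-output hints are an assumption rather than a malware signature, and every sample body is constructed, not captured traffic.

```python
"""Triage of outbound HTTP POST bodies for two exfiltration patterns:
password-protected RAR uploads and Base64-wrapped command output.
Added illustration; RAR constants follow the public RAR 4/5 format,
sample bodies below are constructed for the example."""
import base64
import re

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
RAR4_MAIN_HEAD = 0x73            # RAR4 MAIN_HEAD block type
RAR4_MHD_PASSWORD = 0x0080       # MAIN_HEAD flag: archive headers are encrypted
RAR5_ENCRYPTION_HEADER = 4       # RAR5 header type used when headers are encrypted (-hp)
# Runs of Base64 alphabet long enough to carry command output; the lookbehind
# keeps the match from starting in the middle of a longer token.
B64_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{32,}={0,2}")
# Assumed hints of Windows shell output (dir listings, drive paths, CRLF); not a signature.
WINDOWS_OUTPUT_HINTS = (b"Directory of ", b"Volume in drive", b":\\", b"\r\n")


def read_vint(buf: bytes, pos: int):
    """Decode a RAR5 variable-length integer: 7 data bits per byte, high bit = more."""
    value, shift = 0, 0
    while pos < len(buf):
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos
    raise ValueError("truncated vint")


def rar_info(body: bytes):
    """Return (rar_version, headers_encrypted) or None if the body is not a RAR archive.
    Only header-level encryption is checked; per-file encryption (-p) lives in file headers."""
    if body.startswith(RAR5_MAGIC):
        pos = len(RAR5_MAGIC) + 4            # skip the 4-byte header CRC32 (not verified)
        _size, pos = read_vint(body, pos)
        htype, _pos = read_vint(body, pos)
        return 5, htype == RAR5_ENCRYPTION_HEADER
    if body.startswith(RAR4_MAGIC):
        main = body[len(RAR4_MAGIC):]        # MAIN_HEAD follows the 7-byte marker block
        if len(main) < 7 or main[2] != RAR4_MAIN_HEAD:
            return 4, False
        flags = int.from_bytes(main[3:5], "little")
        return 4, bool(flags & RAR4_MHD_PASSWORD)
    return None


def base64_text_blob(body: bytes):
    """Return the decoded bytes of the first Base64 token that decodes to mostly
    printable text (what a command-output channel looks like), else None."""
    for match in B64_RE.finditer(body):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:                   # binascii.Error is a ValueError
            continue
        if len(raw) < 16:
            continue
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
        if printable >= 0.95 * len(raw):
            return raw
    return None


def classify_post(body: bytes) -> list:
    """Tag one POST body with the exfiltration patterns it matches."""
    findings = []
    info = rar_info(body)
    if info:
        version, encrypted = info
        findings.append(f"rar{version}-upload" + ("-encrypted-headers" if encrypted else ""))
    raw = base64_text_blob(body)
    if raw is not None:
        tagged = any(hint in raw for hint in WINDOWS_OUTPUT_HINTS)
        findings.append("base64-windows-command-output" if tagged else "base64-text")
    return findings


# Constructed sample bodies (not real traffic): a RAR5 archive whose first header is the
# encryption header, a RAR4 archive with MHD_PASSWORD set, Base64-wrapped dir output, and a
# benign JSON heartbeat.
CMD_OUTPUT = b" Volume in drive C has no label.\r\n Directory of C:\\Users\\victim\\Documents\r\n"
SAMPLE_POSTS = {
    "fadestealer-like": RAR5_MAGIC + b"\x00" * 4 + b"\x1c\x04\x00" + b"\x00" * 29,
    "rar4-password": RAR4_MAGIC + b"\x00\x00\x73\x80\x00\x0d\x00" + b"\x00" * 6,
    "rustonotto-like": b"id=7&data=" + base64.b64encode(CMD_OUTPUT),
    "benign": b'{"event":"heartbeat","ts":1700000000}',
}


def triage(posts=SAMPLE_POSTS) -> dict:
    """Classify every sample body; returns {name: [tags]}."""
    return {name: classify_post(body) for name, body in posts.items()}


if __name__ == "__main__":
    for name, tags in triage().items():
        print(f"{name:18s} {tags}")
```

The RAR check is deliberately shallow: it flags archives whose headers are encrypted (`-hp`), which is the cheapest thing to spot at the proxy, and says nothing about archives encrypted per file only. The Base64 heuristic fires on any long printable blob, so in production it belongs behind a destination allow-list or a minimum-size threshold, otherwise legitimate APIs that carry Base64 text fields will show up alongside the C2 traffic.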
Zscaler’s analysis highlights APT37’s growing use of stealthy code injection methods. “The technical analysis explores APT37’s sophisticated tactics, including spear phishing, Compiled HTML Help (CHM) file delivery, and Transactional NTFS (TxF) for stealthy code injection.”
In particular, the group pairs Process Doppelgänging with Python-based loaders to run payloads inside legitimate Windows processes. The technique writes the payload into a file opened within an NTFS transaction, creates an image section from that file, rolls the transaction back, and only then starts a process from the section, so the malicious image is never committed to disk and file-based scanners and image-path checks have little to inspect.

Unlike many APTs that operate distributed infrastructures, APT37 uses a single C2 server to orchestrate all malware components. ThreatLabz observed how the server manages command delivery, data exfiltration, and file uploads through lightweight PHP scripts that coordinate Rustonotto, Chinotto, and FadeStealer simultaneously.
ThreatLabz confirmed that most victims were located in South Korea. Based on decoy documents and lures, analysts assess with medium confidence that targets included individuals tied to North Korean regime interests or South Korean political and diplomatic circles.
Zscaler ThreatLabz concludes: “APT37 continues to prove its adaptability and proficiency by utilizing advanced tools and tactics to achieve its objectives. By incorporating new technologies alongside refined social engineering techniques, the group is able to effectively exfiltrate sensitive information and conduct targeted surveillance on individuals of interest.”