PULSE NAME
APT37 Targets Windows with Rust Backdoor and Python Loader
WHITE PetrP.73 2025-09-09 Modified: 2025-09-09
452 IOCs (HIGH VOLUME)
APT37, a North Korean-aligned threat actor, has been active since at least 2012, predominantly targeting South Korean individuals associated with the North Korean regime or human rights activism. Recent campaigns have showcased a notable evolution in their cyber tactics, most prominently through the introduction of a new Rust-based backdoor, termed Rustonotto. This marks a significant shift, as it is the first known instance of APT37 utilizing Rust-compiled malware to breach Windows systems. The threat actor orchestrates its malware arsenal through a single command-and-control (C2) server, employing various components including FadeStealer, a surveillance tool noted for its ability to log keystrokes, capture screenshots and audio, and exfiltrate data.
Indicators of Compromise (1 / 452 total)
TYPE | INDICATOR | DESCRIPTION | CREATED
URL | http://yangak.com/data/cheditor4/pro/temp/5.html | b35351d561f8f08faf635562bc18974ea4a2c326715177d7ed65018d4475cbae | 2025-09-09