APT37 Targets Windows with Rust Backdoor and Python Loader

    Date: 09/09/2025

    Severity: High

    Summary

    North Korean-aligned threat group APT37 (aka ScarCruft, Ruby Sleet, Velvet Chollima) has been observed using advanced malware in recent campaigns targeting individuals linked to the North Korean regime and human rights activism in South Korea. The group leverages a single C2 server to control multiple malware components, including the newly discovered Rustonotto (aka CHILLYCHINO), a Rust-based backdoor active since June 2025; the long-used PowerShell backdoor Chinotto; and FadeStealer, a surveillance tool that captures keystrokes, screenshots, audio, and removable media activity. APT37 employs spear phishing, CHM file delivery, and Transactional NTFS (TxF) for stealthy code injection, showcasing its evolving and sophisticated threat capabilities.

    Indicators of Compromise (IOC) List

    Hash (MD5, SHA-1 and SHA-256 values; the same values appear in the detection queries below)


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    md5hash IN ("b9900bef33c6cc9911a5cd7eeda8e093","04b5e068e6f0079c2c205a42df8a3a84","3d6b999d65c775c1d27c8efa615ee520","4caa44930e5587a0c9914bda9d240acc","77a70e87429c4e552649235a9a2cf11a","7967156e138a66f3ee1bfce81836d8d0","89986806a298ffd6367cf43f36136311","d2b34b8bfafd6b17b1cf931bb3fdd3db")

    Detection Query 2:

    hash IN ("670d4251e9c2438f70796dde747febe45aae1e19","9cb9b595177529d4e1bad577fa618d3fff5fa894")

    Detection Query 3:

    sha256hash IN ("b91bc5bc74dc056c1286dcbc8f41c09b19e52450b62857d36f454cedab860c55","738a31e7a0d96fe1b0ad6778db39425160835a80ac33ce8a84f26b71c00c26b9")
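    The three queries above are plain hash-set lookups split by algorithm. The following added example (not Gurucul's or Zscaler's code) applies the same lookup to constructed EDR-style JSON events, normalising case and choosing the algorithm from the digest length so that field-name differences between log sources (md5hash, hash, sha256hash) do not cause misses.

```python
# Added example (not Gurucul's or Zscaler's code): the three hash-match queries
# above applied to constructed EDR-style JSON events, case-insensitively.
import json

# IOC hashes from this advisory, grouped by algorithm (Queries 1-3).
IOC_HASHES = {
    "md5": {"b9900bef33c6cc9911a5cd7eeda8e093", "04b5e068e6f0079c2c205a42df8a3a84",
            "3d6b999d65c775c1d27c8efa615ee520", "4caa44930e5587a0c9914bda9d240acc",
            "77a70e87429c4e552649235a9a2cf11a", "7967156e138a66f3ee1bfce81836d8d0",
            "89986806a298ffd6367cf43f36136311", "d2b34b8bfafd6b17b1cf931bb3fdd3db"},
    "sha1": {"670d4251e9c2438f70796dde747febe45aae1e19",
             "9cb9b595177529d4e1bad577fa618d3fff5fa894"},
    "sha256": {"b91bc5bc74dc056c1286dcbc8f41c09b19e52450b62857d36f454cedab860c55",
               "738a31e7a0d96fe1b0ad6778db39425160835a80ac33ce8a84f26b71c00c26b9"},
}
# Digest length identifies the algorithm, so one pass covers all three queries.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")

def classify_hash(value):
    """Return (algorithm, lowercase hex) for a digest-looking string, else None."""
    h = value.strip().lower()
    algo = ALGO_BY_LEN.get(len(h))
    return (algo, h) if algo and set(h) <= HEX else None

def match_event(event):
    """Return [(field, algorithm, hash)] for every IOC hit in one event dict.
    Every string field is tested, so field naming differences cannot cause a miss."""
    hits = []
    for field, value in event.items():
        c = classify_hash(value) if isinstance(value, str) else None
        if c and c[1] in IOC_HASHES[c[0]]:
            hits.append((field, c[0], c[1]))
    return hits

def scan_events(lines):
    """Return (event, hits) for each JSON event line with at least one IOC hit."""
    out = []
    for ev in map(json.loads, lines):
        hits = match_event(ev)
        if hits:
            out.append((ev, hits))
    return out

# Constructed sample events: an MD5 hit in uppercase hex, a SHA-256 hit under a
# non-standard field name, and a benign event (MD5 of an empty file).
SAMPLE_EVENTS = [
    '{"host": "ws-01", "image": "x.exe", "md5hash": "B9900BEF33C6CC9911A5CD7EEDA8E093"}',
    '{"host": "ws-02", "image": "y.dll", "file_sha256": "738a31e7a0d96fe1b0ad6778db39425160835a80ac33ce8a84f26b71c00c26b9"}',
    '{"host": "ws-03", "image": "notepad.exe", "md5hash": "d41d8cd98f00b204e9800998ecf8427e"}',
]
```

    Running scan_events(SAMPLE_EVENTS) reports hits for ws-01 and ws-02 only; the benign empty-file digest on ws-03 is classified as MD5 but never matches.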

    Reference:

    https://www.zscaler.com/blogs/security-research/apt37-targets-windows-rust-backdoor-and-python-loader#introduction

    https://otx.alienvault.com/pulse/68bf9d1150de29c6099e81ff


    Tags

    Malware, Threat Actor, APT37, Aka ScarCruft, Ruby Sleet, Velvet Chollima, Rustonotto, Backdoor, FadeStealer, North Korea, South Korea, Python
