The North Korean-linked threat group APT37, also known as ScarCruft, has advanced its cyber capabilities by deploying sophisticated Rust- and Python-based malware targeting Windows systems in recent campaigns.
Active since 2012, APT37 focuses on South Korean individuals connected to the North Korean regime and human rights activists. Recent activities highlight the group’s tactical advancements through modern programming languages and enhanced evasion techniques.
Recent Campaigns and Tools
APT37’s latest operations utilize a single command-and-control (C2) server to manage multiple malware components. Notably, the group has introduced Rustonotto, a Rust-based backdoor active since June 2025. This marks APT37’s first known use of Rust to target Windows systems.
The backdoor enables basic execution of Windows commands and returns the results to attacker-controlled infrastructure. Additionally, the group employs Chinotto, a PowerShell backdoor in use since 2019, and FadeStealer, a surveillance tool first identified in 2023.
Sophisticated Infection Techniques
The attack methodology showcases APT37’s technical sophistication through multiple infection vectors. The group uses Windows shortcut files and Compiled HTML Help (CHM) files for initial compromise, followed by PowerShell-based payloads.
An advanced technique involves using Transactional NTFS (TxF) for stealthy code injection, demonstrating cutting-edge evasion capabilities. The Python-based infection chain employs Process Doppelgänging via a custom loader to decrypt and inject FadeStealer into legitimate Windows processes.
The group randomly selects legitimate executables such as calc.exe and svchost.exe as injection targets to enhance operational security.
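As an added example (not code from the article or from the reports it summarizes), the process-lineage checks below cover the chain described in this section: a CHM lure handing off to PowerShell, and calc.exe or svchost.exe started as an injection host by a script interpreter. The event records are constructed dicts shaped like Sysmon Event ID 1 fields; hh.exe being the Windows HTML Help viewer is a known fact, while services.exe as the only expected parent of svchost.exe is an assumption about the monitored environment.

```python
# Added example: process-lineage checks for the infection chain described above.
# Records are constructed dicts shaped like Sysmon Event ID 1 fields (not real telemetry).
from pathlib import PureWindowsPath

INJECTION_HOSTS = {"calc.exe", "svchost.exe"}          # injection hosts named in the article
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe", "pythonw.exe"}
EXPECTED_SVCHOST_PARENTS = {"services.exe"}             # assumption: normal svchost parent


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def classify(event: dict) -> list[str]:
    """Return the names of the rules this process-creation event matches."""
    image, parent = _basename(event["Image"]), _basename(event["ParentImage"])
    hits = []
    # CHM lure: hh.exe (Windows HTML Help viewer) launching PowerShell.
    if parent == "hh.exe" and image in {"powershell.exe", "pwsh.exe"}:
        hits.append("chm_spawns_powershell")
    # Custom loader: a script interpreter starting a calc/svchost injection host.
    if image in INJECTION_HOSTS and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawns_injection_target")
    # svchost.exe not started by services.exe is a classic hollowing indicator.
    if image == "svchost.exe" and parent not in EXPECTED_SVCHOST_PARENTS:
        hits.append("svchost_unexpected_parent")
    return hits


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each triggered rule to the command lines that triggered it."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(rule, []).append(ev["CommandLine"])
    return findings


# Constructed sample events: one benign svchost.exe start plus three suspicious ones.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\hh.exe", "CommandLine": "powershell.exe -w hidden"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": r"C:\Python311\python.exe", "CommandLine": "calc.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Python311\pythonw.exe", "CommandLine": "svchost.exe"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```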
Comprehensive Surveillance Operations
FadeStealer functions as a multi-threaded surveillance tool capable of real-time data collection. It logs keystrokes continuously, captures screenshots every 30 seconds, and records microphone audio in 5-minute intervals.
The malware monitors USB devices and cameras hourly, creating timestamped archives for data exfiltration. Surveillance data is compiled into password-protected RAR archives and transmitted to C2 servers via HTTP POST requests.
APT37’s C2 infrastructure employs compromised web servers with PHP scripts managing communication through JSON-based command arrays. This approach enables centralized control over Rustonotto, Chinotto, and FadeStealer components, utilizing consistent Base64-encoded communication protocols.
Indicators of Compromise (IOCs)