APT37: Rust Backdoor & Python Loader
APT37 Targets Windows with Rust Backdoor and Python Loader
Introduction
APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima) is a North Korean-aligned threat actor active since at least 2012. APT37 primarily targets South Korean individuals connected to the North Korean regime or involved in human rights activism, leveraging custom malware and adopting emerging technologies.
In recent campaigns, APT37 utilizes a single command-and-control (C2) server to orchestrate all components of their malware arsenal, including a Rust-based backdoor that ThreatLabz dubbed Rustonotto (also known as CHILLYCHINO), a PowerShell-based malware known as Chinotto, and FadeStealer. Rustonotto is a newly identified backdoor in use since June 2025. Chinotto is a well-documented PowerShell backdoor that has been in use since 2019. FadeStealer, first discovered in 2023, is a surveillance tool that records keystrokes, captures screenshots and audio, monitors devices and removable media, and exfiltrates data via password-protected …
IoC