Intel Name: APT37 targets Windows with Rust backdoor and Python loader
Date of Scan: September 9, 2025
Impact: High
Summary: The North Korean-aligned threat group APT37 (aka ScarCruft, Ruby Sleet, Velvet Chollima) has been observed using advanced malware in recent campaigns targeting individuals linked to the North Korean regime and to human rights activism in South Korea. The group controls multiple malware components from a single C2 server, including the newly discovered Rustonotto (aka CHILLYCHINO), a Rust-based backdoor active since June 2025; the long-used PowerShell backdoor Chinotto; and FadeStealer, a surveillance tool that captures keystrokes, screenshots, audio, and removable media activity. APT37 relies on spear phishing and CHM file delivery for initial access and uses Transactional NTFS (TxF) for stealthy code injection, demonstrating that its tooling and tradecraft continue to evolve.