Analytics Story: APT37 Rustonotto and FadeStealer

Description

APT37 is a North Korea-aligned threat actor that continues to evolve its Windows tradecraft, combining a Rust backdoor (Rustonotto), a PowerShell stage (Chinotto) and a Python-based loader to deploy the FadeStealer surveillance tool. Recent activity relies on spear-phishing attachments that deliver Windows shortcut (LNK) or compiled HTML Help (CHM) files, which stage artifacts under ProgramData and establish persistence through a scheduled task and a Run key entry. The campaign centralizes command and control on a single server and moves data and instructions over standard web protocols, encoding them with Base64 and XOR.
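The Base64-plus-XOR encoding mentioned above is the part of the chain an analyst meets first when triaging the staged file in ProgramData. The following is an added example (not code from the analytics story, from Splunk, or from the malware itself) of recovering such a payload when the key is unknown: Base64-decode, derive a candidate repeating XOR key of each short length from the standard 16-byte MS-DOS header that most linkers emit, and keep the first candidate whose output carries a valid PE signature at e_lfanew. The layering (Base64 outside, XOR inside), the known-header assumption, the maximum key length of 8 and the sample blob are assumptions of this example; the sample is a constructed PE-shaped byte string, not a campaign artifact.

```python
import base64

# Standard 16-byte MS-DOS header most linkers emit in front of a PE image.
# Treating it as known plaintext is an assumption of this example.
STD_DOS_HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return 0 < e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_payload(b64_text: str, max_keylen: int = 8):
    """Base64-decode, then for every key length up to max_keylen derive the
    key from the expected DOS header and keep the first candidate plaintext
    that passes looks_like_pe(). Returns (key, plaintext) or (None, None)."""
    blob = base64.b64decode(b64_text)
    if not blob:
        return None, None
    for n in range(1, min(max_keylen, len(STD_DOS_HEADER)) + 1):
        key = bytes(c ^ p for c, p in zip(blob[:n], STD_DOS_HEADER[:n]))
        candidate = xor_bytes(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None, None


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob for the demo: DOS header, e_lfanew
    pointing at 0x40, the PE signature and an AMD64 machine field. It is not
    a runnable executable."""
    hdr = bytearray(STD_DOS_HEADER)
    hdr += bytes(0x3C - len(hdr))               # pad up to the e_lfanew field
    hdr += (0x40).to_bytes(4, "little")          # e_lfanew = 0x40
    hdr += b"PE\0\0" + b"\x64\x86" + bytes(18)   # start of IMAGE_NT_HEADERS
    return bytes(hdr)


# What the loader would find on disk in this model: XOR with a short key,
# then Base64. The key value is arbitrary and chosen for the example.
SAMPLE_KEY = b"\x5a\xa5\x3c"
SAMPLE_B64 = base64.b64encode(xor_bytes(build_fake_pe(), SAMPLE_KEY)).decode()

if __name__ == "__main__":
    key, pe = decode_payload(SAMPLE_B64)
    print("recovered key:", key.hex() if key else None)
    print("valid PE image:", pe is not None and looks_like_pe(pe))
```

The e_lfanew check is what makes the short-key guesses fail cleanly: a two-byte key derived from "MZ" reproduces the first two bytes correctly but scrambles offset 0x3C, so the PE signature is never found. If a sample uses a non-standard DOS stub, the same loop can be re-run with the known-plaintext prefix shortened to just "MZ" and a stronger validator (section table sanity, entry point inside the image) in place of the signature check.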

Why it matters

The intrusion chain begins with a phishing-delivered archive that drops a Windows shortcut or CHM file to launch a simple stager. The stager connects to the single C2 server to fetch additional components and writes them to ProgramData, where a scheduled task named MicrosoftUpdate and a Run key entry are created for persistence. Rustonotto, a Rust-compiled backdoor, provides basic command execution; a PowerShell variant known as Chinotto may be used interchangeably for early control.

During hands-on-keyboard activity the actor retrieves a CAB archive, expands it on disk, and launches a legitimate Python interpreter that loads a compiled Python component internally named TransactedHollowing.py. This component reads a Base64-encoded, XOR-encrypted payload from disk, decrypts it, and injects it using a Transactional NTFS (TxF) variant of Process Doppelgänging, which the component's own name describes well: the decrypted payload is written inside an NTFS transaction, an image section is created from the transacted file, that section is mapped into a suspended legitimate process, and execution is redirected into the payload by rewriting the suspended thread's context. Because the transaction is rolled back rather than committed, the payload never lands on disk in a form that file-based scanners can inspect. Once resident, FadeStealer enables keylogging, screen capture and removable-device monitoring, and exfiltrates the collected data as password-protected RAR archives over HTTP to the same controller.

Each stage leaves telemetry that the detections below key on: CHM and LNK execution, staging and CAB expansion in ProgramData, scheduled task and Run key persistence, the Python loader's decode patterns, TxF-backed section mapping, and RAR creation followed by HTTP POST exfiltration over plain web protocols.
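To make the detection opportunities above concrete, here is an added example that runs offline. It is not the SPL of the Splunk detections listed in the table below; each rule is a simplified stand-in keyed to the same behaviour and labelled with the matching detection name. The rules are evaluated over constructed Sysmon-style process-creation (EID 1) and registry-value (EID 13) events plus one Stream-style HTTP record, modelling the chain from hh.exe spawning a child, through task and Run key persistence into ProgramData, CAB expansion, execution from ProgramData and password-protected RAR creation, to an archive POSTed over cleartext HTTP. The field names, paths, user name, task command, and the 203.0.113.10 address are all constructed for the example and are not indicators from the campaign.

```python
import re

PD = "c:\\programdata\\"                    # lower-cased prefix shared by several rules
PUBLIC_DIRS = (PD, "c:\\users\\public\\")

# Constructed sample telemetry (fabricated for this example, not real events).
SAMPLE_EVENTS = [
    {"eid": 1, "image": r"C:\Windows\hh.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\alice\Downloads\Invoice_0921.chm'},
    {"eid": 1, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\hh.exe",
     "cmdline": r"cmd.exe /c powershell.exe -ep bypass -w hidden -enc SQBFAFgAIAA="},
    {"eid": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn MicrosoftUpdate /tr "C:\ProgramData\svchost.bat" /f'},
    {"eid": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "details": r"wscript.exe C:\ProgramData\update.vbs"},
    {"eid": 1, "image": r"C:\Windows\System32\expand.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"expand.exe C:\ProgramData\pkg.cab -F:* C:\ProgramData\py"},
    {"eid": 1, "image": r"C:\ProgramData\py\python.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"python.exe C:\ProgramData\py\loader.pyc"},
    {"eid": 1, "image": r"C:\ProgramData\py\rar.exe", "parent_image": r"C:\ProgramData\py\python.exe",
     "cmdline": r"rar.exe a -hpS3cret -r C:\ProgramData\py\out.rar C:\Users\alice\AppData\Local\Temp\cap"},
    {"eid": "http", "method": "POST", "dest_ip": "203.0.113.10", "uri": "/upload.php",
     "content_type": "application/octet-stream", "filename": "out.rar", "bytes_out": 4200000},
    # Benign noise that must stay silent.
    {"eid": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'schtasks.exe /create /tn "\Microsoft\Windows\Defrag\ScheduledDefrag" /xml C:\Windows\Temp\defrag.xml'},
    {"eid": 1, "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"eid": "http", "method": "GET", "dest_ip": "203.0.113.10", "uri": "/",
     "content_type": "", "filename": "", "bytes_out": 300},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def chm_spawn_child(e):
    """Any process whose parent is hh.exe (the HTML Help viewer)."""
    return e["eid"] == 1 and _basename(e["parent_image"]) == "hh.exe"


def schtask_from_public_dir(e):
    """schtasks /create whose action lives in ProgramData or Users\\Public."""
    if e["eid"] != 1 or _basename(e["image"]) != "schtasks.exe":
        return False
    cmd = e["cmdline"].lower()
    return "/create" in cmd and any(d in cmd for d in PUBLIC_DIRS)


def schtask_suspicious_name(e):
    """The MicrosoftUpdate task name from this story."""
    if e["eid"] != 1 or _basename(e["image"]) != "schtasks.exe":
        return False
    return re.search(r'/tn\s+"?microsoftupdate\b', e["cmdline"], re.I) is not None


def run_key_to_programdata(e):
    """Sysmon EID 13 value under ...CurrentVersion\\Run whose data points into ProgramData."""
    return (e["eid"] == 13
            and re.search(r"\\currentversion\\run\\", e["target_object"], re.I) is not None
            and PD in e["details"].lower())


def expand_cab_in_programdata(e):
    """expand.exe unpacking a CAB into ProgramData."""
    return e["eid"] == 1 and _basename(e["image"]) == "expand.exe" and PD in e["cmdline"].lower()


def exec_from_programdata(e):
    """Image path rooted in ProgramData (python.exe and rar.exe in the sample)."""
    return e["eid"] == 1 and e["image"].lower().startswith(PD)


def rar_with_header_encryption(e):
    """'rar a' with -hp, which encrypts file names as well as contents."""
    return (e["eid"] == 1 and _basename(e["image"]) == "rar.exe"
            and re.search(r"\brar\.exe\s+a\b", e["cmdline"], re.I) is not None
            and re.search(r"\s-hp\S+", e["cmdline"]) is not None)


def archive_posted_over_http(e):
    """An archive leaving the host in a cleartext HTTP POST."""
    return (e["eid"] == "http" and e["method"] == "POST"
            and e["filename"].lower().endswith((".rar", ".zip", ".7z")))


RULES = {
    "Detect HTML Help Spawn Child Process": chm_spawn_child,
    "Suspicious Scheduled Task from Public Directory": schtask_from_public_dir,
    "Windows Scheduled Task with Suspicious Name": schtask_suspicious_name,
    "Registry Keys Used For Persistence": run_key_to_programdata,
    "Windows Cabinet File Extraction Via Expand": expand_cab_in_programdata,
    "Windows Process Execution From ProgramData": exec_from_programdata,
    "Windows Archive Collected Data via Rar": rar_with_header_encryption,
    "Plain HTTP POST Exfiltrated Data": archive_posted_over_http,
}


def run_rules(events):
    """Return (rule name, event index) for every rule that fires."""
    return [(name, i) for i, e in enumerate(events) for name, fn in RULES.items() if fn(e)]


def chain_stages(hits):
    """Distinct rules that fired; the story is the combination, not any one hit."""
    return len({name for name, _ in hits})


if __name__ == "__main__":
    for name, i in run_rules(SAMPLE_EVENTS):
        print(f"[{i:2}] {name}")
    print("stages observed:", chain_stages(run_rules(SAMPLE_EVENTS)))
```

The caveat a practitioner will want is the reason for chain_stages: execution from ProgramData, schtasks use and an HTTP POST are each noisy on their own, which is why several of the corresponding detections in the table below are typed Anomaly rather than TTP. Correlating them per host within a short window, as this toy pass does across one event list, is what turns the individual signals into an actionable story.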

Detections

Name | Technique | Type
Detect HTML Help Spawn Child Process | Compiled HTML File | TTP
BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | TTP
Cisco NVM - Suspicious Download From File Sharing Website | BITS Jobs | Anomaly
Cobalt Strike Named Pipes | Process Injection | TTP
Detect HTML Help Renamed | Compiled HTML File | Hunting
Detect HTML Help URL in Command Line | Compiled HTML File | TTP
Detect HTML Help Using InfoTech Storage Handlers | Compiled HTML File | TTP
Detect mshta inline hta execution | Mshta | TTP
Detect mshta renamed | Mshta | Hunting
Detect MSHTA Url in Command Line | Mshta | TTP
Detect Outlook exe writing a zip file | Spearphishing Attachment | TTP
Detect Rundll32 Inline HTA Execution | Mshta | TTP
Executables Or Script Creation In Temp Path | Masquerading | Anomaly
IcedID Exfiltrated Archived File Creation | Archive via Utility | Hunting
LOLBAS With Network Traffic | Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution | TTP
Malicious PowerShell Process - Execution Policy Bypass | PowerShell | Anomaly
Mshta spawning Rundll32 OR Regsvr32 Process | Mshta | TTP
PowerShell 4104 Hunting | PowerShell | Hunting
Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP
Process Creating LNK file in Suspicious Location | Spearphishing Link | TTP
Processes Tapping Keyboard Events | None | TTP
Recursive Delete of Directory In Batch CMD | File Deletion | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP
Suspicious Curl Network Connection | Ingress Tool Transfer | TTP
Suspicious Image Creation In Appdata Folder | Screen Capture | TTP
Suspicious mshta spawn | Mshta | TTP
Suspicious Process Executed From Container File | Malicious File, Masquerade File Type | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly
Windows Alternate DataStream - Base64 Content | NTFS File Attributes | TTP
Windows Archive Collected Data via Powershell | Archive Collected Data | Anomaly
Windows Archive Collected Data via Rar | Archive via Utility | Anomaly
Windows Archived Collected Data In TEMP Folder | Archive Collected Data | Anomaly
Windows Boot or Logon Autostart Execution In Startup Folder | Registry Run Keys / Startup Folder | Anomaly
Windows CAB File on Disk | Spearphishing Attachment | Anomaly
Windows Cabinet File Extraction Via Expand | Ingress Tool Transfer | TTP
Windows Curl Download to Suspicious Path | Ingress Tool Transfer | TTP
Windows Exfiltration Over C2 Via Invoke RestMethod | Exfiltration Over C2 Channel | TTP
Windows Exfiltration Over C2 Via Powershell UploadString | Exfiltration Over C2 Channel | TTP
Windows File Download Via PowerShell | PowerShell, Ingress Tool Transfer | Anomaly
Windows High File Deletion Frequency | Data Destruction | Anomaly
Windows HTTP Network Communication From MSIExec | Msiexec | Anomaly
Windows Indicator Removal Via Rmdir | Indicator Removal | Anomaly
Windows Input Capture Using Credential UI Dll | GUI Input Capture | Hunting
Windows ISO LNK File Creation | Malicious Link, Spearphishing Attachment | Hunting
Windows Obfuscated Files or Information via RAR SFX | Encrypted/Encoded File | Anomaly
Windows Office Product Dropped Cab or Inf File | Spearphishing Attachment | TTP
Windows Office Product Spawned Child Process For Download | Spearphishing Attachment | TTP
Windows Office Product Spawned Uncommon Process | Spearphishing Attachment | TTP
Windows Process Executed From Removable Media | Hardware Additions, Data from Removable Media, Replication Through Removable Media | Anomaly
Windows Process Execution From ProgramData | Match Legitimate Resource Name or Location | Anomaly
Windows Process Injection into Commonly Abused Processes | Portable Executable Injection | Anomaly
Windows Process Injection into Notepad | Portable Executable Injection | Anomaly
Windows Replication Through Removable Media | Replication Through Removable Media | TTP
Windows Scheduled Task with Suspicious Command | Scheduled Task | TTP
Windows Scheduled Task with Suspicious Name | Scheduled Task | TTP
Windows Screen Capture in TEMP folder | Screen Capture | TTP
Windows Screen Capture Via Powershell | Screen Capture | TTP
Windows Service Created with Suspicious Service Path | Service Execution | TTP
Windows Spearphishing Attachment Onenote Spawn Mshta | Spearphishing Attachment | TTP
Windows Suspicious Driver Loaded Path | Windows Service | TTP
Windows System Binary Proxy Execution Compiled HTML File Decompile | Compiled HTML File | TTP
Windows USBSTOR Registry Key Modification | Hardware Additions, Data from Removable Media, Replication Through Removable Media | Anomaly
Windows User Execution Malicious URL Shortcut File | Malicious File | Anomaly
Windows WPDBusEnum Registry Key Modification | Hardware Additions, Data from Removable Media, Replication Through Removable Media | Anomaly
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP
Multiple Archive Files Http Post Traffic | Exfiltration Over Unencrypted Non-C2 Protocol | TTP
Plain HTTP POST Exfiltrated Data | Exfiltration Over Unencrypted Non-C2 Protocol | TTP

Data Sources

Name | Platform | Sourcetype | Source
Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Splunk Stream HTTP | Splunk | stream:http | stream:http
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 15 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 23 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 26 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 6 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4700 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4702 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System

Source: GitHub | Version: 2