Analytics Story: APT37 Rustonotto and FadeStealer

Description

APT37 is a North Korea-aligned threat actor that continues to evolve its Windows tradecraft, combining a Rust backdoor, a PowerShell stage, and a Python-based loader to deploy the FadeStealer surveillance tool. Recent activity relies on spear-phishing attachments that deliver Windows shortcut (LNK) or compiled HTML Help (CHM) files, which stage artifacts in ProgramData and establish persistence through scheduled tasks and Run key modifications. The campaign centralizes command and control on a single server and uses standard web protocols with Base64 and XOR encoding to move data and instructions.

Why it matters

The intrusion chain begins with phishing-delivered archives that drop a Windows shortcut or CHM file to launch simple stagers. These stagers connect to a single C2 to fetch additional components and write them to ProgramData, where a scheduled task named MicrosoftUpdate and a Run key entry are created for persistence. Rustonotto, a Rust-compiled backdoor, provides basic command execution, while a PowerShell variant known as Chinotto may be used interchangeably for early control.

During hands-on-keyboard activity the actor retrieves a CAB archive and expands it on disk, then launches a legitimate Python module that side-loads a compiled Python component internally named TransactedHollowing.py. This module reads a Base64-encoded and XOR-encrypted payload from disk, decrypts it, and performs Process Doppelgänging via Windows Transactional NTFS (TxF) to map the payload into a suspended legitimate process and pivot execution through thread context manipulation. Once resident, FadeStealer activates keylogging, screen capture, and device monitoring features and exfiltrates the collected data as password-protected RAR archives over HTTP to the same controller.

The observed behaviors offer multiple opportunities for detection, including CHM and LNK execution, staging and expansion in ProgramData, scheduled task and Run key persistence, Python loader decode patterns, TxF-backed section mapping, and RAR-based exfiltration over web protocols.
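The individual stages above are each easy to match but noisy in isolation, so a practical approach is to correlate them per host. The following is an added example (not part of the Splunk content or the original story) that scores constructed Sysmon EventID 1 style process records against five stage predicates mirroring the chain described: a CHM-launched stager, CAB expansion into ProgramData, the MicrosoftUpdate task or a Run key write, Python executing from ProgramData, and a password-protected RAR built there. The sample records and the hypothetical host, file and task names other than MicrosoftUpdate are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed Sysmon EventID 1 style records (made-up samples, not campaign telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\hh.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c powershell -ep bypass -w hidden -f C:\ProgramData\stage.ps1"},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /sc minute /mo 10 /tn MicrosoftUpdate /tr C:\ProgramData\upd.exe"},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\expand.exe",
     "cmd": r"expand C:\ProgramData\pkg.cab -F:* C:\ProgramData\pkg"},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\ProgramData\pkg\python.exe",
     "cmd": r"C:\ProgramData\pkg\python.exe -m loader"},
    {"host": "ws01", "parent": r"C:\ProgramData\pkg\python.exe", "image": r"C:\ProgramData\pkg\rar.exe",
     "cmd": r"rar.exe a -hpSECRET C:\ProgramData\pkg\out.rar C:\ProgramData\pkg\log"},
    # Benign: an admin expanding a driver CAB elsewhere matches no stage.
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\expand.exe",
     "cmd": r"expand C:\Users\bob\Downloads\driver.cab -F:* C:\Users\bob\drv"},
]

# One predicate per behaviour the story names, over lower-cased (parent, image,
# command line). Each is noisy alone, so they are correlated per host below.
STAGES = {
    "chm_stager": lambda p, i, c: p.endswith("\\hh.exe")
        and i.endswith(("\\cmd.exe", "\\powershell.exe", "\\mshta.exe")),
    "programdata_expand": lambda p, i, c: i.endswith("\\expand.exe") and "\\programdata\\" in c,
    "task_or_runkey_persistence": lambda p, i, c: (i.endswith("\\schtasks.exe") and "/create" in c
        and re.search(r"/tn\s+microsoftupdate\b", c) is not None)
        or (i.endswith("\\reg.exe") and "currentversion\\run" in c),
    "python_from_programdata": lambda p, i, c: i.startswith("c:\\programdata\\")
        and i.endswith(("\\python.exe", "\\pythonw.exe")),
    "rar_password_archive": lambda p, i, c: i.endswith("\\rar.exe")
        and re.search(r"\s-hp\S", c) is not None and "\\programdata\\" in c,
}

def stages_hit(events):
    """Names of the stages matched by at least one event in the list."""
    hit = set()
    for e in events:
        p, i, c = (e[k].lower() for k in ("parent", "image", "cmd"))
        hit.update(name for name, pred in STAGES.items() if pred(p, i, c))
    return hit

def correlate(events, min_stages=3):
    """Per-host stage list for hosts showing at least min_stages distinct stages."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    hits = {h: sorted(stages_hit(evs)) for h, evs in by_host.items()}
    return {h: s for h, s in hits.items() if len(s) >= min_stages}
```

Tuning min_stages trades recall for precision: a single stage such as expand.exe writing to ProgramData is routine on many fleets, while three or more distinct stages on one host within a short window is a strong signal for this chain.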

Detections

Name | Technique | Type
Detect mshta renamed | Mshta | Hunting
Windows Indicator Removal Via Rmdir | Indicator Removal | Anomaly
Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP
Windows Suspicious C2 Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | TTP
Executables Or Script Creation In Temp Path | Masquerading | Anomaly
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Windows Office Product Spawned Uncommon Process | Spearphishing Attachment | TTP
Malicious PowerShell Process - Execution Policy Bypass | PowerShell | Anomaly
Windows Process Injection into Notepad | Portable Executable Injection | Anomaly
Windows Scheduled Task with Suspicious Name | Scheduled Task | TTP
Windows Screen Capture in TEMP folder | Screen Capture | TTP
Windows Archive Collected Data via Powershell | Archive Collected Data | Anomaly
Windows User Execution Malicious URL Shortcut File | Malicious File | Anomaly
Suspicious mshta spawn | Mshta | TTP
Windows Cabinet File Extraction Via Expand | Ingress Tool Transfer | TTP
Windows Suspicious Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | TTP
Windows Curl Download to Suspicious Path | Ingress Tool Transfer | TTP
Mshta spawning Rundll32 OR Regsvr32 Process | Mshta | TTP
Detect Outlook exe writing a zip file | Spearphishing Attachment | Anomaly
Windows Screen Capture Via Powershell | Screen Capture | TTP
Windows Exfiltration Over C2 Via Invoke RestMethod | Exfiltration Over C2 Channel | TTP
Processes Tapping Keyboard Events | None | TTP
Windows Input Capture Using Credential UI Dll | GUI Input Capture | Hunting
Windows Replication Through Removable Media | Replication Through Removable Media | TTP
Windows Alternate DataStream - Base64 Content | NTFS File Attributes | TTP
Windows Boot or Logon Autostart Execution In Startup Folder | Registry Run Keys / Startup Folder | Anomaly
Windows High File Deletion Frequency | Data Destruction | Anomaly
Windows WPDBusEnum Registry Key Modification | Data from Removable Media, Replication Through Removable Media, Hardware Additions | Anomaly
Plain HTTP POST Exfiltrated Data | Exfiltration Over Unencrypted Non-C2 Protocol | TTP
PowerShell 4104 Hunting | PowerShell | Hunting
Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly
Windows System Binary Proxy Execution Compiled HTML File Decompile | Compiled HTML File | TTP
Windows Scheduled Task with Suspicious Command | Scheduled Task | TTP
Recursive Delete of Directory In Batch CMD | File Deletion | TTP
LOLBAS With Network Traffic | Ingress Tool Transfer, System Binary Proxy Execution, Exfiltration Over Web Service | TTP
Multiple Archive Files Http Post Traffic | Exfiltration Over Unencrypted Non-C2 Protocol | TTP
Suspicious Image Creation In Appdata Folder | Screen Capture | TTP
Detect Rundll32 Inline HTA Execution | Mshta | TTP
Windows Archived Collected Data In TEMP Folder | Archive Collected Data | Anomaly
Detect HTML Help Spawn Child Process | Compiled HTML File | TTP
Windows Archive Collected Data via Rar | Archive via Utility | Anomaly
Windows HTTP Network Communication From MSIExec | Msiexec | Anomaly
Windows Process Executed From Removable Media | Data from Removable Media, Replication Through Removable Media, Hardware Additions | Anomaly
Process Creating LNK file in Suspicious Location | Spearphishing Link | Anomaly
Scheduled Task Deleted Or Created via CMD | Scheduled Task | Anomaly
Windows File Download Via PowerShell | PowerShell, Ingress Tool Transfer | Anomaly
Detect mshta inline hta execution | Mshta | TTP
Windows Office Product Spawned Child Process For Download | Spearphishing Attachment | TTP
Windows Process Execution From ProgramData | Match Legitimate Resource Name or Location | Hunting
Suspicious Process Executed From Container File | Masquerade File Type, Malicious File | TTP
Windows ISO LNK File Creation | Malicious Link, Spearphishing Attachment | Hunting
BITSAdmin Download File | Ingress Tool Transfer, BITS Jobs | TTP
Windows CAB File on Disk | Spearphishing Attachment | Anomaly
Windows Office Product Dropped Cab or Inf File | Spearphishing Attachment | TTP
Windows Spearphishing Attachment Onenote Spawn Mshta | Spearphishing Attachment | TTP
Windows Suspicious Driver Loaded Path | Windows Service | TTP
Detect HTML Help Using InfoTech Storage Handlers | Compiled HTML File | TTP
Detect MSHTA Url in Command Line | Mshta | TTP
Windows Exfiltration Over C2 Via Powershell UploadString | Exfiltration Over C2 Channel | TTP
Windows Service Created with Suspicious Service Path | Service Execution | TTP
Windows Obfuscated Files or Information via RAR SFX | Encrypted/Encoded File | Anomaly
Detect HTML Help Renamed | Compiled HTML File | Hunting
Windows Process Injection into Commonly Abused Processes | Portable Executable Injection | Anomaly
Cisco NVM - Suspicious Download From File Sharing Website | BITS Jobs | Anomaly
IcedID Exfiltrated Archived File Creation | Archive via Utility | Hunting
Windows USBSTOR Registry Key Modification | Data from Removable Media, Replication Through Removable Media, Hardware Additions | Anomaly
Suspicious Curl Network Connection | Ingress Tool Transfer | TTP
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP
Detect HTML Help URL in Command Line | Compiled HTML File | TTP

Data Sources

Name | Platform | Sourcetype | Source
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4700 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4702 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable
Osquery Results | Other | osquery:results | osquery
Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 15 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 26 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 23 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Splunk Stream HTTP | Splunk | stream:http | stream:http
Sysmon EventID 3 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 6 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System
Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational

Source: GitHub | Version: 3