
Windows Targeted with Rust Backdoor and Python Loader

Severity: Medium
Published: Mon Sep 08 2025 (09/08/2025, 14:41:38 UTC)
Source: AlienVault OTX General

Description

APT37, a North Korean threat actor, has been observed using new tactics and tools in recent campaigns. The group has deployed a Rust-based backdoor named Rustonotto alongside its existing PowerShell-based Chinotto malware and the FadeStealer surveillance tool. Windows shortcut (.lnk) files and Compiled HTML Help (.chm) files serve as the initial infection vectors. The attack chain combines spear phishing, CHM-based delivery, and Transactional NTFS (TxF) for stealthy code injection. A single command-and-control server orchestrates every component of the malware arsenal. FadeStealer logs keystrokes, captures screenshots and audio, tracks connected devices, and exfiltrates the collected data in password-protected RAR archives.

AI-Powered Analysis

Last updated: 09/08/2025, 15:46:42 UTC

Technical Analysis

APT37, a North Korean advanced persistent threat actor, has been observed running a malware campaign against Windows systems. The campaign introduces a Rust-based backdoor named Rustonotto alongside two previously documented tools, the PowerShell-based Chinotto and the surveillance-focused FadeStealer. Initial access is by spear phishing: the lures are Windows shortcut (.lnk) files and Compiled HTML Help (.chm) files, both of which run attacker-controlled commands when the recipient opens them and both of which are often subject to less scrutiny than executables or macro-enabled documents. For code injection the actor abuses Transactional NTFS (TxF): a payload is written to a file inside an NTFS transaction, mapped into memory, and the transaction is then rolled back, so the modified file never persists on disk and file-based scanners have nothing to examine. TxF has been deprecated by Microsoft since Windows 8, but the API is still present in current Windows builds, so the technique keeps working. Every component reports to a single command-and-control (C2) server, which simplifies the actor's operations and means that one set of network indicators covers the whole toolset. FadeStealer is a comprehensive surveillance tool that logs keystrokes, captures screenshots and audio, tracks connected devices, and exfiltrates the collected data in password-protected RAR archives, which defeats content inspection in transit. The move to Rust for Rustonotto fits a broader trend among threat actors: Rust binaries are statically linked, carry a large runtime, and are less well covered by analysis tooling and existing signatures, which raises the cost of reverse engineering. Taken together, the multiple delivery formats, the stealthy injection technique and the tightly integrated toolset are consistent with APT37's history of targeting geopolitical and strategic interests.
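The two stealth points in the analysis above, the CHM/LNK delivery chain and the TxF rollback trick, both leave a behavioural trace that an EDR or SIEM can match on. The following detector is an added example written for this page; it is not code from Zscaler or from the OTX pulse. The process-creation events and the per-process API trace are constructed, the event schema (parent image, child image, command line) and the rule names are assumptions, and the fact that hh.exe is the Windows CHM viewer is general Windows knowledge rather than something the report states. The TxF rule matches the sequence that makes transacted injection stealthy: a file is created inside a transaction, a section is mapped from it, and the transaction is rolled back so the file never reaches disk.

```python
"""Heuristic detections for the APT37 chain described above (CHM/LNK delivery and
Transactional NTFS injection). Added example, not code from Zscaler or OTX; the
event schema, the sample events and the rule names are assumptions."""
import re

# Constructed process-creation events: (parent image, child image, command line).
PROC_EVENTS = [
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\hh.exe",
     'hh.exe "C:\\Users\\victim\\Downloads\\invitation.chm"'),
    ("C:\\Windows\\hh.exe", "C:\\Windows\\System32\\cmd.exe",
     "cmd.exe /c powershell -w hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -WindowStyle Hidden -NoProfile -EncodedCommand UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\notepad.exe",
     'notepad.exe "C:\\Users\\victim\\Documents\\todo.txt"'),
]

# Constructed per-process API trace, in the shape a user-mode hooking EDR records.
API_TRACES = {
    1234: ["CreateTransaction", "CreateFileTransactedW", "WriteFile",
           "NtCreateSection", "NtRollbackTransaction", "NtCreateProcessEx"],
    5678: ["CreateFileW", "WriteFile", "CloseHandle"],
}

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# Hidden-window or encoded-command switches typical of LNK and CHM payloads.
HIDDEN_OR_ENCODED = re.compile(
    r"(?i)(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s+\S)")
CHM_FROM_USER_PATH = re.compile(r'(?i)\\(?:downloads|temp|appdata)\\[^"]*\.chm')


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify_process(parent: str, child: str, cmdline: str) -> list:
    """Return the rule names that fire for one process-creation event."""
    p, c = _name(parent), _name(child)
    hits = []
    if p == "hh.exe" and c in SCRIPT_HOSTS:
        # The CHM viewer has no business launching a script host.
        hits.append("chm_handler_spawned_script_host")
    if p == "explorer.exe" and c in SCRIPT_HOSTS and HIDDEN_OR_ENCODED.search(cmdline):
        # A double-clicked .lnk runs as a child of the user's shell.
        hits.append("user_shell_launched_hidden_interpreter")
    if c == "hh.exe" and CHM_FROM_USER_PATH.search(cmdline):
        hits.append("chm_opened_from_user_writable_path")
    return hits


def txf_injection_sequence(calls: list) -> bool:
    """True when a process creates a file inside an NTFS transaction, maps a
    section from it and then rolls the transaction back: the file never lands
    on disk, but the section (and anything created from it) survives."""
    order = ["CreateFileTransacted", "NtCreateSection", "NtRollbackTransaction"]
    pos = 0
    for call in calls:
        if call.startswith(order[pos]):
            pos += 1
            if pos == len(order):
                return True
    return False


def scan(proc_events=PROC_EVENTS, api_traces=API_TRACES) -> dict:
    """Run both detectors; returns {'process': [(index, rules)], 'txf': [pids]}."""
    proc_hits = [(i, r) for i, ev in enumerate(proc_events) if (r := classify_process(*ev))]
    txf_hits = [pid for pid, calls in api_traces.items() if txf_injection_sequence(calls)]
    return {"process": proc_hits, "txf": txf_hits}


if __name__ == "__main__":
    for kind, hits in scan().items():
        print(kind, hits)
```

The API-sequence rule is deliberately order-sensitive but gap-tolerant: a legitimate transacted write followed by CommitTransaction never reaches the rollback step, while an injector that interleaves unrelated calls still matches. In production the command-line patterns belong in a tuned allow-list, since a few administrative tools legitimately pass -EncodedCommand.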

Potential Impact

For European organizations the threat is most relevant to government agencies, critical infrastructure operators, defense contractors, and any sector that handles sensitive intellectual property or personal data. Rustonotto and the tools around it give the actor persistent remote access, surveillance and data exfiltration, so the confidentiality and integrity of sensitive information is at stake. The low-scrutiny delivery formats and the TxF injection technique raise the odds of a successful foothold and of a long undetected dwell time, and exfiltration in password-protected archives blocks content inspection and complicates forensic reconstruction of what was taken. Affected organizations face operational disruption, reputational damage, and GDPR penalties where personal data is involved. The medium severity rating balances the advanced tradecraft against the fact that infection requires user interaction with a spear-phishing lure; the actor's espionage focus nonetheless aligns the threat with national-security and strategic interests in Europe.

Mitigation Recommendations

1. Enhance email security with anti-phishing controls that inspect attachments, including those nested inside archives, and treat .lnk and .chm files from external senders as malicious by default.
2. Block Windows shortcut and Compiled HTML Help files at the mail gateway and web proxy, or route them to a sandbox; neither format has a legitimate reason to arrive by email from outside the organization.
3. Use endpoint detection and response (EDR) tooling with behavioural rules that cover this chain: hh.exe (the CHM viewer) or explorer.exe spawning cmd.exe or PowerShell with hidden-window or encoded-command switches, and processes or sections created from a file inside an NTFS transaction that is later rolled back.
4. Monitor outbound traffic for connections to the C2 indicators in the source report and for transfers whose payload is a password-protected archive. The RAR contents cannot be inspected, so alert on the archive signature, transfer volume and unexpected destinations instead.
5. Enforce least privilege and application control (allow-listing) so that scripts and unsigned binaries dropped by a shortcut or help file cannot run.
6. Run user awareness training focused on spear phishing, using the lure formats seen here (shortcut and help-file attachments) as examples.
7. Consume threat intelligence feeds and load the file hashes listed below into EDR, SIEM and mail-gateway blocklists; hashes are brittle, so pair them with the behavioural rules above.
8. Exercise the incident response plan against an espionage scenario: long-dwell access, keylogging and staged exfiltration.
9. Detonate suspicious attachments in an isolated sandbox before releasing them to users.
10. Share indicators and observations with the national CSIRT or cybersecurity agency.
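Recommendations 1, 2 and 7 reduce to one gateway check: open each attachment, descend into archives, refuse shortcut and help files, and compare digests against the published indicators. The script below is an added example written for this page, not code from Zscaler or the OTX pulse. The hash set is copied from the Indicators of Compromise section; the sample message is constructed (its .lnk and .chm payloads are a few bytes of magic, not real files), and the blocked-extension policy and the archive nesting depth are assumptions.

```python
"""Mail-attachment triage for the delivery vectors and IoCs on this page.
Added example, not the page's or Zscaler's code: the sample message is
constructed, the extension policy and nesting depth are assumptions."""
import email
import hashlib
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# File hashes listed under "Indicators of Compromise" on this page.
IOC_HASHES = {
    "04b5e068e6f0079c2c205a42df8a3a84", "3d6b999d65c775c1d27c8efa615ee520",
    "4caa44930e5587a0c9914bda9d240acc", "77a70e87429c4e552649235a9a2cf11a",
    "7967156e138a66f3ee1bfce81836d8d0", "89986806a298ffd6367cf43f36136311",
    "b9900bef33c6cc9911a5cd7eeda8e093", "d2b34b8bfafd6b17b1cf931bb3fdd3db",
    "670d4251e9c2438f70796dde747febe45aae1e19",
    "b91bc5bc74dc056c1286dcbc8f41c09b19e52450b62857d36f454cedab860c55",
}
# Recommendation 2: shortcut and Compiled HTML Help files from untrusted senders.
BLOCKED_EXTENSIONS = {".lnk", ".chm"}
MAX_ZIP_DEPTH = 2  # assumption: how many nested archive levels to unpack


def digests(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 so any of the published hash types can match."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def inspect_blob(name: str, data: bytes, depth: int = 0):
    """Yield (path, reason) findings for one attachment, descending into ZIPs."""
    if IOC_HASHES & set(digests(data).values()):
        yield name, "hash matches published IoC"
    if _ext(name) in BLOCKED_EXTENSIONS:
        yield name, f"blocked attachment type {_ext(name)}"
    # LNK and CHM lures commonly travel inside archives; unpack a bounded depth.
    if depth < MAX_ZIP_DEPTH and data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    inner = zf.read(info)  # assumption: small members; cap size in production
                    yield from inspect_blob(f"{name}/{info.filename}", inner, depth + 1)
        except zipfile.BadZipFile:
            yield name, "ZIP signature but archive unreadable (possible evasion)"


def triage_message(raw: bytes) -> list:
    """Return all findings for one RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.extend(inspect_blob(part.get_filename() or "unnamed", payload))
    return findings


def build_sample() -> bytes:
    """Constructed spear-phishing message: a ZIP holding a .lnk plus a bare .chm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Conference_Invitation.lnk", b"L\x00\x00\x00" + b"\x00" * 60)  # LNK magic only
        zf.writestr("readme.txt", b"see attached")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invitation"
    msg.set_content("Please review the attached invitation.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invitation.zip")
    msg.add_attachment(b"ITSF" + b"\x00" * 32, maintype="application",  # CHM magic only
                       subtype="octet-stream", filename="guide.chm")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, reason in triage_message(build_sample()):
        print(f"{path}: {reason}")
```

The extension check runs on the member name inside the archive, not on the outer .zip, which is what defeats the usual trick of wrapping a shortcut in an archive so the gateway only sees a harmless container. Hash matching is included because the page ships hashes, but as recommendation 7 notes it only catches the exact samples already seen; the extension and behavioural rules do the real work.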


Technical Details

Author
AlienVault
Tlp
white
References
["https://www.zscaler.com/blogs/security-research/apt37-targets-windows-rust-backdoor-and-python-loader"]
Adversary
APT37
Pulse Id
68beeb2264c6088bd05c00a3
Threat Score
null

Indicators of Compromise

Hash

Type (inferred from digest length)   Value
MD5       04b5e068e6f0079c2c205a42df8a3a84
MD5       3d6b999d65c775c1d27c8efa615ee520
MD5       4caa44930e5587a0c9914bda9d240acc
MD5       77a70e87429c4e552649235a9a2cf11a
MD5       7967156e138a66f3ee1bfce81836d8d0
MD5       89986806a298ffd6367cf43f36136311
MD5       b9900bef33c6cc9911a5cd7eeda8e093
MD5       d2b34b8bfafd6b17b1cf931bb3fdd3db
SHA-1     670d4251e9c2438f70796dde747febe45aae1e19
SHA-256   b91bc5bc74dc056c1286dcbc8f41c09b19e52450b62857d36f454cedab860c55

No per-hash descriptions are given in the pulse.

Threat ID: 68bef6ded5a2966cfc80a0b9

Added to database: 9/8/2025, 3:31:42 PM

Last enriched: 9/8/2025, 3:46:42 PM

Last updated: 9/9/2025, 4:40:32 PM

Views: 26
