APT37 strikes: New Rust backdoor endangers South Korean users!


APT37 uses the new Rust-based backdoor “Rustonotto” for targeted attacks on Windows systems in South Korea.



A new wave of attacks is drawing attention in the fast-moving world of cybersecurity: the North Korean APT group APT37, also known as ScarCruft, Ruby Sleet or Velvet Chollima, has significantly expanded its malware arsenal. What particularly stands out is a new backdoor written in the Rust programming language, named "Rustonotto", that specifically targets Windows systems. Security Insider has published this information.

APT37's attacks have been recorded primarily in South Korea. They use malicious Windows shortcut (LNK) files or Compiled HTML Help (CHM) files as the entry point. All activity runs through a single command and control (C2) server, through which the attackers keep control over the compromised systems. Analysis by Zscaler's ThreatLabz shows that Rustonotto has been active since June 2025 and is the first known Rust-based malware from this group.

Singular access and sophisticated techniques

The attacks do not appear to be directed at companies or government bodies but at individuals with ties to the North Korean regime or to sensitive political matters in South Korea. APT37 uses a combination of several malware components, including the surveillance tool "FadeStealer", which not only logs keystrokes but also takes screenshots and records audio. The collected data is compressed into password-protected RAR archives and sent to the C2 server. According to Cyberpress, the operation also relies on evasion techniques such as Transactional NTFS (TxF) and Process Doppelgänging, which make detection considerably harder: with Process Doppelgänging the payload is written into a transacted file, mapped into a process image from that file, and the transaction is then rolled back, so the executable never persists on disk and file-based scanners have nothing to inspect.

A scheduled task disguised as "MicrosoftUpdate" executes the Rustonotto payload at regular intervals and thus gives the attackers persistent access to affected systems. The malware also uses a combination of encoding and obfuscation techniques to cover its tracks and evade monitoring.
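The persistence and delivery details above are the parts a defender can actually go and check. The following hunt script is an added example for this article, not code from the article, from Zscaler or from Cyberpress. It assumes only what the text states (a scheduled task named "MicrosoftUpdate", LNK or CHM lures); the task folder, its action binary, the payload path and the lure contents are not published here, so the script reports matches with reasons instead of deleting anything. The folders scanned for lures, the 30-day look-back and the "shortcut points at a script host" heuristic are the author's assumptions, not indicators from the report.

```powershell
<#
  Added hunt script, not code from the article, Zscaler or Cyberpress.
  Assumptions (not from the article): the persistence task is named exactly
  "MicrosoftUpdate"; lure LNK/CHM files land in per-user Downloads, Desktop or
  Temp folders; the 30-day look-back is arbitrary; a shortcut that launches a
  script host is treated as suspicious. Run from an elevated PowerShell 5.1+ session.
#>
param([int]$LookbackDays = 30)

function Test-MicrosoftSigned {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

$findings = @()

# 1. Scheduled-task persistence: any task literally named "MicrosoftUpdate".
#    Windows' own update tasks live under \Microsoft\Windows\WindowsUpdate\ and
#    do not carry this name, so a hit deserves a look regardless of its folder.
foreach ($task in (Get-ScheduledTask | Where-Object { $_.TaskName -ieq 'MicrosoftUpdate' })) {
    $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }          # skip COM-handler/e-mail actions
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        if (-not [IO.Path]::IsPathRooted($exe)) {       # bare name: resolve via PATH
            $cmd = Get-Command $exe -ErrorAction SilentlyContinue
            if ($cmd) { $exe = $cmd.Source }
        }
        $reasons = @('task name matches the reported persistence name')
        if (-not (Test-Path -LiteralPath $exe)) {
            $reasons += 'action binary not found on disk'
        } else {
            if (-not (Test-MicrosoftSigned $exe))            { $reasons += 'action binary not validly Microsoft-signed' }
            if ($exe -match '(?i)\\(Users|ProgramData|Temp)\\') { $reasons += 'action binary in a user-writable location' }
        }
        $findings += [pscustomobject]@{
            Kind      = 'task'
            Path      = "$($task.TaskPath)$($task.TaskName)"
            Target    = $exe
            Arguments = $action.Arguments
            LastRun   = $info.LastRunTime
            Reasons   = $reasons -join '; '
        }
    }
}

# 2. Lure files: recently created .lnk/.chm in user-writable landing folders.
$since = (Get-Date).AddDays(-$LookbackDays)
$shell = New-Object -ComObject WScript.Shell
$hosts = '(?i)\\(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|hh)\.exe$'
$folders = foreach ($u in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    foreach ($sub in 'Downloads', 'Desktop', 'AppData\Local\Temp') { Join-Path $u.FullName $sub }
}
$lures = Get-ChildItem -Path $folders -Recurse -File -Include *.lnk, *.chm -ErrorAction SilentlyContinue |
         Where-Object { $_.CreationTime -ge $since }
foreach ($f in $lures) {
    $reasons = @("$($f.Extension) file created $($f.CreationTime.ToString('u'))")
    $target = ''; $args = ''
    if ($f.Extension -ieq '.lnk') {                     # resolve what the shortcut really runs
        $lnk    = $shell.CreateShortcut($f.FullName)
        $target = $lnk.TargetPath
        $args   = $lnk.Arguments
        if ($target -match $hosts) { $reasons += 'shortcut launches a script host or HTML Help' }
        if ($args.Length -gt 200)  { $reasons += 'unusually long shortcut arguments' }
    }
    $findings += [pscustomobject]@{
        Kind = 'lure'; Path = $f.FullName; Target = $target
        Arguments = $args; LastRun = $null; Reasons = $reasons -join '; '
    }
}

if ($findings) { $findings | Format-List }
else { Write-Host "No MicrosoftUpdate task or recent LNK/CHM lures found (look-back $LookbackDays days)." }
```

Every hit is reported with the reasons that triggered it rather than removed, because a task named MicrosoftUpdate could also be a third-party installer's leftover; the Target and Arguments fields are what to pivot on (the binary's hash, the C2 address in its configuration) before touching the host. Note that a rolled-back TxF transaction leaves no payload file behind, so an unsigned or missing action binary is a stronger signal here than its contents.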

APTs and their goals

The BSI (Germany's Federal Office for Information Security) has been monitoring the activities of such groups for a long time. Its reports document the strategic goals of these groups, which can shift over time. The current threat landscape is shaped by persistent attacker groups pursuing specific interests, among them APT37, whose aim is to collect information (see [BSI]).

The attackers often operate in a legal gray area, which makes their activities particularly sensitive. With modern programming languages and sophisticated injection methods, APT37 has proven not only dangerous but also highly adaptable. Companies and individuals are therefore advised to revisit their cybersecurity strategies and to check existing systems regularly for signs of compromise.

The world of cyber threats is volatile and constantly changing, so keeping an eye on the current threat situation can't hurt!