diff --git a/detections/application/detect_html_help_spawn_child_process.yml b/detections/application/detect_html_help_spawn_child_process.yml
index 4047b390a4..5c2918d2bf 100644
--- a/detections/application/detect_html_help_spawn_child_process.yml
+++ b/detections/application/detect_html_help_spawn_child_process.yml
@@ -1,7 +1,7 @@
name: Detect HTML Help Spawn Child Process
id: 723716de-ee55-4cd4-9759-c44e7e55ba4b
-version: 11
-date: '2025-05-02'
+version: 12
+date: '2025-09-18'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -79,6 +79,7 @@ tags:
- AgentTesla
- Living Off The Land
- Compromised Windows Host
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1218.001
diff --git a/detections/endpoint/bitsadmin_download_file.yml b/detections/endpoint/bitsadmin_download_file.yml
index 34ca23a6d1..efb921ec63 100644
--- a/detections/endpoint/bitsadmin_download_file.yml
+++ b/detections/endpoint/bitsadmin_download_file.yml
@@ -1,7 +1,7 @@
name: BITSAdmin Download File
id: 80630ff4-8e4c-11eb-aab5-acde48001122
version: 13
-date: '2025-09-16'
+date: '2025-09-18'
author: Michael Haag, Sittikorn S
status: production
type: TTP
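Review bot: the `date` moves to 2025-09-18 but `version: 13` is left untouched, whereas every other header hunk in this patch increments the version together with the date. If the 2025-09-16 bump to 13 is still unreleased this is fine; otherwise bump to 14 so the story mapping ships as a versioned change. The same date-only pattern appears in powershell_4104_hunting.yml (version 20), powershell_fileless_script_contains_base64_encoded_content.yml (version 13) and windows_file_download_via_powershell.yml (version 3).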
@@ -81,6 +81,7 @@ tags:
- Flax Typhoon
- Gozi Malware
- Scattered Spider
+ - APT37 Rustonotto and FadeStealer
- GhostRedirector IIS Module and Rungan Backdoor
asset_type: Endpoint
mitre_attack_id:
diff --git a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
index dafdcbd6f7..fd1a19227c 100644
--- a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
@@ -1,7 +1,7 @@
name: Cisco NVM - Suspicious Download From File Sharing Website
id: 94ebc001-35e7-4ae8-9b0e-52766b2f99c7
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2025-09-18'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -97,6 +97,7 @@ rba:
type: process_name
tags:
analytic_story:
+ - APT37 Rustonotto and FadeStealer
- Cisco Network Visibility Module Analytics
asset_type: Endpoint
mitre_attack_id:
diff --git a/detections/endpoint/cobalt_strike_named_pipes.yml b/detections/endpoint/cobalt_strike_named_pipes.yml
index 6a7ed2ea42..c0bdc330dd 100644
--- a/detections/endpoint/cobalt_strike_named_pipes.yml
+++ b/detections/endpoint/cobalt_strike_named_pipes.yml
@@ -1,7 +1,7 @@
name: Cobalt Strike Named Pipes
id: 5876d429-0240-4709-8b93-ea8330b411b5
-version: 10
-date: '2025-08-04'
+version: 11
+date: '2025-09-18'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -90,6 +90,7 @@ tags:
- Graceful Wipe Out Attack
- LockBit Ransomware
- Gozi Malware
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1055
diff --git a/detections/endpoint/detect_html_help_renamed.yml b/detections/endpoint/detect_html_help_renamed.yml
index 44efeb5579..f5a823524d 100644
--- a/detections/endpoint/detect_html_help_renamed.yml
+++ b/detections/endpoint/detect_html_help_renamed.yml
@@ -1,7 +1,7 @@
name: Detect HTML Help Renamed
id: 62fed254-513b-460e-953d-79771493a9f3
-version: 11
-date: '2025-05-02'
+version: 12
+date: '2025-09-18'
author: Michael Haag, Splunk
status: production
type: Hunting
@@ -45,6 +45,7 @@ tags:
analytic_story:
- Suspicious Compiled HTML Activity
- Living Off The Land
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1218.001
diff --git a/detections/endpoint/detect_html_help_url_in_command_line.yml b/detections/endpoint/detect_html_help_url_in_command_line.yml
index 7e3a4f32c3..987241bff9 100644
--- a/detections/endpoint/detect_html_help_url_in_command_line.yml
+++ b/detections/endpoint/detect_html_help_url_in_command_line.yml
@@ -1,7 +1,7 @@
name: Detect HTML Help URL in Command Line
id: 8c5835b9-39d9-438b-817c-95f14c69a31e
-version: 12
-date: '2025-06-30'
+version: 13
+date: '2025-09-18'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -82,6 +82,7 @@ rba:
type: process_name
tags:
analytic_story:
+ - APT37 Rustonotto and FadeStealer
- Suspicious Compiled HTML Activity
- Living Off The Land
- Compromised Windows Host
diff --git a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
index d096ef262e..62415a7ddc 100644
--- a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
+++ b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
@@ -1,7 +1,7 @@
name: Detect HTML Help Using InfoTech Storage Handlers
id: 0b2eefa5-5508-450d-b970-3dd2fb761aec
-version: 10
-date: '2025-05-02'
+version: 11
+date: '2025-09-18'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -76,6 +76,7 @@ tags:
- Suspicious Compiled HTML Activity
- Living Off The Land
- Compromised Windows Host
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1218.001
diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml
index 89cedd60ca..d2f37de1e9 100644
--- a/detections/endpoint/detect_mshta_inline_hta_execution.yml
+++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml
@@ -1,7 +1,7 @@
name: Detect mshta inline hta execution
id: a0873b32-5b68-11eb-ae93-0242ac130002
-version: '17'
-date: '2025-05-06'
+version: '18'
+date: '2025-09-18'
author: Bhavin Patel, Michael Haag, Splunk
status: production
type: TTP
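Review bot: `version: '18'` keeps the version as a quoted string while every other detection touched in this patch uses a bare integer (for example `version: 12` in detect_html_help_renamed.yml). Since the line is being rewritten anyway, drop the quotes so the field type is consistent across the repo and does not need special-casing by tooling that compares versions numerically.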
@@ -80,6 +80,7 @@ tags:
- Living Off The Land
- Suspicious MSHTA Activity
- XWorm
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1218.005
diff --git a/detections/endpoint/detect_mshta_renamed.yml b/detections/endpoint/detect_mshta_renamed.yml
index 41fa471e01..664f76887c 100644
--- a/detections/endpoint/detect_mshta_renamed.yml
+++ b/detections/endpoint/detect_mshta_renamed.yml
@@ -1,7 +1,7 @@
name: Detect mshta renamed
id: 8f45fcf0-5b68-11eb-ae93-0242ac130002
-version: 10
-date: '2025-05-02'
+version: 11
+date: '2025-09-18'
author: Michael Haag, Splunk
status: production
type: Hunting
@@ -43,6 +43,7 @@ tags:
analytic_story:
- Suspicious MSHTA Activity
- Living Off The Land
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1218.005
diff --git a/detections/endpoint/detect_mshta_url_in_command_line.yml b/detections/endpoint/detect_mshta_url_in_command_line.yml
index 2645611206..d924662ab3 100644
--- a/detections/endpoint/detect_mshta_url_in_command_line.yml
+++ b/detections/endpoint/detect_mshta_url_in_command_line.yml
@@ -1,7 +1,7 @@
name: Detect MSHTA Url in Command Line
id: 9b3af1e6-5b68-11eb-ae93-0242ac130002
-version: 14
-date: '2025-06-30'
+version: 15
+date: '2025-09-18'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -82,6 +82,7 @@ rba:
type: process_name
tags:
analytic_story:
+ - APT37 Rustonotto and FadeStealer
- Compromised Windows Host
- Lumma Stealer
- Living Off The Land
diff --git a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
index 2a7b27ce5b..af88fceaf0 100644
--- a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
+++ b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
@@ -1,7 +1,7 @@
name: Detect Outlook exe writing a zip file
id: a51bfe1a-94f0-4822-b1e4-16ae10145893
-version: 13
-date: '2025-05-02'
+version: 14
+date: '2025-09-18'
author: Bhavin Patel, Splunk
status: experimental
type: TTP
@@ -53,6 +53,7 @@ tags:
- Remcos
- PXA Stealer
- Meduza Stealer
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1566.001
diff --git a/detections/endpoint/detect_rundll32_inline_hta_execution.yml b/detections/endpoint/detect_rundll32_inline_hta_execution.yml
index 12d42f723f..3d21c17e75 100644
--- a/detections/endpoint/detect_rundll32_inline_hta_execution.yml
+++ b/detections/endpoint/detect_rundll32_inline_hta_execution.yml
@@ -1,7 +1,7 @@
name: Detect Rundll32 Inline HTA Execution
id: 91c79f14-5b41-11eb-ae93-0242ac130002
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-09-18'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -68,6 +68,7 @@ tags:
- Suspicious MSHTA Activity
- NOBELIUM Group
- Living Off The Land
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1218.005
diff --git a/detections/endpoint/executables_or_script_creation_in_temp_path.yml b/detections/endpoint/executables_or_script_creation_in_temp_path.yml
index 4c3ba843bc..ae71384e8a 100644
--- a/detections/endpoint/executables_or_script_creation_in_temp_path.yml
+++ b/detections/endpoint/executables_or_script_creation_in_temp_path.yml
@@ -106,6 +106,7 @@ tags:
- Amadey
- IcedID
- Interlock Rat
+ - APT37 Rustonotto and FadeStealer
- PromptLock
- Lokibot
asset_type: Endpoint
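Review bot: this file gains the new analytic story but, unlike the detections above it, receives no `version`/`date` bump; only the tags hunk is present. Either the header was already advanced to 2025-09-18 in an earlier commit, or it should be bumped here for consistency with the rest of the patch. The same applies to lolbas_with_network_traffic.yml, scheduled_task_deleted_or_created_via_cmd.yml, suspicious_curl_network_connection.yml, suspicious_process_executed_from_container_file.yml, suspicious_scheduled_task_from_public_directory.yml, windows_archived_collected_data_in_temp_folder.yml, windows_curl_download_to_suspicious_path.yml and windows_http_network_communication_from_msiexec.yml.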
diff --git a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml
index ca650e0bf0..70aaf6d22a 100644
--- a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml
+++ b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml
@@ -1,7 +1,7 @@
name: IcedID Exfiltrated Archived File Creation
id: 0db4da70-f14b-11eb-8043-acde48001122
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: Hunting
@@ -33,6 +33,7 @@ references:
tags:
analytic_story:
- IcedID
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1560.001
diff --git a/detections/endpoint/lolbas_with_network_traffic.yml b/detections/endpoint/lolbas_with_network_traffic.yml
index e679cc9ffb..e22330f33a 100644
--- a/detections/endpoint/lolbas_with_network_traffic.yml
+++ b/detections/endpoint/lolbas_with_network_traffic.yml
@@ -74,6 +74,7 @@ tags:
- Living Off The Land
- Malicious Inno Setup Loader
- Water Gamayun
+ - APT37 Rustonotto and FadeStealer
- GhostRedirector IIS Module and Rungan Backdoor
asset_type: Endpoint
mitre_attack_id:
diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
index db8bcc1cb1..c2c100fff4 100644
--- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
+++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
@@ -1,7 +1,7 @@
name: Malicious PowerShell Process - Execution Policy Bypass
id: 9be56c82-b1cc-4318-87eb-d138afaaca39
-version: 15
-date: '2025-08-22'
+version: 16
+date: '2025-09-18'
author: Rico Valdez, Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -76,6 +76,7 @@ tags:
- XWorm
- DarkCrystal RAT
- 0bj3ctivity Stealer
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1059.001
diff --git a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
index 206a789991..b2007887d4 100644
--- a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
+++ b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
@@ -1,7 +1,7 @@
name: Mshta spawning Rundll32 OR Regsvr32 Process
id: 4aa5d062-e893-11eb-9eb2-acde48001122
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -69,6 +69,7 @@ tags:
- Trickbot
- IcedID
- Living Off The Land
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1218.005
diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml
index 40cb43e4bd..e057168f1a 100644
--- a/detections/endpoint/powershell_4104_hunting.yml
+++ b/detections/endpoint/powershell_4104_hunting.yml
@@ -1,7 +1,7 @@
name: PowerShell 4104 Hunting
id: d6f2b006-0041-11ec-8885-acde48001122
version: 20
-date: '2025-09-16'
+date: '2025-09-18'
author: Michael Haag, Splunk
status: production
type: Hunting
@@ -83,6 +83,7 @@ tags:
- Scattered Spider
- Interlock Ransomware
- 0bj3ctivity Stealer
+ - APT37 Rustonotto and FadeStealer
- GhostRedirector IIS Module and Rungan Backdoor
asset_type: Endpoint
mitre_attack_id:
diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
index abce56d31c..2a618b8d20 100644
--- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
+++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
@@ -1,7 +1,7 @@
name: Powershell Fileless Script Contains Base64 Encoded Content
id: 8acbc04c-c882-11eb-b060-acde48001122
version: 13
-date: '2025-09-16'
+date: '2025-09-18'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -64,6 +64,7 @@ tags:
- IcedID
- XWorm
- 0bj3ctivity Stealer
+ - APT37 Rustonotto and FadeStealer
- GhostRedirector IIS Module and Rungan Backdoor
mitre_attack_id:
- T1027
diff --git a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
index 43114bf432..ae9bb290f0 100644
--- a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
+++ b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
@@ -1,7 +1,7 @@
name: Process Creating LNK file in Suspicious Location
id: 5d814af1-1041-47b5-a9ac-d754e82e9a26
-version: 12
-date: '2025-05-02'
+version: 13
+date: '2025-09-18'
author: Jose Hernandez, Michael Haag, Splunk
status: production
type: TTP
@@ -63,6 +63,7 @@ tags:
- IcedID
- Amadey
- Gozi Malware
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1566.002
diff --git a/detections/endpoint/processes_tapping_keyboard_events.yml b/detections/endpoint/processes_tapping_keyboard_events.yml
index aca5d82d48..4f5f8b4d45 100644
--- a/detections/endpoint/processes_tapping_keyboard_events.yml
+++ b/detections/endpoint/processes_tapping_keyboard_events.yml
@@ -1,7 +1,7 @@
name: Processes Tapping Keyboard Events
id: 2a371608-331d-4034-ae2c-21dda8f1d0ec
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-09-18'
author: Jose Hernandez, Splunk
status: experimental
type: TTP
@@ -38,6 +38,7 @@ rba:
tags:
analytic_story:
- ColdRoot MacOS RAT
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
product:
- Splunk Enterprise
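Review bot: the only story this analytic carried before was `ColdRoot MacOS RAT` and it is `status: experimental`, which suggests it covers macOS keylogging telemetry rather than the Windows hosts the rest of this story targets (the new expand.exe analytic in this patch is Windows-only). Confirm the data source actually applies to the campaign before mapping it; if the goal is to cover input capture on Windows, a Windows-sourced analytic such as `Windows Input Capture Using Credential UI Dll`, which this patch also tags, is the better anchor.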
diff --git a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml
index 999e660557..498cad0bb7 100644
--- a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml
+++ b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml
@@ -1,7 +1,7 @@
name: Recursive Delete of Directory In Batch CMD
id: ba570b3a-d356-11eb-8358-acde48001122
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -64,6 +64,7 @@ rba:
tags:
analytic_story:
- Ransomware
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1070.004
diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml
index 42df36d913..75df6a4b29 100644
--- a/detections/endpoint/registry_keys_used_for_persistence.yml
+++ b/detections/endpoint/registry_keys_used_for_persistence.yml
@@ -1,7 +1,7 @@
name: Registry Keys Used For Persistence
id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b
-version: 25
-date: '2025-08-22'
+version: 26
+date: '2025-09-18'
author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk
status: production
type: TTP
@@ -116,6 +116,7 @@ tags:
- MoonPeak
- Interlock Ransomware
- 0bj3ctivity Stealer
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1547.001
diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
index 1d852d8c58..f8eb4443af 100644
--- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
+++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
@@ -105,6 +105,7 @@ tags:
- MoonPeak
- Scattered Spider
- 0bj3ctivity Stealer
+ - APT37 Rustonotto and FadeStealer
- Lokibot
asset_type: Endpoint
mitre_attack_id:
diff --git a/detections/endpoint/suspicious_curl_network_connection.yml b/detections/endpoint/suspicious_curl_network_connection.yml
index 230142e26a..72a242b1df 100644
--- a/detections/endpoint/suspicious_curl_network_connection.yml
+++ b/detections/endpoint/suspicious_curl_network_connection.yml
@@ -53,6 +53,7 @@ tags:
- Silver Sparrow
- Ingress Tool Transfer
- Linux Living Off The Land
+ - APT37 Rustonotto and FadeStealer
- GhostRedirector IIS Module and Rungan Backdoor
asset_type: Endpoint
mitre_attack_id:
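Review bot: the existing stories on this analytic (`Silver Sparrow`, `Linux Living Off The Land`) indicate it is the macOS/Linux curl detection, while the Windows side is already covered by `Windows Curl Download To Suspicious Path`, which this patch tags as well. If the story is Windows-only, confirm this mapping is intentional rather than a blanket tag of every curl analytic, since it will surface non-Windows results under the story in Enterprise Security.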
diff --git a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml
index 4b7762ff63..04e9b54def 100644
--- a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml
+++ b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml
@@ -1,7 +1,7 @@
name: Suspicious Image Creation In Appdata Folder
id: f6f904c4-1ac0-11ec-806b-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -64,6 +64,7 @@ rba:
tags:
analytic_story:
- Remcos
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1113
diff --git a/detections/endpoint/suspicious_mshta_spawn.yml b/detections/endpoint/suspicious_mshta_spawn.yml
index 557bebd1c5..5452cf030d 100644
--- a/detections/endpoint/suspicious_mshta_spawn.yml
+++ b/detections/endpoint/suspicious_mshta_spawn.yml
@@ -1,7 +1,7 @@
name: Suspicious mshta spawn
id: 4d33a488-5b5f-11eb-ae93-0242ac130002
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-09-18'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -68,6 +68,7 @@ tags:
analytic_story:
- Suspicious MSHTA Activity
- Living Off The Land
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1218.005
diff --git a/detections/endpoint/suspicious_process_executed_from_container_file.yml b/detections/endpoint/suspicious_process_executed_from_container_file.yml
index 7d9c64d04e..c33a5b22d9 100644
--- a/detections/endpoint/suspicious_process_executed_from_container_file.yml
+++ b/detections/endpoint/suspicious_process_executed_from_container_file.yml
@@ -74,6 +74,7 @@ rba:
type: file_name
tags:
analytic_story:
+ - APT37 Rustonotto and FadeStealer
- GhostRedirector IIS Module and Rungan Backdoor
- Unusual Processes
- Amadey
diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
index 160ba439a7..8f0eab66a2 100644
--- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
+++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
@@ -88,6 +88,7 @@ tags:
- MoonPeak
- China-Nexus Threat Activity
- Scattered Spider
+ - APT37 Rustonotto and FadeStealer
- Lokibot
asset_type: Endpoint
mitre_attack_id:
diff --git a/detections/endpoint/windows_alternate_datastream___base64_content.yml b/detections/endpoint/windows_alternate_datastream___base64_content.yml
index 8dfb862bfc..736be0138e 100644
--- a/detections/endpoint/windows_alternate_datastream___base64_content.yml
+++ b/detections/endpoint/windows_alternate_datastream___base64_content.yml
@@ -1,7 +1,7 @@
name: Windows Alternate DataStream - Base64 Content
id: 683f48de-982f-4a7e-9aac-9cec550da498
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-09-18'
author: Steven Dick, Teoderick Contreras, Michael Haag, Splunk
status: production
type: TTP
@@ -60,6 +60,7 @@ rba:
tags:
analytic_story:
- Windows Defense Evasion Tactics
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1564.004
diff --git a/detections/endpoint/windows_archive_collected_data_via_powershell.yml b/detections/endpoint/windows_archive_collected_data_via_powershell.yml
index 89a54a9faa..d5305ed119 100644
--- a/detections/endpoint/windows_archive_collected_data_via_powershell.yml
+++ b/detections/endpoint/windows_archive_collected_data_via_powershell.yml
@@ -1,7 +1,7 @@
name: Windows Archive Collected Data via Powershell
id: 74c5a3b0-27a7-463c-9d00-1a5bb12cb7b5
-version: 7
-date: '2025-06-24'
+version: 8
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -52,6 +52,7 @@ rba:
threat_objects: []
tags:
analytic_story:
+ - APT37 Rustonotto and FadeStealer
- CISA AA23-347A
asset_type: Endpoint
mitre_attack_id:
diff --git a/detections/endpoint/windows_archive_collected_data_via_rar.yml b/detections/endpoint/windows_archive_collected_data_via_rar.yml
index f2d22c5c35..7f61bc4191 100644
--- a/detections/endpoint/windows_archive_collected_data_via_rar.yml
+++ b/detections/endpoint/windows_archive_collected_data_via_rar.yml
@@ -1,7 +1,7 @@
name: Windows Archive Collected Data via Rar
id: 2015de95-fe91-413d-9d62-2fe011b67e82
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -66,6 +66,7 @@ tags:
- DarkGate Malware
- Salt Typhoon
- China-Nexus Threat Activity
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1560.001
diff --git a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml
index 3814b44b4e..b8bbdf1f12 100644
--- a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml
+++ b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml
@@ -66,6 +66,7 @@ rba:
tags:
analytic_story:
- Braodo Stealer
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1560
diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
index a839d1604c..99e6497da7 100644
--- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
+++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
@@ -1,7 +1,7 @@
name: Windows Boot or Logon Autostart Execution In Startup Folder
id: 99d157cb-923f-4a00-aee9-1f385412146f
-version: 10
-date: '2025-07-28'
+version: 11
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -65,6 +65,7 @@ tags:
- Quasar RAT
- RedLine Stealer
- Interlock Ransomware
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1547.001
diff --git a/detections/endpoint/windows_cab_file_on_disk.yml b/detections/endpoint/windows_cab_file_on_disk.yml
index 6f9325a059..26af81cfa7 100644
--- a/detections/endpoint/windows_cab_file_on_disk.yml
+++ b/detections/endpoint/windows_cab_file_on_disk.yml
@@ -1,7 +1,7 @@
name: Windows CAB File on Disk
id: 622f08d0-69ef-42c2-8139-66088bc25acd
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-09-18'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -59,6 +59,7 @@ rba:
tags:
analytic_story:
- DarkGate Malware
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
atomic_guid: []
mitre_attack_id:
diff --git a/detections/endpoint/windows_cabinet_file_extraction_via_expand.yml b/detections/endpoint/windows_cabinet_file_extraction_via_expand.yml
new file mode 100644
index 0000000000..ae308eeb3e
--- /dev/null
+++ b/detections/endpoint/windows_cabinet_file_extraction_via_expand.yml
@@ -0,0 +1,84 @@
+name: Windows Cabinet File Extraction Via Expand
+id: 4e3e3b8c-6d3a-4b47-9f5a-9e3e0a0a6f2f
+version: 1
+date: '2025-09-18'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+description: |
+ Detects usage of expand.exe to extract Microsoft Cabinet (CAB) archives, with
+ emphasis on extractions into `C:\\ProgramData` or similar staging locations. In
+ recent APT37 activity, a CAB payload (e.g., wonder.cab) was expanded into
+ ProgramData prior to persistence and execution. This behavior is a strong signal
+ for ingress tool transfer and staging of payloads.
+data_source:
+- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
+search: |
+ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
+ from datamodel=Endpoint.Processes
+ where Processes.process_name="expand.exe"
+ (Processes.process="*-F:*" OR Processes.process="*/F:*")
+ Processes.process="*\\ProgramData\\*"
+ by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_path Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_path Processes.user_id Processes.vendor_product
+ | `drop_dm_object_name(Processes)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_cabinet_file_extraction_via_expand_filter`
+how_to_implement: |
+ This analytic relies on process creation telemetry mapped to the Endpoint.Processes
+ datamodel (e.g., Sysmon EID 1 or EDR). Ensure full command-line logging is enabled
+ to capture expand.exe arguments, including `/F:*` or `-F:*` and destination paths.
+known_false_positives: |
+ Legitimate software deployment or administrators may use expand.exe for local
+ file extraction. Filter by approved deployment tools, signed parent processes,
+ and sanctioned paths.
+references:
+- https://www.zscaler.com/blogs/security-research/apt37-targets-windows-rust-backdoor-and-python-loader
+drilldown_searches:
+- name: View the detection results for - "$user$" and "$dest$"
+ search: '%original_detection_search% | search user = "$user$" dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$" and "$dest$"
+ search: |
+ | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$","$dest$") starthoursago=168
+ | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name"
+ values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories"
+ values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+ by normalized_risk_object
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: expand.exe extracted cabinet contents on $dest$ executed by $user$.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 30
+ - field: user
+ type: system
+ score: 30
+ threat_objects:
+ - field: process_name
+ type: process_name
+tags:
+ analytic_story:
+ - APT37 Rustonotto and FadeStealer
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1105
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/expand_windows-sysmon.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
+
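Review bot: in `rba.risk_objects` the `user` entry is typed `system`; it should be `type: user`, otherwise the score attaches to a bogus system entity instead of the user. A few more points on the same file. The `where` clause only fires when `-F:` or `/F:` is present, but expand.exe also accepts the two-argument form `expand source destination` and the `-r` form, so a CAB can be extracted into ProgramData without either flag; consider keying on `*.cab*` plus the `\\ProgramData\\` path instead of requiring the flag. The process match is `Processes.process_name="expand.exe"` alone even though `Processes.original_file_name` is already in the `by` clause; use `Processes.process_name=expand.exe OR Processes.original_file_name=expand.exe` as the renamed-binary analytics elsewhere in this patch do. The description promises `ProgramData or similar staging locations` but the search is hard-coded to ProgramData; either widen the path filter or narrow the description. `mitre_attack_id` lists only T1105, yet the test dataset is the Atomic Red Team T1140 sample and CAB extraction is T1140 (Deobfuscate/Decode Files or Information); add T1140, and confirm that dataset actually contains an extraction into ProgramData, or the hard-coded path filter will leave the test with zero results. Finally, `description` is a `|` block scalar, so `C:\\ProgramData` will render with a literal double backslash in prose (the `\\` inside the SPL string is correct because SPL unescapes it), and the trailing blank line at the end of the file should go to match the other YAML files.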
diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml
index 7def43cbce..246bfe687f 100644
--- a/detections/endpoint/windows_curl_download_to_suspicious_path.yml
+++ b/detections/endpoint/windows_curl_download_to_suspicious_path.yml
@@ -93,6 +93,7 @@ rba:
type: process_name
tags:
analytic_story:
+ - APT37 Rustonotto and FadeStealer
- GhostRedirector IIS Module and Rungan Backdoor
- Black Basta Ransomware
- China-Nexus Threat Activity
diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml
index a553b2f22a..0b11aedd55 100644
--- a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml
+++ b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml
@@ -1,7 +1,7 @@
name: Windows Exfiltration Over C2 Via Invoke RestMethod
id: 06ade821-f6fa-40d0-80af-15bc1d45b3ba
-version: 8
-date: '2025-06-24'
+version: 9
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -57,6 +57,7 @@ rba:
threat_objects: []
tags:
analytic_story:
+ - APT37 Rustonotto and FadeStealer
- Winter Vivern
- Water Gamayun
asset_type: Endpoint
diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml
index 3d2779ee2a..04a49cbdb8 100644
--- a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml
+++ b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml
@@ -1,7 +1,7 @@
name: Windows Exfiltration Over C2 Via Powershell UploadString
id: 59e8bf41-7472-412a-90d3-00f3afa452e9
-version: 7
-date: '2025-06-24'
+version: 8
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -56,6 +56,7 @@ rba:
threat_objects: []
tags:
analytic_story:
+ - APT37 Rustonotto and FadeStealer
- Winter Vivern
asset_type: Endpoint
mitre_attack_id:
diff --git a/detections/endpoint/windows_file_download_via_powershell.yml b/detections/endpoint/windows_file_download_via_powershell.yml
index 755674d0a7..f1a2f11d6b 100644
--- a/detections/endpoint/windows_file_download_via_powershell.yml
+++ b/detections/endpoint/windows_file_download_via_powershell.yml
@@ -1,7 +1,7 @@
name: Windows File Download Via PowerShell
id: 58c4e56c-b5b8-46a3-b5fb-6537dca3c6de
version: 3
-date: '2025-09-16'
+date: '2025-09-18'
author: Michael Haag, Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -90,6 +90,7 @@ rba:
type: process_name
tags:
analytic_story:
+ - APT37 Rustonotto and FadeStealer
- GhostRedirector IIS Module and Rungan Backdoor
- Winter Vivern
- Phemedrone Stealer
diff --git a/detections/endpoint/windows_high_file_deletion_frequency.yml b/detections/endpoint/windows_high_file_deletion_frequency.yml
index 86984c1653..9ca0bf76d7 100644
--- a/detections/endpoint/windows_high_file_deletion_frequency.yml
+++ b/detections/endpoint/windows_high_file_deletion_frequency.yml
@@ -1,7 +1,7 @@
name: Windows High File Deletion Frequency
id: 45b125c4-866f-11eb-a95a-acde48001122
-version: 9
-date: '2025-07-28'
+version: 10
+date: '2025-09-18'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: Anomaly
@@ -79,6 +79,7 @@ tags:
- Clop Ransomware
- Interlock Ransomware
- NailaoLocker Ransomware
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1485
diff --git a/detections/endpoint/windows_http_network_communication_from_msiexec.yml b/detections/endpoint/windows_http_network_communication_from_msiexec.yml
index f4eda1f6fd..74e01c813c 100644
--- a/detections/endpoint/windows_http_network_communication_from_msiexec.yml
+++ b/detections/endpoint/windows_http_network_communication_from_msiexec.yml
@@ -81,6 +81,7 @@ rba:
type: process_name
tags:
analytic_story:
+ - APT37 Rustonotto and FadeStealer
- GhostRedirector IIS Module and Rungan Backdoor
- Windows System Binary Proxy Execution MSIExec
- Water Gamayun
diff --git a/detections/endpoint/windows_indicator_removal_via_rmdir.yml b/detections/endpoint/windows_indicator_removal_via_rmdir.yml
index 910d6fc600..6074c402fb 100644
--- a/detections/endpoint/windows_indicator_removal_via_rmdir.yml
+++ b/detections/endpoint/windows_indicator_removal_via_rmdir.yml
@@ -1,7 +1,7 @@
name: Windows Indicator Removal Via Rmdir
id: c4566d2c-b094-48a1-9c59-d66e22065560
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -63,6 +63,7 @@ rba:
tags:
analytic_story:
- DarkGate Malware
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1070
diff --git a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml
index f675b2a5e9..b84feae810 100644
--- a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml
+++ b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml
@@ -1,7 +1,7 @@
name: Windows Input Capture Using Credential UI Dll
id: 406c21d6-6c75-4e9f-9ca9-48049a1dd90e
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: Hunting
@@ -33,6 +33,7 @@ references:
tags:
analytic_story:
- Brute Ratel C4
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1056.002
diff --git a/detections/endpoint/windows_iso_lnk_file_creation.yml b/detections/endpoint/windows_iso_lnk_file_creation.yml
index 34d9d3df87..0208a03802 100644
--- a/detections/endpoint/windows_iso_lnk_file_creation.yml
+++ b/detections/endpoint/windows_iso_lnk_file_creation.yml
@@ -1,7 +1,7 @@
name: Windows ISO LNK File Creation
id: d7c2c09b-9569-4a9e-a8b6-6a39a99c1d32
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-09-18'
author: Michael Haag, Teoderick Contreras, Splunk
status: production
type: Hunting
@@ -47,6 +47,7 @@ tags:
- Warzone RAT
- Amadey
- Gozi Malware
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1204.001
diff --git a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml
index 2b7ed23330..83b156eb2f 100644
--- a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml
+++ b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml
@@ -53,6 +53,7 @@ rba:
tags:
analytic_story:
- Crypto Stealer
+ - APT37 Rustonotto and FadeStealer
- GhostRedirector IIS Module and Rungan Backdoor
asset_type: Endpoint
mitre_attack_id:
diff --git a/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml
index fecbed2b19..9954492a60 100644
--- a/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml
+++ b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml
@@ -1,7 +1,7 @@
name: Windows Office Product Dropped Cab or Inf File
id: dbdd251e-dd45-4ec9-a555-f5e151391746
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2025-09-18'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -72,6 +72,7 @@ tags:
- Spearphishing Attachments
- Microsoft MSHTML Remote Code Execution CVE-2021-40444
- Compromised Windows Host
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
cve:
- CVE-2021-40444
diff --git a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
index a40e4cd4ac..b6b8a1d809 100644
--- a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
+++ b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
@@ -1,7 +1,7 @@
name: Windows Office Product Spawned Child Process For Download
id: f02b64b8-cbea-4f75-bf77-7a05111566b1
-version: 5
-date: '2025-06-26'
+version: 6
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -77,6 +77,7 @@ tags:
- CVE-2023-36884 Office and Windows HTML RCE Vulnerability
- PlugX
- NjRAT
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1566.001
diff --git a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
index 8f3fedf71d..97a60bcb04 100644
--- a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
+++ b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
@@ -1,7 +1,7 @@
name: Windows Office Product Spawned Uncommon Process
id: 55d8741c-fa32-4692-8109-410304961eb8
-version: 4
-date: '2025-05-02'
+version: 5
+date: '2025-09-18'
author: Michael Haag, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -97,6 +97,7 @@ tags:
- Spearphishing Attachments
- Trickbot
- Warzone RAT
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1566.001
diff --git a/detections/endpoint/windows_process_executed_from_removable_media.yml b/detections/endpoint/windows_process_executed_from_removable_media.yml
index f4397c5eca..e06a31f4e5 100644
--- a/detections/endpoint/windows_process_executed_from_removable_media.yml
+++ b/detections/endpoint/windows_process_executed_from_removable_media.yml
@@ -1,7 +1,7 @@
name: Windows Process Executed From Removable Media
id: b483804a-4cc0-49a4-9f00-ac29ba844d08
-version: 5
-date: '2025-06-10'
+version: 6
+date: '2025-09-18'
author: Steven Dick
status: production
type: Anomaly
@@ -88,6 +88,7 @@ rba:
tags:
analytic_story:
- Data Protection
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1200
diff --git a/detections/endpoint/windows_process_execution_from_programdata.yml b/detections/endpoint/windows_process_execution_from_programdata.yml
index 333d9b4c35..c370acf1f9 100644
--- a/detections/endpoint/windows_process_execution_from_programdata.yml
+++ b/detections/endpoint/windows_process_execution_from_programdata.yml
@@ -1,7 +1,7 @@
name: Windows Process Execution From ProgramData
id: 237016fa-d8e6-47b4-80f9-70c4d42c72c0
version: '5'
-date: '2025-09-16'
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
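Review bot: `version: '5'` is a quoted string here while every other detection in this change carries an unquoted integer (for example `version: 5`), and it is left unchanged although `date` moves to 2025-09-18. Unquote the value so version comparisons stay numeric, and bump it to 6 if the 2025-09-16 change has already shipped.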
@@ -71,6 +71,7 @@ tags:
- XWorm
- Salt Typhoon
- China-Nexus Threat Activity
+ - APT37 Rustonotto and FadeStealer
- GhostRedirector IIS Module and Rungan Backdoor
asset_type: Endpoint
mitre_attack_id:
diff --git a/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml b/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml
index 04bd55f0a2..c4c46bd29a 100644
--- a/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml
+++ b/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml
@@ -1,7 +1,7 @@
name: Windows Process Injection into Commonly Abused Processes
id: 1e1dedc6-f6f3-41a0-9dd7-a1245904fe75
-version: 3
-date: '2025-05-02'
+version: 4
+date: '2025-09-18'
author: 0xC0FFEEEE, Github Community
type: Anomaly
status: production
@@ -71,6 +71,7 @@ tags:
- BishopFox Sliver Adversary Emulation Framework
- Earth Alux
- SAP NetWeaver Exploitation
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1055.002
diff --git a/detections/endpoint/windows_process_injection_into_notepad.yml b/detections/endpoint/windows_process_injection_into_notepad.yml
index e84f46ba9e..0c8460f12b 100644
--- a/detections/endpoint/windows_process_injection_into_notepad.yml
+++ b/detections/endpoint/windows_process_injection_into_notepad.yml
@@ -1,7 +1,7 @@
name: Windows Process Injection into Notepad
id: b8340d0f-ba48-4391-bea7-9e793c5aae36
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-09-18'
author: Michael Haag, Splunk
type: Anomaly
status: production
@@ -64,6 +64,7 @@ tags:
analytic_story:
- BishopFox Sliver Adversary Emulation Framework
- Earth Alux
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1055.002
diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml
index 1de85f1bbf..6f35ec2683 100644
--- a/detections/endpoint/windows_replication_through_removable_media.yml
+++ b/detections/endpoint/windows_replication_through_removable_media.yml
@@ -1,7 +1,7 @@
name: Windows Replication Through Removable Media
id: 60df805d-4605-41c8-bbba-57baa6a4eb97
-version: 11
-date: '2025-05-06'
+version: 12
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -66,6 +66,7 @@ tags:
- Derusbi
- Salt Typhoon
- NjRAT
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1091
diff --git a/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml b/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml
index af7c1104ea..af01444771 100644
--- a/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml
+++ b/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml
@@ -1,7 +1,7 @@
name: Windows Scheduled Task with Suspicious Command
id: 1f44c126-c26a-4dd3-83bb-0f9a0f03ecc3
-version: 4
-date: '2025-07-16'
+version: 5
+date: '2025-09-18'
author: Steven Dick
status: production
type: TTP
@@ -79,6 +79,7 @@ tags:
- Ryuk Ransomware
- Windows Persistence Techniques
- Seashell Blizzard
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1053.005
diff --git a/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml b/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml
index 550f83c251..6d11687565 100644
--- a/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml
+++ b/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml
@@ -1,7 +1,7 @@
name: Windows Scheduled Task with Suspicious Name
id: 9e9ab4e3-c9d0-4967-a197-6d755e8a7e6e
-version: 3
-date: '2025-08-22'
+version: 4
+date: '2025-09-18'
author: Steven Dick
status: production
type: TTP
@@ -78,6 +78,7 @@ tags:
- Ransomware
- Ryuk Ransomware
- 0bj3ctivity Stealer
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1053.005
diff --git a/detections/endpoint/windows_screen_capture_in_temp_folder.yml b/detections/endpoint/windows_screen_capture_in_temp_folder.yml
index 74130fb62a..ee9e9bee0c 100644
--- a/detections/endpoint/windows_screen_capture_in_temp_folder.yml
+++ b/detections/endpoint/windows_screen_capture_in_temp_folder.yml
@@ -1,7 +1,7 @@
name: Windows Screen Capture in TEMP folder
id: 00524d1f-a032-46f5-9108-e7d9f01bfb3c
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 11
@@ -57,6 +57,7 @@ tags:
analytic_story:
- Crypto Stealer
- Braodo Stealer
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1113
diff --git a/detections/endpoint/windows_screen_capture_via_powershell.yml b/detections/endpoint/windows_screen_capture_via_powershell.yml
index 0184331b21..aae7d42800 100644
--- a/detections/endpoint/windows_screen_capture_via_powershell.yml
+++ b/detections/endpoint/windows_screen_capture_via_powershell.yml
@@ -1,7 +1,7 @@
name: Windows Screen Capture Via Powershell
id: 5e0b1936-8f99-4399-8ee2-9edc5b32e170
-version: 8
-date: '2025-06-24'
+version: 9
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -56,6 +56,7 @@ rba:
threat_objects: []
tags:
analytic_story:
+ - APT37 Rustonotto and FadeStealer
- Winter Vivern
- Water Gamayun
asset_type: Endpoint
diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
index 1e1ce48088..827f8d2065 100644
--- a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
+++ b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
@@ -1,7 +1,7 @@
name: Windows Service Created with Suspicious Service Path
id: 429141be-8311-11eb-adb6-acde48001122
-version: 15
-date: '2025-05-02'
+version: 16
+date: '2025-09-18'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -66,6 +66,7 @@ tags:
- Clop Ransomware
- Crypto Stealer
- Brute Ratel C4
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1569.002
diff --git a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
index 33d88d0332..02172c4cbc 100644
--- a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
+++ b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
@@ -1,7 +1,7 @@
name: Windows Spearphishing Attachment Onenote Spawn Mshta
id: 35aeb0e7-7de5-444a-ac45-24d6788796ec
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -69,6 +69,7 @@ tags:
- Spearphishing Attachments
- Compromised Windows Host
- AsyncRAT
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1566.001
diff --git a/detections/endpoint/windows_suspicious_driver_loaded_path.yml b/detections/endpoint/windows_suspicious_driver_loaded_path.yml
index 96eed3d8a1..afccde3e2a 100644
--- a/detections/endpoint/windows_suspicious_driver_loaded_path.yml
+++ b/detections/endpoint/windows_suspicious_driver_loaded_path.yml
@@ -1,7 +1,7 @@
name: Windows Suspicious Driver Loaded Path
id: 2ca1c4a1-8342-4750-9363-905650e0c933
-version: 4
-date: '2025-07-28'
+version: 5
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -58,6 +58,7 @@ tags:
- BlackByte Ransomware
- Snake Keylogger
- Interlock Ransomware
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1543.003
diff --git a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
index bbf92809a5..24d1519215 100644
--- a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
+++ b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
@@ -1,7 +1,7 @@
name: Windows System Binary Proxy Execution Compiled HTML File Decompile
id: 2acf0e19-4149-451c-a3f3-39cd3c77e37d
-version: 10
-date: '2025-05-02'
+version: 11
+date: '2025-09-18'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -73,6 +73,7 @@ tags:
- Suspicious Compiled HTML Activity
- Living Off The Land
- Compromised Windows Host
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1218.001
diff --git a/detections/endpoint/windows_usbstor_registry_key_modification.yml b/detections/endpoint/windows_usbstor_registry_key_modification.yml
index ac81263fa6..11b5e05056 100644
--- a/detections/endpoint/windows_usbstor_registry_key_modification.yml
+++ b/detections/endpoint/windows_usbstor_registry_key_modification.yml
@@ -1,7 +1,7 @@
name: Windows USBSTOR Registry Key Modification
id: a345980a-417d-4ed3-9fb4-cac30c9405a0
-version: 3
-date: '2025-05-02'
+version: 4
+date: '2025-09-18'
author: Steven Dick
status: production
type: Anomaly
@@ -68,6 +68,7 @@ rba:
tags:
analytic_story:
- Data Protection
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1200
diff --git a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
index de6c079f0e..31573d9fa1 100644
--- a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
+++ b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
@@ -1,7 +1,7 @@
name: Windows User Execution Malicious URL Shortcut File
id: 5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc
-version: 9
-date: '2025-07-16'
+version: 10
+date: '2025-09-18'
author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -64,6 +64,7 @@ tags:
- NjRAT
- Quasar RAT
- Snake Keylogger
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1204.002
diff --git a/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml b/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml
index 72d48eaadd..f77db48d24 100644
--- a/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml
+++ b/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml
@@ -1,7 +1,7 @@
name: Windows WPDBusEnum Registry Key Modification
id: 52b48e8b-eb6e-48b0-b8f1-73273f6b134e
-version: 3
-date: '2025-05-02'
+version: 4
+date: '2025-09-18'
author: Steven Dick
status: production
type: Anomaly
@@ -71,6 +71,7 @@ rba:
tags:
analytic_story:
- Data Protection
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1200
diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
index 66f7aeb1e9..d3310302c5 100644
--- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
+++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
@@ -85,6 +85,7 @@ tags:
- AsyncRAT
- Windows Persistence Techniques
- 0bj3ctivity Stealer
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1053.005
diff --git a/detections/web/multiple_archive_files_http_post_traffic.yml b/detections/web/multiple_archive_files_http_post_traffic.yml
index 41e9630b9d..00393228a4 100644
--- a/detections/web/multiple_archive_files_http_post_traffic.yml
+++ b/detections/web/multiple_archive_files_http_post_traffic.yml
@@ -1,7 +1,7 @@
name: Multiple Archive Files Http Post Traffic
id: 4477f3ea-a28f-11eb-b762-acde48001122
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -57,6 +57,7 @@ tags:
analytic_story:
- Data Exfiltration
- Command And Control
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1048.003
diff --git a/detections/web/plain_http_post_exfiltrated_data.yml b/detections/web/plain_http_post_exfiltrated_data.yml
index 0fbbd09cc3..cb9bafc47b 100644
--- a/detections/web/plain_http_post_exfiltrated_data.yml
+++ b/detections/web/plain_http_post_exfiltrated_data.yml
@@ -1,7 +1,7 @@
name: Plain HTTP POST Exfiltrated Data
id: e2b36208-a364-11eb-8909-acde48001122
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-09-18'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -52,6 +52,7 @@ tags:
analytic_story:
- Data Exfiltration
- Command And Control
+ - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
- T1048.003
diff --git a/stories/apt37_rustonotto_and_fadestealer.yml b/stories/apt37_rustonotto_and_fadestealer.yml
new file mode 100644
index 0000000000..bd41d6b184
--- /dev/null
+++ b/stories/apt37_rustonotto_and_fadestealer.yml
@@ -0,0 +1,18 @@
+name: APT37 Rustonotto and FadeStealer
+id: c1dd540c-b8a0-4818-af92-7d53571fecb0
+version: 2
+status: production
+date: '2025-09-18'
+author: Michael Haag, Splunk
+description: APT37 is a North Korean aligned threat actor that continues to evolve its Windows tradecraft by combining a Rust backdoor, a PowerShell stage, and a Python based loader to deploy the FadeStealer surveillance tool. Recent activity relies on spear phishing attachments that deliver Windows shortcut or compiled HTML Help files, which stage artifacts in ProgramData and establish persistence through scheduled tasks and Run key modifications. The campaign centralizes command and control on a single server and uses standard web protocols with Base64 and XOR encoding to move data and instructions.
+narrative: The intrusion chain begins with phishing delivered archives that drop a Windows shortcut or CHM file to launch simple stagers. These stagers connect to a single C2 to fetch additional components and write them to ProgramData, where a task named MicrosoftUpdate and a Run entry are created for persistence. Rustonotto, a Rust compiled backdoor, provides basic command execution while a PowerShell variant known as Chinotto may be used interchangeably for early control. During hands on keyboard activity the actor retrieves a CAB archive and expands it on disk, then launches a legitimate Python module that side loads a compiled Python component internally named TransactedHollowing.py. This module reads a Base64 encoded and XOR encrypted payload from disk, decrypts it, and performs Process Doppelgänging via Windows Transactional NTFS to map the payload into a suspended legitimate process and pivot execution through thread context manipulation. Once resident, FadeStealer activates keylogging, screen capture, and device monitoring features and exfiltrates collected data as password protected RAR archives over HTTP to the same controller. The observed behaviors offer multiple opportunities for detection, including CHM and LNK execution, staging and expansion in ProgramData, scheduled task and Run key persistence, Python loader decode patterns, TxF backed section mapping, and RAR based exfiltration over web protocols.
+references:
+- https://www.zscaler.com/blogs/security-research/apt37-targets-windows-rust-backdoor-and-python-loader
+tags:
+ category:
+ - Adversary Tactics
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ usecase: Advanced Threat Detection
\ No newline at end of file
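Review bot: a brand-new story file starts at `version: 2` and ends without a trailing newline (`\ No newline at end of file`); start at `version: 1` unless an earlier revision of this file existed, and add the newline so YAML linting and future diffs stay clean. The narrative also lists Run key persistence among the detection opportunities, yet none of the hunks visible in this change tag a registry Run key detection with this story; either map one or drop Run key modifications from that list. The `narrative` value is a single very long scalar; a folded block (`narrative: >-`) would keep line lengths readable without changing the content.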