Rustonotto
Rustonotto is a malware family that the tracked content associates with APT37 and with the analytic story "APT37 Rustonotto and FadeStealer." The content explicitly describes it as a "Rust-compiled HTTP/Backdoor" that uses Base64-encoded commands and responses. High-confidence references place it in Windows-focused detection and hunting contexts tied to spearphishing attachment activity, including Microsoft Office-delivered execution chains and detections such as "Windows Office Product Dropped Cab or Inf File" (associated with CVE-2021-40444) and "Windows Office Product Spawned Uncommon Process." Additional related detections and stories connect Rustonotto to suspicious download and execution behaviors on Windows: curl downloads to suspicious paths, suspicious LNK creation, startup-folder persistence-related file drops, malicious URL shortcut creation, msiexec HTTP/HTTPS communication, process injection into commonly abused processes, scheduled task abuse, indicator removal via rmdir, and high file deletion frequency. The content provides no specific IOCs such as hashes, domains, or filenames for Rustonotto itself; beyond the malware name, its only characterization is as a Rust-compiled HTTP backdoor using Base64 command-and-response handling.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Detection: Windows Office Product Dropped Cab or Inf File ...
Related analytic stories: Spearphishing Attachments, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, APT37 Rustonotto and FadeStealer
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
“Rustonotto: Rust-compiled HTTP/Backdoor (Base64 commands and responses)”
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Source: MITRE ATT&CK Techniques
ID: T1566.001 | Technique: Spearphishing Attachment | Tactic: Initial Access
Execution (1 technique)
Source: Annotations
ID: T1204.001 | Technique: Malicious Link | Tactic: Execution
Command and Control (1 technique)
Description: Successful execution of Atomic Red Team T1105 - Ingress Tool Transfer. Also included Invoke-CertUtil using different command switches.
Recent activity
38 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Associated Analytic Story APT37 Rustonotto and FadeStealer
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.