FadeStealer
FadeStealer is a ScarCruft-linked malware family used for data exfiltration. Public reporting describes it as a previously documented stealer associated with the North Korean state-sponsored APT group ScarCruft, including activity that S2W TALON attributes to ChinopuNK, a ScarCruft subgroup. In the reported campaign against South Korean users, the infection chain began with a malicious LNK file embedded in a RAR archive themed as a postal-code update notice. Executing the LNK dropped an AutoIt loader, which retrieved additional payloads from an external server: FadeStealer alongside other malware such as NubSpy, LightPeek, VCD Ransomware, and CHILLYCHINO. FadeStealer is explicitly described as supporting data exfiltration and as collecting keylogging data, screenshots, audio, device information, and file data. The campaign context ties it to spearphishing-style delivery and Windows host compromise. The reporting links FadeStealer with high confidence to APT37/ScarCruft operations and to the targeting of South Korean users.
Vulnerabilities exploited
1 CVE that Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2021-40444 (Microsoft MSHTML Remote Code Execution). Related detections and analytic stories: Windows Office Product Dropped Cab or Inf File ..., Spearphishing Attachments, Compromised Windows Host, APT37 Rustonotto and FadeStealer.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
FadeStealer : A previously documented ScarCruft-linked malware designed for data exfiltration.
“FadeStealer: … keylogging, screenshots, audio, device, and file data”
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 2 techniques
Command and Control: 1 technique
Recent activity
45 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Associated Analytic Story APT37 Rustonotto and FadeStealer