Chinotto
Chinotto is a PowerShell-based backdoor associated with the North Korea-linked group APT37/ScarCruft (also tracked as Reaper, Ruby Sleet, and Velvet Chollima) and specifically referenced in activity attributed to the ChinopuNK sub-cluster. It has been used for espionage and data theft, including targeted surveillance of journalists, human rights activists, North Korean defectors, and other North Korea-related professionals, with campaigns also targeting South Korean users and entities. Reported capabilities include file transfer, command execution, exfiltration of system information, and persistence via the registry and scheduled tasks.

The malware has been delivered through multiple initial access vectors: spear-phishing messages distributing ZIP/RAR archives that contain malicious LNK files or CHM help files, macro-enabled Word documents, HWP documents with embedded OLE objects, and a malicious Excel XLL add-in. In several documented chains, these lures invoke MSHTA to retrieve an HTA payload containing the Chinotto backdoor. Reporting also states that Chinotto has supported attacks on both Windows and Android systems, and describes it as part of a broader ScarCruft malware cluster with newer variants or counterparts such as CHILLYCHINO/Rustonotto.

Specific artifacts mentioned in the source reporting include the final payload filename HqcUpdate.exe identified as Chinotto, the HTA retrieval URL hxxp://yangak[.]com/data/cheditor4/pro/temp/5.html, XLL MD5 82d58de096f53e4df84d6f67975a8dda, HWP MD5 a4706737645582e1b5f71a462dd01140, extracted PE MD5 d8c9a357da3297e7ccb2ed3a5761e59f, and LNK metadata showing the MAC address 00:0c:29:41:1b:1c.
Groups observed using it
4 distinct threat actors attributed by public researchers.
The campaign is attributed to ChinopuNK, a subgroup of ScarCruft tracked internally by S2W, which is known for distributing the Chinotto malware.
“Chinotto: PowerShell Backdoor (File Transfer, Command Execution, Registry and Scheduled Tasks)”
For years, the group relied on a malware family called Chinotto to carry out espionage and data theft.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
IOCs tracked for this family
14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Named as the final information-stealing payload in the campaign.
An APT37-associated malware family used historically for espionage and data theft.
PowerShell backdoor supporting file transfer and command execution, with persistence via registry and scheduled tasks; delivered via LNK/CHM/HTA/PowerShell chains.
PowerShell-based backdoor used by APT37, often as a counterpart to CHILLYCHINO, to retrieve and launch additional payloads such as FadeStealer.