FadeStealer
FadeStealer is a Windows-focused stealer malware family referenced in Splunk analytic content and associated with APT37 under the analytic story "APT37 Rustonotto and FadeStealer." The source content describes FadeStealer as collecting keylogging data, screenshots, audio, device information, and file data. It is repeatedly linked to Office-document and spearphishing-driven initial access, including detections for Windows Office products dropping CAB or INF files and spawning uncommon child processes, and is specifically associated with the Microsoft MSHTML remote code execution vulnerability CVE-2021-40444.

Other detections tied to the same analytic story cover PowerShell-based file downloads, curl downloads to suspicious paths, suspicious LNK creation, startup-folder persistence, malicious URL shortcut creation, msiexec network communication, process injection, indicator removal via rmdir, and high file deletion frequency. The high-confidence associations supported by the content are that FadeStealer is tracked in connection with APT37-themed intrusion activity, targets Windows environments, and is relevant to spearphishing attachment and post-exploitation behaviors observed through endpoint telemetry.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
Detection: Windows Office Product Dropped Cab or Inf File ...
Analytic stories: Spearphishing Attachments; Microsoft MSHTML Remote Code Execution CVE-2021-40444; Compromised Windows Host; APT37 Rustonotto and FadeStealer
Groups observed using it
2 distinct threat actors attributed by public researchers.
“FadeStealer: … keylogging, screenshots, audio, device, and file data”
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
ID: T1566.001; Technique: Spearphishing Attachment; Tactic: Initial Access
Execution (2 techniques)
Command and Control (1 technique)
Description: Successful execution of Atomic Red Team T1105 - Ingress Tool Transfer. Also included Invoke-CertUtil using different command switches.
Recent activity
44 sources tracked across advisories, community write-ups, and news.
Associated Analytic Story APT37 Rustonotto and FadeStealer