CHILLYCHINO
CHILLYCHINO is a Rust-based backdoor/implant associated with the North Korean threat group ScarCruft (APT37), specifically a subgroup tracked by S2W as ChinopuNK. Reporting states that it was introduced in June 2025 and is the first known instance of APT37 using Rust-based malware against Windows systems. Initial reporting describes it as a port of an earlier PowerShell implant; later reporting describes a new variant of the same family being used in ScarCruft campaigns. Beyond its role as a backdoor, the supplied content does not detail its specific capabilities.
CHILLYCHINO was observed in phishing-driven intrusion chains targeting South Korean users. The lure involved emails themed as postal-code or street-address update notices, delivering a malicious LNK file embedded in a RAR or ZIP archive. Execution of the LNK dropped an AutoIt loader, which then fetched and executed additional payloads from an external server. In these campaigns, CHILLYCHINO was deployed alongside other malware including the NubSpy backdoor, LightPeek and FadeStealer stealers, TxPyLoader, and VCD ransomware.
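The chain above (archive, LNK, AutoIt loader, remote payload fetch) suggests a hunt that does not depend on indicators the reporting omits: the AutoIt interpreter running from a user-writable location under a process that launches shortcut targets. The Python below is an added example written for this page, not code from S2W, from any other cited source, or from Mallory. The event records are constructed Sysmon-style process-creation fields, and the directory pattern, interpreter names and launcher list are assumptions to be tuned for the environment being hunted.

```python
import re

# Assumed user-writable locations where an archive or LNK-dropped loader would land.
# Legitimate AutoIt installs live under Program Files, which this pattern does not match.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|\\programdata\\|\\windows\\temp\\|\\users\\public\\",
    re.IGNORECASE,
)

# Interpreter file names to match. OriginalFileName (from the PE version resource,
# as Sysmon records it) catches a renamed copy of the interpreter.
AUTOIT_NAMES = {"autoit3.exe", "autoit3_x64.exe"}

# Processes that execute LNK targets or the commands an LNK typically points at.
LNK_LAUNCHERS = {"explorer.exe", "cmd.exe", "powershell.exe", "wscript.exe"}


def basename(path: str) -> str:
    """Last path component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def is_autoit_loader_candidate(ev: dict) -> bool:
    """True when an AutoIt interpreter (by name or original file name) runs from a
    user-writable directory and was spawned by a shortcut launcher."""
    names = {basename(ev["Image"]), ev.get("OriginalFileName", "").lower()}
    if not names & AUTOIT_NAMES:
        return False
    if not USER_WRITABLE.search(ev["Image"]):
        return False
    return basename(ev["ParentImage"]) in LNK_LAUNCHERS


def hunt(events: list[dict]) -> list[dict]:
    """Return the process-creation events that match the loader heuristic."""
    return [ev for ev in events if is_autoit_loader_candidate(ev)]


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {   # Developer running an installed interpreter on a script in Documents: benign.
        "Image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
        "OriginalFileName": "AutoIt3.exe",
        "CommandLine": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\Users\dev\Documents\build.au3',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Renamed interpreter extracted to Temp and launched via cmd.exe (LNK target).
        "Image": r"C:\Users\kim\AppData\Local\Temp\RarSFX0\svc.exe",
        "OriginalFileName": "AutoIt3.exe",
        "CommandLine": r'"C:\Users\kim\AppData\Local\Temp\RarSFX0\svc.exe" update.a3x',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # Interpreter run directly from an extracted archive folder under Downloads.
        "Image": r"C:\Users\kim\Downloads\postal_code_notice\AutoIt3.exe",
        "OriginalFileName": "AutoIt3.exe",
        "CommandLine": r'"C:\Users\kim\Downloads\postal_code_notice\AutoIt3.exe" notice.au3',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Interpreter in ProgramData started by a service, not a shortcut launcher: not flagged.
        "Image": r"C:\ProgramData\Vendor\AutoIt3.exe",
        "OriginalFileName": "AutoIt3.exe",
        "CommandLine": r'"C:\ProgramData\Vendor\AutoIt3.exe" agent.au3',
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print("suspicious:", ev["Image"], "<-", basename(ev["ParentImage"]))
```

The parent-process constraint is what ties the heuristic to the LNK delivery described above; dropping it turns the rule into a generic "AutoIt from a user-writable path" alert, which is noisier but also catches loaders relaunched by persistence mechanisms.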
The malware is part of a broader ScarCruft operational shift combining espionage tooling with ransomware deployment and abuse of real-time messaging infrastructure such as PubNub. High-confidence reporting links the campaign to ScarCruft based on overlapping tradecraft and malware clustering. Targeting described in the source material includes South Korean users, with ScarCruft historically targeting defectors, journalists, government entities, media organizations, academics, and defense- or North Korea-related victims. No specific CHILLYCHINO indicators of compromise are provided in the supplied content.
Recent activity
Summaries from the 5 sources tracked for this family (advisories, community write-ups, and news):
Rust-based backdoor/implant used by APT37 for espionage and data exfiltration, first seen in June 2025.
Rust-based backdoor adapted from an earlier PowerShell version, reflecting ScarCruft's adoption of Rust for malware development.
CHILLYCHINO is a backdoor malware used by North Korean threat actors for persistent access and control over compromised systems.
A known malware family, with a new variant used in ScarCruft's recent campaign. Specific functionality is not detailed in the content.