Evolution of Multi-Platform Targeting: APT37 Group

2025-09-26 Piolink Evolution of Multi-Platform Targeting: APT37 Group

https://www.piolink.com/kr/service/Security-Analysis.php?bbsCode=security&vType=view&idx=165&page=2

PIOLINK links recent APT37 activity to a shared C2 infrastructure used to operate Rustonotto, Chinotto, and FadeStealer against targets connected to North Korea policy, human rights, and South Korean interests. Initial access uses Windows shortcut files and CHM help files, including LNK payloads that extract an HWP decoy and a Rust-compiled Rustonotto backdoor from embedded AEL, BEL, and EOF markers. Rustonotto builds a victim identifier from the computer and user names, receives Base64-encoded Windows commands over HTTP, executes them, and returns encoded output to the C2 server. Supported commands enable file inventory, directory compression and upload, file exfiltration, downloads, registry edits, scheduled tasks, archive extraction, renaming, and deletion, while FadeStealer adds keylogging, screenshots, audio recording, device monitoring, and RAR-based data theft.

Indicators of Compromise

