APT37: Rust Backdoor & Python Loader
2025-09-08 • Zscaler
Zscaler ThreatLabz details recent APT37 activity against Windows systems, linking the North Korean-aligned actor to Rustonotto, Chinotto, and FadeStealer. The campaigns use Windows shortcut files and CHM help files as initial delivery vectors, including a shortcut that launches Chinotto, drops a decoy HWP document titled “Two Perspectives on North Korea in South Korean Society,” and installs the Rustonotto backdoor with a MicrosoftUpdate scheduled task.

Rustonotto receives Base64-encoded Windows commands from a C2 server and returns Base64-encoded execution results, while CHM-delivered Chinotto provides file transfer, command execution, registry modification, archive extraction, and scheduled-task capabilities through HTTP POST communications. Follow-on hands-on-keyboard activity delivered CAB-packaged Python launchers and used Process Doppelgänging-style injection to deploy FadeStealer, a surveillance tool for keystrokes, screenshots, audio, device monitoring, removable media tracking, and RAR-based data exfiltration.

The report matters because it shows APT37 adopting Rust and Python-based tradecraft while continuing targeted operations against South Korean individuals connected to North Korea issues and human rights activism.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | d2b34b8bfafd6b17b1cf931bb3fdd3db | 2025-09-08 | 2025-09-26 |
| HASH | 89986806a298ffd6367cf43f36136311 | 2025-09-08 | 2025-09-26 |
| HASH | 4caa44930e5587a0c9914bda9d240acc | 2025-09-08 | 2025-09-26 |
| HASH | b9900bef33c6cc9911a5cd7eeda8e093 | 2025-09-08 | 2025-09-26 |
| HASH | 04b5e068e6f0079c2c205a42df8a3a84 | 2025-09-08 | 2025-09-26 |
| HASH | 3d6b999d65c775c1d27c8efa615ee520 | 2025-09-08 | 2025-09-26 |
| HASH | 7967156e138a66f3ee1bfce81836d8d0 | 2025-09-08 | 2025-09-26 |
| HASH | 77a70e87429c4e552649235a9a2cf11a | 2025-09-08 | 2025-09-26 |
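The summary above names three observables a defender can act on: the MicrosoftUpdate scheduled task used for Rustonotto persistence, HTTP POST bodies that are Base64-encoded commands or results, and the file hashes in the table. The script below is an added example (not Zscaler's code and not part of the report) that runs those three checks over constructed telemetry. The `key=value` event format, the field names (`type`, `name`, `body`, `md5`) and the sample lines are assumptions made for the example; the only values taken from the page are the task name and the hashes.

```python
"""Added detection example for the APT37 tradecraft summarised on this page.

The telemetry format is hypothetical; the task name and hash values come
from the page, everything else is constructed for the example.
"""
import base64
import re
import string

# Hash values copied from the IoC table on this page.
REPORT_HASHES = frozenset({
    "d2b34b8bfafd6b17b1cf931bb3fdd3db",
    "89986806a298ffd6367cf43f36136311",
    "4caa44930e5587a0c9914bda9d240acc",
    "b9900bef33c6cc9911a5cd7eeda8e093",
    "04b5e068e6f0079c2c205a42df8a3a84",
    "3d6b999d65c775c1d27c8efa615ee520",
    "7967156e138a66f3ee1bfce81836d8d0",
    "77a70e87429c4e552649235a9a2cf11a",
})

# Scheduled task name the report ties to Rustonotto persistence (compared case-insensitively).
SUSPICIOUS_TASK_NAMES = {"microsoftupdate"}

# Hypothetical key=value telemetry: quoted or bare values (assumption, not a vendor schema).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_PRINTABLE = set(string.printable)


def parse_event(line: str) -> dict:
    """Parse one key=value line into a dict."""
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}


def decode_base64_text(body: str):
    """Return decoded text if body is strict Base64 of printable ASCII, else None.

    Rustonotto exchanges Base64-encoded commands and results, so a POST body
    that decodes cleanly to short printable text deserves a closer look.
    """
    if len(body) < 8 or len(body) % 4 or not _B64_RE.match(body):
        return None
    try:
        raw = base64.b64decode(body, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text and all(c in _PRINTABLE for c in text) else None


def analyze_event(event: dict) -> list:
    """Apply the three page-derived rules to one parsed event."""
    findings = []
    kind = event.get("type")
    if kind == "task_create" and event.get("name", "").lower() in SUSPICIOUS_TASK_NAMES:
        findings.append(f"suspicious_scheduled_task:{event['name']}")
    if kind == "http_post":
        decoded = decode_base64_text(event.get("body", ""))
        if decoded is not None:
            findings.append(f"base64_post_body:{decoded}")
    if kind == "file_hash":
        md5 = event.get("md5", "").lower()
        if md5 in REPORT_HASHES:
            findings.append(f"known_ioc_hash:{md5}")
    return findings


def scan(lines) -> list:
    """Run every rule over each line; returns (finding, source line) pairs."""
    return [(finding, line) for line in lines for finding in analyze_event(parse_event(line))]


# Constructed sample telemetry (not from the report). The second encoded body is
# built at runtime so the example contains no captured C2 traffic.
SAMPLE_LINES = [
    r'type=task_create name="MicrosoftUpdate" user=alice action="C:\Users\alice\AppData\Roaming\svc.exe"',
    r'type=task_create name="OneDrive Standalone Update Task" user=alice action="C:\Program Files\OneDrive\Updater.exe"',
    'type=http_post host=203.0.113.10 body="d2hvYW1p"',  # Base64 of "whoami"
    'type=http_post host=203.0.113.10 body="' + base64.b64encode(b"DESKTOP-01\\alice").decode() + '"',
    'type=http_post host=example.org body=q=weather&page=2',
    r'type=file_hash path="C:\Users\alice\Downloads\report.exe" md5=D2B34B8BFAFD6B17B1CF931BB3FDD3DB',
    r'type=file_hash path="C:\Windows\notepad.exe" md5=00000000000000000000000000000000',
]

if __name__ == "__main__":
    for finding, line in scan(SAMPLE_LINES):
        print(f"{finding}\n    <- {line}")
```

The Base64 rule is deliberately strict (correct length, valid alphabet, printable ASCII after decoding) so that ordinary form posts do not trip it; on real proxy logs it should be combined with the destination host or the absence of a Content-Type rather than used alone, since short Base64 tokens are common in legitimate traffic. Hash matching is case-insensitive because collectors emit MD5 values in both cases.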