diff --git a/detections/application/detect_html_help_spawn_child_process.yml b/detections/application/detect_html_help_spawn_child_process.yml index 4047b390a4..5c2918d2bf 100644 --- a/detections/application/detect_html_help_spawn_child_process.yml +++ b/detections/application/detect_html_help_spawn_child_process.yml @@ -1,7 +1,7 @@ name: Detect HTML Help Spawn Child Process id: 723716de-ee55-4cd4-9759-c44e7e55ba4b -version: 11 -date: '2025-05-02' +version: 12 +date: '2025-09-18' author: Michael Haag, Splunk status: production type: TTP @@ -79,6 +79,7 @@ tags: - AgentTesla - Living Off The Land - Compromised Windows Host + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1218.001 diff --git a/detections/endpoint/bitsadmin_download_file.yml b/detections/endpoint/bitsadmin_download_file.yml index 5cbf185398..082db5a301 100644 --- a/detections/endpoint/bitsadmin_download_file.yml +++ b/detections/endpoint/bitsadmin_download_file.yml @@ -1,7 +1,7 @@ name: BITSAdmin Download File id: 80630ff4-8e4c-11eb-aab5-acde48001122 -version: 12 -date: '2025-07-29' +version: 13 +date: '2025-09-18' author: Michael Haag, Sittikorn S status: production type: TTP @@ -81,6 +81,7 @@ tags: - Flax Typhoon - Gozi Malware - Scattered Spider + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1197 diff --git a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml index dafdcbd6f7..fd1a19227c 100644 --- a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml +++ b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml @@ -1,7 +1,7 @@ name: Cisco NVM - Suspicious Download From File Sharing Website id: 94ebc001-35e7-4ae8-9b0e-52766b2f99c7 -version: 2 -date: '2025-09-09' +version: 3 +date: '2025-09-18' author: Nasreddine Bencherchali, Splunk status: production type: Anomaly 
@@ -97,6 +97,7 @@ rba: type: process_name tags: analytic_story: + - APT37 Rustonotto and FadeStealer - Cisco Network Visibility Module Analytics asset_type: Endpoint mitre_attack_id: diff --git a/detections/endpoint/cobalt_strike_named_pipes.yml b/detections/endpoint/cobalt_strike_named_pipes.yml index 6a7ed2ea42..c0bdc330dd 100644 --- a/detections/endpoint/cobalt_strike_named_pipes.yml +++ b/detections/endpoint/cobalt_strike_named_pipes.yml @@ -1,7 +1,7 @@ name: Cobalt Strike Named Pipes id: 5876d429-0240-4709-8b93-ea8330b411b5 -version: 10 -date: '2025-08-04' +version: 11 +date: '2025-09-18' author: Michael Haag, Splunk status: production type: TTP @@ -90,6 +90,7 @@ tags: - Graceful Wipe Out Attack - LockBit Ransomware - Gozi Malware + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1055 diff --git a/detections/endpoint/detect_html_help_renamed.yml b/detections/endpoint/detect_html_help_renamed.yml index 44efeb5579..f5a823524d 100644 --- a/detections/endpoint/detect_html_help_renamed.yml +++ b/detections/endpoint/detect_html_help_renamed.yml @@ -1,7 +1,7 @@ name: Detect HTML Help Renamed id: 62fed254-513b-460e-953d-79771493a9f3 -version: 11 -date: '2025-05-02' +version: 12 +date: '2025-09-18' author: Michael Haag, Splunk status: production type: Hunting @@ -45,6 +45,7 @@ tags: analytic_story: - Suspicious Compiled HTML Activity - Living Off The Land + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1218.001 diff --git a/detections/endpoint/detect_html_help_url_in_command_line.yml b/detections/endpoint/detect_html_help_url_in_command_line.yml index 7e3a4f32c3..987241bff9 100644 --- a/detections/endpoint/detect_html_help_url_in_command_line.yml +++ b/detections/endpoint/detect_html_help_url_in_command_line.yml 
@@ -1,7 +1,7 @@ name: Detect HTML Help URL in Command Line id: 8c5835b9-39d9-438b-817c-95f14c69a31e -version: 12 -date: '2025-06-30' +version: 13 +date: '2025-09-18' author: Michael Haag, Splunk status: production type: TTP @@ -82,6 +82,7 @@ rba: type: process_name tags: analytic_story: + - APT37 Rustonotto and FadeStealer - Suspicious Compiled HTML Activity - Living Off The Land - Compromised Windows Host diff --git a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml index d096ef262e..62415a7ddc 100644 --- a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml +++ b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml @@ -1,7 +1,7 @@ name: Detect HTML Help Using InfoTech Storage Handlers id: 0b2eefa5-5508-450d-b970-3dd2fb761aec -version: 10 -date: '2025-05-02' +version: 11 +date: '2025-09-18' author: Michael Haag, Splunk status: production type: TTP @@ -76,6 +76,7 @@ tags: - Suspicious Compiled HTML Activity - Living Off The Land - Compromised Windows Host + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1218.001 diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml index 89cedd60ca..d2f37de1e9 100644 --- a/detections/endpoint/detect_mshta_inline_hta_execution.yml +++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml @@ -1,7 +1,7 @@ name: Detect mshta inline hta execution id: a0873b32-5b68-11eb-ae93-0242ac130002 -version: '17' -date: '2025-05-06' +version: '18' +date: '2025-09-18' author: Bhavin Patel, Michael Haag, Splunk status: production type: TTP @@ -80,6 +80,7 @@ tags: - Living Off The Land - Suspicious MSHTA Activity - XWorm + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1218.005 
diff --git a/detections/endpoint/detect_mshta_renamed.yml b/detections/endpoint/detect_mshta_renamed.yml index 41fa471e01..664f76887c 100644 --- a/detections/endpoint/detect_mshta_renamed.yml +++ b/detections/endpoint/detect_mshta_renamed.yml @@ -1,7 +1,7 @@ name: Detect mshta renamed id: 8f45fcf0-5b68-11eb-ae93-0242ac130002 -version: 10 -date: '2025-05-02' +version: 11 +date: '2025-09-18' author: Michael Haag, Splunk status: production type: Hunting @@ -43,6 +43,7 @@ tags: analytic_story: - Suspicious MSHTA Activity - Living Off The Land + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1218.005 diff --git a/detections/endpoint/detect_mshta_url_in_command_line.yml b/detections/endpoint/detect_mshta_url_in_command_line.yml index 2645611206..d924662ab3 100644 --- a/detections/endpoint/detect_mshta_url_in_command_line.yml +++ b/detections/endpoint/detect_mshta_url_in_command_line.yml @@ -1,7 +1,7 @@ name: Detect MSHTA Url in Command Line id: 9b3af1e6-5b68-11eb-ae93-0242ac130002 -version: 14 -date: '2025-06-30' +version: 15 +date: '2025-09-18' author: Michael Haag, Splunk status: production type: TTP @@ -82,6 +82,7 @@ rba: type: process_name tags: analytic_story: + - APT37 Rustonotto and FadeStealer - Compromised Windows Host - Lumma Stealer - Living Off The Land diff --git a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml index 2a7b27ce5b..af88fceaf0 100644 --- a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml +++ b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml @@ -1,7 +1,7 @@ name: Detect Outlook exe writing a zip file id: a51bfe1a-94f0-4822-b1e4-16ae10145893 -version: 13 -date: '2025-05-02' +version: 14 +date: '2025-09-18' author: Bhavin Patel, Splunk status: experimental type: TTP @@ -53,6 +53,7 @@ tags: - Remcos - PXA Stealer - Meduza Stealer + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1566.001 
diff --git a/detections/endpoint/detect_rundll32_inline_hta_execution.yml b/detections/endpoint/detect_rundll32_inline_hta_execution.yml index 12d42f723f..3d21c17e75 100644 --- a/detections/endpoint/detect_rundll32_inline_hta_execution.yml +++ b/detections/endpoint/detect_rundll32_inline_hta_execution.yml @@ -1,7 +1,7 @@ name: Detect Rundll32 Inline HTA Execution id: 91c79f14-5b41-11eb-ae93-0242ac130002 -version: 8 -date: '2025-05-02' +version: 9 +date: '2025-09-18' author: Michael Haag, Splunk status: production type: TTP @@ -68,6 +68,7 @@ tags: - Suspicious MSHTA Activity - NOBELIUM Group - Living Off The Land + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1218.005 diff --git a/detections/endpoint/executables_or_script_creation_in_temp_path.yml b/detections/endpoint/executables_or_script_creation_in_temp_path.yml index 47b18998c3..5d8d18a843 100644 --- a/detections/endpoint/executables_or_script_creation_in_temp_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_temp_path.yml @@ -1,7 +1,7 @@ name: Executables Or Script Creation In Temp Path id: e0422b71-2c05-4f32-8754-01fb415f49c9 -version: 15 -date: '2025-08-07' +version: 16 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -102,6 +102,7 @@ tags: - Amadey - IcedID - Interlock Rat + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1036 diff --git a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml index ca650e0bf0..70aaf6d22a 100644 --- a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml +++ b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml @@ -1,7 +1,7 @@ name: IcedID Exfiltrated Archived File Creation id: 0db4da70-f14b-11eb-8043-acde48001122 -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: Hunting 
@@ -33,6 +33,7 @@ references: tags: analytic_story: - IcedID + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1560.001 diff --git a/detections/endpoint/lolbas_with_network_traffic.yml b/detections/endpoint/lolbas_with_network_traffic.yml index 2b3b6bd436..65e229b262 100644 --- a/detections/endpoint/lolbas_with_network_traffic.yml +++ b/detections/endpoint/lolbas_with_network_traffic.yml @@ -1,7 +1,7 @@ name: LOLBAS With Network Traffic id: 2820f032-19eb-497e-8642-25b04a880359 -version: 11 -date: '2025-05-26' +version: 12 +date: '2025-09-18' author: Steven Dick status: production type: TTP @@ -74,6 +74,7 @@ tags: - Living Off The Land - Malicious Inno Setup Loader - Water Gamayun + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1105 diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml index db8bcc1cb1..c2c100fff4 100644 --- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml +++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml @@ -1,7 +1,7 @@ name: Malicious PowerShell Process - Execution Policy Bypass id: 9be56c82-b1cc-4318-87eb-d138afaaca39 -version: 15 -date: '2025-08-22' +version: 16 +date: '2025-09-18' author: Rico Valdez, Mauricio Velazco, Splunk status: production type: Anomaly @@ -76,6 +76,7 @@ tags: - XWorm - DarkCrystal RAT - 0bj3ctivity Stealer + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1059.001 diff --git a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml index 206a789991..b2007887d4 100644 --- a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml +++ b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml 
@@ -1,7 +1,7 @@ name: Mshta spawning Rundll32 OR Regsvr32 Process id: 4aa5d062-e893-11eb-9eb2-acde48001122 -version: 9 -date: '2025-05-02' +version: 10 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: TTP @@ -69,6 +69,7 @@ tags: - Trickbot - IcedID - Living Off The Land + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1218.005 diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml index 243bae6181..5be89f2bd4 100644 --- a/detections/endpoint/powershell_4104_hunting.yml +++ b/detections/endpoint/powershell_4104_hunting.yml @@ -1,7 +1,7 @@ name: PowerShell 4104 Hunting id: d6f2b006-0041-11ec-8885-acde48001122 -version: 19 -date: '2025-08-22' +version: 20 +date: '2025-09-18' author: Michael Haag, Splunk status: production type: Hunting @@ -83,6 +83,7 @@ tags: - Scattered Spider - Interlock Ransomware - 0bj3ctivity Stealer + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1059.001 diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml index 75043260ec..a0f5d4c9d7 100644 --- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml +++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml @@ -1,7 +1,7 @@ name: Powershell Fileless Script Contains Base64 Encoded Content id: 8acbc04c-c882-11eb-b060-acde48001122 -version: 12 -date: '2025-08-22' +version: 13 +date: '2025-09-18' author: Michael Haag, Splunk status: production type: TTP @@ -64,6 +64,7 @@ tags: - IcedID - XWorm - 0bj3ctivity Stealer + - APT37 Rustonotto and FadeStealer mitre_attack_id: - T1027 - T1059.001 
diff --git a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml index 43114bf432..ae9bb290f0 100644 --- a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml +++ b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml @@ -1,7 +1,7 @@ name: Process Creating LNK file in Suspicious Location id: 5d814af1-1041-47b5-a9ac-d754e82e9a26 -version: 12 -date: '2025-05-02' +version: 13 +date: '2025-09-18' author: Jose Hernandez, Michael Haag, Splunk status: production type: TTP @@ -63,6 +63,7 @@ tags: - IcedID - Amadey - Gozi Malware + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1566.002 diff --git a/detections/endpoint/processes_tapping_keyboard_events.yml b/detections/endpoint/processes_tapping_keyboard_events.yml index aca5d82d48..4f5f8b4d45 100644 --- a/detections/endpoint/processes_tapping_keyboard_events.yml +++ b/detections/endpoint/processes_tapping_keyboard_events.yml @@ -1,7 +1,7 @@ name: Processes Tapping Keyboard Events id: 2a371608-331d-4034-ae2c-21dda8f1d0ec -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-09-18' author: Jose Hernandez, Splunk status: experimental type: TTP @@ -38,6 +38,7 @@ rba: tags: analytic_story: - ColdRoot MacOS RAT + - APT37 Rustonotto and FadeStealer asset_type: Endpoint product: - Splunk Enterprise diff --git a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml index 999e660557..498cad0bb7 100644 --- a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml +++ b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml @@ -1,7 +1,7 @@ name: Recursive Delete of Directory In Batch CMD id: ba570b3a-d356-11eb-8358-acde48001122 -version: 9 -date: '2025-05-02' +version: 10 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -64,6 +64,7 @@ rba: tags: analytic_story: - Ransomware + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1070.004 diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index 42df36d913..75df6a4b29 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -1,7 +1,7 @@ name: Registry Keys Used For Persistence id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b -version: 25 -date: '2025-08-22' +version: 26 +date: '2025-09-18' author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk status: production type: TTP @@ -116,6 +116,7 @@ tags: - MoonPeak - Interlock Ransomware - 0bj3ctivity Stealer + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1547.001 diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index 273044c950..14ff41bd23 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -1,7 +1,7 @@ name: Scheduled Task Deleted Or Created via CMD id: d5af132c-7c17-439c-9d31-13d55340f36c -version: 20 -date: '2025-08-22' +version: 21 +date: '2025-09-18' author: Bhavin Patel, Splunk status: production type: TTP @@ -105,6 +105,7 @@ tags: - MoonPeak - Scattered Spider - 0bj3ctivity Stealer + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1053.005 diff --git a/detections/endpoint/suspicious_curl_network_connection.yml b/detections/endpoint/suspicious_curl_network_connection.yml index 22c426f43c..28d3e77887 100644 --- a/detections/endpoint/suspicious_curl_network_connection.yml +++ b/detections/endpoint/suspicious_curl_network_connection.yml 
@@ -1,7 +1,7 @@ name: Suspicious Curl Network Connection id: 3f613dc0-21f2-4063-93b1-5d3c15eef22f -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-09-18' author: Michael Haag, Splunk status: experimental type: TTP @@ -53,6 +53,7 @@ tags: - Silver Sparrow - Ingress Tool Transfer - Linux Living Off The Land + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1105 diff --git a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml index 4b7762ff63..04e9b54def 100644 --- a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml +++ b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml @@ -1,7 +1,7 @@ name: Suspicious Image Creation In Appdata Folder id: f6f904c4-1ac0-11ec-806b-acde48001122 -version: 8 -date: '2025-05-02' +version: 9 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: TTP @@ -64,6 +64,7 @@ rba: tags: analytic_story: - Remcos + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1113 diff --git a/detections/endpoint/suspicious_mshta_spawn.yml b/detections/endpoint/suspicious_mshta_spawn.yml index 557bebd1c5..5452cf030d 100644 --- a/detections/endpoint/suspicious_mshta_spawn.yml +++ b/detections/endpoint/suspicious_mshta_spawn.yml @@ -1,7 +1,7 @@ name: Suspicious mshta spawn id: 4d33a488-5b5f-11eb-ae93-0242ac130002 -version: 8 -date: '2025-05-02' +version: 9 +date: '2025-09-18' author: Michael Haag, Splunk status: production type: TTP @@ -68,6 +68,7 @@ tags: analytic_story: - Suspicious MSHTA Activity - Living Off The Land + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1218.005 diff --git a/detections/endpoint/suspicious_process_executed_from_container_file.yml b/detections/endpoint/suspicious_process_executed_from_container_file.yml index 844389b65c..010fa10dcd 100644 
--- a/detections/endpoint/suspicious_process_executed_from_container_file.yml +++ b/detections/endpoint/suspicious_process_executed_from_container_file.yml @@ -1,7 +1,7 @@ name: Suspicious Process Executed From Container File id: d8120352-3b62-411c-8cb6-7b47584dd5e8 -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-09-18' author: Steven Dick status: production type: TTP @@ -74,6 +74,7 @@ rba: type: file_name tags: analytic_story: + - APT37 Rustonotto and FadeStealer - Unusual Processes - Amadey - Remcos diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index 9cc82b6d47..9ce6643ab0 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml @@ -1,7 +1,7 @@ name: Suspicious Scheduled Task from Public Directory id: 7feb7972-7ac3-11eb-bac8-acde48001122 -version: 15 -date: '2025-07-29' +version: 16 +date: '2025-09-18' author: Michael Haag, Splunk status: production type: Anomaly @@ -87,6 +87,7 @@ tags: - MoonPeak - China-Nexus Threat Activity - Scattered Spider + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1053.005 diff --git a/detections/endpoint/windows_alternate_datastream___base64_content.yml b/detections/endpoint/windows_alternate_datastream___base64_content.yml index 8dfb862bfc..736be0138e 100644 --- a/detections/endpoint/windows_alternate_datastream___base64_content.yml +++ b/detections/endpoint/windows_alternate_datastream___base64_content.yml @@ -1,7 +1,7 @@ name: Windows Alternate DataStream - Base64 Content id: 683f48de-982f-4a7e-9aac-9cec550da498 -version: 8 -date: '2025-05-02' +version: 9 +date: '2025-09-18' author: Steven Dick, Teoderick Contreras, Michael Haag, Splunk status: production type: TTP 
@@ -60,6 +60,7 @@ rba: tags: analytic_story: - Windows Defense Evasion Tactics + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1564.004 diff --git a/detections/endpoint/windows_archive_collected_data_via_powershell.yml b/detections/endpoint/windows_archive_collected_data_via_powershell.yml index 89a54a9faa..d5305ed119 100644 --- a/detections/endpoint/windows_archive_collected_data_via_powershell.yml +++ b/detections/endpoint/windows_archive_collected_data_via_powershell.yml @@ -1,7 +1,7 @@ name: Windows Archive Collected Data via Powershell id: 74c5a3b0-27a7-463c-9d00-1a5bb12cb7b5 -version: 7 -date: '2025-06-24' +version: 8 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -52,6 +52,7 @@ rba: threat_objects: [] tags: analytic_story: + - APT37 Rustonotto and FadeStealer - CISA AA23-347A asset_type: Endpoint mitre_attack_id: diff --git a/detections/endpoint/windows_archive_collected_data_via_rar.yml b/detections/endpoint/windows_archive_collected_data_via_rar.yml index f2d22c5c35..7f61bc4191 100644 --- a/detections/endpoint/windows_archive_collected_data_via_rar.yml +++ b/detections/endpoint/windows_archive_collected_data_via_rar.yml @@ -1,7 +1,7 @@ name: Windows Archive Collected Data via Rar id: 2015de95-fe91-413d-9d62-2fe011b67e82 -version: 9 -date: '2025-05-02' +version: 10 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -66,6 +66,7 @@ tags: - DarkGate Malware - Salt Typhoon - China-Nexus Threat Activity + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1560.001 diff --git a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml index 145c37fdcb..a2d666b222 100644 --- a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml +++ b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml 
@@ -1,7 +1,7 @@ name: Windows Archived Collected Data In TEMP Folder id: cb56a1ea-e0b1-46d5-913f-e024cba40cbe -version: 5 -date: '2025-05-02' +version: 6 +date: '2025-09-18' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 11 @@ -56,6 +56,7 @@ rba: tags: analytic_story: - Braodo Stealer + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1560 diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml index a839d1604c..99e6497da7 100644 --- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml +++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml @@ -1,7 +1,7 @@ name: Windows Boot or Logon Autostart Execution In Startup Folder id: 99d157cb-923f-4a00-aee9-1f385412146f -version: 10 -date: '2025-07-28' +version: 11 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -65,6 +65,7 @@ tags: - Quasar RAT - RedLine Stealer - Interlock Ransomware + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1547.001 diff --git a/detections/endpoint/windows_cab_file_on_disk.yml b/detections/endpoint/windows_cab_file_on_disk.yml index 6f9325a059..26af81cfa7 100644 --- a/detections/endpoint/windows_cab_file_on_disk.yml +++ b/detections/endpoint/windows_cab_file_on_disk.yml @@ -1,7 +1,7 @@ name: Windows CAB File on Disk id: 622f08d0-69ef-42c2-8139-66088bc25acd -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-09-18' author: Michael Haag, Splunk status: production type: Anomaly @@ -59,6 +59,7 @@ rba: tags: analytic_story: - DarkGate Malware + - APT37 Rustonotto and FadeStealer asset_type: Endpoint atomic_guid: [] mitre_attack_id: 
diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml index 97afbe592b..c584962477 100644 --- a/detections/endpoint/windows_curl_download_to_suspicious_path.yml +++ b/detections/endpoint/windows_curl_download_to_suspicious_path.yml @@ -1,7 +1,7 @@ name: Windows Curl Download to Suspicious Path id: c32f091e-30db-11ec-8738-acde48001122 -version: 15 -date: '2025-09-09' +version: 16 +date: '2025-09-18' author: Michael Haag, Nasreddine Bencherchali, Splunk status: production type: TTP @@ -93,6 +93,7 @@ rba: type: process_name tags: analytic_story: + - APT37 Rustonotto and FadeStealer - Black Basta Ransomware - China-Nexus Threat Activity - Forest Blizzard diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml index a553b2f22a..0b11aedd55 100644 --- a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml +++ b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml @@ -1,7 +1,7 @@ name: Windows Exfiltration Over C2 Via Invoke RestMethod id: 06ade821-f6fa-40d0-80af-15bc1d45b3ba -version: 8 -date: '2025-06-24' +version: 9 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: TTP @@ -57,6 +57,7 @@ rba: threat_objects: [] tags: analytic_story: + - APT37 Rustonotto and FadeStealer - Winter Vivern - Water Gamayun asset_type: Endpoint diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml index 3d2779ee2a..04a49cbdb8 100644 --- a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml +++ b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml 
@@ -1,7 +1,7 @@ name: Windows Exfiltration Over C2 Via Powershell UploadString id: 59e8bf41-7472-412a-90d3-00f3afa452e9 -version: 7 -date: '2025-06-24' +version: 8 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: TTP @@ -56,6 +56,7 @@ rba: threat_objects: [] tags: analytic_story: + - APT37 Rustonotto and FadeStealer - Winter Vivern asset_type: Endpoint mitre_attack_id: diff --git a/detections/endpoint/windows_expand_cabinet_file_extraction.yml b/detections/endpoint/windows_expand_cabinet_file_extraction.yml new file mode 100644 index 0000000000..23ebce0ec6 --- /dev/null +++ b/detections/endpoint/windows_expand_cabinet_file_extraction.yml 
@@ -0,0 +1,85 @@ +name: Windows Expand Cabinet File Extraction +id: 4e3e3b8c-6d3a-4b47-9f5a-9e3e0a0a6f2f +version: 1 +date: '2025-09-18' +author: Michael Haag, Splunk +status: production +type: TTP +description: | + Detects usage of expand.exe to extract Microsoft Cabinet (CAB) archives, with + emphasis on extractions into `C:\\ProgramData` or similar staging locations. In + recent APT37 activity, a CAB payload (e.g., wonder.cab) was expanded into + ProgramData prior to persistence and execution. This behavior is a strong signal + for ingress tool transfer and staging of payloads. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: | + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime + from datamodel=Endpoint.Processes + where Processes.process_name="expand.exe" + (Processes.process="* -F:* *" OR Processes.process="* /F:* *") + (Processes.process="*.cab*" OR Processes.process="*\\ProgramData\\*") + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_path Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_path Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_expand_cabinet_file_extraction_filter` +how_to_implement: | + This analytic relies on process creation telemetry mapped to the Endpoint.Processes + datamodel (e.g., Sysmon EID 1 or EDR). Ensure full command-line logging is enabled + to capture expand.exe arguments, including `/F:*` or `-F:*` and destination paths. 
+known_false_positives: | + Legitimate software deployment or administrators may use expand.exe for local + file extraction. Filter by approved deployment tools, signed parent processes, + and sanctioned paths. +references: +- https://www.zscaler.com/blogs/security-research/apt37-targets-windows-rust-backdoor-and-python-loader +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: | + | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$","$dest$") starthoursago=168 + | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" + values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" + values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: expand.exe extracted cabinet contents on $dest$ executed by $user$. + risk_objects: + - field: dest + type: system + score: 30 + - field: user + type: system + score: 30 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - APT37 Rustonotto and FadeStealer + asset_type: Endpoint + mitre_attack_id: + - T1105 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/expand_windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog + + 
diff --git a/detections/endpoint/windows_file_download_via_powershell.yml b/detections/endpoint/windows_file_download_via_powershell.yml index 2855b926ec..86bc5b78fc 100644 --- a/detections/endpoint/windows_file_download_via_powershell.yml +++ b/detections/endpoint/windows_file_download_via_powershell.yml @@ -1,7 +1,7 @@ name: Windows File Download Via PowerShell id: 58c4e56c-b5b8-46a3-b5fb-6537dca3c6de -version: 2 -date: '2025-09-09' +version: 3 +date: '2025-09-18' author: Michael Haag, Nasreddine Bencherchali, Splunk status: production type: Anomaly @@ -90,6 +90,7 @@ rba: type: process_name tags: analytic_story: + - APT37 Rustonotto and FadeStealer - Winter Vivern - Phemedrone Stealer - Malicious PowerShell diff --git a/detections/endpoint/windows_high_file_deletion_frequency.yml b/detections/endpoint/windows_high_file_deletion_frequency.yml index 86984c1653..9ca0bf76d7 100644 --- a/detections/endpoint/windows_high_file_deletion_frequency.yml +++ b/detections/endpoint/windows_high_file_deletion_frequency.yml @@ -1,7 +1,7 @@ name: Windows High File Deletion Frequency id: 45b125c4-866f-11eb-a95a-acde48001122 -version: 9 -date: '2025-07-28' +version: 10 +date: '2025-09-18' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly @@ -79,6 +79,7 @@ tags: - Clop Ransomware - Interlock Ransomware - NailaoLocker Ransomware + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1485 diff --git a/detections/endpoint/windows_http_network_communication_from_msiexec.yml b/detections/endpoint/windows_http_network_communication_from_msiexec.yml index 1c14946754..1bca7e03d1 100644 --- a/detections/endpoint/windows_http_network_communication_from_msiexec.yml +++ b/detections/endpoint/windows_http_network_communication_from_msiexec.yml 
@@ -1,7 +1,7 @@ name: Windows HTTP Network Communication From MSIExec id: b0fd38c7-f71a-43a2-870e-f3ca06bcdd99 -version: 6 -date: '2025-06-30' +version: 7 +date: '2025-09-18' author: Michael Haag, Splunk status: production type: Anomaly @@ -81,6 +81,7 @@ rba: type: process_name tags: analytic_story: + - APT37 Rustonotto and FadeStealer - Windows System Binary Proxy Execution MSIExec - Water Gamayun - Cisco Network Visibility Module Analytics diff --git a/detections/endpoint/windows_indicator_removal_via_rmdir.yml b/detections/endpoint/windows_indicator_removal_via_rmdir.yml index 910d6fc600..6074c402fb 100644 --- a/detections/endpoint/windows_indicator_removal_via_rmdir.yml +++ b/detections/endpoint/windows_indicator_removal_via_rmdir.yml @@ -1,7 +1,7 @@ name: Windows Indicator Removal Via Rmdir id: c4566d2c-b094-48a1-9c59-d66e22065560 -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -63,6 +63,7 @@ rba: tags: analytic_story: - DarkGate Malware + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1070 diff --git a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml index f675b2a5e9..b84feae810 100644 --- a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml +++ b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml @@ -1,7 +1,7 @@ name: Windows Input Capture Using Credential UI Dll id: 406c21d6-6c75-4e9f-9ca9-48049a1dd90e -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: Hunting @@ -33,6 +33,7 @@ references: tags: analytic_story: - Brute Ratel C4 + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1056.002 
diff --git a/detections/endpoint/windows_iso_lnk_file_creation.yml b/detections/endpoint/windows_iso_lnk_file_creation.yml index 34d9d3df87..0208a03802 100644 --- a/detections/endpoint/windows_iso_lnk_file_creation.yml +++ b/detections/endpoint/windows_iso_lnk_file_creation.yml @@ -1,7 +1,7 @@ name: Windows ISO LNK File Creation id: d7c2c09b-9569-4a9e-a8b6-6a39a99c1d32 -version: 8 -date: '2025-05-02' +version: 9 +date: '2025-09-18' author: Michael Haag, Teoderick Contreras, Splunk status: production type: Hunting @@ -47,6 +47,7 @@ tags: - Warzone RAT - Amadey - Gozi Malware + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1204.001 diff --git a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml index f8023fbcdd..f69d4bcc2e 100644 --- a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml +++ b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml @@ -1,7 +1,7 @@ name: Windows Obfuscated Files or Information via RAR SFX id: 4ab6862b-ce88-4223-96c0-f6da2cffb898 -version: 4 -date: '2025-05-02' +version: 5 +date: '2025-09-18' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 11 @@ -53,6 +53,7 @@ rba: tags: analytic_story: - Crypto Stealer + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1027.013 diff --git a/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml index fecbed2b19..9954492a60 100644 --- a/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml +++ b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml 
@@ -1,7 +1,7 @@ name: Windows Office Product Dropped Cab or Inf File id: dbdd251e-dd45-4ec9-a555-f5e151391746 -version: 5 -date: '2025-05-02' +version: 6 +date: '2025-09-18' author: Michael Haag, Splunk status: production type: TTP @@ -72,6 +72,7 @@ tags: - Spearphishing Attachments - Microsoft MSHTML Remote Code Execution CVE-2021-40444 - Compromised Windows Host + - APT37 Rustonotto and FadeStealer asset_type: Endpoint cve: - CVE-2021-40444 diff --git a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml index a40e4cd4ac..b6b8a1d809 100644 --- a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml +++ b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml @@ -1,7 +1,7 @@ name: Windows Office Product Spawned Child Process For Download id: f02b64b8-cbea-4f75-bf77-7a05111566b1 -version: 5 -date: '2025-06-26' +version: 6 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: TTP @@ -77,6 +77,7 @@ tags: - CVE-2023-36884 Office and Windows HTML RCE Vulnerability - PlugX - NjRAT + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1566.001 diff --git a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml index 8f3fedf71d..97a60bcb04 100644 --- a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml +++ b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml @@ -1,7 +1,7 @@ name: Windows Office Product Spawned Uncommon Process id: 55d8741c-fa32-4692-8109-410304961eb8 -version: 4 -date: '2025-05-02' +version: 5 +date: '2025-09-18' author: Michael Haag, Teoderick Contreras, Splunk status: production type: TTP 
@@ -97,6 +97,7 @@ tags: - Spearphishing Attachments - Trickbot - Warzone RAT + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1566.001 diff --git a/detections/endpoint/windows_process_executed_from_removable_media.yml b/detections/endpoint/windows_process_executed_from_removable_media.yml index f4397c5eca..e06a31f4e5 100644 --- a/detections/endpoint/windows_process_executed_from_removable_media.yml +++ b/detections/endpoint/windows_process_executed_from_removable_media.yml @@ -1,7 +1,7 @@ name: Windows Process Executed From Removable Media id: b483804a-4cc0-49a4-9f00-ac29ba844d08 -version: 5 -date: '2025-06-10' +version: 6 +date: '2025-09-18' author: Steven Dick status: production type: Anomaly @@ -88,6 +88,7 @@ rba: tags: analytic_story: - Data Protection + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1200 diff --git a/detections/endpoint/windows_process_execution_from_programdata.yml b/detections/endpoint/windows_process_execution_from_programdata.yml index d2597749ce..68faa930bc 100644 --- a/detections/endpoint/windows_process_execution_from_programdata.yml +++ b/detections/endpoint/windows_process_execution_from_programdata.yml @@ -1,7 +1,7 @@ name: Windows Process Execution From ProgramData id: 237016fa-d8e6-47b4-80f9-70c4d42c72c0 -version: '4' -date: '2025-05-06' +version: '5' +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -71,6 +71,7 @@ tags: - XWorm - Salt Typhoon - China-Nexus Threat Activity + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1036.005 diff --git a/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml b/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml index 04bd55f0a2..c4c46bd29a 100644 --- a/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml 
+++ b/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml @@ -1,7 +1,7 @@ name: Windows Process Injection into Commonly Abused Processes id: 1e1dedc6-f6f3-41a0-9dd7-a1245904fe75 -version: 3 -date: '2025-05-02' +version: 4 +date: '2025-09-18' author: 0xC0FFEEEE, Github Community type: Anomaly status: production @@ -71,6 +71,7 @@ tags: - BishopFox Sliver Adversary Emulation Framework - Earth Alux - SAP NetWeaver Exploitation + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1055.002 diff --git a/detections/endpoint/windows_process_injection_into_notepad.yml b/detections/endpoint/windows_process_injection_into_notepad.yml index e84f46ba9e..0c8460f12b 100644 --- a/detections/endpoint/windows_process_injection_into_notepad.yml +++ b/detections/endpoint/windows_process_injection_into_notepad.yml @@ -1,7 +1,7 @@ name: Windows Process Injection into Notepad id: b8340d0f-ba48-4391-bea7-9e793c5aae36 -version: 9 -date: '2025-05-02' +version: 10 +date: '2025-09-18' author: Michael Haag, Splunk type: Anomaly status: production @@ -64,6 +64,7 @@ tags: analytic_story: - BishopFox Sliver Adversary Emulation Framework - Earth Alux + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1055.002 diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml index 1de85f1bbf..6f35ec2683 100644 --- a/detections/endpoint/windows_replication_through_removable_media.yml +++ b/detections/endpoint/windows_replication_through_removable_media.yml @@ -1,7 +1,7 @@ name: Windows Replication Through Removable Media id: 60df805d-4605-41c8-bbba-57baa6a4eb97 -version: 11 -date: '2025-05-06' +version: 12 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: TTP @@ -66,6 +66,7 @@ tags: - Derusbi - Salt Typhoon - NjRAT + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1091 
diff --git a/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml b/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml index af7c1104ea..af01444771 100644 --- a/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml +++ b/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml @@ -1,7 +1,7 @@ name: Windows Scheduled Task with Suspicious Command id: 1f44c126-c26a-4dd3-83bb-0f9a0f03ecc3 -version: 4 -date: '2025-07-16' +version: 5 +date: '2025-09-18' author: Steven Dick status: production type: TTP @@ -79,6 +79,7 @@ tags: - Ryuk Ransomware - Windows Persistence Techniques - Seashell Blizzard + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1053.005 diff --git a/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml b/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml index 550f83c251..6d11687565 100644 --- a/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml +++ b/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml @@ -1,7 +1,7 @@ name: Windows Scheduled Task with Suspicious Name id: 9e9ab4e3-c9d0-4967-a197-6d755e8a7e6e -version: 3 -date: '2025-08-22' +version: 4 +date: '2025-09-18' author: Steven Dick status: production type: TTP @@ -78,6 +78,7 @@ tags: - Ransomware - Ryuk Ransomware - 0bj3ctivity Stealer + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1053.005 diff --git a/detections/endpoint/windows_screen_capture_in_temp_folder.yml b/detections/endpoint/windows_screen_capture_in_temp_folder.yml index 74130fb62a..ee9e9bee0c 100644 --- a/detections/endpoint/windows_screen_capture_in_temp_folder.yml +++ b/detections/endpoint/windows_screen_capture_in_temp_folder.yml 
@@ -1,7 +1,7 @@ name: Windows Screen Capture in TEMP folder id: 00524d1f-a032-46f5-9108-e7d9f01bfb3c -version: 5 -date: '2025-05-02' +version: 6 +date: '2025-09-18' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 11 @@ -57,6 +57,7 @@ tags: analytic_story: - Crypto Stealer - Braodo Stealer + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1113 diff --git a/detections/endpoint/windows_screen_capture_via_powershell.yml b/detections/endpoint/windows_screen_capture_via_powershell.yml index 0184331b21..aae7d42800 100644 --- a/detections/endpoint/windows_screen_capture_via_powershell.yml +++ b/detections/endpoint/windows_screen_capture_via_powershell.yml @@ -1,7 +1,7 @@ name: Windows Screen Capture Via Powershell id: 5e0b1936-8f99-4399-8ee2-9edc5b32e170 -version: 8 -date: '2025-06-24' +version: 9 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: TTP @@ -56,6 +56,7 @@ rba: threat_objects: [] tags: analytic_story: + - APT37 Rustonotto and FadeStealer - Winter Vivern - Water Gamayun asset_type: Endpoint diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml index 1e1ce48088..827f8d2065 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml @@ -1,7 +1,7 @@ name: Windows Service Created with Suspicious Service Path id: 429141be-8311-11eb-adb6-acde48001122 -version: 15 -date: '2025-05-02' +version: 16 +date: '2025-09-18' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP @@ -66,6 +66,7 @@ tags: - Clop Ransomware - Crypto Stealer - Brute Ratel C4 + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1569.002 
diff --git a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml index 33d88d0332..02172c4cbc 100644 --- a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml +++ b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml @@ -1,7 +1,7 @@ name: Windows Spearphishing Attachment Onenote Spawn Mshta id: 35aeb0e7-7de5-444a-ac45-24d6788796ec -version: 8 -date: '2025-05-02' +version: 9 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: TTP @@ -69,6 +69,7 @@ tags: - Spearphishing Attachments - Compromised Windows Host - AsyncRAT + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1566.001 diff --git a/detections/endpoint/windows_suspicious_driver_loaded_path.yml b/detections/endpoint/windows_suspicious_driver_loaded_path.yml index 96eed3d8a1..afccde3e2a 100644 --- a/detections/endpoint/windows_suspicious_driver_loaded_path.yml +++ b/detections/endpoint/windows_suspicious_driver_loaded_path.yml @@ -1,7 +1,7 @@ name: Windows Suspicious Driver Loaded Path id: 2ca1c4a1-8342-4750-9363-905650e0c933 -version: 4 -date: '2025-07-28' +version: 5 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: TTP @@ -58,6 +58,7 @@ tags: - BlackByte Ransomware - Snake Keylogger - Interlock Ransomware + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1543.003 diff --git a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml index bbf92809a5..24d1519215 100644 --- a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml +++ b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml 
@@ -1,7 +1,7 @@ name: Windows System Binary Proxy Execution Compiled HTML File Decompile id: 2acf0e19-4149-451c-a3f3-39cd3c77e37d -version: 10 -date: '2025-05-02' +version: 11 +date: '2025-09-18' author: Michael Haag, Splunk status: production type: TTP @@ -73,6 +73,7 @@ tags: - Suspicious Compiled HTML Activity - Living Off The Land - Compromised Windows Host + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1218.001 diff --git a/detections/endpoint/windows_usbstor_registry_key_modification.yml b/detections/endpoint/windows_usbstor_registry_key_modification.yml index ac81263fa6..11b5e05056 100644 --- a/detections/endpoint/windows_usbstor_registry_key_modification.yml +++ b/detections/endpoint/windows_usbstor_registry_key_modification.yml @@ -1,7 +1,7 @@ name: Windows USBSTOR Registry Key Modification id: a345980a-417d-4ed3-9fb4-cac30c9405a0 -version: 3 -date: '2025-05-02' +version: 4 +date: '2025-09-18' author: Steven Dick status: production type: Anomaly @@ -68,6 +68,7 @@ rba: tags: analytic_story: - Data Protection + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1200 diff --git a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml index de6c079f0e..31573d9fa1 100644 --- a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml +++ b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml @@ -1,7 +1,7 @@ name: Windows User Execution Malicious URL Shortcut File id: 5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc -version: 9 -date: '2025-07-16' +version: 10 +date: '2025-09-18' author: Teoderick Contreras, Nasreddine Bencherchali, Splunk status: production type: Anomaly @@ -64,6 +64,7 @@ tags: - NjRAT - Quasar RAT - Snake Keylogger + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1204.002 
diff --git a/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml b/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml index 72d48eaadd..f77db48d24 100644 --- a/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml +++ b/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml @@ -1,7 +1,7 @@ name: Windows WPDBusEnum Registry Key Modification id: 52b48e8b-eb6e-48b0-b8f1-73273f6b134e -version: 3 -date: '2025-05-02' +version: 4 +date: '2025-09-18' author: Steven Dick status: production type: Anomaly @@ -71,6 +71,7 @@ rba: tags: analytic_story: - Data Protection + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1200 diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml index cf27c1b60c..b945c0b5cb 100644 --- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml +++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml @@ -1,7 +1,7 @@ name: WinEvent Scheduled Task Created Within Public Path id: 5d9c6eee-988c-11eb-8253-acde48001122 -version: 18 -date: '2025-08-22' +version: 19 +date: '2025-09-18' author: Michael Haag, Splunk status: production type: TTP @@ -77,6 +77,7 @@ tags: - AsyncRAT - Windows Persistence Techniques - 0bj3ctivity Stealer + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1053.005 diff --git a/detections/web/multiple_archive_files_http_post_traffic.yml b/detections/web/multiple_archive_files_http_post_traffic.yml index 41e9630b9d..00393228a4 100644 --- a/detections/web/multiple_archive_files_http_post_traffic.yml +++ b/detections/web/multiple_archive_files_http_post_traffic.yml 
@@ -1,7 +1,7 @@ name: Multiple Archive Files Http Post Traffic id: 4477f3ea-a28f-11eb-b762-acde48001122 -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: TTP @@ -57,6 +57,7 @@ tags: analytic_story: - Data Exfiltration - Command And Control + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1048.003 diff --git a/detections/web/plain_http_post_exfiltrated_data.yml b/detections/web/plain_http_post_exfiltrated_data.yml index 0fbbd09cc3..cb9bafc47b 100644 --- a/detections/web/plain_http_post_exfiltrated_data.yml +++ b/detections/web/plain_http_post_exfiltrated_data.yml @@ -1,7 +1,7 @@ name: Plain HTTP POST Exfiltrated Data id: e2b36208-a364-11eb-8909-acde48001122 -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-09-18' author: Teoderick Contreras, Splunk status: production type: TTP @@ -52,6 +52,7 @@ tags: analytic_story: - Data Exfiltration - Command And Control + - APT37 Rustonotto and FadeStealer asset_type: Endpoint mitre_attack_id: - T1048.003 diff --git a/stories/apt37_rustonotto_and_fadestealer.yml b/stories/apt37_rustonotto_and_fadestealer.yml new file mode 100644 index 0000000000..bd41d6b184 --- /dev/null +++ b/stories/apt37_rustonotto_and_fadestealer.yml 
@@ -0,0 +1,18 @@ +name: APT37 Rustonotto and FadeStealer +id: c1dd540c-b8a0-4818-af92-7d53571fecb0 +version: 2 +status: production +date: '2025-09-18' +author: Michael Haag, Splunk +description: APT37 is a North Korean aligned threat actor that continues to evolve its Windows tradecraft by combining a Rust backdoor, a PowerShell stage, and a Python based loader to deploy the FadeStealer surveillance tool. Recent activity relies on spear phishing attachments that deliver Windows shortcut or compiled HTML Help files, which stage artifacts in ProgramData and establish persistence through scheduled tasks and Run key modifications. The campaign centralizes command and control on a single server and uses standard web protocols with Base64 and XOR encoding to move data and instructions. +narrative: The intrusion chain begins with phishing delivered archives that drop a Windows shortcut or CHM file to launch simple stagers. These stagers connect to a single C2 to fetch additional components and write them to ProgramData, where a task named MicrosoftUpdate and a Run entry are created for persistence. Rustonotto, a Rust compiled backdoor, provides basic command execution while a PowerShell variant known as Chinotto may be used interchangeably for early control. During hands on keyboard activity the actor retrieves a CAB archive and expands it on disk, then launches a legitimate Python module that side loads a compiled Python component internally named TransactedHollowing.py. This module reads a Base64 encoded and XOR encrypted payload from disk, decrypts it, and performs Process Doppelgänging via Windows Transactional NTFS to map the payload into a suspended legitimate process and pivot execution through thread context manipulation. Once resident, FadeStealer activates keylogging, screen capture, and device monitoring features and exfiltrates collected data as password protected RAR archives over HTTP to the same controller. 
The observed behaviors offer multiple opportunities for detection, including CHM and LNK execution, staging and expansion in ProgramData, scheduled task and Run key persistence, Python loader decode patterns, TxF backed section mapping, and RAR based exfiltration over web protocols. +references: +- https://www.zscaler.com/blogs/security-research/apt37-targets-windows-rust-backdoor-and-python-loader +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file
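Review bot: In the `rba` block of the new expand.exe detection (the hunk that ends with the `tests:` section, before `windows_file_download_via_powershell.yml`), the `user` risk object is declared as `- field: user` / `type: system`; the user object should be `type: user`, since the drilldowns already treat `$user$` and `$dest$` as two distinct risk objects. In the same hunk the only mapping is `mitre_attack_id: - T1105`, yet the true-positive test pulls `attack_techniques/T1140/atomic_red_team/expand_windows-sysmon.log`; add T1140 to the mapping or pick a dataset that exercises T1105 so the mapping and the test agree. The file also ends with two empty `+` lines; drop the trailing blank lines.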
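Review bot: In the `windows_process_execution_from_programdata.yml` hunk the version is bumped as a quoted string (`-version: '4'` / `+version: '5'`) while every other detection touched by this patch uses a bare integer (for example `+version: 13` in `bitsadmin_download_file.yml`); since the field is being rewritten anyway, change it to `version: 5` so the type is consistent across the repository.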
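Review bot: The story `stories/apt37_rustonotto_and_fadestealer.yml` is introduced as a new file (`new file mode 100644`) but starts at `version: 2`; a brand-new story should begin at `version: 1` unless the bump is deliberate, in which case say so in the commit. The narrative closes by listing Run key persistence and TxF backed section mapping among the detection opportunities, but none of the analytics tagged with `APT37 Rustonotto and FadeStealer` in the visible hunks covers a registry Run key modification or transactional section mapping; either tag matching analytics or trim that sentence to what the story actually maps. The file is also missing its final newline (`\ No newline at end of file`).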