splunk · MHaggis · Sep 18, 2025 · Sep 19, 2025
@@ -1,7 +1,7 @@
 name: Detect HTML Help Spawn Child Process
 id: 723716de-ee55-4cd4-9759-c44e7e55ba4b
-version: 11
-date: '2025-05-02'
+version: 12
+date: '2025-09-18'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -79,6 +79,7 @@ tags:
   - AgentTesla
   - Living Off The Land
   - Compromised Windows Host
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1218.001

@@ -1,7 +1,7 @@
 name: BITSAdmin Download File
 id: 80630ff4-8e4c-11eb-aab5-acde48001122
-version: 12
-date: '2025-07-29'
+version: 13
+date: '2025-09-18'
 author: Michael Haag, Sittikorn S
 status: production
 type: TTP
@@ -81,6 +81,7 @@ tags:
   - Flax Typhoon
   - Gozi Malware
   - Scattered Spider
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1197

@@ -1,7 +1,7 @@
 name: Cisco NVM - Suspicious Download From File Sharing Website
 id: 94ebc001-35e7-4ae8-9b0e-52766b2f99c7
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2025-09-18'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -97,6 +97,7 @@ rba:
       type: process_name
 tags:
   analytic_story:
+    - APT37 Rustonotto and FadeStealer
     - Cisco Network Visibility Module Analytics
   asset_type: Endpoint
   mitre_attack_id:

@@ -1,7 +1,7 @@
 name: Cobalt Strike Named Pipes
 id: 5876d429-0240-4709-8b93-ea8330b411b5
-version: 10
-date: '2025-08-04'
+version: 11
+date: '2025-09-18'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -90,6 +90,7 @@ tags:
   - Graceful Wipe Out Attack
   - LockBit Ransomware
   - Gozi Malware
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1055

@@ -1,7 +1,7 @@
 name: Detect HTML Help Renamed
 id: 62fed254-513b-460e-953d-79771493a9f3
-version: 11
-date: '2025-05-02'
+version: 12
+date: '2025-09-18'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -45,6 +45,7 @@ tags:
   analytic_story:
   - Suspicious Compiled HTML Activity
   - Living Off The Land
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1218.001

@@ -1,7 +1,7 @@
 name: Detect HTML Help URL in Command Line
 id: 8c5835b9-39d9-438b-817c-95f14c69a31e
-version: 12
-date: '2025-06-30'
+version: 13
+date: '2025-09-18'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -82,6 +82,7 @@ rba:
       type: process_name
 tags:
   analytic_story:
+    - APT37 Rustonotto and FadeStealer
     - Suspicious Compiled HTML Activity
     - Living Off The Land
     - Compromised Windows Host

@@ -1,7 +1,7 @@
 name: Detect HTML Help Using InfoTech Storage Handlers
 id: 0b2eefa5-5508-450d-b970-3dd2fb761aec
-version: 10
-date: '2025-05-02'
+version: 11
+date: '2025-09-18'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -76,6 +76,7 @@ tags:
   - Suspicious Compiled HTML Activity
   - Living Off The Land
   - Compromised Windows Host
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1218.001

@@ -1,7 +1,7 @@
 name: Detect mshta inline hta execution
 id: a0873b32-5b68-11eb-ae93-0242ac130002
-version: '17'
-date: '2025-05-06'
+version: '18'
+date: '2025-09-18'
 author: Bhavin Patel, Michael Haag, Splunk
 status: production
 type: TTP
@@ -80,6 +80,7 @@ tags:
   - Living Off The Land
   - Suspicious MSHTA Activity
   - XWorm
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1218.005

@@ -1,7 +1,7 @@
 name: Detect mshta renamed
 id: 8f45fcf0-5b68-11eb-ae93-0242ac130002
-version: 10
-date: '2025-05-02'
+version: 11
+date: '2025-09-18'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -43,6 +43,7 @@ tags:
   analytic_story:
   - Suspicious MSHTA Activity
   - Living Off The Land
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1218.005

@@ -1,7 +1,7 @@
 name: Detect MSHTA Url in Command Line
 id: 9b3af1e6-5b68-11eb-ae93-0242ac130002
-version: 14
-date: '2025-06-30'
+version: 15
+date: '2025-09-18'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -82,6 +82,7 @@ rba:
       type: process_name
 tags:
   analytic_story:
+    - APT37 Rustonotto and FadeStealer
     - Compromised Windows Host
     - Lumma Stealer
     - Living Off The Land

@@ -1,7 +1,7 @@
 name: Detect Outlook exe writing a zip file
 id: a51bfe1a-94f0-4822-b1e4-16ae10145893
-version: 13
-date: '2025-05-02'
+version: 14
+date: '2025-09-18'
 author: Bhavin Patel, Splunk
 status: experimental
 type: TTP
@@ -53,6 +53,7 @@ tags:
   - Remcos
   - PXA Stealer
   - Meduza Stealer
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1566.001

@@ -1,7 +1,7 @@
 name: Detect Rundll32 Inline HTA Execution
 id: 91c79f14-5b41-11eb-ae93-0242ac130002
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-09-18'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -68,6 +68,7 @@ tags:
   - Suspicious MSHTA Activity
   - NOBELIUM Group
   - Living Off The Land
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1218.005

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Temp Path
 id: e0422b71-2c05-4f32-8754-01fb415f49c9
-version: 15
-date: '2025-08-07'
+version: 16
+date: '2025-09-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -102,6 +102,7 @@ tags:
   - Amadey
   - IcedID
   - Interlock Rat
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1036

@@ -1,7 +1,7 @@
 name: IcedID Exfiltrated Archived File Creation
 id: 0db4da70-f14b-11eb-8043-acde48001122
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-09-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -33,6 +33,7 @@ references:
 tags:
   analytic_story:
   - IcedID
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1560.001

@@ -1,7 +1,7 @@
 name: LOLBAS With Network Traffic
 id: 2820f032-19eb-497e-8642-25b04a880359
-version: 11
-date: '2025-05-26'
+version: 12
+date: '2025-09-18'
 author: Steven Dick
 status: production
 type: TTP
@@ -74,6 +74,7 @@ tags:
   - Living Off The Land
   - Malicious Inno Setup Loader
   - Water Gamayun
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1105

@@ -1,7 +1,7 @@
 name: Malicious PowerShell Process - Execution Policy Bypass
 id: 9be56c82-b1cc-4318-87eb-d138afaaca39
-version: 15
-date: '2025-08-22'
+version: 16
+date: '2025-09-18'
 author: Rico Valdez, Mauricio Velazco, Splunk
 status: production
 type: Anomaly
@@ -76,6 +76,7 @@ tags:
   - XWorm
   - DarkCrystal RAT
   - 0bj3ctivity Stealer
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1059.001

@@ -1,7 +1,7 @@
 name: Mshta spawning Rundll32 OR Regsvr32 Process
 id: 4aa5d062-e893-11eb-9eb2-acde48001122
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-09-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -69,6 +69,7 @@ tags:
   - Trickbot
   - IcedID
   - Living Off The Land
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1218.005

@@ -1,7 +1,7 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
-version: 19
-date: '2025-08-22'
+version: 20
+date: '2025-09-18'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -83,6 +83,7 @@ tags:
   - Scattered Spider
   - Interlock Ransomware
   - 0bj3ctivity Stealer
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1059.001

@@ -1,7 +1,7 @@
 name: Powershell Fileless Script Contains Base64 Encoded Content
 id: 8acbc04c-c882-11eb-b060-acde48001122
-version: 12
-date: '2025-08-22'
+version: 13
+date: '2025-09-18'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -64,6 +64,7 @@ tags:
   - IcedID
   - XWorm
   - 0bj3ctivity Stealer
+  - APT37 Rustonotto and FadeStealer
   mitre_attack_id:
   - T1027
   - T1059.001

@@ -1,7 +1,7 @@
 name: Process Creating LNK file in Suspicious Location
 id: 5d814af1-1041-47b5-a9ac-d754e82e9a26
-version: 12
-date: '2025-05-02'
+version: 13
+date: '2025-09-18'
 author: Jose Hernandez, Michael Haag, Splunk
 status: production
 type: TTP
@@ -63,6 +63,7 @@ tags:
   - IcedID
   - Amadey
   - Gozi Malware
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1566.002

@@ -1,7 +1,7 @@
 name: Processes Tapping Keyboard Events
 id: 2a371608-331d-4034-ae2c-21dda8f1d0ec
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-09-18'
 author: Jose Hernandez, Splunk
 status: experimental
 type: TTP
@@ -38,6 +38,7 @@ rba:
 tags:
   analytic_story:
   - ColdRoot MacOS RAT
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   product:
   - Splunk Enterprise

@@ -1,7 +1,7 @@
 name: Recursive Delete of Directory In Batch CMD
 id: ba570b3a-d356-11eb-8358-acde48001122
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-09-18'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -64,6 +64,7 @@ rba:
 tags:
   analytic_story:
   - Ransomware
+  - APT37 Rustonotto and FadeStealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1070.004