APT37’s Ruby Jumper Malware Targets Air-Gapped Windows Networks with USB-Based Attacks

Executive Summary

In late 2025, the North Korean advanced persistent threat group APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima) was observed deploying a new, highly sophisticated malware campaign targeting air-gapped networks. This campaign, referred to as Ruby Jumper by Zscaler ThreatLabz, leverages a multi-stage infection chain and novel malware families to bridge the security gap between isolated, high-value environments and the internet. The attackers exploit removable media, such as USB drives, to propagate malware and exfiltrate sensitive data from networks that are physically separated from external connectivity. The campaign demonstrates a significant escalation in the technical capabilities of APT37, highlighting the urgent need for organizations with air-gapped assets to reassess their threat models and implement robust countermeasures.

Threat Actor Profile

APT37 is a North Korean state-sponsored cyber espionage group active since at least 2012. The group is known for targeting government, military, defense, and research organizations, particularly those with interests in the Korean peninsula. APT37 has a history of leveraging zero-day vulnerabilities, custom malware, and advanced social engineering to achieve its objectives. The group’s operations are closely aligned with the strategic interests of the Democratic People’s Republic of Korea (DPRK), focusing on intelligence gathering, surveillance, and data theft. APT37 is characterized by its rapid adoption of new techniques, including the abuse of cloud services for command and control (C2), and its willingness to target highly secure, air-gapped environments.

Technical Analysis of Malware/TTPs

The Ruby Jumper campaign employs a multi-stage infection chain, utilizing several custom malware components and advanced tactics, techniques, and procedures (TTPs) to compromise air-gapped networks.

The initial infection vector is a malicious Windows LNK (shortcut) file distributed via spear-phishing emails or compromised websites. These LNK files are often disguised as legitimate documents, such as North Korean news articles in Arabic, to lure targets into execution. Upon activation, the LNK file launches PowerShell, which extracts and executes an embedded payload.

The first-stage payload, RESTLEAF, is a lightweight implant that abuses Zoho WorkDrive as a C2 channel. This is the first documented case of APT37 leveraging Zoho WorkDrive for C2 communications. RESTLEAF downloads additional shellcode payloads and signals infection status to the attackers via unique beacon files.

The next stage involves SNAKEDROPPER, which installs a full Ruby 3.3.0 runtime on the compromised host, masquerading as a USB utility named usbspeed.exe. SNAKEDROPPER establishes persistence through scheduled tasks (notably rubyupdatecheck) and drops further Ruby-based modules containing shellcode for subsequent payloads.

The core of the campaign’s air-gap bridging capability lies in the THUMBSBD and VIRUSTASK modules. THUMBSBD is a backdoor specifically designed for air-gapped environments. It uses removable media as a covert C2 relay, collecting system information, executing attacker commands, and staging data for exfiltration. Data and commands are stored in hidden directories (such as $RECYCLE.BIN) on USB drives, which are then physically transferred between isolated and internet-connected systems.

VIRUSTASK propagates the malware by replacing legitimate files on USB drives with malicious LNK files, ensuring that the infection spreads to new hosts when the drive is inserted elsewhere. It also uses hidden folders (e.g., $RECYCLE.BIN.USER) to store payloads and maintain stealth.

For advanced surveillance and data theft, the campaign deploys FOOTWINE and BLUELIGHT backdoors. FOOTWINE is delivered as foot.apk (despite the .apk extension, it is a Windows payload) and supports keylogging, screenshot capture, audio and video recording, and encrypted C2 over TCP. BLUELIGHT leverages popular cloud storage services, including Google Drive, OneDrive, pCloud, and BackBlaze, for C2 communications, file uploads/downloads, and self-removal.

The malware employs multiple evasion techniques, including XOR encryption of payloads, process injection, reflective code loading, and masquerading as legitimate system files. The use of scheduled tasks, hidden directories, and file replacement further complicates detection and remediation.

Exploitation in the Wild

The Ruby Jumper campaign has been observed targeting individuals and organizations with interests in North Korean affairs, government agencies, and entities operating air-gapped networks. The attackers rely on social engineering to deliver the initial LNK payload, often using decoy documents relevant to the target’s interests. Once a system is compromised, the malware chain is executed, and the infection propagates via USB drives.

The campaign’s C2 infrastructure is highly resilient, leveraging both legitimate cloud services (such as Zoho WorkDrive, Google Drive, and OneDrive) and custom domains (e.g., philion.store, homeatedke.store, hightkdhe.store). This hybrid approach enables the attackers to maintain control over infected hosts, even in environments with strict network segmentation.

Notably, the campaign does not exploit any specific software vulnerabilities or CVEs. Instead, it abuses standard Windows features (LNK files, PowerShell, scheduled tasks) and user behavior (USB drive usage) to achieve its objectives. This makes the attack chain broadly applicable to any organization using Windows systems and removable media.

Victimology and Targeting

APT37’s targeting aligns with DPRK state interests, focusing on government, military, research, and critical infrastructure sectors. The group has a particular interest in entities and individuals involved in North Korean affairs, including those consuming North Korean media or participating in diplomatic, defense, or policy-related activities.

The campaign’s use of decoy documents in Arabic suggests a focus on Middle Eastern targets, possibly to gather intelligence on regional perspectives regarding North Korea. However, the technical approach is generic enough to be repurposed for other regions and sectors.

Victims are typically high-value organizations with air-gapped assets, such as government agencies, defense contractors, research institutions, and critical infrastructure operators. The use of USB drives as a propagation vector indicates a deliberate attempt to breach environments that are otherwise isolated from external threats.

Mitigation and Countermeasures

Given the sophistication and adaptability of the Ruby Jumper campaign, organizations must adopt a multi-layered defense strategy to mitigate the risk of compromise.

Endpoint monitoring should be enhanced to detect the indicators of compromise (IOCs) described above, including suspicious LNK files, the installation of a Ruby 3.3.0 runtime (particularly one masquerading as usbspeed.exe), and the creation of scheduled tasks named rubyupdatecheck. Security teams should audit and restrict the use of removable media in sensitive environments, implementing strict policies for USB drive usage, scanning, and approval.

Network monitoring should focus on detecting unusual access to cloud storage services such as Zoho WorkDrive, Google Drive, OneDrive, and pCloud from endpoints, especially from hosts or processes that have no business need for such services. Any anomalous outbound connection to the C2 domains identified above, or to other infrastructure published in the referenced reports, should be investigated immediately.
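As an added defender-side example (not code from the report or from Zscaler's analysis), the following Python triage covers both the endpoint indicators from the technical analysis above (the usbspeed.exe masquerade, the rubyupdatecheck task, the $RECYCLE.BIN and $RECYCLE.BIN.USER staging folders on USB media, foot.apk) and the cloud-storage and C2 connections discussed in this paragraph, run over constructed Sysmon-style events. The cloud hostnames, the browser allowlist and the drive-letter heuristic for removable media are assumptions to adapt to your own telemetry.

```python
# Added example (not from the report or from Zscaler's analysis): rule-based triage of
# constructed Sysmon-style events for the Ruby Jumper indicators named in the text.
import re
TASK_NAME = "rubyupdatecheck"                        # SNAKEDROPPER persistence task
SUSPECT_FILES = {"usbspeed.exe", "foot.apk"}          # masqueraded Ruby runtime, FOOTWINE payload
C2_DOMAINS = ("philion.store", "homeatedke.store", "hightkdhe.store")
# Assumed hostnames for the cloud services the report lists; adjust to what your proxy logs show.
CLOUD_SERVICES = ("workdrive.zoho.com", "drive.google.com", "onedrive.live.com", "pcloud.com", "backblaze.com")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumption: the only expected cloud clients
REMOVABLE = re.compile(r"^[D-Z]:\\")                  # assumption: USB volumes get a non-system letter

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def check(event):  # return the rule names one event matches (empty list if nothing fires)
    hits, kind = [], event["type"]
    if kind == "process" and _basename(event["image"]) in SUSPECT_FILES:
        hits.append("masqueraded_ruby_runtime")
    elif kind == "task_create" and event["task"].strip("\\").lower() == TASK_NAME:
        hits.append("persistence_task_rubyupdatecheck")
    elif kind == "file_create":
        parts = [p.upper() for p in event["path"].split("\\")]
        if "$RECYCLE.BIN.USER" in parts:
            hits.append("hidden_usb_staging_dir")         # VIRUSTASK payload folder
        if REMOVABLE.match(event["path"]) and "$RECYCLE.BIN" in parts and parts[-1].endswith(".LNK"):
            hits.append("lnk_staged_in_usb_recycle_bin")  # THUMBSBD relay / LNK replacement
        if _basename(event["path"]) in SUSPECT_FILES:
            hits.append("suspect_payload_file")
    elif kind == "network":
        host, image = event["dest_host"].lower(), _basename(event["image"])
        if _in_domains(host, C2_DOMAINS):
            hits.append("known_c2_domain")
        elif _in_domains(host, CLOUD_SERVICES) and image not in BROWSERS:
            hits.append("cloud_storage_from_non_browser")  # RESTLEAF / BLUELIGHT channel
    return hits

def triage(events):  # map the id of every matching event to the rules it fired
    return {e["id"]: h for e in events if (h := check(e))}

SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    {"id": 1, "type": "process", "image": r"C:\Users\Public\usbspeed.exe"},
    {"id": 2, "type": "task_create", "task": r"\rubyupdatecheck"},
    {"id": 3, "type": "file_create", "path": r"E:\$RECYCLE.BIN.USER\foot.apk"},
    {"id": 4, "type": "file_create", "path": r"E:\$RECYCLE.BIN\Report.docx.lnk"},
    {"id": 5, "type": "network", "image": r"C:\Users\Public\usbspeed.exe", "dest_host": "workdrive.zoho.com"},
    {"id": 6, "type": "network", "image": r"C:\Program Files\Google\Chrome\chrome.exe", "dest_host": "drive.google.com"},
    {"id": 7, "type": "network", "image": r"C:\Windows\System32\svchost.exe", "dest_host": "cdn.philion.store"},
]
```

Event 6 (a browser reaching Google Drive) deliberately fires nothing, which is the tuning point: the cloud rule only has value once the expected clients for those services are enumerated.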

User awareness training is critical, emphasizing the risks associated with opening unsolicited attachments, executing unknown LNK files, and using personal or unapproved USB drives on secure systems.

Organizations should implement technical controls to disable or restrict the execution of PowerShell scripts and LNK files from removable media. Application whitelisting, endpoint detection and response (EDR) solutions, and regular system audits can further reduce the attack surface.

Incident response plans should be updated to include procedures for investigating and remediating malware infections propagated via removable media, with particular attention to air-gapped environments.

References

Zscaler ThreatLabz: APT37 Adds New Capabilities for Air-Gapped Networks – https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks

BleepingComputer: APT37 hackers use new malware to breach air-gapped networks – https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/

MITRE ATT&CK: APT37 (ScarCruft) – https://attack.mitre.org/groups/G0067/

Security Affairs Newsletter – https://securityaffairs.com/188669/security/security-affairs-newsletter-round-565-by-pierluigi-paganini-international-edition.html

The Cyber Security Hub on X – https://x.com/TheCyberSecHub/status/2027464161970819401

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify emerging threats and strengthen their cyber resilience. For more information or to discuss how Rescana can support your organization’s security posture, we are happy to answer questions at ops@rescana.com.