ScarCruft Exploits Zoho WorkDrive and USB Malware to Compromise Air-Gapped Government and Defense Networks

Executive Summary

The North Korean state-sponsored threat actor ScarCruft (also known as APT37) has recently executed a highly sophisticated cyber-espionage campaign that leverages both cloud-based and removable media vectors to compromise even the most isolated, air-gapped networks. This campaign, tracked as Ruby Jumper, is notable for its abuse of Zoho WorkDrive as a command-and-control (C2) channel and the deployment of advanced USB malware to bridge the gap between internet-connected and physically isolated systems. The operation demonstrates a significant escalation in threat actor capabilities, combining multi-stage payload delivery, process injection, and covert data exfiltration techniques. Organizations in government, defense, and critical infrastructure sectors are particularly at risk, especially those relying on air-gapped environments for sensitive operations.

Threat Actor Profile

ScarCruft (APT37) is a well-documented North Korean advanced persistent threat group, active since at least 2012. The group is known for targeting South Korean government agencies, defense contractors, and organizations with strategic value to the Democratic People’s Republic of Korea (DPRK). ScarCruft specializes in cyber-espionage, information theft, and surveillance, often employing custom malware, zero-day exploits, and sophisticated social engineering. The group’s operations are characterized by rapid adaptation to new technologies and the creative abuse of legitimate cloud services for stealthy C2 communications. In the Ruby Jumper campaign, ScarCruft has demonstrated an unprecedented ability to compromise air-gapped networks, a feat that requires both technical sophistication and operational discipline.

Technical Analysis of Malware/TTPs

The Ruby Jumper campaign employs a multi-stage infection chain, beginning with spear-phishing emails containing malicious .LNK (Windows shortcut) files. When a victim opens the .LNK file, an embedded PowerShell command runs; it locates the .LNK file on disk by matching its file size and then carves several payloads that are embedded in the shortcut itself. These include a decoy document (often themed around current geopolitical events), an executable payload, an additional PowerShell script, and a batch file.

The batch file launches PowerShell, which decrypts and loads shellcode directly into memory, minimizing disk artifacts. The primary payload, RESTLEAF, is a backdoor that authenticates to Zoho WorkDrive using a valid access token. This abuse of Zoho WorkDrive is particularly insidious, as it leverages a legitimate cloud storage service for C2, making detection by traditional network security tools challenging. RESTLEAF downloads additional shellcode for process injection and deploys a secondary dropper, SNAKEDROPPER.

SNAKEDROPPER installs a Ruby runtime environment (disguised as a benign utility) and establishes persistence via a scheduled task. It then drops two critical components: THUMBSBD and VIRUSTASK. THUMBSBD is a USB-resident malware, masquerading as a Ruby script, which uses removable media to relay commands and exfiltrate data between internet-connected and air-gapped systems. It creates hidden folders on USB drives to stage commands and store output, and is capable of system information harvesting, downloading secondary payloads, file exfiltration, and arbitrary command execution.

VIRUSTASK is another Ruby-based component focused on propagating the infection via USB drives. It replaces legitimate files on the USB with malicious .LNK shortcuts, ensuring the malware spreads to any system the drive is connected to, including air-gapped machines.

Once inside an air-gapped environment, THUMBSBD can deliver additional payloads such as FOOTWINE and BLUELIGHT. FOOTWINE is a surveillance tool with keylogging, audio/video capture, and a custom TCP-based C2 protocol. It supports a wide range of commands, including interactive shell access, file manipulation, registry modification, process enumeration, screenshot and keystroke capture, audio/video surveillance, batch script execution, proxy setup, and DLL loading. BLUELIGHT is a cloud backdoor that uses services like Google Drive, OneDrive, pCloud, and BackBlaze for C2, enabling arbitrary command execution, file system enumeration, payload download/upload, and self-removal.

The campaign’s technical sophistication is further evidenced by its use of process injection, reflective code loading, obfuscated files, and the hijacking of execution flow. The malware is modular, allowing ScarCruft to update or swap components as needed, and its reliance on legitimate cloud services and removable media makes detection and remediation particularly challenging.

Exploitation in the Wild

ScarCruft has been observed actively deploying the Ruby Jumper campaign against organizations with high-value, air-gapped environments. The infection chain begins with targeted phishing emails, often containing decoy documents related to current events to increase the likelihood of user interaction. Once the initial payload is executed, the malware establishes persistence and begins lateral movement, using USB drives as a bridge to air-gapped systems.

The use of Zoho WorkDrive for C2 is a novel tactic, allowing the threat actor to blend malicious traffic with legitimate business operations. The campaign also leverages other cloud storage providers, including Google Drive, OneDrive, pCloud, and BackBlaze, for payload delivery and data exfiltration. The modular nature of the malware allows ScarCruft to tailor its operations to the specific environment, deploying surveillance tools and backdoors as needed.

Victims have reported the creation of hidden folders on USB drives, the installation of unexpected Ruby runtimes, and the appearance of scheduled tasks related to the malware. Network traffic analysis has revealed connections to known C2 domains and IP addresses associated with ScarCruft infrastructure, as well as unusual data flows to cloud storage services.

Victimology and Targeting

The primary targets of the Ruby Jumper campaign are organizations with sensitive, air-gapped environments, including government agencies, defense contractors, and critical infrastructure providers. The campaign has been observed targeting entities in South Korea and other countries aligned with DPRK state interests. The use of decoy documents themed around current geopolitical events suggests a focus on organizations involved in international relations, security policy, and defense.

ScarCruft is known for its ability to rapidly adapt its targeting and tactics based on the operational environment. In this campaign, the group has demonstrated a clear understanding of the challenges associated with breaching air-gapped networks and has developed custom tooling to overcome these barriers. The use of USB malware to bridge the gap between internet-connected and isolated systems is particularly concerning, as it enables the exfiltration of sensitive data from environments previously considered secure.

Mitigation and Countermeasures

To defend against the Ruby Jumper campaign and similar threats, organizations should implement a multi-layered security strategy. Monitoring for unusual PowerShell activity, especially originating from .LNK files, is critical. Access to cloud storage services such as Zoho WorkDrive, Google Drive, OneDrive, pCloud, and BackBlaze should be audited and restricted in sensitive environments. The use of removable media should be tightly controlled or blocked entirely in air-gapped or high-security networks.
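One way to put that PowerShell monitoring into practice, added here as an example and not taken from the original report or any vendor tooling: a small rule set over Sysmon Event ID 1 (process creation) fields that flags PowerShell launched the way the .LNK and batch-file stages described above would launch it. The rule heuristics and the sample events are assumptions constructed for this example, not signatures from the report.

```python
"""Flag PowerShell launches consistent with a .LNK -> PowerShell -> batch chain.

Events use Sysmon Event ID 1 field names; the rules are heuristics assumed for
this example and need baselining (users also start PowerShell from explorer)."""

def is_suspicious_powershell(ev: dict) -> tuple:
    """Return (flagged, reason) for one process-creation event."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    pcmd = ev.get("ParentCommandLine", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return False, ""
    if parent.endswith("explorer.exe"):
        # A double-clicked shortcut runs its target as a child of the shell
        return True, "powershell spawned by explorer.exe (shortcut launch)"
    if ".lnk" in cmd:
        return True, "powershell command line references a .lnk file"
    if parent.endswith("cmd.exe") and ".bat" in pcmd:
        # Batch-file stage: cmd.exe running a .bat that starts PowerShell
        return True, "powershell launched from a batch file"
    return False, ""

def scan_events(events) -> list:
    """Run the rules over parsed events; return [(ProcessId, reason), ...]."""
    hits = []
    for ev in events:
        flagged, why = is_suspicious_powershell(ev)
        if flagged:
            hits.append((ev["ProcessId"], why))
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -c <payload>",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
    {"ProcessId": 4120, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -w hidden -f stage2.ps1",
     "ParentCommandLine": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\run.bat"},
    {"ProcessId": 4130, "Image": PS, "ParentImage": r"C:\Program Files\Code\Code.exe",
     "CommandLine": "powershell.exe -NoLogo", "ParentCommandLine": "Code.exe"},
    {"ProcessId": 4140, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
]

if __name__ == "__main__":
    for pid, why in scan_events(SAMPLE_EVENTS):
        print(pid, why)
```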

Endpoint monitoring should include detection of Ruby runtime installations and the creation of suspicious scheduled tasks. USB drives should be regularly inspected for hidden folders and unfamiliar files, and users should be educated about the risks associated with opening unsolicited .LNK files or connecting unknown USB devices.
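A simple audit implementing that USB inspection, added here as an example and not part of the original report or of any vendor tooling. It walks a mounted removable drive and reports hidden folders (the staging behaviour attributed to THUMBSBD above) and .LNK shortcuts, singling out shortcuts that carry a document extension in their name (the file-replacement behaviour attributed to VIRUSTASK). The report does not give the folder or shortcut names, so the hidden-name and double-extension heuristics and the sample drive layout are assumptions.

```python
"""Audit a removable drive for hidden staging folders and document-shaped .LNK files."""
import os
import stat
import tempfile
from pathlib import Path

# Extensions a replaced document might carry in front of ".lnk" (assumed list)
DOC_EXTS = {".doc", ".docx", ".hwp", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}

def is_hidden(path: Path) -> bool:
    """Dot-prefixed names (any OS) or the Windows HIDDEN attribute."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)  # present on Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))

def audit_removable_drive(root) -> dict:
    """Walk the drive; return drive-relative paths grouped by finding type."""
    root = Path(root)
    out = {"hidden_dirs": [], "lnk_files": [], "double_ext_lnk": []}
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        for name in dirnames:
            if is_hidden(here / name):
                out["hidden_dirs"].append((here / name).relative_to(root).as_posix())
        for name in filenames:
            if not name.lower().endswith(".lnk"):
                continue
            rel = (here / name).relative_to(root).as_posix()
            out["lnk_files"].append(rel)  # shortcuts rarely belong on a data stick
            # "briefing.docx.lnk": a shortcut wearing a document's name
            if Path(name[:-4]).suffix.lower() in DOC_EXTS:
                out["double_ext_lnk"].append(rel)
    return out

def build_constructed_sample() -> str:
    """Constructed sample drive layout (not a real capture) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "budget.xlsx").write_bytes(b"x")            # legitimate file
    (root / "briefing.docx.lnk").write_bytes(b"L")      # document replaced by a shortcut
    (root / "photos").mkdir()
    (root / "photos" / "trip.lnk").write_bytes(b"L")    # plain shortcut
    (root / ".staging" / "out").mkdir(parents=True)     # hidden folder holding output
    return str(root)

if __name__ == "__main__":
    for kind, paths in audit_removable_drive(build_constructed_sample()).items():
        print(kind, paths)
```

On a live drive, pass the mount point (for example `E:\`) instead of the constructed sample; the Windows hidden attribute is honoured when the script runs there.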

Network traffic should be analyzed for connections to known C2 infrastructure and for anomalous data flows to cloud storage providers. Security teams should hunt for indicators of compromise, including the presence of RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT components, as well as behavioral indicators such as process injection and reflective code loading.

Organizations are encouraged to leverage threat intelligence platforms and third-party risk management solutions to stay informed about emerging threats and to automate the detection and response process wherever possible.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help protect your organization, we are happy to answer questions at ops@rescana.com.