North Korea-linked APT37 used Zoho WorkDrive and USB malware to breach air-gapped networks in the Ruby Jumper campaign.

North Korean group ScarCruft (aka APT37, Reaper, and Group123) deployed new tools in a campaign dubbed Ruby Jumper, using a backdoor that leverages Zoho WorkDrive for C2 and a USB-based implant to breach air-gapped systems. Zscaler ThreatLabz discovered the campaign in December 2025; the attacks relied on multiple malware families to conduct surveillance and deliver additional payloads. The recent attacks begin with malicious LNK files and deploy multiple newly identified tools, including RESTLEAF and SNAKEDROPPER, to deliver backdoors such as FOOTWINE and BLUELIGHT for surveillance.

Zscaler ThreatLabz mapped the full “Ruby Jumper” attack chain used by North Korea’s APT37. The campaign starts with a malicious LNK file that runs PowerShell and extracts hidden payloads, ultimately loading a backdoor called RESTLEAF in memory. RESTLEAF abuses Zoho WorkDrive for command-and-control, authenticating with hardcoded tokens and downloading shellcode for execution via process injection. The shellcode deploys SNAKEDROPPER, which installs a rogue Ruby runtime disguised as a USB utility, establishes persistence, and drops additional components. Among them is THUMBSBD, a backdoor designed to bridge air-gapped networks using removable media. It collects system data, stages files for exfiltration, and uses hidden folders on USB drives to pass commands and stolen data between isolated systems.
“THUMBSBD collects system information including hardware diagnostics (dxdiag), running processes, network configuration (ipconfig /all), recursive file system enumeration (complete file tree), and connectivity status via ping tests and netstat,” reads the report published by Zscaler. “THUMBSBD employed several working directories to stage data for exfiltration and for executing backdoor commands. The directories ThreatLabz observed are listed in the table below.”

VIRUSTASK spreads the infection further by replacing files on USB drives with malicious shortcuts, infecting new machines when users click them. Later-stage payloads include FOOTWINE, a surveillance backdoor with keylogging and audio/video capture capabilities, and BLUELIGHT, which leverages cloud services for covert C2 communications.

“THUMBSBD also delivers BLUELIGHT, a previously documented backdoor which leverages several legitimate cloud providers, including Google Drive, Microsoft OneDrive, pCloud, and BackBlaze for its C2 communication,” continues the report. “BLUELIGHT’s backdoor functionalities include executing arbitrary commands, enumerating the file system, downloading additional payloads, uploading files, and self-removal.”

Together, the tools form a sophisticated toolkit for espionage and air-gap compromise. ThreatLabz attributes the Ruby Jumper campaign to APT37 with high confidence. The group’s use of LNK-based infection chains combining batch, PowerShell, and encrypted shellcode matches past activity. Previously linked malware like BLUELIGHT, its distinctive two-stage shellcode with custom API hashing, and reliance on cloud services for C2 all align with known tactics. The decoy content also fits APT37’s typical DPRK-focused targeting.

ScarCruft has been active since at least 2012; it made the headlines in early February 2018 when researchers revealed that the APT group leveraged a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users.
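The reconnaissance command set the report attributes to THUMBSBD (dxdiag, ipconfig /all, netstat, ping) lends itself to a simple host-side detection. The following is an added example and not code from the Zscaler report: it correlates constructed process-creation events (the file paths, PIDs and timestamps are invented) and flags any parent process that launches several of those commands within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not from the Zscaler report):
# "timestamp|parent_pid|parent_image|command_line", one event per line.
SAMPLE_EVENTS = """\
2026-02-10T09:00:01|4120|C:\\ProgramData\\usbtool\\ruby.exe|dxdiag /t C:\\Temp\\dx.txt
2026-02-10T09:00:03|4120|C:\\ProgramData\\usbtool\\ruby.exe|cmd.exe /c ipconfig /all
2026-02-10T09:00:04|4120|C:\\ProgramData\\usbtool\\ruby.exe|cmd.exe /c netstat -ano
2026-02-10T09:00:05|4120|C:\\ProgramData\\usbtool\\ruby.exe|ping -n 1 8.8.8.8
2026-02-10T09:30:00|5200|C:\\Windows\\explorer.exe|cmd.exe /c ipconfig /all
2026-02-10T11:00:00|5200|C:\\Windows\\explorer.exe|ping -n 4 10.0.0.1
"""

# Reconnaissance commands the report attributes to THUMBSBD; all needles must match.
RECON_MARKERS = {
    "dxdiag": ("dxdiag",),
    "ipconfig": ("ipconfig", "/all"),
    "netstat": ("netstat",),
    "ping": ("ping",),
}

def classify(cmdline):
    """Map a command line to a recon marker name, or None if it is not one."""
    low = cmdline.lower()
    for name, needles in RECON_MARKERS.items():
        if all(n in low for n in needles):
            return name
    return None

def find_recon_bursts(text, window=timedelta(minutes=5), min_distinct=3):
    """Return {parent_pid: (parent_image, [marker names])} for each parent that
    launched at least `min_distinct` distinct recon commands within `window`."""
    by_parent = defaultdict(list)          # (pid, image) -> [(timestamp, marker)]
    for line in text.splitlines():
        ts, ppid, image, cmd = line.split("|", 3)
        kind = classify(cmd)
        if kind:
            by_parent[(ppid, image)].append((datetime.fromisoformat(ts), kind))
    hits = {}
    for (ppid, image), items in by_parent.items():
        items.sort()                       # sliding window over time-ordered events
        for i, (start, _) in enumerate(items):
            kinds = {k for t, k in items[i:] if t - start <= window}
            if len(kinds) >= min_distinct:
                hits[ppid] = (image, sorted(kinds))
                break
    return hits
```

Running `find_recon_bursts(SAMPLE_EVENTS)` on the sample flags only the ruby.exe parent; the explorer.exe events are too few and too far apart to trigger.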
Kaspersky first documented the operations of the group in 2016. Cyber attacks conducted by the APT37 group mainly targeted government, defense, military, and media organizations in South Korea.

“The Ruby Jumper campaign involves a multi-stage infection chain that begins with a malicious LNK file and utilizes legitimate cloud services (like Zoho WorkDrive, Google Drive, Microsoft OneDrive, etc.) to deploy a novel, self-contained Ruby execution environment,” concludes the report. “Most critically, THUMBSBD and VIRUSTASK weaponize removable media to bypass network isolation and infect air-gapped systems. To maintain a strong security posture, the security community should focus on monitoring endpoint activity and physical access points to counter this threat and other campaigns led by APT37.”

Pierluigi Paganini
Published: 2026-03-02T12:38:26