Current Cyber Threats

APT37 Adds New Capabilities for Air-Gapped Networks

Summary:
In December 2025, Zscaler’s ThreatLabz identified a new cyberespionage campaign dubbed "Ruby Jumper," orchestrated by the DPRK-sponsored threat group, APT37 (AKA ScarCruft, Ruby Sleet, and Velvet Chollima). The campaign stands out due to its multi-stage infection chain that relies on a novel, self-contained Ruby execution environment and its specialized capability to bridge air-gapped networks. APT37 leverages malicious LNK files as the initial access vector, delivering a complex payload sequence that abuses legitimate cloud services for C2 communication. This campaign highlights APT37's continued focus on sophisticated surveillance, utilizing a suite of malware, including RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT, to target individuals aligned with North Korean media narratives, ultimately stealing sensitive data, conducting audio/video surveillance, and exfiltrating data across isolated physical environments.

Security Officer Comments:
The Ruby Jumper campaign uses a multi-stage attack chain designed to compromise targets quietly and to reach air-gapped systems through removable media. The chain begins when a victim executes a malicious LNK file. The LNK launches a PowerShell command that locates the LNK file in the current directory by its file size, then extracts several payloads embedded at fixed offsets within it, decoding the shellcode with a 1-byte XOR key.

During the initial compromise, the attack chain drops a decoy document (an article on the Palestine-Israel conflict translated from a North Korean newspaper into Arabic) alongside the initial in-memory payload, RESTLEAF. RESTLEAF is notable for using Zoho WorkDrive for its C2 communications: it exchanges hardcoded refresh token credentials (client_id, refresh_token, client_secret) for an access token. It uses process injection to execute a downloaded shellcode file and leaves timestamped beacon files in a folder named Second on the Zoho WorkDrive. The campaign heavily abuses legitimate web services (Zoho WorkDrive, Google Drive, Microsoft OneDrive) alongside dedicated C2 domains and IPs.

Following RESTLEAF, subsequent stages fetch and deploy additional specialized malware:
  • SNAKEDROPPER: This next-stage loader establishes persistence by installing a Ruby runtime environment. It creates a scheduled task (rubyupdatecheck) that executes every 5 minutes and hijacks the execution flow by replacing the legitimate operating_system.rb file. To evade detection, the Ruby interpreter is masqueraded as a utility named usbspeed.exe. SNAKEDROPPER subsequently drops THUMBSBD and VIRUSTASK.
  • THUMBSBD: A specialized backdoor built to operate on air-gapped systems. It uses removable media as a covert C2 channel to exfiltrate data and relay commands between internet-connected and isolated networks. It operates out of a hidden $RECYCLE.BIN directory, collecting system data and running recursive file system and process enumeration.
  • VIRUSTASK: The removable media propagation component. When a USB or removable drive is attached, VIRUSTASK infects it by replacing legitimate files with malicious LNK shortcuts bearing the same names. It hides artifacts by creating a hidden folder named $RECYCLE.BIN.USER on the removable media.
  • FOOTWINE: A surveillance-focused backdoor deployed later in the chain. Its capabilities include keylogging, screen capturing (via the dm command), and both audio and video/webcam capture (via the cm command). It encodes payloads with a random 32-byte XOR key.
  • BLUELIGHT: A secondary backdoor used for enumerating the file system (using the t command) and uploading collected data directly to cloud storage C2s.

Suggested Corrections:
  • Block Known Malicious Infrastructure: Immediately block outbound communication to the known C2 domains and the IP address 144.172.106[.]66:8080.
  • Monitor Endpoint Execution Activity: Implement EDR rules to detect anomalous PowerShell execution spawned by LNK files, specifically scripts that search for or carve out artifacts such as find.bat, search.dat, and viewer.dat.
  • Detect Masqueraded Binaries: Alert on unusual execution of binaries named usbspeed.exe, particularly if they exhibit characteristics or signatures of the Ruby interpreter (rubyw.exe).
  • Cloud Service Auditing: Monitor and restrict anomalous authentication or high-volume data transfers to Zoho WorkDrive and other cloud services if they are not standard in your environment. Look for the creation of directories named Second used as beacon signals.
  • Removable Media Restrictions: Disable USB auto-run and restrict removable media usage on critical endpoints to prevent the execution of THUMBSBD and the spread of VIRUSTASK. Inspect attached drives for hidden folders like $RECYCLE.BIN.USER.
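As an added example (not from the Zscaler report or this bulletin), the following Python applies the detection points above to a constructed batch of Sysmon-style process, network and file-create events. Field names, file paths, the sample command lines and the PE OriginalFileName values are assumptions; the indicator strings (usbspeed.exe, rubyupdatecheck, $RECYCLE.BIN.USER, the C2 IP:port and the carved file names) come from the bulletin.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (field names are assumed; not real telemetry from the campaign).
# EventID 1 = process create, 3 = network connect, 11 = file create.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "PowerShell.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "<constructed stub> ... viewer.dat ..."'},
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "rubyw.exe",
     "Image": r"C:\ProgramData\update\usbspeed.exe", "CommandLine": "usbspeed.exe operating_system.rb"},
    {"EventID": "3", "Image": r"C:\ProgramData\update\usbspeed.exe",
     "DestinationIp": "144.172.106.66", "DestinationPort": "8080"},
    {"EventID": "1", "ParentImage": r"C:\Users\u\AppData\Local\Temp\stage.exe", "OriginalFileName": "schtasks.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /create /sc minute /mo 5 /tn rubyupdatecheck /tr <constructed path>"},
    {"EventID": "11", "Image": r"C:\ProgramData\update\usbspeed.exe",
     "TargetFilename": r"E:\$RECYCLE.BIN.USER\report.lnk"},
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "NOTEPAD.EXE",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

CARVE_ARTIFACTS = re.compile(r"find\.bat|search\.dat|viewer\.dat", re.I)
RUBY_TASK = re.compile(r"/tn\s+rubyupdatecheck\b", re.I)
KNOWN_C2 = {("144.172.106.66", "8080")}          # published C2 IP:port from the bulletin
RUBY_PE_NAMES = {"ruby.exe", "rubyw.exe"}       # interpreter names expected in PE metadata (assumed)
HIDDEN_USB_DIR = "$recycle.bin.user"

def triage(events: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) for every event matching one of the bulletin's indicators."""
    hits: List[Tuple[str, int]] = []
    for i, e in enumerate(events):
        eid, img, cmd = e.get("EventID"), e.get("Image", "").lower(), e.get("CommandLine", "")
        if eid == "1":
            # PowerShell (typically spawned by explorer.exe on LNK launch) referencing the carved stage names
            if img.endswith("powershell.exe") and CARVE_ARTIFACTS.search(cmd):
                hits.append(("lnk_powershell_carver", i))
            # File name says usbspeed.exe but PE metadata says Ruby interpreter
            if img.endswith("usbspeed.exe") and e.get("OriginalFileName", "").lower() in RUBY_PE_NAMES:
                hits.append(("masqueraded_ruby", i))
            # SNAKEDROPPER persistence task
            if img.endswith("schtasks.exe") and RUBY_TASK.search(cmd):
                hits.append(("rubyupdatecheck_task", i))
        elif eid == "3" and (e.get("DestinationIp"), e.get("DestinationPort")) in KNOWN_C2:
            hits.append(("known_c2", i))
        elif eid == "11" and HIDDEN_USB_DIR in e.get("TargetFilename", "").lower():
            # VIRUSTASK staging directory on removable media
            hits.append(("hidden_usb_folder", i))
    return hits
```

Each rule is deliberately narrow; in production the OriginalFileName check should be backed by hash or signer data, and the C2 set kept in a feed rather than hardcoded.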

General Best Practices:
  • Monitor Physical Access Points: Tightly control and monitor physical access to endpoints, especially in environments handling highly sensitive or air-gapped data.
  • Strict Network Segmentation: Ensure air-gapped networks are heavily monitored for policy violations regarding data ingress/egress via physical media.
  • User Security Awareness Training: Educate personnel on the risks of opening unsolicited LNK files, even if they appear to be legitimate documents or media files related to current geopolitical events.
  • File Extension Visibility: Enforce policies that display file extensions by default to help users distinguish between legitimate documents and executable LNK shortcuts.

Link(s):
https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks