North Korea-linked threat group APT37 has launched a sophisticated new campaign using a fresh set of custom malware tools specifically designed to reach computers that are not connected to the internet — a type of system long considered among the most secure in the world.
The campaign, dubbed Ruby Jumper, marks a sharp escalation in the group’s capabilities and reveals how state-backed hackers are finding clever ways around physical security measures that organizations depend on to protect their most sensitive data.
APT37, also tracked under the aliases ScarCruft, Ruby Sleet, and Velvet Chollima, is a well-known North Korean state-sponsored hacking group with a history of targeting government entities, defense organizations, and individuals tied to DPRK state interests.
For years, the group relied on a malware family called Chinotto to carry out espionage and data theft.
The Ruby Jumper campaign, however, introduces an entirely new toolkit — five previously undocumented malware components named RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE — each designed to play a specific role in a multi-stage attack chain that ultimately places surveillance tools on isolated, air-gapped machines.
Zscaler ThreatLabz analysts identified the campaign in December 2025, uncovering how the group had quietly built an infection chain capable of jumping across network boundaries that no internet connection can cross.
The attack begins deceptively simply — with a malicious Windows shortcut file (LNK) that, once opened by a victim, silently drops and executes a series of payloads in the background.
The decoy shown to the victim is a document about the Palestine-Israel conflict, translated from North Korean media into Arabic, suggesting the group’s targets include Arabic-speaking individuals with an interest in North Korean narratives — consistent with APT37’s known victimology.
The full attack chain flows from the initial LNK file through RESTLEAF as the first-stage downloader, onto SNAKEDROPPER for second-stage payload delivery, then to THUMBSBD and VIRUSTASK for bridging air-gapped hosts via removable media, and finally to BLUELIGHT and FOOTWINE for full surveillance.
The reach of this campaign is notable — once a removable drive such as a USB stick is used across both an internet-connected machine and an air-gapped machine, the malware has a pathway into systems that were never meant to touch the outside world.
Cloud services including Zoho WorkDrive, Microsoft OneDrive, Google Drive, and pCloud are abused as command-and-control (C2) infrastructure, making the malicious traffic blend in with ordinary business activity.
How THUMBSBD Bridges the Air Gap
The most technically striking component of the Ruby Jumper campaign is THUMBSBD, a backdoor that turns ordinary removable media into a covert two-way communication channel between internet-connected systems and isolated, air-gapped ones.
When a USB drive or similar device is connected to an infected internet-facing machine, THUMBSBD copies staged command files into a hidden $RECYCLE.BIN directory on the drive — a location that is invisible under default Windows Explorer settings.
When that same drive is then plugged into an air-gapped machine running the THUMBSBD implant, the malware reads those hidden files, decrypts them with a single-byte XOR key, and executes the operator’s commands — ranging from file exfiltration and system reconnaissance to arbitrary command execution.
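The write-up says the staged command files are protected with a single-byte XOR key but does not give its value. The following added triage helper (written for this article, not Zscaler's tooling or the malware's code) shows how an analyst who has pulled such a file from a drive can recover the key without knowing it: every one of the 256 possible keys is tried and the outputs are ranked by how much they look like text. The sample command file and the key 0x5A are constructed for the demonstration; the real file format is not described on the page.

```python
"""Triage a single-byte-XOR-encoded staged file of the kind THUMBSBD drops.

Added example (not Zscaler's code): brute-forces all 256 keys and ranks the
candidate plaintexts by a crude text-likeness score.
"""
from __future__ import annotations


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (encode and decode are the same operation)."""
    return bytes(b ^ key for b in data)


def text_score(data: bytes) -> int:
    """Reward bytes typical of a command script, punish control and high bytes."""
    score = 0
    for b in data:
        if 0x61 <= b <= 0x7A or b == 0x20:            # a-z and space: most common in commands
            score += 3
        elif 0x30 <= b <= 0x39 or 0x41 <= b <= 0x5A:  # digits and A-Z
            score += 1
        elif b in (0x09, 0x0A, 0x0D) or 0x21 <= b <= 0x7E:  # whitespace and printable punctuation
            score += 0
        else:                                          # control or non-ASCII byte: unlikely in a script
            score -= 10
    return score


def rank_keys(blob: bytes, top: int = 3) -> list[tuple[int, bytes]]:
    """Return the `top` (key, plaintext) pairs with the highest text score, best first."""
    ranked = sorted(((text_score(xor_bytes(blob, k)), k) for k in range(256)), reverse=True)
    return [(k, xor_bytes(blob, k)) for _, k in ranked[:top]]


# Constructed sample: a plausible operator command file, encoded with a constructed key.
# Neither the format nor the key comes from the Zscaler report.
SAMPLE_PLAINTEXT = b"cmd whoami /all\ncmd dir C:\\Users\nget C:\\Users\\Public\\notes.txt\n"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def recover(blob: bytes = SAMPLE_BLOB) -> tuple[int, bytes]:
    """Best-scoring key and the plaintext it yields."""
    return rank_keys(blob, top=1)[0]


if __name__ == "__main__":
    key, plaintext = recover()
    print(f"recovered key: 0x{key:02x}")
    print(plaintext.decode("ascii", errors="replace"))
```

The scoring is deliberately simple: a key that only flips letter case (the true key XOR 0x20) produces readable letters but turns every space and colon into a control byte, so it is penalised heavily and the true key wins. For a staged file that turns out to contain binary rather than text, the ranking still gives an analyst the few candidates worth inspecting in a hex viewer.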
Working alongside THUMBSBD is VIRUSTASK, which ensures the infection spreads further by replacing a victim’s legitimate files on the removable drive with malicious LNK shortcuts bearing the same filenames.
When an unsuspecting user on a new machine clicks what appears to be their own file, they unknowingly launch the malware’s Ruby-based execution environment, infecting the new host.
SNAKEDROPPER supports this by disguising a full Ruby 3.3.0 runtime environment as a USB speed utility called usbspeed.exe, and creating a scheduled task named rubyupdatecheck that runs every five minutes to maintain persistence.
The final payload, FOOTWINE, delivers surveillance capabilities including keylogging, audio capture, video capture, and full shell access over an encrypted C2 channel using a custom XOR-based key exchange protocol.
Security teams and organizations — especially those managing air-gapped environments — should take the following steps in response to this campaign:
- Restrict removable media use across all endpoints, especially on air-gapped or high-security systems, and enforce hardware-level controls where possible.
- Monitor for scheduled tasks with unusual names such as `rubyupdatecheck`, and audit all newly created scheduled tasks on endpoints.
- Audit cloud storage access from endpoints, as the campaign abuses Zoho WorkDrive, OneDrive, Google Drive, and pCloud for C2 communications.
- Inspect LNK files in email attachments and downloaded content, as APT37 consistently uses malicious shortcut files as the first point of entry.
- Hunt for indicators of compromise, including the file path `%PROGRAMDATA%\usbspeed`, the registry key `HKCU\SOFTWARE\Microsoft\TnGtp`, and hidden `$RECYCLE.BIN` or `$RECYCLE.BIN.USER` directories on removable drives.
- Monitor endpoint activity and physical access points to counter this threat, as recommended by ThreatLabz following its investigation.
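The two removable-media indicators in the list above (staged files under a hidden `$RECYCLE.BIN` or `$RECYCLE.BIN.USER` directory, and a user's files swapped for same-named LNK shortcuts by VIRUSTASK) can be checked with a short sweep of a drive root. The script below is an added example written for this article, not Zscaler's tooling. Two heuristics are assumptions of mine: a legitimate `$RECYCLE.BIN` holds only per-user `S-1-5-21-...` subfolders, so anything else at its top level is reported; and a shortcut named like `report.docx.lnk` is treated as a replaced document, since Explorer with extensions hidden displays it as `report.docx`. The sample drive layout is constructed so the sweep runs offline. Scheduled tasks and the registry key have to be checked on the host itself, for example with `schtasks /query` and `reg query`, which this script does not attempt.

```python
"""Sweep a removable-drive root for the Ruby Jumper media indicators.

Added example (not Zscaler's code). The SID-folder and double-extension
heuristics are assumptions labelled in the comments.
"""
from __future__ import annotations

import re
import stat
import tempfile
from pathlib import Path

RECYCLE_DIRS = ("$RECYCLE.BIN", "$RECYCLE.BIN.USER")
# Assumption: a legitimate $RECYCLE.BIN contains only per-user SID subfolders.
SID_DIR = re.compile(r"^S-1-5-21(-\d+){4}$")
# Constructed list of document/image extensions a replaced user file might carry.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".hwp", ".txt", ".jpg", ".png"}


def is_hidden(path: Path) -> bool:
    """True if the Windows hidden attribute is set; on other OSes fall back to a dot prefix."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def recycle_bin_anomalies(root: Path) -> list[str]:
    """Top-level entries under $RECYCLE.BIN* that are not per-user SID folders.

    THUMBSBD stages its command files in this directory, so a plain file (or a
    directory that is not S-1-5-21-...) at this level is worth pulling for triage.
    $RECYCLE.BIN.USER has no legitimate use, so its presence alone is reported.
    """
    findings: list[str] = []
    for name in RECYCLE_DIRS:
        rb = root / name
        if not rb.is_dir():
            continue
        if name == "$RECYCLE.BIN.USER":
            findings.append(f"{rb}: non-standard recycle-bin directory present (hidden={is_hidden(rb)})")
        for entry in rb.iterdir():
            if entry.is_dir() and SID_DIR.match(entry.name):
                continue  # assumed-normal per-user folder
            kind = "dir" if entry.is_dir() else "file"
            findings.append(f"{entry}: unexpected {kind} in {name}")
    return findings


def lnk_masquerades(root: Path) -> list[str]:
    """.lnk files whose stem still ends in a document extension (report.docx.lnk).

    VIRUSTASK replaces the victim's files with shortcuts under the same names;
    with extensions hidden, Explorer shows such a shortcut as 'report.docx'.
    """
    return [str(p) for p in root.rglob("*.lnk") if Path(p.stem).suffix.lower() in DOC_EXTS]


def sweep(root: str) -> dict[str, list[str]]:
    """Run both checks against a mounted drive root and return the findings by category."""
    r = Path(root)
    return {"recycle_bin": recycle_bin_anomalies(r), "lnk_masquerade": lnk_masquerades(r)}


def build_sample_drive() -> str:
    """Constructed sample layout (not a real capture) so the sweep can run offline."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "$RECYCLE.BIN" / "S-1-5-21-1111-2222-3333-1001").mkdir(parents=True)  # assumed-normal
    (root / "$RECYCLE.BIN" / "cmd.dat").write_bytes(b"\x39\x37\x3e\x60")           # constructed staged file
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.lnk").write_bytes(b"L\x00\x00\x00")  # constructed stand-in, not a real shortcut
    (root / "docs" / "budget.xlsx").write_bytes(b"untouched")
    (root / "tools.lnk").write_bytes(b"L\x00\x00\x00")                 # ordinary shortcut name, not flagged
    return str(root)


if __name__ == "__main__":
    for category, items in sweep(build_sample_drive()).items():
        print(category)
        for item in items:
            print("  ", item)
```

Run it against the mount point of a drive (for example `sweep("E:\\")` on Windows) before that drive is allowed into an isolated network; any flagged file should be copied off for the XOR triage described earlier rather than opened in place.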