In late 2025, researchers at Zscaler ThreatLabz uncovered a new wave of activity attributed to APT37, a North Korean state-aligned threat group also tracked as ScarCruft, Reaper, Ruby Sleet and Ricochet Chollima. The campaign, which Zscaler calls Ruby Jumper, shows an evolved toolset that lets the actor route command and control through a legitimate cloud service and reach systems that are kept off the network entirely, including air-gapped ones.
Background: Who is APT37?
Advanced Persistent Threat (APT) 37 is a well-documented DPRK-sponsored cyber espionage group active since at least 2012. Its operations have historically focused on intelligence gathering and surveillance against government, defense and high-value industry targets in East Asia and beyond.
The Ruby Jumper campaign represents both a continuation of their espionage missions and an expansion into novel persistence and propagation vectors that challenge traditional network isolation measures.
Campaign Overview
At its core, the Ruby Jumper campaign uses malicious Windows shortcut (LNK) files to gain execution. When a victim opens one of these shortcuts, it starts a multi-stage infection chain built around a set of bespoke tools that ultimately provide:
- Remote command and control (C2)
- Deployment of surveillance backdoors
- Propagation across air-gapped systems via removable media
The threat actors make creative use of both cloud services and local devices to move malware and commands between networks that are otherwise physically isolated.
Attack Flow & Key Components
1. Initial Access: Malicious LNK Files
The entry point for Ruby Jumper is a shortcut (.LNK) file crafted to look like a harmless document but carrying embedded data. When the victim opens it, the shortcut's command line does the following:
- It launches PowerShell.
- The PowerShell script reads the LNK file itself and extracts several components from it at hard-coded byte offsets: a decoy document, a shellcode payload and staging scripts.
- A Windows batch file and a second PowerShell script then stage the payload for execution.
The first implant dropped this way is RESTLEAF, which is responsible for establishing communications with the command infrastructure and fetching secondary components.
2. Command and Control via Cloud
A distinguishing feature of this campaign is RESTLEAF's use of Zoho WorkDrive, a legitimate cloud file-sharing service, as its communications channel. By abusing legitimate infrastructure:
- The malware fetches additional payloads (such as SNAKEDROPPER) from the drive.
- It beacons back to the drive to signal a successful infection and to maintain the control loop.
Abusing a trusted SaaS platform in this way (sometimes called living off trusted sites, as distinct from living off the land with built-in tools such as PowerShell) complicates detection: the C2 traffic is ordinary HTTPS to a reputable domain, so domain reputation and proxy categorisation offer little, and defenders have to look instead at which hosts and processes are talking to the service and whether they have a business reason to.
3. Secondary Loaders & Runtime Environments
Once RESTLEAF establishes a foothold:
- SNAKEDROPPER installs a Ruby runtime on the host and sets up persistence.
- This loader subsequently deploys two specialised modules:
  - THUMBSBD, a backdoor that relays commands between systems using removable media
  - VIRUSTASK, a propagation agent that seeds removable storage with malicious LNKs in place of legitimate files
4. Payloads & Post-Exploitation
As the chain progresses, additional backdoors like FOOTWINE and BLUELIGHT are delivered. These payloads provide:
- Keylogging
- Audio and video capture
- Persistent surveillance
These capabilities underscore the focus on long-term monitoring of compromised systems.
Air-Gap Evasion via Removable Media
Perhaps the most significant evolution in this campaign is its ability to cross air gaps.
Air-gapped systems (those with no network connection at all) are often treated as safe purely by virtue of that isolation. Ruby Jumper uses removable media as the bridge:
- THUMBSBD reads tasking from, and writes results to, USB or other removable storage, so a drive carried between an internet-connected host and an isolated one completes a slow command loop in each direction.
- VIRUSTASK ensures that the next system the drive is plugged into also becomes infected. Windows does not auto-execute shortcuts from removable drives, so this step relies on a user opening one of the planted lookalike shortcuts, which is why they impersonate the files they replaced.
This method effectively turns ordinary USB sticks into an in-field distribution network, allowing the attacker to reach otherwise protected machines, a significant concern for sensitive environments that rely on physical network isolation.
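As an added example (not Zscaler's tooling and not code from the campaign), the Python script below parses a shortcut file far enough to locate any bytes appended after the documented MS-SHLLINK structure, which is where a carrier LNK of the kind described under initial access keeps the data its command line carves out at fixed offsets, and then walks a mounted volume such as a removable drive looking for what the propagation stage leaves behind: shortcuts that launch a script host, carry an appended payload, wear a document-style double extension, or sit next to a real file of the same name. The fixture it builds in a temporary directory, the file names and the PowerShell command line are constructed for the example; the indicator strings and extension list are assumptions to tune for your environment.

```python
import os
import struct
import tempfile
from dataclasses import dataclass, field

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08  # LinkFlags bits
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80        # (MS-SHLLINK 2.1.1)
STRING_FIELDS = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)
# Assumed indicators: script hosts a "document" shortcut never needs, and extensions Explorer shows once it hides ".lnk"
LAUNCHER_MARKERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg")


@dataclass
class LnkReport:
    string_data: str        # every StringData field joined: target path, arguments, icon path, ...
    overlay_offset: int     # first byte after the documented structure
    overlay_size: int       # bytes appended beyond it; 0 for a normal shortcut
    reasons: list = field(default_factory=list)   # empty means nothing suspicious


def parse_lnk(data: bytes) -> LnkReport:
    """Walk header, IDList, LinkInfo, StringData and ExtraData; whatever follows is overlay."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE) or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, parts = LNK_HEADER_SIZE, []
    try:
        if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) then the IDList
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINK_INFO:                # LinkInfoSize (4 bytes) counts itself
            pos += struct.unpack_from("<I", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1
        for flag in STRING_FIELDS:               # CountCharacters, then the unterminated string
            if flags & flag:
                end = pos + 2 + struct.unpack_from("<H", data, pos)[0] * width
                if end > len(data):
                    raise ValueError("truncated StringData")
                parts.append(data[pos + 2:end].decode("utf-16-le" if width == 2 else "cp1252", errors="replace"))
                pos = end
        size = 4
        while size >= 4 and pos + 4 <= len(data):  # ExtraData ends with a block whose BlockSize < 4
            size = struct.unpack_from("<I", data, pos)[0]
            pos += max(size, 4)
    except struct.error as exc:
        raise ValueError("truncated shortcut structure") from exc
    report = LnkReport(" ".join(parts), min(pos, len(data)), max(0, len(data) - pos))
    if any(m in report.string_data.lower() for m in LAUNCHER_MARKERS):
        report.reasons.append("launches a script host")
    if report.overlay_size:
        report.reasons.append(f"{report.overlay_size} bytes appended after the shortcut structure")
    return report


def scan_shortcuts(root: str) -> dict:
    """Report suspicious .lnk files below a mounted volume such as a removable drive."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.lower().endswith(".lnk")):
            path, stem = os.path.join(dirpath, name), name[:-4]
            with open(path, "rb") as fh:
                try:
                    reasons = parse_lnk(fh.read()).reasons
                except ValueError as exc:
                    reasons = [str(exc)]
            if stem.lower().endswith(DOCUMENT_EXTS):
                reasons.append("document-style double extension")
            if os.path.exists(os.path.join(dirpath, stem)):  # the original it impersonates, often hidden
                reasons.append("shortcut shadows a real file of the same name")
            if reasons:
                findings[path] = reasons
    return findings


def build_lnk(relative_path: str, arguments: str, overlay: bytes = b"") -> bytes:
    """Constructed fixture: header, two StringData fields, terminal ExtraData block, overlay."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<II", flags, 0x20) + b"\x00" * 24
              + struct.pack("<IIIHHII", 0, 0, 7, 0, 0, 0, 0))  # zero FILETIMEs; ShowCommand 7 = SW_SHOWMINNOACTIVE
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + sd(arguments) + b"\x00" * 4 + overlay


def demo() -> dict:
    """Scan a constructed removable-drive layout; returns findings keyed by file name."""
    decoy = b"%PDF-1.4 constructed decoy " + b"\x90" * 300   # stands in for decoy document + shellcode
    carrier = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                        "-w hidden -ep bypass -c \"$b=[IO.File]::ReadAllBytes('report.pdf.lnk');"
                        "[IO.File]::WriteAllBytes('report.pdf',$b[300..626])\"", decoy)
    files = {"report.pdf.lnk": carrier, "report.pdf": b"real file", "editor.lnk": build_lnk(r"..\Editor\editor.exe", "")}
    with tempfile.TemporaryDirectory() as d:
        for name, blob in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(blob)
        return {os.path.basename(p): r for p, r in scan_shortcuts(d).items()}
```

Point scan_shortcuts at the mount point of a drive that has crossed the air gap before any file on it is opened; a shortcut with an overlay is the interesting artefact, since a normal shortcut ends at the ExtraData terminal block and the overlay offset tells you where to start carving the embedded decoy and shellcode for analysis.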
Technical Highlights
Shellcode-Based Execution
All payloads are delivered through custom shellcode loaders that decode and execute the obfuscated components in memory rather than writing them to disk, which leaves little for file-based scanning to find.
Decoy Documents
The LNK files carry decoy documents (for example, articles written in the target's language) that are opened for the user so that the shortcut appears to have done what its name promised.
Multi-Stage Execution Chain
From the initial RESTLEAF implant to secondary backdoors and propagation tools, the infection chain is modular and designed for stealth and persistence.
Defensive Considerations
Defenders need to account for several aspects of this campaign:
- Cloud Abuse: Blocking Zoho WorkDrive outright is rarely an option, so baseline which hosts and processes legitimately use it and alert when a script interpreter or an unexpected process is the client.
- Removable Media Policies: Enforce device control so only approved, encrypted media mount; treat any drive that crosses an air gap as one-way and sanitise it on a dedicated kiosk; hunt for .lnk files at the root of removable volumes, especially ones sitting beside hidden files of the same name.
- Behavior-Based Detection: Static file scanning alone will miss shellcode and runtime-loaded payloads. Alert on explorer.exe spawning powershell.exe from a .lnk with a hidden window, turn on PowerShell script block logging (Event ID 4104), and flag unexpected installations of scripting runtimes such as Ruby.
- User Awareness: Educate users about the risks of opening unexpected shortcut files that reach them by email or on removable devices, and that a shortcut can display a document name and icon while pointing at a script host.
Conclusion
The Ruby Jumper campaign represents a significant evolution in APT37’s toolkit: one that combines cloud-enabled C2, shellcode-based modular payloads, and removable media propagation to target both conventional and air-gapped environments. It underscores a broader trend in cyber espionage where attackers ingeniously leverage everyday infrastructure — like cloud storage and USB drives — to bypass isolation defenses and persist long-term.
For organizations that treat air-gapped systems as a security boundary, this research highlights a growing threat: physical isolation is not a control by itself, and it needs removable-media procedure, endpoint protection on the isolated side and monitoring to back it up.
