In December 2025, security researchers at Zscaler ThreatLabz uncovered a highly sophisticated campaign conducted by APT37 (also tracked as ScarCruft, Ruby Sleet, Velvet Chollima), a North Korean state-linked advanced persistent threat (APT) group. The campaign, dubbed “Ruby Jumper” by ThreatLabz, demonstrated how APT37 is evolving its toolkit to target air-gapped environments using removable media, cloud-based command and control (C2), and a multi-stage malware ecosystem that leverages custom loaders, backdoors, and propagation utilities.
Key Technical Takeaways
The Ruby Jumper campaign introduces multiple new components that extend APT37’s operational reach into air-gapped or segmented systems:
- RESTLEAF: Initial implant that uses Zoho WorkDrive cloud storage for C2 communications.
- SNAKEDROPPER: A next-stage loader that installs a full Ruby runtime, establishes persistence, and drops other components.
- THUMBSBD: A two-way backdoor designed to bridge air-gapped systems via removable media.
- VIRUSTASK: A removable-media propagation tool that infects USB devices by hijacking user files and replacing them with malicious Windows shortcut (LNK) files.
- FOOTWINE & BLUELIGHT: Follow-on payloads that provide surveillance capabilities, including keylogging and audio/video capture.
Attack Overview and Workflow
Initial Infection Chain
APT37’s Ruby Jumper campaign begins with malicious Windows LNK shortcut files, which serve as the initial infection vector. When a victim opens a malicious LNK file, it triggers a PowerShell command that:
- Locates its own LNK file in the current directory by matching on file size.
- Extracts multiple embedded payloads from fixed binary offsets within the LNK file.
The embedded payloads typically consist of:
| Filename | Type | Purpose |
|---|---|---|
| `find.bat` | Batch file | Launches PowerShell logic |
| `search.dat` | PowerShell script | Loads shellcode into memory |
| `viewer.dat` | Shellcode blob | Hosts encrypted payload and injection logic |
| Decoy file | Document | Displayed to distract the victim |
The decoy file may be a plausible document (e.g., news article or report) to distract analysts while the embedded shellcode executes. Once launched, the shellcode uses a two-stage injection process:
- Stage 1: Injects second-stage shellcode into a legitimate Windows executable (from `System32` or `SysWow64`).
- Stage 2: The second stage decrypts and reflectively loads an encrypted PE payload.
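The infection chain above hinges on shortcut files that are far larger than a normal LNK because they carry batch, PowerShell, shellcode and decoy blobs at fixed offsets. The following triage script is an added example for this write-up, not code from Zscaler ThreatLabz or from the malware: it validates the Shell Link header, flags oversized files, and reports the offsets of a few markers so an analyst knows where to start carving. The 100 KB threshold, the marker list (beyond the three payload filenames the report names) and the two sample blobs are assumptions and constructed data.

```python
"""Triage Windows shortcut (.lnk) files for embedded payloads.

Added example for this write-up; it is not code from Zscaler ThreatLabz and
not part of the malware. Assumptions (not from the report): the 100 KB size
threshold is an analyst heuristic, and the sample bytes below are constructed.
"""
import os

# A Shell Link starts with HeaderSize 0x4C and the fixed LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian byte form.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
LNK_HEADER_LEN = 0x4C

# Benign shortcuts are a few KB; one carrying batch/PowerShell/shellcode blobs is not.
SIZE_THRESHOLD = 100 * 1024  # assumption: analyst-chosen threshold

# Markers worth locating. The three filenames are the embedded payload names the
# report describes; "powershell" and the "MZ" PE signature are generic.
MARKERS = {
    "powershell": b"powershell",
    "find.bat": b"find.bat",
    "search.dat": b"search.dat",
    "viewer.dat": b"viewer.dat",
    "embedded_pe": b"MZ",
}


def is_lnk(data: bytes) -> bool:
    """True if the buffer starts with a valid Shell Link header."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def find_marker(data: bytes, needle: bytes) -> int:
    """Offset of the marker in narrow or UTF-16LE form (LNK string data may be
    stored either way), searching only past the fixed header; -1 if absent."""
    hits = [data.find(n, LNK_HEADER_LEN)
            for n in (needle, needle.decode("ascii").encode("utf-16-le"))]
    hits = [h for h in hits if h >= 0]
    return min(hits) if hits else -1


def triage_lnk(data: bytes) -> dict:
    """Score one LNK buffer. The offsets returned are where an analyst would
    start carving, since the report notes payloads sit at fixed offsets."""
    result = {
        "is_lnk": is_lnk(data),
        "size": len(data),
        "oversized": len(data) > SIZE_THRESHOLD,
        "markers": {name: find_marker(data, m) for name, m in MARKERS.items()},
    }
    found = [n for n, off in result["markers"].items() if off >= 0]
    # "MZ" alone is two bytes and can occur by chance, so it never triggers by itself.
    strong = result["oversized"] or "powershell" in found or len(found) >= 2
    result["suspicious"] = result["is_lnk"] and strong
    return result


def triage_directory(path: str) -> list:
    """Walk a directory and return (path, triage result) for every .lnk file."""
    findings = []
    for dirpath, _, files in os.walk(path):
        for name in files:
            if name.lower().endswith(".lnk"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    findings.append((full, triage_lnk(fh.read())))
    return findings


# Constructed samples (not real artifacts): a plain shortcut to a local program,
# and an oversized one with script markers and a PE header in its tail.
_HEADER = LNK_MAGIC + b"\x00" * (LNK_HEADER_LEN - len(LNK_MAGIC))
BENIGN_SAMPLE = _HEADER + b"\x00" * 64 + "C:\\Program Files\\App\\app.exe".encode("utf-16-le")
MALICIOUS_SAMPLE = (
    _HEADER + b"\x00" * 64 + b"powershell" + b"\x00" * SIZE_THRESHOLD
    + b"find.bat" + b"MZ" + b"search.dat"
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SAMPLE), ("malicious", MALICIOUS_SAMPLE)):
        r = triage_lnk(blob)
        print(label, r["suspicious"], r["size"], r["markers"])
```

Point `triage_directory` at a mailbox export or a user's Downloads folder to get the same scoring over real files. The size check alone catches most payload-carrying shortcuts; the marker offsets are there to speed up manual carving, not to replace it.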
RESTLEAF: Cloud-Based Command & Control
The initial decrypted payload in memory is RESTLEAF, a custom implant that uses Zoho WorkDrive as a C2 channel — a novel tactic for APT37. RESTLEAF:
- Contains hardcoded Zoho client credentials.
- Exchanges the embedded refresh token for a valid access token.
- Retrieves shellcode (named `AAA.bin`) from a WorkDrive repository.
- Executes the downloaded shellcode via classic process injection.
- Beacons responses back to the cloud host by creating timestamped files.
This approach provides resilient, low-profile C2 using a legitimate cloud storage service, making detection and takedown more difficult.
SNAKEDROPPER: Loader and Ruby Runtime Installer
RESTLEAF’s next stage spawns SNAKEDROPPER, a malicious component that performs several actions:
- Extracts a packed archive (`ruby3.zip`) to `%PROGRAMDATA%\usbspeed`.
- Deploys a full Ruby 3.3.0 runtime environment, renaming the interpreter to `usbspeed.exe` to appear benign.
- Modifies the Ruby gem infrastructure by replacing core files (e.g., `operating_system.rb`) with attacker-controlled scripts.
- Creates a scheduled task (`rubyupdatecheck`) to auto-launch the Ruby runtime every five minutes.
- Places several malicious script files into the Ruby lib directory (some initially blank).
The SNAKEDROPPER design uses the Ruby environment as a flexible execution platform for additional payloads.
THUMBSBD: Air-Gap Bridging Backdoor
The THUMBSBD component is where Ruby Jumper shows its air-gap innovation. THUMBSBD is dropped by SNAKEDROPPER and functions as a backdoor that:
- Checks a registry key (`HKCU\SOFTWARE\Microsoft\TnGtp`) to prevent multiple instances.
- Creates an encrypted local configuration file (`TN.dat`) capturing basic system information.
- Sets up working directories for incoming commands, exfiltrated data, and staged data.
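The RESTLEAF, SNAKEDROPPER and THUMBSBD sections above each leave host-level traces: a non-browser process talking to Zoho WorkDrive, a Ruby runtime unpacked to `%PROGRAMDATA%\usbspeed` and run as `usbspeed.exe`, the `rubyupdatecheck` scheduled task, and the `HKCU\SOFTWARE\Microsoft\TnGtp` key. The script below is an added example showing how those indicators can be hunted across process, file, registry and network telemetry; it is not a Zscaler ThreatLabz rule set. The event records are constructed in a Sysmon-like shape, the browser allow-list and the `hostproc.exe` image name are assumptions, the exact subdirectories in the sample paths are made up, and `workdrive.zoho.com` is assumed to be the WorkDrive host; the task name, directory, registry key and file names come from the report.

```python
"""Hunt endpoint telemetry for the Ruby Jumper host indicators described above.

Added example; not Zscaler ThreatLabz code and not a vendor rule set. The event
records below are constructed, Sysmon-style dicts; the browser allow-list, the
generic "hostproc.exe" image name and the "workdrive.zoho.com" host are
assumptions, while the task name, paths and registry keys come from the report.
"""
import re
from typing import Callable, Dict, List, Optional

# Indicators taken from the write-up.
USBSPEED_DIR = re.compile(r"\\programdata\\usbspeed\\", re.IGNORECASE)
TASK_NAME = "rubyupdatecheck"
THUMBSBD_KEY = r"hkcu\software\microsoft\tngtp"
DROPPED_NAMES = {"ruby3.zip", "usbspeed.exe", "operating_system.rb", "tn.dat"}

# Processes expected to talk to cloud storage; anything else reaching Zoho is odd.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumption

Event = Dict[str, str]
Rule = Callable[[Event], Optional[str]]


def _base(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_task(ev: Event) -> Optional[str]:
    """schtasks command line or TaskCache registry write naming the task."""
    if ev["type"] == "process":
        cmd = ev["command_line"].lower()
        if "schtasks" in cmd and TASK_NAME in cmd:
            return f"scheduled task {TASK_NAME} registered via schtasks"
    if ev["type"] == "registry" and ev["key"].lower().endswith(
            "\\schedule\\taskcache\\tree\\" + TASK_NAME):
        return f"TaskCache entry for {TASK_NAME}"
    return None


def rule_usbspeed_runtime(ev: Event) -> Optional[str]:
    """Renamed Ruby interpreter executing from %PROGRAMDATA%\\usbspeed."""
    if ev["type"] == "process" and (USBSPEED_DIR.search(ev["image"])
                                    or _base(ev["image"]) == "usbspeed.exe"):
        return "process started from usbspeed runtime directory"
    return None


def rule_dropped_files(ev: Event) -> Optional[str]:
    """SNAKEDROPPER/THUMBSBD artifacts written under the runtime directory."""
    if ev["type"] == "file" and USBSPEED_DIR.search(ev["target"]) \
            and _base(ev["target"]) in DROPPED_NAMES:
        return f"dropped artifact {_base(ev['target'])}"
    return None


def rule_thumbsbd_instance_key(ev: Event) -> Optional[str]:
    """THUMBSBD single-instance marker key."""
    if ev["type"] == "registry" and ev["key"].lower().startswith(THUMBSBD_KEY):
        return "THUMBSBD instance key touched"
    return None


def rule_cloud_c2(ev: Event) -> Optional[str]:
    """Non-browser process connecting to Zoho (RESTLEAF uses WorkDrive as C2)."""
    if ev["type"] == "network" and ev["dest_host"].lower().endswith(".zoho.com") \
            and _base(ev["image"]) not in BROWSERS:
        return f"non-browser {_base(ev['image'])} contacted {ev['dest_host']}"
    return None


RULES: List[Rule] = [rule_task, rule_usbspeed_runtime, rule_dropped_files,
                     rule_thumbsbd_instance_key, rule_cloud_c2]


def hunt(events: List[Event]) -> List[Dict[str, str]]:
    """Apply every rule to every event; return one hit per (event, rule) pair."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append({"event_id": ev["id"], "rule": rule.__name__, "detail": msg})
    return hits


# Constructed sample telemetry; indicator names mirror the report, the rest is made up.
SAMPLE_EVENTS: List[Event] = [
    {"id": "1", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},
    {"id": "2", "type": "file", "target": r"C:\ProgramData\usbspeed\ruby3.zip"},
    {"id": "3", "type": "process", "image": r"C:\ProgramData\usbspeed\bin\usbspeed.exe",
     "command_line": "usbspeed.exe"},
    {"id": "4", "type": "file",
     "target": r"C:\ProgramData\usbspeed\lib\ruby\gems\operating_system.rb"},
    {"id": "5", "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": "schtasks /create /tn rubyupdatecheck /sc minute /mo 5"},
    {"id": "6", "type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\TnGtp"},
    {"id": "7", "type": "network", "image": r"C:\Windows\SysWOW64\hostproc.exe",
     "dest_host": "workdrive.zoho.com"},
    {"id": "8", "type": "network", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dest_host": "workdrive.zoho.com"},
    {"id": "9", "type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\rubyupdatecheck"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["event_id"], hit["rule"], hit["detail"])
```

The cloud rule is deliberately the loosest one: Zoho is a legitimate service, so the signal is the process identity, not the destination. In production, replace the allow-list with whatever your environment actually uses for WorkDrive and keep the other four rules as high-confidence hits.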
Air-Gap Bridging Logic
THUMBSBD’s main innovation is using removable media as a bidirectional command and data relay:
- When removable media (e.g., a USB drive) is inserted, THUMBSBD:
  - Creates a hidden `$RECYCLE.BIN` folder to conceal staged artifacts.
  - Copies data from THUMBSBD's staging directories to the drive.
  - Processes command and control instructions encoded within files on the media.
  - Retrieves exfiltrated output and stages it back onto the media for consumption by another system.
This method effectively transforms USB drives into covert C2 relays for environments that are otherwise unreachable over network connections.
VIRUSTASK: Removable Media Infector
In contrast to THUMBSBD’s command/exfiltration focus, VIRUSTASK aims to infect removable media to facilitate spreading into new air-gapped hosts. VIRUSTASK:
- Tracks execution state via `HKCU\Software\Microsoft\ActiveUSBPolicies`.
- Ensures the removable media has sufficient free space (≥2 GB).
- Creates a hidden `$RECYCLE.BIN.USER` folder on the media.
- Copies its Ruby runtime and payload executables into this hidden location.
- Enumerates existing user files, hides them, and replaces them with malicious LNK shortcuts that execute the hidden Ruby interpreter when clicked.
- On the next host, opening a hijacked file triggers the Ruby runtime, which then infects that system.
This propagation model mimics classic USB infection techniques but uses modern Ruby-driven logic to expand APT37’s foothold.
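Both THUMBSBD's relay folder and VIRUSTASK's infector leave a recognisable layout on the drive itself: a `$RECYCLE.BIN` or `$RECYCLE.BIN.USER` folder holding a Ruby runtime, and `.lnk` files sitting beside the user files they shadow. The script below is an added example for triaging a mounted removable volume along those lines; it is not Zscaler ThreatLabz code and not part of the malware. Folder names, the `usbspeed.exe` interpreter name and the hijacked-file pattern come from the report; the file-type heuristics and the sample volume it builds in a temporary directory are assumptions and constructed data.

```python
"""Triage a mounted removable volume for THUMBSBD/VIRUSTASK staging patterns.

Added example; not Zscaler ThreatLabz code and not the malware. Folder names,
the usbspeed.exe interpreter name and the hijacked-file pattern come from the
report; the content-type heuristics and the sample volume built below are
assumptions/constructed data. Usage: python usb_triage.py <mount point>
"""
import os
import sys
import tempfile

NONSTANDARD_DIRS = {"$recycle.bin.user"}   # VIRUSTASK; never a legitimate name
RECYCLE_DIR = "$recycle.bin"               # THUMBSBD; legitimate on NTFS, so only
RUNTIME_EXTS = {".exe", ".dll", ".rb", ".dat", ".zip"}  # flag if it holds these
STAGING_DIRS = NONSTANDARD_DIRS | {RECYCLE_DIR}
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")


def lnk_references(data: bytes, needle: str) -> bool:
    """Cheap, case-insensitive check for a path fragment in narrow or UTF-16LE
    LNK string data, without parsing the full Shell Link structure."""
    low = data.lower()
    return (needle.lower().encode("ascii") in low
            or needle.lower().encode("utf-16-le") in low)


def triage_volume(root: str) -> list:
    """Return (finding, relative path with '/' separators) tuples for a volume."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = {p.lower() for p in rel_dir.split(os.sep)}
        if os.path.basename(dirpath).lower() in NONSTANDARD_DIRS:
            findings.append(("nonstandard_recycle_dir", rel_dir.replace(os.sep, "/")))
        if parts & STAGING_DIRS:
            # Inside a staging folder: a runtime or payload file is the finding.
            for f in filenames:
                if os.path.splitext(f)[1].lower() in RUNTIME_EXTS:
                    rel = os.path.normpath(os.path.join(rel_dir, f))
                    findings.append(("runtime_in_hidden_dir", rel.replace(os.sep, "/")))
            continue
        stems = {os.path.splitext(f)[0].lower() for f in filenames
                 if not f.lower().endswith(".lnk")}
        for f in filenames:
            if not f.lower().endswith(".lnk"):
                continue
            rel = os.path.normpath(os.path.join(rel_dir, f)).replace(os.sep, "/")
            with open(os.path.join(dirpath, f), "rb") as fh:
                data = fh.read()
            if not data.startswith(LNK_MAGIC):
                continue
            # VIRUSTASK hides the original and drops a same-named .lnk beside it.
            if os.path.splitext(f)[0].lower() in stems:
                findings.append(("lnk_shadows_file", rel))
            # A shortcut pointing into the staging folder or at the renamed
            # interpreter is the trigger for the next host.
            if lnk_references(data, RECYCLE_DIR) or lnk_references(data, "usbspeed.exe"):
                findings.append(("lnk_targets_staging", rel))
    return findings


def build_sample_volume(root: str) -> None:
    """Constructed layout imitating an infected drive; contains no real payloads."""
    def put(rel: str, data: bytes) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    header = LNK_MAGIC + b"\x00" * 56
    trigger = header + "\\$RECYCLE.BIN.USER\\usbspeed.exe".encode("utf-16-le")
    put("report.docx", b"original user document")
    put("report.lnk", trigger)                       # shadows report.docx
    put(os.path.join("photos", "holiday.jpg"), b"\xff\xd8original photo")
    put(os.path.join("photos", "holiday.lnk"), trigger)
    put(os.path.join("$RECYCLE.BIN.USER", "usbspeed.exe"), b"MZ placeholder")
    put(os.path.join("$RECYCLE.BIN.USER", "lib", "stage.rb"), b"# placeholder")
    put("notes.txt", b"benign")
    put("tool.lnk", header + "C:\\Tools\\tool.exe".encode("utf-16-le"))  # benign


def demo() -> list:
    """Build the constructed volume in a temp dir and triage it."""
    root = tempfile.mkdtemp(prefix="usb_triage_")
    build_sample_volume(root)
    return triage_volume(root)


if __name__ == "__main__":
    results = triage_volume(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for kind, path in results:
        print(f"{kind:24} {path}")
```

On a Windows analysis box, add a check of the hidden attribute on the shadowed originals (for example via `GetFileAttributesW`) to confirm the hijack pattern; the script above skips that so it runs anywhere. Treat `lnk_targets_staging` as the strongest signal, since a shortcut resolving into a recycle-bin folder has no benign explanation.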
Follow-On Payloads: FOOTWINE and BLUELIGHT
Later in the infection chain, operators can deliver additional payloads such as:
- FOOTWINE: A backdoor with advanced surveillance capabilities, including keylogging and audio/video capture.
- BLUELIGHT (documented alongside FOOTWINE): potentially a further payload providing surveillance or persistence functions.
These modules enable ongoing espionage and data collection once a host is compromised.
Threat Attribution and Context
APT37 is a North Korea–linked state-sponsored group active since at least 2012, primarily focused on cyber espionage against geopolitical and government targets, with a strong history of spear phishing, credential theft, and data exfiltration.
Ruby Jumper shows continued evolution in their toolset, particularly in how APT37:
- Blends cloud services with covert channels.
- Bridges logically isolated systems like air-gapped networks.
- Infects removable media for lateral propagation.
Conclusion
The Ruby Jumper campaign represents a significant escalation in APT37’s operational capabilities, highlighting both ingenuity and technical craftsmanship in tackling the unique challenges posed by air-gapped network environments. By leveraging cloud storage services for C2, installing full scripting runtimes, and innovating with media-based bridging techniques, APT37 has created a resilient and multi-faceted toolkit that can infiltrate, persist, and exfiltrate data even in segmented or disconnected systems.
