APT37 Deploys Ruby Jumper Campaign to Breach Air-Gapped Networks

North Korean threat actor APT37 (Reaper) has expanded its arsenal with sophisticated new malware designed to compromise air-gapped networks — systems physically isolated from the internet that organizations use to protect their most sensitive data.

Researchers at Zscaler ThreatLabz have uncovered the “Ruby Jumper” campaign, which employs a complex infection chain featuring multiple novel malware families working in tandem to bridge air-gap defenses using removable media.

Key Findings

  • RESTLEAF — A new backdoor that abuses Zoho WorkDrive cloud storage for command-and-control communications. This marks the first observed use of Zoho WorkDrive by APT37.
  • SNAKEDROPPER — Deploys a complete Ruby 3.3.0 runtime environment disguised as a USB utility (“usbspeed.exe”), which then loads malicious scripts.
  • THUMBSBD — Transforms removable media into bidirectional covert C2 relays, enabling operators to deliver commands and exfiltrate data from air-gapped systems via USB drives.
  • VIRUSTASK — A propagation module that weaponizes removable media to spread to other air-gapped systems.

Attack Chain

The attack begins with a malicious LNK file that displays a decoy document (an Arabic-language article about the Palestine-Israel conflict, translated from a North Korean newspaper). The LNK extracts multiple payloads that work together to establish persistence and deploy the air-gap crossing tools.

A scheduled task runs the disguised Ruby interpreter every 5 minutes, which loads malicious scripts that monitor for connected USB drives. When removable media is attached, the malware:

  1. Creates a hidden $RECYCLE.BIN directory on the drive
  2. Copies command files and collects reconnaissance data
  3. Stages exfiltration packages for transfer back to attacker infrastructure

Why This Matters

Air-gapped networks are typically reserved for the most critical systems — classified government networks, industrial control systems, research facilities, and financial infrastructure. APT37’s investment in developing dedicated tools for this purpose signals their intent to target high-value, well-defended environments.

The use of legitimate cloud services (Zoho WorkDrive) for C2 makes detection more difficult, as this traffic blends with normal business operations. Organizations should implement strict USB device policies and monitor for unusual Ruby runtime installations or scheduled tasks.
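As an added detection example (not code from Zscaler's report or from the campaign), the following Python applies the two traits the page describes, a Ruby runtime renamed to look like a USB utility and launched on a schedule, to constructed Sysmon-style process-creation records. It assumes the renamed interpreter still carries the stock ruby.exe version-info fields (OriginalFileName, Description), which the page does not state.

```python
import ntpath
import re
from typing import List, Optional, Tuple

# Constructed Sysmon Event ID 1 (process creation) records for illustration.
# Field names follow Sysmon's schema; the values are invented, not from the report.
SAMPLE_EVENTS = [
    {   # Ruby interpreter renamed to a USB-utility lookalike, run from a user profile
        "Image": r"C:\Users\alice\AppData\Roaming\USBSpeed\usbspeed.exe",
        "OriginalFileName": "ruby.exe",
        "Description": "Ruby interpreter (CUI) 3.3.0",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # legitimate developer install: same metadata, name unchanged, normal path
        "Image": r"C:\Ruby33-x64\bin\ruby.exe",
        "OriginalFileName": "ruby.exe",
        "Description": "Ruby interpreter (CUI) 3.3.0",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # unrelated process that must not be flagged
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "Description": "Notepad",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

RUBY_DESCRIPTION = re.compile(r"\bRuby interpreter\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
SCHEDULER_HOSTS = ("svchost.exe", "taskeng.exe")  # assumption: Schedule service hosts

def is_ruby_runtime(event: dict) -> bool:
    """True when the PE version info identifies the binary as the Ruby interpreter."""
    return (event.get("OriginalFileName", "").lower() == "ruby.exe"
            or bool(RUBY_DESCRIPTION.search(event.get("Description", ""))))

def classify(event: dict) -> Optional[str]:
    """Return a finding string for a suspicious Ruby launch, or None if benign."""
    if not is_ruby_runtime(event):
        return None
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    reasons = []
    if name not in ("ruby.exe", "rubyw.exe"):          # renamed interpreter
        reasons.append(f"ruby runtime masquerading as {name}")
    if USER_WRITABLE.match(image):                     # dropped outside Program Files
        reasons.append("runs from user-writable path")
    if not reasons:
        return None
    if ntpath.basename(event.get("ParentImage", "")).lower() in SCHEDULER_HOSTS:
        reasons.append("spawned by the task scheduler host")  # periodic-task context
    return "; ".join(reasons)

def scan(events: List[dict]) -> List[Tuple[str, str]]:
    """Run classify() over a batch and return (image, finding) pairs."""
    return [(e["Image"], r) for e in events if (r := classify(e))]
```

Pair a finding with a follow-up check on the binary's install directory (a full Ruby tree under a user profile is itself unusual) and on the task that launched it.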

Indicators of Compromise

The following C2 domains were identified:

  • philion[.]store
  • homeatedke[.]store
  • hightkdhe[.]store

ThreatLabz notes that hightkdhe[.]store was still operational during their investigation.

Source: Zscaler ThreatLabz – APT37 Adds New Tools For Air-Gapped Networks