APT37 Ruby Jumper Campaign: North Korean Hackers Deploy Malware Arsenal to Bridge Air-Gapped Networks

Zscaler ThreatLabz has uncovered a sophisticated campaign by North Korean threat group APT37, introducing five new malware tools designed specifically to infiltrate and exfiltrate data from air-gapped systems through weaponized USB drives.

Campaign Overview

In December 2025, security researchers at Zscaler discovered the Ruby Jumper campaign, orchestrated by APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima). This DPRK-backed threat group has introduced a suite of newly discovered tools—RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE—designed to conduct surveillance on victims while specifically targeting air-gapped environments.

Key Findings

  • Novel cloud C2 abuse: RESTLEAF uses Zoho WorkDrive for command-and-control communications—the first observed instance of APT37 abusing this platform
  • Ruby-based execution: The campaign deploys a legitimate Ruby 3.3.0 runtime environment disguised as a USB utility to execute shellcode-based payloads
  • Air-gap bridging: THUMBSBD and VIRUSTASK work in tandem to relay commands and exfiltrate data across air-gapped network segments via removable media
  • Comprehensive surveillance: FOOTWINE delivers keylogging, audio capture, and video surveillance capabilities

Infection Chain

The attack begins with a malicious Windows shortcut (LNK) file that extracts embedded payloads including a decoy document, PowerShell scripts, and shellcode. The decoy displays an Arabic-language article about the Palestine-Israel conflict, translated from North Korean media—suggesting targets interested in DPRK perspectives.

The infection progresses through multiple stages:

  1. RESTLEAF establishes initial access and downloads additional payloads from Zoho WorkDrive
  2. SNAKEDROPPER installs a complete Ruby runtime environment, disguising the interpreter as “usbspeed.exe” to appear legitimate
  3. THUMBSBD monitors for removable media and uses hidden $RECYCLE.BIN directories to stage command and exfiltration data
  4. VIRUSTASK propagates by replacing legitimate files on USB drives with malicious shortcuts
  5. FOOTWINE and BLUELIGHT provide full surveillance capabilities and additional C2 channels

Air-Gap Attack Methodology

THUMBSBD’s bidirectional relay mechanism is particularly noteworthy. When removable media is connected, it:

  • Creates hidden staging directories on the device
  • Copies command files to/from the device for relay between systems
  • Decrypts received command files with a single-byte XOR (key 0x83)
  • Stages exfiltration data for transfer to internet-connected systems

Meanwhile, VIRUSTASK ensures propagation to new victims by:

  • Checking for at least 2 GB of free space before infection
  • Creating hidden $RECYCLE.BIN.USER folders
  • Hiding original files and replacing them with identically-named malicious shortcuts
  • Configuring shortcuts to execute the disguised Ruby interpreter when victims attempt to open their files

Indicators of Compromise

Network Indicators:

  • philion[.]store – THUMBSBD C2
  • homeatedke[.]store – THUMBSBD C2
  • hightkdhe[.]store – THUMBSBD C2 (active during investigation)
  • 144.172.106.66:8080 – FOOTWINE C2

Host Indicators (MD5):

  • 709d70239f1e9441e8e21fcacfdc5d08 – Windows shortcut
  • ad556f4eb48e7dba6da14444dcce3170 – RESTLEAF
  • 098d697f29b94c11b52c51bfe8f9c47d – SNAKEDROPPER
  • 4214818d7cde26ebeb4f35bc2fc29ada – THUMBSBD
  • 5c6ff601ccc75e76c2fc99808d8cc9a9 – VIRUSTASK
  • 476bce9b9a387c5f39461d781e7e22b9 – FOOTWINE
  • 585322a931a49f4e1d78fb0b3f3c6212 – BLUELIGHT

Why This Matters

Air-gapped networks are typically deployed for the most sensitive systems—nuclear facilities, classified government networks, critical infrastructure control systems, and defense industrial bases. APT37’s Ruby Jumper campaign demonstrates North Korea’s continued investment in bridging these security perimeters through physical access vectors that bypass network-based defenses.

The use of legitimate cloud services (Zoho WorkDrive, Google Drive, OneDrive, pCloud) for C2 communication further complicates detection, as this traffic blends with normal business operations.

Recommended Mitigations

  • Implement strict USB device policies with allowlisting of authorized devices
  • Deploy endpoint detection rules for LNK files executing PowerShell
  • Monitor for suspicious Ruby interpreter installations (especially renamed executables)
  • Inspect removable media for hidden directories and unexpected shortcut files
  • Block or monitor connections to cloud storage services from sensitive systems
  • Implement file integrity monitoring in system directories
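A triage script for the removable-media inspection recommended above, added here as an example and not code from Zscaler or from the campaign: it walks a mounted drive and flags the traits described under Air-Gap Attack Methodology (a $RECYCLE.BIN.USER staging folder, a shortcut shadowing a same-named original, and a Ruby interpreter renamed usbspeed.exe), and it decodes a staged command file with the reported XOR key. The sample drive layout, its file names, and the "report.docx.lnk beside report.docx" naming pattern are assumptions.

```python
"""Removable-media triage script, added as an example (not Zscaler's or the campaign's code).
It flags the on-disk traits the summary attributes to THUMBSBD and VIRUSTASK:
$RECYCLE.BIN.USER staging folders, .lnk files that shadow a same-named original file,
and a Ruby interpreter renamed to usbspeed.exe. Sample file names are constructed."""
import tempfile
from pathlib import Path

STAGING_DIRS = {"$RECYCLE.BIN.USER"}   # a plain $RECYCLE.BIN is normal on NTFS volumes
DISGUISED_RUBY = "usbspeed.exe"        # name SNAKEDROPPER gives the Ruby interpreter
XOR_KEY = 0x83                         # single-byte key reported for THUMBSBD commands

def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR is symmetric: the same call decodes a staged command file or encodes a sample."""
    return bytes(b ^ key for b in data)

def scan_drive(root: Path) -> list[tuple[str, str]]:
    """Walk a mounted drive and return (finding_type, relative_path) pairs for review."""
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_dir() and path.name.upper() in STAGING_DIRS:
            findings.append(("staging_dir", rel))
        elif path.suffix.lower() == ".lnk":
            # VIRUSTASK hides the original and drops a shortcut shown under the same name;
            # assumed pattern: "report.docx.lnk" or "report.lnk" beside "report.docx".
            for sib in path.parent.iterdir():
                if sib != path and path.stem in (sib.name, sib.stem):
                    findings.append(("shadowed_lnk", rel))
                    break
        elif path.name.lower() == DISGUISED_RUBY:
            findings.append(("disguised_ruby", rel))
    return findings

def build_sample_drive() -> Path:
    """Constructed layout mimicking an infected USB stick, so the scan runs offline."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    staging = root / "$RECYCLE.BIN.USER"
    staging.mkdir()
    (staging / "cmd.dat").write_bytes(xor_decode(b"whoami"))  # XOR-"encrypted" command
    (root / "report.docx").write_bytes(b"original")           # would be hidden on Windows
    (root / "report.docx.lnk").write_bytes(b"L\x00\x00\x00")    # shortcut shadowing it
    (root / "invoice.pdf").write_bytes(b"clean")              # unrelated file, not flagged
    (root / "Tools").mkdir()
    (root / "Tools" / DISGUISED_RUBY).write_bytes(b"MZ")      # renamed ruby.exe
    return root

if __name__ == "__main__":
    for kind, rel in scan_drive(build_sample_drive()):
        print(f"{kind:15} {rel}")
```

On a real Windows volume, point scan_drive at the drive root and additionally check the hidden attribute (st_file_attributes) on any original sitting next to a flagged shortcut.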

Source: Zscaler ThreatLabz