
Introduction: A New Phase in DPRK-Linked Cyber Espionage
In December 2025, cybersecurity researchers uncovered a sophisticated cyber-espionage operation that signaled a major evolution in tradecraft from APT37, a group also known in the security community as ScarCruft, Ruby Sleet, and Velvet Chollima. The campaign, internally tracked as Ruby Jumper, was not just another phishing operation or data-stealing malware deployment. Instead, it revealed a carefully engineered toolkit designed to infiltrate some of the most difficult targets in the world: air-gapped systems with no direct internet access.
This operation demonstrates how modern espionage groups are no longer constrained by network isolation. By combining social engineering, cloud abuse, memory-only execution, and USB-based command channels, APT37 showed that physical separation alone is no longer a reliable defense.
Summary of the Original Findings
The Ruby Jumper campaign introduces a new malware ecosystem purpose-built to bypass network isolation. APT37, historically known for targeting government agencies, journalists, and individuals connected to DPRK strategic interests, has expanded its capabilities with a modular, multi-stage infection chain.
The attack begins with a malicious Windows shortcut file. Once opened, the LNK file quietly launches PowerShell in the background and extracts multiple embedded payloads. These payloads include scripts and encrypted shellcode that eventually deploy an initial implant called RESTLEAF. All stages are designed to operate with minimal disk artifacts, relying heavily on in-memory execution.
RESTLEAF represents a notable shift in command-and-control strategy. Instead of using custom servers alone, the implant communicates through Zoho WorkDrive, marking the first documented case of APT37 abusing this cloud platform for C2 operations. Through this channel, RESTLEAF retrieves additional components and executes them via process injection.
The full infection flow follows a precise structure: the LNK file triggers PowerShell, which loads shellcode, installs RESTLEAF, deploys SNAKEDROPPER, and then introduces secondary components such as THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT. Each module has a specific role, ranging from propagation to surveillance.
One of the most striking elements of Ruby Jumper is the inclusion of a complete Ruby runtime environment. The SNAKEDROPPER component installs Ruby 3.3.0 into the ProgramData directory and renames the interpreter to “usbspeed.exe” to blend in with legitimate software. A modified Ruby file ensures persistent execution through a scheduled task.
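Detection logic for the two stages just described (the LNK-launched PowerShell loader and the interpreter renamed to usbspeed.exe under ProgramData), written here as an added example rather than anything from the Zscaler report. It reads process-creation records with Sysmon Event ID 1 field names (Image, ParentImage, CommandLine, OriginalFileName); the sample records, the ProgramData subfolder and the assumption that the renamed binary still reports ruby.exe in its PE version info are all constructed.

```python
"""Process-creation checks for the LNK and SNAKEDROPPER stages. Added example;
field names follow Sysmon Event ID 1, and the records below are constructed."""
import re

# Explorer launching PowerShell with a hidden window or an encoded command.
HIDDEN_PS = re.compile(r"-(w|win|windowstyle)\s+hidden|-(e|ec|enc|encodedcommand)\s", re.I)
# Interpreters that should not appear under ProgramData under another file name.
INTERPRETERS = {"ruby.exe", "python.exe", "powershell.exe", "pwsh.exe", "wscript.exe"}


def base_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> list:
    """Return the rule names that fire for one process-creation record."""
    hits = []
    image, parent = base_name(event["Image"]), base_name(event["ParentImage"])
    orig = event.get("OriginalFileName", "-").lower()   # PE version info; "-" when absent
    if image in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" \
            and HIDDEN_PS.search(event.get("CommandLine", "")):
        hits.append("lnk_powershell_loader")
    # Assumes the renamed interpreter still carries its real name in version info.
    if orig in INTERPRETERS and orig != image and "\\programdata\\" in event["Image"].lower():
        hits.append("renamed_interpreter_in_programdata")
    return hits


def triage(events: list) -> list:
    """(record index, rule) for every hit across a batch of records."""
    return [(i, rule) for i, ev in enumerate(events) for rule in detect(ev)]


SAMPLE_EVENTS = [  # constructed; the ProgramData subfolder is an assumption
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -c <constructed stage-2 loader>",
     "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\ProgramData\usbspeed\usbspeed.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",      # scheduled-task host process
     "CommandLine": "usbspeed.exe main.rb", "OriginalFileName": "ruby.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -Command Get-Process", "OriginalFileName": "PowerShell.EXE"},
]
```

If the Ruby build on the host ships without version information, OriginalFileName is reported as "-" and the second rule will not fire, so pair it with an allow-list of executables permitted under ProgramData.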
All payloads in the campaign are encrypted using a simple one-byte XOR routine and executed reflectively in memory. This approach minimizes forensic traces and significantly complicates detection during incident response.
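A triage helper for payloads protected this way, added here and not part of the campaign or the report: it recovers a single-byte XOR key by trying all 255 candidates and checking the output against known plaintext for the payload types the chain stages (a PE image, a Ruby or PowerShell script), falling back to the most printable candidate. The two encoded blobs are constructed.

```python
"""Single-byte XOR key recovery for payload triage. Added example, not the
campaign's routine; both encoded blobs below are constructed."""
import string
from typing import Optional, Tuple

PRINTABLE = frozenset(string.printable.encode())


def xor1(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse: one call both encodes and decodes."""
    return bytes(b ^ key for b in data)


def classify(plain: bytes) -> Optional[str]:
    """Known-plaintext checks for the payload types the chain stages in memory."""
    if plain[:2] == b"MZ" and b"This program cannot be run" in plain[:512]:
        return "pe"                          # DOS header plus the standard stub text
    head = plain[:256].lower()
    if b"require " in head or b"puts " in head:
        return "ruby-script"
    if b"powershell" in head or b"invoke-" in head:
        return "powershell"
    return None


def recover_key(blob: bytes) -> Tuple[int, Optional[str], float]:
    """Try every non-zero key (0 would leave the blob unchanged).

    Returns (key, kind, printable_ratio). A known-plaintext hit wins outright;
    otherwise the most printable candidate is returned with kind None, which
    tells the analyst the output still needs a manual look."""
    best = (0, None, 0.0)
    for key in range(1, 256):
        plain = xor1(blob, key)
        window = plain[:512]
        ratio = sum(b in PRINTABLE for b in window) / max(len(window), 1)
        kind = classify(plain)
        if kind is not None:
            return key, kind, ratio
        if ratio > best[2]:
            best = (key, None, ratio)
    return best


# Constructed samples: a minimal PE-like stub and a tiny Ruby script, each
# encoded with a different key so recovery can be checked against it.
FAKE_PE = b"MZ" + bytes(62) + b"This program cannot be run in DOS mode.\r\n$" + bytes(range(256))
FAKE_RB = b"require 'socket'\nputs 'usbspeed'\n"
ENC_PE = xor1(FAKE_PE, 0x5A)
ENC_RB = xor1(FAKE_RB, 0x2F)
```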
To breach air-gapped environments, APT37 relies on two specialized components. THUMBSBD functions as a backdoor and command relay, using removable media as a covert communication channel. It creates hidden directory structures inside $RECYCLE.BIN on USB drives, enabling encrypted command transfer and data exfiltration between isolated systems.
VIRUSTASK focuses on propagation. It infects removable drives by hiding legitimate files and replacing them with malicious shortcuts. When a user clicks what appears to be a normal document, the disguised Ruby interpreter executes embedded shellcode, spreading the infection to the new host.
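A sweep of a removable drive for the artifacts in the two paragraphs above, added as an example (not the campaign's or a vendor's tool): it reports anything in $RECYCLE.BIN beyond desktop.ini, the per-user SID folders and the $I/$R records Windows keeps there, and any shortcut that carries the name of a sibling file. The sample drive layout built by build_sample_drive() is constructed.

```python
"""Sweep a removable drive for THUMBSBD / VIRUSTASK-style artifacts. Added example,
not the campaign's or a vendor's tool; the sample drive layout is constructed."""
import re
import tempfile
from pathlib import Path

RECYCLE = "$RECYCLE.BIN"
SID_DIR = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$", re.I)   # per-user recycle folders


def scan_removable(root: Path) -> list:
    """Return sorted (finding, path-relative-to-root) pairs."""
    findings = []
    rb = root / RECYCLE
    if rb.is_dir():
        for entry in rb.iterdir():
            if entry.name.lower() == "desktop.ini":
                continue
            if not (entry.is_dir() and SID_DIR.match(entry.name)):
                findings.append(("recycle_bin_foreign_entry", entry.relative_to(root).as_posix()))
                continue
            for item in entry.iterdir():   # inside a SID folder only $I*/$R* records belong
                if item.name[:2].upper() not in ("$I", "$R") and item.name.lower() != "desktop.ini":
                    findings.append(("recycle_bin_foreign_entry", item.relative_to(root).as_posix()))
    for lnk in root.rglob("*.lnk"):
        if RECYCLE in lnk.parts:
            continue
        for sib in lnk.parent.iterdir():   # a shortcut that took a sibling file's name
            if sib != lnk and sib.suffix.lower() != ".lnk" and lnk.stem in (sib.name, sib.stem):
                findings.append(("shortcut_shadows_file", lnk.relative_to(root).as_posix()))
                break
    return sorted(findings)


def build_sample_drive(root: Path) -> None:
    """Constructed layout: genuine recycle-bin records plus planted artifacts."""
    sid = root / RECYCLE / "S-1-5-21-1111-2222-3333-1001"
    sid.mkdir(parents=True)
    (root / RECYCLE / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (sid / "$I3K9QZ2.txt").write_bytes(b"\x02" * 8)            # genuine deleted-file record
    (sid / "$R3K9QZ2.txt").write_text("old notes")
    (sid / ".cmds").mkdir()                                      # planted relay directory
    (root / RECYCLE / "Thumbs").mkdir()                          # planted top-level directory
    (root / "report.docx").write_text("quarterly report")
    (root / "report.docx.lnk").write_bytes(b"L\x00\x00\x00")     # shortcut shadowing the document
    (root / "readme.lnk").write_bytes(b"L\x00\x00\x00")          # lone shortcut, not flagged


def run_sample() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(Path(tmp))
        return scan_removable(Path(tmp))
```

On Windows, os.stat(sib).st_file_attributes & 0x2 additionally tells you whether the shadowed sibling carries the hidden attribute, which is how VIRUSTASK conceals the original document.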
Later stages deploy FOOTWINE, a powerful surveillance backdoor disguised as an Android package file. Despite the misleading extension, FOOTWINE targets Windows systems and supports keylogging, screenshot capture, audio recording, webcam access, file manipulation, and interactive shell commands. Communication with its command server is encrypted using a custom XOR-based protocol.
The campaign also delivers BLUELIGHT, a previously documented backdoor that relies on legitimate cloud storage services for command-and-control. According to Zscaler, Ruby Jumper highlights how APT37 continues to refine its techniques to defeat traditional security assumptions.
What Undercode Say: Strategic Analysis of Ruby Jumper
Ruby Jumper is less about a single piece of malware and more about a mindset shift in advanced persistent threats. APT37 is no longer simply exploiting network weaknesses. It is systematically targeting human behavior, operational gaps, and physical trust boundaries.
The use of LNK files as the initial vector is a calculated choice. Shortcut files remain widely trusted by users and are often overlooked by security controls. Combined with PowerShell, they provide a flexible and stealthy execution method that blends into normal system activity.
The deployment of a full Ruby runtime is particularly revealing. By embedding an entire scripting environment, APT37 gains portability, flexibility, and rapid development capability across infected hosts. Renaming the interpreter to a benign-sounding executable further demonstrates attention to operational security and deception.
Cloud abuse continues to be a recurring theme in modern espionage. By leveraging Zoho WorkDrive and other legitimate platforms, the attackers hide malicious traffic inside trusted services. This complicates detection for organizations that rely heavily on cloud collaboration tools.
The USB-based command channel is the most critical innovation. Air-gapped systems are often assumed to be secure by design, yet in practice they depend on removable media for updates, data transfer, and operational workflows. THUMBSBD and VIRUSTASK exploit this reality, turning USB drives into mobile C2 relays that move silently between isolated environments.
FOOTWINE’s surveillance capabilities indicate that the end goal is long-term intelligence collection rather than immediate disruption. Keylogging, audio capture, and webcam monitoring point to espionage priorities such as credential harvesting, meeting surveillance, and sensitive document access.
From a defensive perspective, Ruby Jumper exposes uncomfortable truths. Endpoint detection that focuses only on network traffic is insufficient. Physical access controls, removable media policies, and behavioral monitoring are now frontline defenses.
This campaign also underscores that simplicity can be powerful. The use of basic XOR encryption, scheduled tasks, and renamed binaries shows that advanced threats do not always rely on complex obfuscation. Instead, they rely on reliability, persistence, and blending into normal system noise.
Fact Checker Results
APT37’s use of malicious LNK files and PowerShell loaders aligns with previously documented campaigns. ✅
Abuse of Zoho WorkDrive as a C2 channel represents a newly observed tactic for this group. ✅
Ruby Jumper demonstrates confirmed capability to bridge air-gapped systems via removable media. ✅
Prediction: Where This Threat Is Heading Next
APT37 will likely expand its abuse of cloud productivity platforms beyond Zoho to evade enterprise monitoring. 🔮
Future variants may target Linux-based air-gapped systems used in industrial and research environments. 🔮
USB-borne malware frameworks like Ruby Jumper will become a standard tool among state-sponsored actors. 🔮
References:
Reported By: cyberpress.org