North Korean Hackers Bridge Air-Gapped Systems With “Ruby Jumper” Malware Toolkit

Listen to this Post

Featured Image

A New Campaign Targets Isolated Networks

North Korean state-linked hackers have unveiled a highly sophisticated campaign designed to break one of cybersecurity’s strongest defenses: air-gapped systems. The operation, tracked under the name Ruby Jumper, reveals how removable media can be weaponized to quietly move data between disconnected computers. The campaign is attributed to APT37, a well-known espionage group also tracked under several aliases.

Why Air-Gapped Systems Matter

Air-gapped computers are intentionally isolated from external networks, including the public internet. This separation is common in military, research, and critical infrastructure environments where sensitive data must never touch online systems. While physical isolation removes Wi-Fi, Bluetooth, and Ethernet connections, organizations still rely on removable drives to transfer data. Ruby Jumper exploits this necessary weakness.

The Ruby Jumper Campaign Explained

Security researchers uncovered Ruby Jumper while analyzing malware designed to jump between connected and disconnected environments. The campaign focuses on covert persistence, stealthy data collection, and slow, reliable exfiltration using USB devices. According to the analysis, this is not a smash-and-grab operation but a patient espionage effort.

Researchers Behind the Discovery

The investigation was carried out by researchers at Zscaler, who identified a toolkit of five coordinated malicious components. Each tool plays a specific role in initial compromise, lateral spread, surveillance, and data extraction.

Initial Infection via LNK Files

The attack chain begins when a victim opens a malicious Windows shortcut file. This file triggers a PowerShell script that extracts hidden payloads directly from the shortcut itself. At the same time, a decoy document is launched to distract the user and lower suspicion.

Decoy Documents and Social Engineering

The decoy used in observed cases is an Arabic translation of a North Korean newspaper article discussing the Palestine-Israel conflict. Researchers believe this choice reflects careful targeting and an understanding of the victim’s interests and geopolitical focus.

RESTLEAF Establishes the First Foothold

Once executed, the PowerShell script deploys the first malware implant, RESTLEAF. This component establishes communication with the attacker’s command infrastructure using Zoho WorkDrive, allowing traffic to blend in with legitimate enterprise activity.

Encrypted Payload Delivery

RESTLEAF retrieves encrypted shellcode from the command server. This shellcode is responsible for downloading the next stage of the attack, a Ruby-based loader called SNAKEDROPPER. Encryption ensures that network monitoring tools struggle to detect malicious content.

Weaponizing the Ruby Runtime

SNAKEDROPPER installs a full Ruby runtime environment, including libraries and package management tools. To avoid suspicion, this environment is disguised as a harmless USB utility named usbspeed.exe, making it appear related to removable media performance.

Persistence Through Scheduled Tasks

The loader modifies a core RubyGems file so that malicious code executes automatically whenever the Ruby interpreter starts. A scheduled task named rubyupdatecheck ensures the process runs every five minutes, guaranteeing persistence even after reboots.

THUMBSBD Takes Control of USB Drives

Another component, THUMBSBD, functions as the campaign’s primary backdoor. It collects system information, stages command files, and prepares stolen data for extraction. Its most critical role is interacting with removable drives.

Turning USB Devices Into Covert Relays

THUMBSBD creates hidden directories on inserted USB drives and copies selected files into them. This transforms ordinary removable media into a two-way covert command channel. Commands move into air-gapped systems, and stolen data moves out without any network connection.

Bridging the Air Gap

By relying on removable media as an intermediary, the malware quietly bridges isolated network segments. This technique allows attackers to bypass physical isolation without triggering traditional intrusion detection systems.

VIRUSTASK Spreads the Infection

The VIRUSTASK module focuses on propagation. It hides legitimate files on removable drives and replaces them with malicious shortcuts. When opened, these shortcuts launch the embedded Ruby interpreter and infect new air-gapped machines.

Conditional Execution for Stealth

To avoid noisy failures, VIRUSTASK only activates if the inserted removable drive has at least 2GB of free space. This condition reduces errors and helps the malware blend into normal usage patterns.

FOOTWINE Expands Surveillance

THUMBSBD also deploys FOOTWINE, a spyware backdoor disguised as an Android application package file. Despite the disguise, it runs on Windows and enables extensive surveillance capabilities.

Full Spyware Capabilities

FOOTWINE supports keylogging, screenshot capture, audio and video recording, file manipulation, registry access, and remote shell execution. This turns infected systems into comprehensive intelligence collection platforms.

BLUELIGHT Confirms Attribution

Researchers also observed BLUELIGHT, a known backdoor previously linked to APT37 operations. Its presence strengthens confidence in attribution and ties Ruby Jumper to earlier campaigns by the same actor.

Indicators Point to APT37

The use of malicious LNK files, multi-stage shellcode delivery, familiar command infrastructure, and known malware families all align with APT37’s historical tradecraft. These overlaps leave little doubt about the campaign’s origin.

Target Profiles and Strategic Intent

The choice of decoy material suggests that victims are interested in North Korean media narratives. This aligns with APT37’s long-standing focus on political, military, and research organizations tied to regional security issues.

What Undercode Say:

Air Gaps Are No Longer Absolute

Ruby Jumper demonstrates that air-gapped systems are not impenetrable. As long as humans move data with removable drives, attackers will find ways to exploit that behavior. Physical isolation alone is no longer a guarantee of safety.

Removable Media Remains a Critical Weak Point

Despite years of warnings, USB drives remain deeply embedded in secure workflows. This campaign shows how attackers design malware specifically around operational realities, not theoretical defenses.

Living Off Trusted Tools

By abusing legitimate cloud services and installing full scripting runtimes, attackers reduce their footprint and evade detection. This mirrors a broader trend toward living off trusted platforms rather than custom infrastructure.

Espionage Over Destruction

Ruby Jumper is clearly an intelligence-gathering operation, not a destructive one. The focus on persistence, stealth, and surveillance suggests long-term access is more valuable than immediate impact.

Tradecraft Is Becoming Modular

Each component in this campaign has a clearly defined role. This modular design allows attackers to swap tools, update capabilities, and reuse infrastructure across operations.

USB-Based C2 Is Hard to Monitor

Traditional security monitoring focuses on networks. USB-mediated command channels fall outside many detection strategies, creating blind spots that sophisticated actors exploit.

Human Behavior Is the Real Target

The weakest link remains the user who opens a file or plugs in a drive. Ruby Jumper succeeds by aligning perfectly with expected user actions rather than forcing unusual behavior.

Implications for Critical Infrastructure

Organizations running isolated environments must rethink their threat models. Monitoring removable media usage and enforcing strict controls may now be as important as network defense.

Detection Requires Context, Not Signatures

Signature-based defenses struggle against campaigns like Ruby Jumper. Behavioral analysis and contextual awareness are essential to spot subtle anomalies over time.

Strategic Patience From State Actors

This campaign reflects patience and discipline. It is designed to operate quietly for months or years, gathering intelligence without triggering alarms.

Fact Checker Results

Attribution to APT37

The campaign shows multiple indicators consistent with known APT37 activity. ✅

Use of Removable Media for C2

Researchers confirmed USB drives were used as bidirectional command channels. ✅

Targeting of Air-Gapped Systems

All observed tools and techniques are specifically designed to breach isolated environments. ✅

Prediction

Increased Focus on USB Monitoring 🔍

Organizations will accelerate investment in removable media controls and logging.

More Modular State Malware 🧩

Future campaigns will continue using interchangeable components for flexibility.

Air-Gap Security Redefined ⚠️

Physical isolation will no longer be treated as a standalone defense but as one layer among many.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.linkedin.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon