Government entities aligned with DPRK interests: APT37 Targets Air-Gapped Networks With Novel Malware Strain

APT37’s "Ruby Jumper" Campaign Targets Air-Gapped Networks with Novel Malware Toolkit

In December 2025, cybersecurity researchers uncovered a sophisticated cyber-espionage campaign by APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima). Dubbed "Ruby Jumper," the operation introduces a new malware toolkit designed to reach air-gapped environments (isolated networks with no connection to the internet) by riding on removable media, marking a significant evolution in the group's tactics.

Attack Chain and Key Innovations

The campaign begins with a malicious Windows shortcut (LNK) file, which triggers a multi-stage infection process:

  1. Initial Execution – The LNK file launches PowerShell, extracting embedded payloads, including encrypted shellcode and the RESTLEAF implant.
  2. Cloud-Based C2 Abuse – RESTLEAF communicates with attackers via Zoho WorkDrive, the first observed use of this platform by APT37 for command-and-control (C2) operations.
  3. In-Memory Payload Deployment – Additional malware components are executed reflectively, minimizing forensic traces.

A standout feature is SNAKEDROPPER, a dropper disguised as a legitimate-looking executable (usbspeed.exe) that installs a full Ruby runtime (v3.3.0) on the victim host. The malware replaces one of the runtime's standard Ruby files with malicious code, so that a scheduled task which launches the interpreter doubles as the persistence mechanism: the scheduled task and the Ruby installation both look benign in isolation.

Bridging the Air Gap

Two critical components enable lateral movement into isolated networks:

  • THUMBSBD – A backdoor that uses USB drives as a covert C2 channel: it creates hidden folders named $RECYCLE.BIN (the name of the legitimate Windows recycle-bin folder) on the drive and uses them to carry encrypted commands inward and exfiltrated data outward as the drive moves between the connected and the isolated network.
  • VIRUSTASK – Propagates the infection by replacing legitimate files on the removable media with malicious shortcuts of the same name; when a user on the isolated side opens one, its shellcode executes.

Later stages deploy:

  • FOOTWINE – A surveillance backdoor (disguised as an Android APK) with capabilities for keylogging, screenshots, audio/video capture, and remote shell access.
  • BLUELIGHT – A previously documented backdoor leveraging cloud storage for C2 communications.

Impact and Significance

The campaign highlights APT37’s refined tactics, combining:

  • LNK-based social engineering
  • In-memory shellcode execution
  • Cloud infrastructure abuse
  • USB-driven lateral movement

Taken together, the toolkit is a complete framework for breaching air-gapped systems, posing a severe threat to the government entities, journalists, and organizations that the report identifies as APT37's targets. The use of legitimate platforms (Zoho WorkDrive for C2, a stock Ruby runtime as the execution environment) and the preference for in-memory execution leave few forensic artifacts and complicate detection.

Key indicators include unexpected Ruby runtime installations (particularly outside standard program directories), hidden $RECYCLE.BIN directories on USB drives whose contents do not match a real recycle bin, and scheduled tasks that launch usbspeed.exe or a Ruby interpreter. The campaign underscores the growing sophistication of state-aligned threat actors in targeting high-security environments.
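As an added example (not code from the article, from Mandiant, or from the source report), the following Python script turns the three indicator classes above into an offline triage check: it walks a directory tree standing in for a mounted removable drive and parses an exported Task Scheduler XML. The sample file names, the SID, and the task definition are constructed data; the "shadowing shortcut" heuristic, the recycle-bin layout rules, and the list of trusted program paths are assumptions of this example rather than detection logic published with the campaign.

```python
"""Offline triage for the Ruby Jumper indicators (added example, constructed data).

1. VIRUSTASK pattern: a .lnk that shadows a document no longer on the drive
   ('Q3_budget.xlsx.lnk' with no 'Q3_budget.xlsx').
2. THUMBSBD pattern: a $RECYCLE.BIN holding content a real recycle bin never
   has (loose files other than desktop.ini, non-SID subfolders, entries under a
   SID folder not named $I*/$R*).
3. SNAKEDROPPER persistence: a task action running ruby/usbspeed from outside
   trusted system directories (trusted-path list is an assumption here).
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SID_DIR = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")
SUSPICIOUS_BINARIES = {"ruby.exe", "rubyw.exe", "usbspeed.exe"}   # names from the write-up
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\system32")  # assumption
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def find_shadowing_lnks(root: Path) -> list[str]:
    """Shortcuts whose name minus '.lnk' still carries a document extension
    while the original file is missing: the file-replacement pattern."""
    hits = []
    for lnk in root.rglob("*"):
        if lnk.suffix.lower() != ".lnk":
            continue
        original = lnk.with_suffix("")            # 'x.xlsx.lnk' -> 'x.xlsx'
        if original.suffix and not original.exists():
            hits.append(lnk.relative_to(root).as_posix())
    return sorted(hits)


def find_recycle_bin_anomalies(root: Path) -> list[str]:
    """Entries inside any $RECYCLE.BIN that do not fit the real layout."""
    hits = []
    for bin_dir in root.rglob("$RECYCLE.BIN"):
        if not bin_dir.is_dir():
            continue
        for entry in bin_dir.rglob("*"):
            rel = entry.relative_to(bin_dir)
            top = rel.parts[0]
            if len(rel.parts) == 1:               # directly under $RECYCLE.BIN
                ok = bool(SID_DIR.match(top)) if entry.is_dir() else entry.name.lower() == "desktop.ini"
            else:                                 # inside a per-SID folder: only $I/$R records
                ok = bool(SID_DIR.match(top)) and rel.parts[1].startswith(("$I", "$R"))
            if not ok:
                hits.append(rel.as_posix())
    return sorted(hits)


def find_suspicious_task_actions(task_xml: str) -> list[str]:
    """Exec actions launching a Ruby interpreter or usbspeed.exe from an untrusted path."""
    hits = []
    for exec_el in ET.fromstring(task_xml).findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        low = cmd.lower()
        binary = os.path.basename(low.replace("\\", "/"))
        if binary in SUSPICIOUS_BINARIES and not low.startswith(TRUSTED_PREFIXES):
            hits.append(f"{cmd} {args}".strip())
    return hits


# Constructed task export: one benign action, one Ruby launch from a user-writable path.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\cmd.exe</Command><Arguments>/c echo ok</Arguments></Exec>
    <Exec><Command>C:\Users\Public\Ruby33\bin\rubyw.exe</Command>
          <Arguments>C:\Users\Public\Ruby33\lib\ruby\3.3.0\hooked.rb</Arguments></Exec>
  </Actions>
</Task>"""


def build_sample_drive() -> Path:
    """Constructed stand-in for a mounted USB drive (temp directory)."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "notes.txt").write_text("meeting notes")
    (root / "Q3_budget.xlsx.lnk").write_bytes(b"L\x00\x00\x00")   # document gone, LNK remains
    (root / "Photos.lnk").write_bytes(b"L\x00\x00\x00")           # ordinary shortcut, not flagged
    drop = root / "$RECYCLE.BIN"
    drop.mkdir()
    (drop / "desktop.ini").write_text("[.ShellClassInfo]")
    (drop / "cmd_01.bin").write_bytes(b"\x00" * 16)                # loose blob: drop-point artifact
    sid = drop / "S-1-5-21-1111-2222-3333-1001"
    sid.mkdir()
    (sid / "$I1A2B3C.txt").write_bytes(b"\x01")                   # legitimate recycle record
    (sid / "out.dat").write_bytes(b"\x02")                        # not a $I/$R record
    return root


def triage(root: Path, task_xml: str) -> dict:
    return {
        "shadowing_lnks": find_shadowing_lnks(root),
        "recycle_bin_anomalies": find_recycle_bin_anomalies(root),
        "suspicious_tasks": find_suspicious_task_actions(task_xml),
    }


if __name__ == "__main__":
    for key, items in triage(build_sample_drive(), SAMPLE_TASK_XML).items():
        print(f"{key}: {items}")
```

A $RECYCLE.BIN folder is normal on an NTFS volume, so the check flags only contents a real recycle bin would not hold rather than the folder itself; user-made double-extension shortcuts will also trip the LNK heuristic. Treat hits as triage leads to be confirmed by inspecting the LNK target and hashing the Ruby runtime's library files against a clean 3.3.0 install.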

Source: https://cyberpress.org/apt37-air-gap-breach-campaign/

Mandiant (part of Google Cloud) cybersecurity rating report: https://www.rankiteo.com/company/mandiant

"id": "MAN1772447486",
"linkid": "mandiant",
"type": "Cyber Attack",
"date": "12/2025",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
{'affected_entities': [{'industry': ['Government', 'Media', 'Defense'],
                        'type': ['Government entities',
                                 'Journalists',
                                 'Organizations aligned with DPRK interests']}],
 'attack_vector': ['Malicious LNK file',
                   'Removable media (USB drives)',
                   'Cloud-based C2 (Zoho WorkDrive)'],
 'data_breach': {'data_exfiltration': 'Yes (via USB drives and cloud-based C2)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Keylogging data',
                                              'Screenshots',
                                              'Audio/Video recordings',
                                              'Remote shell access logs']},
 'date_detected': '2025-12',
 'description': 'In December 2025, cybersecurity researchers uncovered a '
                'sophisticated cyber-espionage campaign by APT37 (also known '
                "as ScarCruft, Ruby Sleet, and Velvet Chollima). Dubbed 'Ruby "
                "Jumper,' the operation introduces a new malware toolkit "
                'designed to infiltrate air-gapped environments via removable '
                'media, marking a significant evolution in the group’s '
                'tactics. The campaign begins with a malicious Windows '
                'shortcut (LNK) file, triggering a multi-stage infection '
                'process involving cloud-based C2 abuse (Zoho WorkDrive), '
                'in-memory payload deployment, and lateral movement into '
                'isolated networks using USB drives. The toolkit includes '
                'RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and '
                'BLUELIGHT, enabling surveillance, data exfiltration, and '
                'persistence in high-security environments.',
 'impact': {'data_compromised': 'Sensitive surveillance data (keylogging, '
                                'screenshots, audio/video capture), remote '
                                'shell access',
            'operational_impact': 'Compromised high-security environments, '
                                  'potential data exfiltration from isolated '
                                  'networks',
            'systems_affected': ['Air-gapped networks',
                                 'Windows systems with removable media']},
 'initial_access_broker': {'backdoors_established': ['RESTLEAF',
                                                     'THUMBSBD',
                                                     'FOOTWINE',
                                                     'BLUELIGHT'],
                           'entry_point': 'Malicious LNK file',
                           'high_value_targets': ['Air-gapped networks',
                                                  'Government entities',
                                                  'Journalists']},
 'lessons_learned': 'The campaign highlights the growing sophistication of '
                    'state-aligned threat actors in targeting high-security '
                    'environments, including air-gapped networks. The use of '
                    'legitimate platforms (Zoho WorkDrive, Ruby runtime) and '
                    'minimal forensic artifacts complicates detection. '
                    'Organizations should monitor for unusual Ruby '
                    'installations, hidden directories on USB drives, and '
                    'suspicious scheduled tasks.',
 'motivation': 'Cyber Espionage',
 'post_incident_analysis': {'corrective_actions': ['Implement strict removable '
                                                   'media policies',
                                                   'Monitor for unusual cloud '
                                                   'service usage',
                                                   'Enhance detection for '
                                                   'in-memory malware '
                                                   'execution',
                                                   'Conduct regular security '
                                                   'training for high-risk '
                                                   'targets'],
                            'root_causes': ['Use of malicious LNK files for '
                                            'initial access',
                                            'Abuse of legitimate cloud '
                                            'platforms (Zoho WorkDrive) for C2',
                                            'Lateral movement via removable '
                                            'media (USB drives)',
                                            'In-memory payload execution to '
                                            'evade detection']},
 'recommendations': ['Enhance monitoring for unusual Ruby runtime '
                     'installations and scheduled tasks.',
                     'Implement strict controls on removable media usage in '
                     'air-gapped environments.',
                     'Monitor for hidden directories (e.g., $RECYCLE.BIN) on '
                     'USB drives.',
                     'Deploy advanced threat detection for in-memory payloads '
                     'and cloud-based C2 abuse.',
                     'Conduct regular security audits of high-security '
                     'networks.'],
 'references': [{'source': 'Cybersecurity Research Report'}],
 'threat_actor': 'APT37 (ScarCruft, Ruby Sleet, Velvet Chollima)',
 'title': "APT37’s 'Ruby Jumper' Campaign Targets Air-Gapped Networks with "
          'Novel Malware Toolkit',
 'type': 'Cyber Espionage'}