Ethical Hacking News

APT37's Ruby Jumper Campaign: A Sophisticated Toolkit for Air-Gapped Network Infiltration




APT37's Ruby Jumper campaign showcases a complex toolkit designed to infiltrate air-gapped networks using cloud storage services and USB implants. The campaign, attributed to North Korea-linked ScarCruft, leverages legitimate cloud providers for covert C2 communications and demonstrates the evolving nature of cyber threats. With its use of multiple malware families and novel tactics, the Ruby Jumper campaign serves as a reminder of the importance of continuous monitoring and security awareness in today's digital landscape.

  • North Korea-linked APT group ScarCruft deployed a sophisticated toolkit in the Ruby Jumper campaign to breach air-gapped networks.
  • The campaign used cloud storage services and USB implants to spread malware, highlighting the evolving nature of cyber threats.
  • Threat actors abused Zoho WorkDrive for command-and-control, collecting sensitive data and exfiltrating files.
  • A backdoor called THUMBSBD was designed to bridge air-gapped networks using removable media, bypassing network isolation.
  • Later-stage payloads included surveillance backdoors with keylogging and audio/video capture capabilities.
  • BLUELIGHT leveraged cloud services for covert C2 communications, delivering functionalities such as executing arbitrary commands and downloading additional payloads.
  • The Ruby Jumper campaign is attributed to APT37 with high confidence by Zscaler, citing matches in past activity.



    North Korea-linked Advanced Persistent Threat (APT) group ScarCruft, also known as APT 37, Reaper, and Group123, has recently deployed a sophisticated toolkit in a campaign dubbed Ruby Jumper. The campaign utilized cloud storage services and USB implants to breach air-gapped networks, highlighting the evolving nature of cyber threats.

    The recent attacks began with malicious LNK files that ran PowerShell and extracted hidden payloads, ultimately loading a backdoor called RESTLEAF in memory. RESTLEAF abused Zoho WorkDrive for command-and-control (C2), authenticating with hardcoded tokens and downloading shellcode for execution via process injection. The shellcode deployed SNAKEDROPPER, which installed a rogue Ruby runtime disguised as a USB utility, established persistence, and dropped additional components.

    Among the components was THUMBSBD, a backdoor designed to bridge air-gapped networks using removable media. THUMBSBD collected system information, staged files for exfiltration, and used hidden folders on USB drives to pass commands and stolen data between isolated systems. A report published by Zscaler revealed that THUMBSBD employed several working directories to stage data for exfiltration and executing backdoor commands.

    As the campaign progressed, VIRUSTASK spread the infection further by replacing files on USB drives with malicious shortcuts, infecting new machines when users clicked them. Later-stage payloads included FOOTWINE, a surveillance backdoor with keylogging and audio/video capture capabilities, and BLUELIGHT, which leveraged cloud services for covert C2 communications.

    BLUELIGHT delivered additional functionalities, including executing arbitrary commands, enumerating the file system, downloading additional payloads, uploading files, and self-removal. The report stated that Zscaler attributes the Ruby Jumper campaign to APT37 with high confidence, citing matches in past activity such as the group's use of LNK-based infection chains combining batch, PowerShell, and encrypted shellcode.

    ScarCruft has been active since at least 2012 and gained notoriety in early February 2018 when researchers revealed that the APT group leveraged a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users. Kaspersky first documented the operations of the group in 2016, with cyber attacks primarily targeting government, defense, military, and media organizations in South Korea.

    The Ruby Jumper campaign involves a multi-stage infection chain that begins with a malicious LNK file and utilizes legitimate cloud services like Zoho WorkDrive, Google Drive, Microsoft OneDrive, etc. to deploy a novel, self-contained Ruby execution environment. Most critically, THUMBSBD and VIRUSTASK weaponize removable media to bypass network isolation and infect air-gapped systems.
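The removable-media behaviour described above (hidden staging folders on USB drives, documents replaced by LNK shortcuts, LNK files that invoke PowerShell) lends itself to a simple triage scan of a drive before it is plugged into an isolated host. The following is an added defender-side example, not Zscaler's detection logic or any code from the report; the heuristics, the extension list and the sample drive layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Constructed heuristics based on the reported behaviour (not Zscaler's rules):
#   1. hidden directories on the volume (relay/staging channel like THUMBSBD's)
#   2. .lnk files posing as documents, e.g. "report.docx.lnk" (VIRUSTASK-style)
#   3. .lnk files whose bytes reference powershell (the reported LNK -> PowerShell chain)
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx", ".hwp", ".txt"}
FILE_ATTRIBUTE_HIDDEN = 0x2
PS_MARKERS = (b"powershell", "powershell".encode("utf-16-le"))  # LNK strings are often UTF-16LE


def is_hidden(path: Path) -> bool:
    """Dot-prefix (POSIX) or the Windows hidden attribute."""
    if path.name.startswith("."):
        return True
    if os.name == "nt":
        try:
            return bool(os.stat(path).st_file_attributes & FILE_ATTRIBUTE_HIDDEN)
        except OSError:
            return False
    return False


def lnk_mentions_powershell(path: Path) -> bool:
    data = path.read_bytes().lower()  # lower() only touches ASCII bytes, so UTF-16LE still matches
    return any(marker in data for marker in PS_MARKERS)


def scan_removable_volume(root) -> list:
    """Walk a mounted volume and return sorted (finding_kind, relative_path) tuples."""
    root, findings = Path(root), []
    for dirpath, dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        findings += [("hidden_dir", (d / n).relative_to(root).as_posix()) for n in dirnames if is_hidden(d / n)]
        for name in (n for n in filenames if n.lower().endswith(".lnk")):
            rel = (d / name).relative_to(root).as_posix()
            if Path(name[:-4]).suffix.lower() in DOC_EXTS:
                findings.append(("doc_lookalike_lnk", rel))
            if lnk_mentions_powershell(d / name):
                findings.append(("powershell_lnk", rel))
    return sorted(findings)


def build_sample_volume() -> str:
    """Constructed sample tree imitating an infected drive (hypothetical content); returns its path."""
    base = Path(tempfile.mkdtemp(prefix="usb_"))
    (base / "Reports").mkdir()
    (base / "Reports" / "Q1 report.docx").write_bytes(b"PK\x03\x04")  # benign document
    (base / "Reports" / "Q2 report.docx.lnk").write_bytes(
        b"L\x00\x00\x00" + "cmd /c PowerShell -w hidden".encode("utf-16-le"))  # lookalike shortcut
    (base / ".staging").mkdir()  # hidden relay folder
    (base / ".staging" / "out.bin").write_bytes(b"\x00" * 16)
    (base / "Tools.lnk").write_bytes(b"L\x00\x00\x00" + "C:\\Tools".encode("utf-16-le"))  # benign shortcut
    return str(base)


if __name__ == "__main__":
    for kind, rel in scan_removable_volume(build_sample_volume()):
        print(f"{kind:20s} {rel}")
```

Run it against a real mount point instead of `build_sample_volume()` to triage a drive; each finding is a lead for manual review, not a verdict.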

    To counter this threat and other campaigns led by APT37, the security community should focus on monitoring endpoint activity and physical access points. The recent attacks highlight the importance of staying vigilant in today's digital landscape, where sophisticated threats can emerge from seemingly unexpected sources.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/APT37s-Ruby-Jumper-Campaign-A-Sophisticated-Toolkit-for-Air-Gapped-Network-Infiltration-ehn.shtml

  • Published: Mon Mar 2 07:56:18 2026 by llama3.2 3B Q4_K_M