Ethical Hacking News

APT37 Hackers Unleash Sophisticated Malware Campaign to Breach Air-Gapped Networks



APT37 hackers have deployed a sophisticated new malware campaign aimed at breaching air-gapped networks using removable storage drives as an intermediary transport layer. The "Ruby Jumper" campaign utilizes a toolkit of five malicious tools, including RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE. The attack demonstrates a significant level of sophistication and highlights the importance of maintaining robust cybersecurity measures to counter state-sponsored cyberattacks.

  • APT37 has launched a new malware campaign called "Ruby Jumper" aimed at breaching air-gapped networks.
  • The campaign uses a toolkit of five malicious tools: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE.
  • The malware utilizes removable storage drives as an intermediary transport layer to bridge air-gapped network segments.
  • The infection chain begins with a malicious Windows shortcut file (LNK) that deploys a PowerShell script.
  • The campaign features a two-stage shellcode delivery technique and communication with APT37's command-and-control (C2) infrastructure using Zoho WorkDrive.



    APT37, a state-backed group known for its sophisticated cyberattacks, has recently deployed a new malware campaign aimed at breaching air-gapped networks. The malicious activity, dubbed "Ruby Jumper," leverages a toolkit of five malicious tools: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE.

    The Ruby Jumper campaign utilizes removable storage drives as an intermediary transport layer to bridge air-gapped network segments. This allows the threat actor to deliver commands to air-gapped systems as well as extract data from them. The malware is designed to be highly sophisticated, utilizing a two-stage shellcode delivery technique and communication with APT37's command-and-control (C2) infrastructure using Zoho WorkDrive.

    The infection chain begins when the victim opens a malicious Windows shortcut file (LNK), which deploys a PowerShell script that extracts payloads embedded in the LNK file. The script also launches a decoy document to divert attention, and then loads the first malware component, called RESTLEAF, an implant that communicates with APT37's C2 infrastructure.

    RESTLEAF fetches encrypted shellcode from the C2 to download the next-stage payload, a Ruby-based loader named SNAKEDROPPER. The attack continues by installing the Ruby 3.3.0 runtime environment, disguised as a legitimate USB-related utility named usbspeed.exe. The malware then primes SNAKEDROPPER for execution by replacing the RubyGems default file operating_system.rb with a maliciously modified version that is loaded automatically whenever the Ruby interpreter starts.

    The THUMBSBD backdoor is downloaded as a Ruby file named ascii.rb, while the VIRUSTASK malware is delivered as the file bundler_index_client.rb. The role of THUMBSBD is to collect system information, stage command files, and prepare data for exfiltration, effectively turning removable storage devices "into a bidirectional covert C2 relay."

    VIRUSTASK's role is to spread the infection to new air-gapped machines by weaponizing removable drives, hiding legitimate files, and replacing them with malicious shortcuts that execute the embedded Ruby interpreter when opened. The module will only trigger an infection process if the inserted removable media has at least 2GB of free space.
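    The USB-weaponization pattern described above (legitimate files set hidden and shadowed by same-named shortcuts, alongside a dropped Ruby runtime) is something a defender can triage on a removable drive before it is mounted on an isolated host. The following is an added example written for this article, not code from Zscaler or the original report; the flagged file names come from the article, while the sample listing, the directory layout and the "any hit is suspicious" verdict are constructed assumptions.

```python
"""Heuristic triage of a removable drive for the RubyJumper USB pattern."""
import os
import stat
import sys
from pathlib import PurePath

# File names the article attributes to the campaign's Ruby tooling.
KNOWN_NAMES = {"usbspeed.exe", "operating_system.rb", "ascii.rb", "bundler_index_client.rb"}


def scan_entries(entries):
    """Triage an iterable of (relative_path, is_hidden) pairs.

    Returns {"shadowed": [(hidden_original, visible_lnk), ...],
             "known_names": [path, ...], "suspicious": bool}.
    """
    by_dir = {}
    for rel, is_hidden in entries:
        p = PurePath(rel)
        by_dir.setdefault(str(p.parent), []).append((p.name, is_hidden))

    shadowed, known = [], []
    for parent, names in by_dir.items():
        # visible shortcuts in this directory, keyed by name without ".lnk"
        lnks = {n.lower()[:-4]: n for n, h in names if n.lower().endswith(".lnk") and not h}
        for n, h in names:
            low = n.lower()
            if low in KNOWN_NAMES:
                known.append(str(PurePath(parent, n)))
            if h and not low.endswith(".lnk"):
                # shortcut may be "Report.docx.lnk" or "Report.lnk"
                twin = lnks.get(low) or lnks.get(PurePath(low).stem)
                if twin:
                    shadowed.append((str(PurePath(parent, n)), str(PurePath(parent, twin))))
    # Assumption: a single shadowed pair or a single known name is enough to flag.
    return {"shadowed": shadowed, "known_names": known, "suspicious": bool(known or shadowed)}


def walk_drive(root):
    """Yield (relative_path, is_hidden) for every file under root.
    Hidden = NTFS hidden attribute on Windows, leading dot elsewhere."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            try:
                attrs = getattr(os.lstat(full), "st_file_attributes", 0)
            except OSError:
                continue
            yield os.path.relpath(full, root), bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or f.startswith(".")


# Constructed sample listing standing in for a weaponized drive (not real data).
SAMPLE_LISTING = [
    ("Report_Q3.docx", True), ("Report_Q3.docx.lnk", False),   # original hidden, shortcut visible
    ("photos/trip.jpg", True), ("photos/trip.lnk", False),
    ("readme.txt", False),                                      # untouched file
    ("usbtools/usbspeed.exe", False),                           # disguised Ruby runtime
    ("usbtools/lib/ruby/3.3.0/rubygems/defaults/operating_system.rb", False),
]

if __name__ == "__main__":
    source = walk_drive(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    print(scan_entries(source))
```

Run with a mount point as the only argument to scan a real drive; without arguments it evaluates the constructed listing.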

    Another piece of malware observed in APT37's RubyJumper campaign is BLUELIGHT, a full-fledged backdoor previously associated with this North Korean threat group. Zscaler reports high confidence in attributing the RubyJumper campaign to APT37 based on several indicators: the use of BLUELIGHT malware, an initial vector relying on LNK files, the two-stage shellcode delivery technique, and C2 infrastructure typically observed in attacks from this actor.

    The researchers also note that the decoy document indicates that the target of the RubyJumper activity is interested in North Korean media narratives, which aligns with the victim profile of this threat group. The attack demonstrates a significant level of sophistication, showcasing APT37's continued efforts to develop and deploy highly effective malware campaigns aimed at breaching even the most secure air-gapped networks.

    The discovery of the Ruby Jumper campaign highlights the evolving nature of state-sponsored cyberattacks and the importance of maintaining robust cybersecurity measures to counter these threats. As threat actors continue to adapt and innovate, it is essential for organizations to stay vigilant and implement effective security protocols to prevent similar breaches in the future.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Apt37-Hackers-Unleash-Sophisticated-Malware-Campaign-to-Breach-Air-Gapped-Networks-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/
  • https://cybersecuritynews.com/north-korean-apt37-hackers-leverages-novel-malware/
  • https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks
  • https://www.infosecurity-magazine.com/news/north-korea-apt37-expands-toolkit/
  • https://simplysecuregroup.com/north-korean-apt37-hackers-leverages-novel-malware-to-infect-airgapped-systems/
  • https://www.virustotal.com/
  • https://www.malwarefox.com/identify-malware-in-task-manager/
  • https://attack.mitre.org/software/S0657/
  • https://malpedia.caad.fkie.fraunhofer.de/details/win.bluelight
  • https://www.threatintelreport.com/2026/02/26/articles/apt37-ruby-jumper-campaign-bridges-air-gapped-networks-using-usb-and-a-portable-ruby-runtime/
  • https://securityboulevard.com/2025/09/apt37-targets-windows-with-rust-backdoor-and-python-loader/
  • https://arxiv.org/html/2409.11415v1
  • https://attack.mitre.org/groups/


    Published: Fri Feb 27 14:48:23 2026 by llama3.2 3B Q4_K_M