Ethical Hacking News
A new set of malicious tools and tactics attributed to ScarCruft, known as "Ruby Jumper," has been discovered by Zscaler ThreatLabz. The campaign involves the deployment of various malware families to facilitate surveillance on a victim's system. One of the payloads, THUMBSBD, uses removable media to relay commands and transfer data between internet-connected and air-gapped systems.
ScarCruft, a North Korean threat actor, has deployed malicious tools and tactics called "Ruby Jumper" to facilitate surveillance on systems.
The campaign uses various malware families, including RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT.
The Ruby Jumper campaign involves deploying a malicious LNK file that launches a PowerShell command and scans for itself based on file size.
SNAKEDROPPER installs the Ruby runtime, sets up persistence using a scheduled task, and drops THUMBSBD and VIRUSTASK.
THUMBSBD uses removable media to relay commands and transfer data between internet-connected and air-gapped systems.
The campaign demonstrates ScarCruft's ability to weaponize legitimate cloud providers to execute malicious commands and transfer data.
ScarCruft, a known North Korean threat actor, has been linked to a new set of malicious tools and tactics, codenamed "Ruby Jumper" by Zscaler ThreatLabz. This campaign involves the deployment of various malware families, including RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT, to facilitate surveillance on a victim's system.
The Ruby Jumper campaign begins with the deployment of a malicious LNK file that launches a PowerShell command and scans the current directory for itself based on file size. The PowerShell script then carves multiple embedded payloads from fixed offsets within the LNK file, including a decoy document, an executable payload, another PowerShell script, and a batch file.
One of the lure documents used in the campaign displays an article about the Palestine-Israel conflict that's translated from a North Korean newspaper into Arabic. The remaining three payloads are then progressively used to move the attack to the next stage, with the batch script launching PowerShell, which is responsible for loading shellcode containing the payload after decrypting it.
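As an added defender-side example (not code from the article or from Zscaler), the following Python script triages a .lnk file in light of the carve-from-fixed-offsets stage described above: it validates the Shell Link header, then looks past it for an embedded PE image and for strings typical of the decoy document, PowerShell command and batch file the campaign bundles. The size threshold, marker strings and the sample shortcut it builds are constructed assumptions for illustration, not values from the report.

```python
import struct
# Shell Link header: HeaderSize 0x4C, then LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk byte order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SIZE_THRESHOLD = 512 * 1024  # constructed heuristic: genuine shortcuts are a few KB at most
# Byte patterns typical of the carved payloads and decoys the article describes (assumed, not from the report).
STRING_MARKERS = {"powershell": b"powershell", "encoded_command": b"-enc", "batch_script": b"@echo off",
                  "pdf_decoy": b"%PDF-", "ole_decoy": b"\xd0\xcf\x11\xe0"}  # last one: OLE2 (legacy Office)

def is_lnk(data: bytes) -> bool:
    # A genuine Shell Link always starts with HeaderSize 0x4C and the fixed CLSID.
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)

def find_embedded_pe(data: bytes, start: int = LNK_HEADER_SIZE):
    # Offset of an MZ stub whose e_lfanew points at a "PE\0\0" signature, else None.
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None

def triage_lnk(data: bytes) -> dict:
    # Flag a shortcut that looks like a carrier for payloads carved from fixed offsets.
    report = {"is_lnk": is_lnk(data), "size": len(data), "findings": {}, "suspicious": False}
    if not report["is_lnk"]:
        return report
    pe_off = find_embedded_pe(data)
    if pe_off is not None:
        report["findings"]["embedded_pe"] = pe_off
    for name, pattern in STRING_MARKERS.items():
        off = data.find(pattern, LNK_HEADER_SIZE)
        if off != -1:
            report["findings"][name] = off
    f = report["findings"]
    report["suspicious"] = report["size"] > SIZE_THRESHOLD or "embedded_pe" in f or ("powershell" in f and len(f) > 1)
    return report

def build_sample_lnk(with_payloads: bool) -> bytes:
    # Constructed input: a minimal LNK header plus, optionally, carved-in payload markers.
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)
    clean = header + b"C:\\Windows\\System32\\notepad.exe\x00"
    if not with_payloads:
        return clean
    fake_pe = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80) + b"\x00" * 0x40 + b"PE\x00\x00"
    return clean + b"\x00" * 64 + b"%PDF-1.4 decoy\n" + fake_pe + b"powershell -enc QQBB\r\n@echo off\r\n"
```

Run `triage_lnk(open(path, "rb").read())` over shortcuts harvested from mail attachments or user profiles; a hit on `embedded_pe` or on an oversized file is a strong lead, while the string markers alone only justify a closer look.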
The Windows executable payload, named RESTLEAF, is spawned in memory and uses Zoho WorkDrive for command-and-control (C2) communications to fetch more payloads. Once authenticated with the Zoho WorkDrive infrastructure by means of a valid access token, RESTLEAF downloads shellcode, which is then executed via process injection, eventually leading to the deployment of SNAKEDROPPER.
SNAKEDROPPER installs the Ruby runtime, sets up persistence using a scheduled task, and drops THUMBSBD and VIRUSTASK. THUMBSBD, disguised as a Ruby file, uses removable media to relay commands and transfer data between internet-connected and air-gapped systems. It's capable of harvesting system information, downloading a secondary payload from a remote server, exfiltrating files, and executing arbitrary commands.
If the presence of any removable media is detected, THUMBSBD creates a hidden folder and uses it to stage operator-issued commands or store execution output. One of the payloads delivered by THUMBSBD is FOOTWINE, an encrypted payload with an integrated shellcode launcher that comes fitted with keylogging and audio and video capturing capabilities to conduct surveillance.
FOOTWINE communicates with a C2 server using a custom binary protocol over TCP. The complete set of commands supported by the malware includes functions for harvesting system information, downloading secondary payloads, exfiltrating files, executing arbitrary commands, and more.
The Ruby Jumper campaign demonstrates the threat actor's ability to weaponize legitimate cloud providers, including Google Drive, Microsoft OneDrive, pCloud, and BackBlaze, to execute malicious commands and transfer data.
Furthermore, the use of removable media by THUMBSBD highlights the malware's capability to bypass network isolation and infect air-gapped systems. The campaign also shows that ScarCruft is adapting its tactics to exploit vulnerabilities in legitimate cloud services and software applications.
In conclusion, the Ruby Jumper campaign represents a significant threat to organizations with air-gapped systems, as it showcases the ability of ScarCruft to breach these networks using removable media and legitimate cloud providers.
Published: Fri Feb 27 11:01:12 2026 by llama3.2 3B Q4_K_M