
APT37 Strikes Again: Advanced Malware Penetrates Air-Gapped Networks


North Korean APT37 Hackers Deploy New Malware to Breach Air-Gapped Networks

In a recent development, North Korean hackers belonging to the state-backed group APT37, also known as ScarCruft, Ricochet Chollima, and InkySquid, have been identified deploying a new set of tools to transfer data between internet-connected and air-gapped systems. The campaign, dubbed Ruby Jumper, involves the use of malicious tools to conduct covert surveillance and move data via removable drives.

Air-gapped networks, commonly found in critical infrastructure, military, and research sectors, are physically disconnected from external networks like the public internet. This isolation is achieved through a combination of hardware-level disconnection and software-defined controls, such as VLANs and firewalls.

Researchers at cloud security company Zscaler conducted an analysis of the malware used in the Ruby Jumper campaign and identified a toolkit comprising five malicious tools: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE.

Understanding the Attack Chain

The attack chain begins with the victim opening a malicious Windows shortcut file (LNK), triggering the deployment of a PowerShell script that extracts payloads embedded in the LNK file. The script also launches a decoy document to divert attention. Notably, this decoy document is an Arabic translation of a North Korean newspaper article on the Palestine-Israel conflict.

Subsequently, the PowerShell script loads the first malware component, RESTLEAF, which acts as an implant communicating with APT37’s command-and-control (C2) infrastructure via Zoho WorkDrive. RESTLEAF fetches encrypted shellcode from the C2 to download the next-stage payload, SNAKEDROPPER, a Ruby-based loader disguised as a legitimate USB utility named usbspeed.exe.

SNAKEDROPPER is executed by replacing the RubyGems default file operating_system.rb with a maliciously modified version that automatically loads when the Ruby interpreter starts. The attack progresses with the installation of the Ruby 3.3.0 runtime environment and the deployment of THUMBSBD and VIRUSTASK malware components.


THUMBSBD, a backdoor malware, is responsible for collecting system information, staging command files, and preparing data for exfiltration. It creates hidden directories on USB drives and turns removable storage devices into a covert command-and-control relay, enabling the threat actor to deliver commands to air-gapped systems and extract data from them.


Figure: ThumbSBD execution flow (source: Zscaler)

VIRUSTASK, on the other hand, aims to propagate the infection to new air-gapped machines by weaponizing removable drives. It hides legitimate files and replaces them with malicious shortcuts that trigger the embedded Ruby interpreter upon opening.
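The two removable-drive behaviours described above (THUMBSBD's hidden staging directories and VIRUSTASK's hidden originals shadowed by same-named shortcuts) can be checked for from the defender's side with a simple drive inspection. The following is an added example, not code from Zscaler's report or from the campaign: Entry, list_entries and find_suspicious are names chosen here, and treating the Windows HIDDEN attribute (or a leading dot elsewhere) as "hidden" is an assumption.

```python
import os
import sys
from dataclasses import dataclass

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit, as defined in winnt.h


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    hidden: bool


def list_entries(root):
    """Build Entry records for the top level of a drive or folder.
    Assumption: 'hidden' means the Windows HIDDEN attribute, or a
    leading dot on non-Windows platforms."""
    out = []
    for e in os.scandir(root):
        st = e.stat(follow_symlinks=False)
        attrs = getattr(st, "st_file_attributes", 0)
        if sys.platform == "win32":
            hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN)
        else:
            hidden = e.name.startswith(".")
        out.append(Entry(e.name, e.is_dir(follow_symlinks=False), hidden))
    return out


def find_suspicious(entries):
    """Return (reason, name) findings. A hidden item with a visible .lnk
    twin (e.g. 'budget.xlsx' hidden next to 'budget.xlsx.lnk' or
    'budget.lnk') is the decoy pattern; a hidden directory with no twin is
    reported at lower confidence as a possible staging area."""
    lnk_bases = {e.name[:-4].lower() for e in entries
                 if not e.is_dir and not e.hidden and e.name.lower().endswith(".lnk")}
    findings = []
    for e in entries:
        if e.name.lower().endswith(".lnk") or not e.hidden:
            continue
        full = e.name.lower()
        stem = os.path.splitext(e.name)[0].lower()
        if full in lnk_bases or stem in lnk_bases:
            findings.append(("hidden item shadowed by shortcut", e.name))
        elif e.is_dir:
            findings.append(("hidden directory (possible staging area)", e.name))
    return findings


if __name__ == "__main__":
    for reason, name in find_suspicious(list_entries(sys.argv[1])):
        print(f"{reason}: {name}")
```

Run it against a mounted removable drive's root (for example `python scan.py E:\`); the sample test below uses constructed entries rather than a real drive.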

Additionally, THUMBSBD delivers FOOTWINE, a Windows spyware backdoor disguised as an Android package file (APK) capable of keylogging, screenshot capture, audio and video recording, file manipulation, registry access, and remote shell commands. Another observed malware in the campaign is BLUELIGHT, a comprehensive backdoor previously linked to the North Korean threat group.

Zscaler attributes the Ruby Jumper campaign to APT37 based on indicators such as the use of BLUELIGHT malware, LNK files as the initial vector, two-stage shellcode delivery technique, and typical C2 infrastructure associated with this threat actor. The researchers also highlight the target’s interest in North Korean media narratives, aligning with the victim profile of APT37.

Conclusion

The Ruby Jumper campaign underscores the evolving tactics employed by threat actors to breach air-gapped networks and conduct covert surveillance. By leveraging removable drives as an intermediary transport layer, APT37 has successfully bridged otherwise isolated network segments, highlighting the persistent threat posed by sophisticated cyber adversaries.
