A state-backed North Korean hacking group has been caught deploying a previously undocumented malware toolkit designed to infiltrate air-gapped systems and move data between isolated and internet-connected networks. The campaign, dubbed ‘Ruby Jumper,’ has been attributed to APT37 aka ScarCruft, Ricochet Chollima, and InkySquid.
Air-gapped computers, commonly used in military, research, and critical infrastructure environments, are physically or logically isolated from external networks to prevent cyber intrusions. Data transfers in such environments typically rely on removable storage devices.
According to Zscaler researchers, the Ruby Jumper campaign involves five key malicious components called RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE.
The infection chain is triggered when a victim opens a malicious Windows shortcut (LNK) file, launching a PowerShell script that extracts hidden payloads while simultaneously displaying a decoy document purporting to be an Arabic translation of a North Korean newspaper article discussing the Palestine-Israel conflict.
The first-stage implant called RESTLEAF communicates with the attackers’ command-and-control (C&C) infrastructure via Zoho WorkDrive. It retrieves encrypted shellcode that downloads the next-stage payload, which is the Ruby-based loader named SNAKEDROPPER.
Attackers install the Ruby 3.3.0 runtime environment disguised as a legitimate USB utility named usbspeed.exe to execute the malware. SNAKEDROPPER ensures persistence by modifying Ruby’s default operating_system.rb file so the malicious code automatically loads whenever the interpreter runs. A scheduled task named rubyupdatecheck executes every five minutes to maintain control.
Next, the THUMBSBD backdoor collects system information, stages command files, and prepares data for exfiltration. It creates hidden directories on detected USB drives and copies files into them, transforming removable media into a bidirectional covert command-and-control relay. This allows attackers to deliver commands into air-gapped environments and extract sensitive data.
An implant called VIRUSTASK facilitates lateral propagation by weaponizing removable drives. It hides legitimate files and replaces them with malicious shortcuts that execute the embedded Ruby interpreter when opened. The infection process only activates if the inserted drive has at least 2GB of free space, a likely attempt to avoid detection on smaller devices.
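The removable-media traits described in the two paragraphs above (legitimate files hidden and replaced by same-name shortcuts, hidden directories used as a staging relay) and the rubyupdatecheck scheduled task that runs the renamed Ruby runtime are concrete artifacts a responder can look for. The following Python is an added triage example written for this article, not Zscaler's tooling and not the malware's own code. The drive listing and the task export it runs on are constructed sample data; the record types and function names (DriveEntry, ScheduledTask, triage_drive, suspicious_tasks) are assumptions, and the BENIGN_HIDDEN_DIRS allowlist is a minimal illustrative one that a real deployment would extend.

```python
"""Triage helpers for two Ruby Jumper traits reported above: removable-drive
shortcut decoys and hidden staging directories (THUMBSBD/VIRUSTASK), and the
five-minute scheduled task that runs the disguised Ruby runtime (SNAKEDROPPER).
Inputs are plain records so the logic runs offline; the sample data at the
bottom is constructed for illustration and is not from the Zscaler report."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Hidden directories that are normal on removable media formatted by Windows.
BENIGN_HIDDEN_DIRS = {"system volume information", "$recycle.bin"}
# Names taken from the write-up: the persistence task and the renamed Ruby runtime.
REPORTED_TASK_NAME = "rubyupdatecheck"
REPORTED_RUNTIME_NAME = "usbspeed.exe"


@dataclass(frozen=True)
class DriveEntry:
    """One top-level item on a removable drive, as a directory listing reports it."""
    name: str
    hidden: bool
    is_dir: bool = False


@dataclass(frozen=True)
class ScheduledTask:
    """A scheduled task as exported from Task Scheduler: name, repeat interval, action."""
    name: str
    interval_minutes: int
    command: str


def triage_drive(entries):
    """Flag the VIRUSTASK pattern (a hidden original beside a visible same-name .lnk)
    and hidden directories that could be THUMBSBD staging areas."""
    lnk_stems = {
        PureWindowsPath(e.name).stem.lower()
        for e in entries
        if not e.hidden and e.name.lower().endswith(".lnk")
    }
    # Match both "report.docx" + "report.docx.lnk" and "report.docx" + "report.lnk".
    decoys = sorted(
        e.name for e in entries
        if e.hidden
        and (e.name.lower() in lnk_stems
             or PureWindowsPath(e.name).stem.lower() in lnk_stems)
    )
    hidden_dirs = sorted(
        e.name for e in entries
        if e.hidden and e.is_dir and e.name.lower() not in BENIGN_HIDDEN_DIRS
    )
    return {"lnk_decoys": decoys, "hidden_dirs": hidden_dirs}


def _executable_name(command):
    """Return the lower-cased basename of the program a task action launches,
    honouring a quoted program path."""
    command = command.strip()
    if command.startswith('"'):
        program = command[1:].split('"', 1)[0]
    else:
        program = command.split()[0] if command else ""
    return PureWindowsPath(program).name.lower()


def suspicious_tasks(tasks):
    """Return {task name: [reasons]} for tasks matching the reported persistence traits."""
    findings = {}
    for task in tasks:
        reasons = []
        if task.name.lower() == REPORTED_TASK_NAME:
            reasons.append("task name matches the reported persistence task")
        if _executable_name(task.command) == REPORTED_RUNTIME_NAME:
            reasons.append("runs usbspeed.exe, the name reported for the disguised Ruby runtime")
        # A short repeat interval is common for benign tasks, so it is only
        # reported as supporting detail next to a stronger signal.
        if reasons and task.interval_minutes <= 5:
            reasons.append(f"repeats every {task.interval_minutes} minutes")
        if reasons:
            findings[task.name] = reasons
    return findings


SAMPLE_DRIVE = [  # constructed listing of a removable drive's root
    DriveEntry("Q3-budget.xlsx", hidden=True),
    DriveEntry("Q3-budget.xlsx.lnk", hidden=False),
    DriveEntry("photos", hidden=True, is_dir=True),
    DriveEntry("photos.lnk", hidden=False),
    DriveEntry("readme.txt", hidden=False),
    DriveEntry("System Volume Information", hidden=True, is_dir=True),
    DriveEntry(".relay", hidden=True, is_dir=True),
]

SAMPLE_TASKS = [  # constructed Task Scheduler export
    ScheduledTask("rubyupdatecheck", 5, r"C:\Users\Public\usbspeed.exe -e load"),
    ScheduledTask("Nightly backup", 1440, r"C:\Tools\backup.exe --full"),
    ScheduledTask("Adobe Acrobat Update Task", 60,
                  r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"'),
]

if __name__ == "__main__":
    print(triage_drive(SAMPLE_DRIVE))
    print(suspicious_tasks(SAMPLE_TASKS))
```

On a real host the drive listing would come from `dir /a` or `Get-ChildItem -Force` (the hidden attribute is what matters, so a listing that omits hidden items is useless here) and the task records from `schtasks /query /v /fo csv`. The shortcut check deliberately keys on the pairing of a hidden original with a visible .lnk rather than on any one filename, since the decoy names follow whatever documents the victim had on the drive.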
The THUMBSBD component also deploys FOOTWINE, a Windows spyware disguised as an Android APK file. The spyware supports keylogging, screenshot capture, audio and video recording, file manipulation, registry access, and remote shell execution. Researchers additionally observed BLUELIGHT, a previously documented backdoor linked to APT37.
Zscaler attributes Ruby Jumper to APT37 based on the use of BLUELIGHT, the LNK-based infection vector, a two-stage shellcode delivery method, and C&C infrastructure consistent with the group’s past operations. Furthermore, the decoy document’s focus on North Korean media narratives suggests that the campaign may target individuals or organizations with an interest in North Korean geopolitical messaging, aligning with APT37’s historical victim profile.