North Korean APT37 hackers are using previously undocumented malware to reach air-gapped systems. The Ruby Jumper campaign, uncovered by Zscaler ThreatLabz, shows the group carrying an infection across the physical network separation that organizations rely on to keep their most sensitive data isolated. An air gap has never made a network immune to infection, since removable media has always been a way across it, but this campaign packages that route into a purpose-built toolkit, and it poses a considerable threat to organizations that treat isolation as their primary control.
APT37, also tracked as ScarCruft, Reaper and Ricochet Chollima, is a state-sponsored espionage group with a history of targeting government entities and defense organizations. It has previously relied on the Chinotto malware family. The Ruby Jumper campaign introduces five previously undocumented components, RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK and FOOTWINE, each with a distinct role in a multi-stage chain whose goal is to place surveillance tools on computers that have no internet connectivity at all.
Zscaler ThreatLabz analysts identified the campaign in December 2025 and traced an infection chain that crosses network boundaries. The attack begins with a malicious Windows shortcut (LNK) file. When the victim opens it, the shortcut displays a decoy document while silently dropping and running a sequence of payloads in the background. The decoy concerns the Palestine-Israel conflict and is North Korean media coverage translated into Arabic, which suggests the targets include Arabic-speaking readers of North Korean geopolitical narratives, consistent with the group's known victimology.
How THUMBSBD Bridges the Air Gap
The technical ingenuity of the campaign lies in how it bridges isolated systems. The full chain begins with the LNK file, which leads to RESTLEAF, the first-stage downloader, followed by SNAKEDROPPER for second-stage payload delivery. THUMBSBD and VIRUSTASK perform the critical step of carrying the infection onto air-gapped hosts, and FOOTWINE delivers the final surveillance capabilities. Staging the chain this way lets the malware establish itself on systems that have no direct or indirect internet connectivity.
The campaign's reach is amplified by its use of legitimate cloud services for command-and-control (C2) infrastructure. Zoho WorkDrive, Microsoft OneDrive, Google Drive and pCloud are all abused to carry malicious traffic. Because these are domains most organizations already permit, the C2 traffic blends in with normal business use and rarely triggers conventional network alerts, which lets the operators keep control of compromised systems for long periods.
The most technically notable component is THUMBSBD, a backdoor that turns removable media such as USB drives into a covert command channel. When a USB drive is connected to an infected internet-facing machine, THUMBSBD copies staged command files into a directory named `$RECYCLE.BIN` on the drive. Windows treats that folder as a protected operating-system folder and Explorer hides it by default, so a user browsing the drive never sees the staged files. When the same drive is later inserted into an air-gapped machine running the THUMBSBD implant, the malware reads the hidden files, decodes them with a single-byte XOR key (obfuscation rather than real encryption, so the files are trivially recoverable once the key is known or brute-forced) and executes the operator commands they contain. These commands range from system reconnaissance and data exfiltration to arbitrary code execution.
Complementing THUMBSBD is VIRUSTASK, which spreads the infection. It replaces legitimate files on the removable drive with malicious LNK shortcuts that carry the same filenames, so a user who opens one of these familiar-looking files on another machine unknowingly launches the malware's Ruby-based execution environment and infects that host. SNAKEDROPPER supports this by disguising a full Ruby 3.3.0 runtime as a USB speed utility named `usbspeed.exe`, and it establishes persistence through a scheduled task named `rubyupdatecheck` that runs every five minutes.
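The two USB-side behaviours above (staged files parked under `$RECYCLE.BIN`, single-byte XOR obfuscation, and `.lnk` shortcuts standing in for documents) can be checked for offline on a mounted drive. The script below is an added example for this article, not ThreatLabz tooling: the drive layout it builds, the file names, the command text and the 0x5A key are all constructed, and the real THUMBSBD file format is not documented here. What it does show is how little the single-byte XOR buys the attacker, since brute-forcing all 256 keys and scoring the output for printable text recovers the content without any knowledge of the key.

```python
"""Offline triage of a mounted removable drive for the THUMBSBD/VIRUSTASK
pattern: staged files hiding in $RECYCLE.BIN, single-byte-XOR obfuscated
command files, and .lnk shortcuts posing as documents. Added example, not
ThreatLabz tooling; the sample drive layout, names and the 0x5A key are
constructed for illustration."""
import re
import string
import tempfile
from pathlib import Path

# Genuine recycle-bin content lives under $RECYCLE.BIN\<user SID>\ and is named
# $I<6 chars> (metadata) or $R<6 chars> (payload), plus a desktop.ini.
SID_DIR = re.compile(r"^S-1-5-21(-\d+){4}$")
RECYCLE_FILE = re.compile(r"^\$[IR][A-Z0-9]{6}", re.IGNORECASE)
DOC_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}
PRINTABLE = set(string.printable.encode())

# Constructed stand-in for a staged operator command file; the real THUMBSBD
# file format is not documented in the article.
SAMPLE_COMMANDS = (b"# constructed stand-in, not the real THUMBSBD format\r\n"
                   b"whoami /all\r\n\tdir C:\\Users\\Public\r\nexit 0\r\n")
SAMPLE_KEY = 0x5A                      # hypothetical key for the sample only


def xor1(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def recover_xor_key(data: bytes, threshold: float = 0.95):
    """Brute-force all 256 single-byte keys and keep the one whose output is
    most printable; return (key, plaintext) or None if nothing is convincing."""
    best = max(range(256), key=lambda k: printable_ratio(xor1(data, k)))
    plain = xor1(data, best)
    return (best, plain) if printable_ratio(plain) >= threshold else None


def suspicious_recycle_entries(drive: Path) -> list[Path]:
    """Files under $RECYCLE.BIN that do not fit the genuine layout."""
    bin_dir = drive / "$RECYCLE.BIN"
    if not bin_dir.is_dir():
        return []
    hits = []
    for path in bin_dir.rglob("*"):
        if path.is_dir():
            continue
        in_sid_dir = SID_DIR.match(path.parent.name) is not None
        legit_name = (path.name.lower() == "desktop.ini"
                      or RECYCLE_FILE.match(path.name) is not None)
        if not (in_sid_dir and legit_name):
            hits.append(path)
    return sorted(hits)


def lnk_shadows(drive: Path) -> list[Path]:
    """Shortcuts posing as documents: a double extension such as report.docx.lnk,
    or a same-named file still sitting beside the .lnk."""
    hits = []
    for lnk in drive.rglob("*.lnk"):
        target_name = lnk.with_suffix("")          # strip the .lnk
        if target_name.suffix.lower() in DOC_EXT or target_name.exists():
            hits.append(lnk)
    return sorted(hits)


def triage(drive: Path) -> dict:
    recycle = suspicious_recycle_entries(drive)
    decoded = {}
    for path in recycle:
        hit = recover_xor_key(path.read_bytes())
        if hit:
            decoded[path.relative_to(drive).as_posix()] = hit
    return {
        "recycle": [p.relative_to(drive).as_posix() for p in recycle],
        "lnk": [p.relative_to(drive).as_posix() for p in lnk_shadows(drive)],
        "decoded": decoded,
    }


def build_sample_drive() -> Path:
    """Constructed drive layout: one genuine recycle-bin entry next to the
    staged-file and shortcut patterns described in the article."""
    drive = Path(tempfile.mkdtemp(prefix="usb_"))
    sid = drive / "$RECYCLE.BIN" / "S-1-5-21-1-2-3-1001"
    sid.mkdir(parents=True)
    (sid / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (sid / "$IA1B2C3.txt").write_bytes(b"\x02" * 24)               # genuine entry
    (drive / "$RECYCLE.BIN" / "thumbs.dat").write_bytes(xor1(SAMPLE_COMMANDS, SAMPLE_KEY))
    (drive / "report.docx").write_bytes(b"PK\x03\x04")             # original still beside
    (drive / "report.docx.lnk").write_bytes(b"L\x00\x00\x00")
    (drive / "budget.xlsx.lnk").write_bytes(b"L\x00\x00\x00")      # original removed
    (drive / "readme.txt").write_text("benign\n")
    return drive


if __name__ == "__main__":
    for section, items in triage(build_sample_drive()).items():
        print(section, items)
```

Two caveats when running this against a real stick: mount it read-only (or work from an image), since any write changes the evidence, and treat the decoded text rather than the mere existence of a hit as the evidence, because a very short or low-entropy file will "decode" to printable output under some key no matter what it contains.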
The final payload, FOOTWINE, gives the compromised system extensive surveillance capabilities: keylogging, audio capture, video capture and full shell access. All of it runs over a C2 channel encrypted with a custom XOR-based key exchange, a home-grown scheme rather than a standard protocol such as TLS, which keeps the collected data from being read in transit once it leaves the isolated host. Together these capabilities substantially increase APT37's intelligence take from machines that were supposed to be unreachable.
Security teams, particularly those managing air-gapped environments, should tighten controls on the exact path this campaign uses. Restrict removable media strictly on high-security and air-gapped systems, and enforce that restriction with physical port blocking or device-control policy (block, or at least read-only) where feasible. Any scan of a drive that is permitted must include hidden and system folders, since the staged command files sit inside `$RECYCLE.BIN` where a default Explorer view will not show them. On endpoints, audit every newly created scheduled task and watch for unusual names such as `rubyupdatecheck`, for tasks that repeat every few minutes, and for tasks whose action launches a binary from a user-writable location. Auditing cloud storage access from endpoints and inspecting LNK files in email attachments and downloaded content helps catch the earlier stages. Organizations should also hunt for the specific file paths and registry keys published by ThreatLabz, and increase monitoring of both endpoint activity and physical access points. The continued evolution of APT37's tactics underscores the persistent threat that state-sponsored adversaries pose to even the most protected digital assets.
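The scheduled-task checks recommended above, and the `rubyupdatecheck` persistence described earlier, can be turned into a repeatable audit over the output of `schtasks /query /fo CSV /v`. The script below is an added example, not ThreatLabz tooling. The column names (`TaskName`, `Task To Run`, `Run As User`, `Repeat: Every`) follow that verbose CSV export, but the rows embedded in it are constructed, and the install path and Ruby script argument given for `usbspeed.exe` are assumptions for illustration rather than details from the report. The scoring is deliberately additive so that a single weak signal, such as a legitimate updater living under AppData, does not raise an alert on its own.

```python
"""Audit of a schtasks export for the persistence pattern described in the
article: a task repeating every few minutes that launches a renamed Ruby
runtime from a user-writable path. Added example, not ThreatLabz tooling.
Produce the input on the endpoint with:  schtasks /query /fo CSV /v > tasks.csv
Column names follow that verbose output; the rows below are constructed."""
import csv
import io
import re
from pathlib import PureWindowsPath

KNOWN_TASK_NAMES = {"rubyupdatecheck"}      # task name reported in the article
SUSPECT_BINARIES = {"usbspeed.exe"}         # renamed Ruby runtime per the article
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\",
                 "%appdata%", "%localappdata%", "%temp%")
REPEAT_RE = re.compile(r"(\d+) Hour\(s\), (\d+) Minute\(s\)")

# Constructed sample export. Paths and arguments for the suspicious task are
# assumptions for illustration; the header row is repeated once because the
# verbose export emits it again for each task folder.
SAMPLE_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User","Repeat: Every"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -g","SYSTEM","N/A"
"WS01","\OneDrive Standalone Update Task-S-1-5-21-1-2-3-1001","Ready","Microsoft Corporation","%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","WS01\alice","N/A"
"HostName","TaskName","Status","Author","Task To Run","Run As User","Repeat: Every"
"WS01","\rubyupdatecheck","Ready","alice","C:\Users\alice\AppData\Local\Temp\usbspeed.exe C:\Users\alice\AppData\Local\Temp\check.rb","WS01\alice","0 Hour(s), 5 Minute(s)"
'''


def parse_repeat(value: str):
    """'0 Hour(s), 5 Minute(s)' -> 5 minutes; 'N/A' or unparsable -> None."""
    m = REPEAT_RE.search(value)
    return int(m.group(1)) * 60 + int(m.group(2)) if m else None


def executable_of(task_to_run: str) -> str:
    """First token of 'Task To Run', honouring a double-quoted path."""
    cmd = task_to_run.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def score_task(row: dict) -> tuple[int, list[str]]:
    score, reasons = 0, []
    minutes = parse_repeat(row.get("Repeat: Every", ""))
    if minutes is not None and minutes <= 10:
        score += 2
        reasons.append(f"repeats every {minutes} min")
    exe = executable_of(row.get("Task To Run", ""))
    if any(marker in exe.lower() for marker in USER_WRITABLE):
        score += 1
        reasons.append("binary in user-writable location")
    base = PureWindowsPath(exe).name.lower()
    if base in SUSPECT_BINARIES or base.startswith("ruby"):
        score += 2
        reasons.append(f"suspect binary {base}")
    if PureWindowsPath(row.get("TaskName", "")).name.lower() in KNOWN_TASK_NAMES:
        score += 2
        reasons.append("task name matches published indicator")
    return score, reasons


def audit_tasks(csv_text: str, threshold: int = 3) -> list[dict]:
    """Return every task whose cumulative score reaches the threshold."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("TaskName") == "TaskName":        # repeated header row
            continue
        score, reasons = score_task(row)
        if score >= threshold:
            findings.append({"task": row["TaskName"], "run": row["Task To Run"],
                             "user": row.get("Run As User", ""),
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_tasks(SAMPLE_CSV):
        print(finding["task"], finding["score"], "; ".join(finding["reasons"]))
```

For a real export, read the file with the code page your `schtasks` session wrote it in before passing the text to `audit_tasks`, and extend `KNOWN_TASK_NAMES` and `SUSPECT_BINARIES` with the indicators ThreatLabz publishes; the scoring rules stay the same.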

