The Ruby Jumper campaign attributed to the North Korean threat group APT37 represents a notable advancement in nation-state intrusion capabilities by successfully targeting air-gapped environments using weaponized USB devices. The multi-stage toolkit is initiated through malicious Windows shortcut (LNK) files combined with PowerShell execution, enabling covert command-and-control, persistent monitoring, and data exfiltration even within physically isolated systems.
The campaign leverages removable storage devices as bidirectional communication relays while utilizing legitimate cloud services as command-and-control channels. This approach challenges the long-standing assumption that physical network isolation alone provides sufficient protection. The operation highlights increasing risks to critical infrastructure, defense organizations, and research institutions, emphasizing the need for stronger removable media controls and multi-layer monitoring mechanisms.
APT37’s Ruby Jumper campaign employs a multi-stage infection chain beginning with a malicious LNK file that launches a decoy document while executing embedded PowerShell commands to retrieve additional payloads. The first-stage implant, RESTLEAF, establishes command-and-control communication through Zoho WorkDrive and retrieves encrypted shellcode required to initiate the next stage.
The retrieved payload deploys SNAKEDROPPER, a Ruby-based loader that installs a full Ruby 3.3.0 runtime environment disguised as a legitimate utility. Persistence is achieved by modifying RubyGems’ operating_system.rb and creating a scheduled task named rubyupdatecheck that executes every five minutes to maintain the malicious runtime environment.
Subsequent payloads include VIRUSTASK, which propagates the infection by replacing legitimate files on USB devices with malicious shortcuts, and THUMBSBD, which gathers system information and converts removable storage devices into covert bidirectional command-and-control relays. The toolkit also installs FOOTWINE spyware, enabling keylogging, screen capture, audio and video recording, and remote shell access, thereby supporting persistent surveillance and data exfiltration in segmented and air-gapped environments. The details and technicalities of the attack campaign are discussed further
The campaign begins with the introduction of a malicious Windows shortcut (LNK) file into segmented environments through removable media or controlled file transfer methods. When executed, the LNK file opens a decoy document, reportedly an Arabic translation of a North Korean media article, to distract the user while executing embedded PowerShell commands that extract hidden payloads contained within the shortcut. The first-stage implant, RESTLEAF, then establishes outbound command-and-control communication through Zoho WorkDrive, allowing malicious traffic to blend with legitimate enterprise communications and evade detection mechanisms. The infection chain was identified as follows:
The Ruby Jumper toolkit demonstrates a sophisticated modular architecture designed for cross-environment execution. By installing a full Ruby 3.3.0 runtime disguised as a legitimate USB performance utility, the malware enables flexible script-based payload deployment within restricted environments.
Persistence is maintained through modifications to RubyGems’ operating_system.rb file combined with a scheduled task that repeatedly executes the malicious runtime. The malware encrypts staged payloads and employs multi-stage shellcode loaders to evade static analysis and signature-based detection. Command-and-control communications are conducted through legitimate cloud infrastructure, specifically Zoho WorkDrive, allowing malicious traffic to blend with normal enterprise network activity.
A critical feature of the toolkit is its ability to transform removable media into covert bidirectional command relays, effectively bridging air-gapped environments. The THUMBSBD module creates hidden directories on USB devices used to store commands and exfiltrated data, while the VIRUSTASK component spreads the infection by replacing legitimate files with malicious shortcuts under specific execution conditions.
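As an added detection example (not code from the report or from any vendor tooling), the rules below run over constructed endpoint telemetry and flag the behaviours described in the preceding paragraphs: PowerShell launched from a shortcut, the write to RubyGems' operating_system.rb, the rubyupdatecheck scheduled task, and hidden directories or shortcuts appearing on removable media. The event field names, file paths and drive letters are assumptions; only the task name, the five-minute interval and the operating_system.rb file name come from the report.

```python
# Added detection example (not code from the report). Event keys are assumptions modelled on
# Sysmon-style process/file events and task-creation auditing; the task name and interval are reported.
from typing import Dict, List, Tuple
Event = Dict[str, str]

SAMPLE_EVENTS: List[Event] = [  # constructed samples, not real captures
    {"type": "process", "host": "ws1", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden -ep bypass -c <script that reads E:\article.docx.lnk>"},
    {"type": "file_write", "host": "ws1",
     "path": r"C:\Ruby33\lib\ruby\3.3.0\rubygems\defaults\operating_system.rb"},
    {"type": "task_create", "host": "ws1", "task_name": "rubyupdatecheck",
     "interval": "PT5M", "action": r"C:\Ruby33\bin\rubyw.exe"},
    {"type": "file_write", "host": "ws1", "drive_type": "removable",
     "path": r"E:\.sys", "attributes": "hidden,directory"},
    {"type": "file_write", "host": "ws1", "drive_type": "removable",
     "path": r"E:\budget.xlsx.lnk", "attributes": "archive"},
    {"type": "task_create", "host": "ws2", "task_name": "NightlyBackup",
     "interval": "P1D", "action": r"C:\Tools\backup.exe"},
]

def lnk_powershell(e: Event) -> bool:
    # Stage 1: PowerShell spawned by Explorer with a command line that names a .lnk file.
    return (e["type"] == "process" and e["image"].lower().endswith("powershell.exe")
            and e["parent_image"].lower().endswith("explorer.exe") and ".lnk" in e["cmdline"].lower())

def rubygems_hook_write(e: Event) -> bool:
    # Persistence: a write to the RubyGems operating_system.rb hook, which RubyGems loads at start-up.
    p = e.get("path", "").lower()
    return e["type"] == "file_write" and "rubygems" in p and p.endswith("operating_system.rb")

def ruby_task(e: Event) -> bool:
    # Persistence: the reported task name, or any five-minute task whose action is a Ruby binary.
    if e["type"] != "task_create":
        return False
    return (e["task_name"].lower() == "rubyupdatecheck"
            or (e["interval"] == "PT5M" and "ruby" in e["action"].lower()))

def removable_media_write(e: Event) -> bool:
    # USB relay / propagation: a hidden directory or a shortcut written to removable media.
    if e["type"] != "file_write" or e.get("drive_type") != "removable":
        return False
    attrs = e.get("attributes", "").lower()
    return e["path"].lower().endswith(".lnk") or ("hidden" in attrs and "directory" in attrs)

RULES = {f.__name__: f for f in (lnk_powershell, rubygems_hook_write, ruby_task, removable_media_write)}

def detect(events: List[Event]) -> List[Tuple[str, str]]:
    # Return (rule, host) for each matching event; repeated hits on one host aid triage.
    return [(name, e["host"]) for e in events for name, rule in RULES.items() if rule(e)]
```

Each rule is deliberately narrow; in production the task and file rules would be joined with the process ancestry so that a legitimate Ruby installation on a developer workstation does not fire on its own.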
The FOOTWINE spyware module significantly expands operational capabilities by enabling keylogging, screenshot capture, audio and video recording, file manipulation, registry access, and remote shell execution. These features support sustained espionage and surveillance activities within physically isolated or segmented networks.
The Ruby Jumper campaign has been attributed with high confidence to APT37, also known as ScarCruft, Ricochet Chollima, and InkySquid. This assessment is based on overlaps in tooling, infrastructure usage, and operational tradecraft previously associated with the group.
Indicators such as the use of BLUELIGHT malware, staged shellcode delivery techniques, LNK-based initial access vectors, and cloud-based command-and-control methods align with previously documented APT37 operations. The introduction of a full Ruby runtime to support modular malware deployment and the deliberate design of USB-based air-gap bridging capabilities represent a notable evolution in the group’s operational maturity and indicate a strategic move toward highly controlled cross-network intrusion frameworks.
Although specific victims have not been publicly identified, contextual evidence suggests targeting of organizations involved in defense and geopolitical activities related to North Korea. Historically, APT37 operations have focused on South Korea, Japan, the Middle East, and other strategically significant regions.
The use of a decoy document written in Arabic suggests potential targeting of organizations operating within Middle Eastern environments or institutions monitoring regional conflicts. Given the focus on air-gapped networks, likely targets include military networks, critical infrastructure operators, research institutions, and government organizations operating segmented systems.
The Ruby Jumper campaign demonstrates that air-gapped networks are no longer inherently resilient against sophisticated nation-state attackers. By combining multi-stage loaders, runtime-based malware deployment, abuse of legitimate cloud services, and weaponized removable media, the attackers demonstrate a deliberate strategy to bypass both logical and physical segmentation controls.
This operation reflects a shift from opportunistic compromise toward carefully engineered cross-network persistence and controlled data movement within highly sensitive environments.
The Ruby Jumper campaign significantly increases the risk to organizations that rely on air-gapped networks for security. By weaponizing USB devices as covert communication channels, attackers can perform data exfiltration and command execution without direct network connectivity.
In addition to information theft, the integrated surveillance capabilities of the toolkit allow continuous monitoring of compromised systems through keylogging, screen capture, audio and video recording, and remote shell access. This highlights that physical network isolation alone is insufficient protection and underscores the importance of removable media controls, behavioral monitoring, and layered defence strategies.
https://cybersecuritynews.com/north-korean-apt37-hackers-leverages-novel-malware/