Zscaler ThreatLabz attributes a Ruby Jumper campaign to the North Korea–linked ScarCruft group. The campaign uses a malicious LNK file with an embedded PowerShell script to carve out multiple payloads and deploy a multi-stage toolset: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT. Notably, RESTLEAF abuses Zoho WorkDrive for C2 communications, while THUMBSBD and VIRUSTASK weaponize removable media to bridge internet-connected and air-gapped systems for surveillance and data exfiltration. #ScarCruft #ZohoWorkDrive
Key points
- The attack chain begins with a malicious LNK file that runs a PowerShell script to extract and launch multiple embedded payloads.
- RESTLEAF executes in memory and uses Zoho WorkDrive for command-and-control to download and inject shellcode.
- SNAKEDROPPER installs a Ruby runtime, creates persistence via a scheduled task, and drops additional components.
- THUMBSBD leverages removable media to relay commands, exfiltrate data, and deploy FOOTWINE and BLUELIGHT for surveillance.
- VIRUSTASK focuses on weaponizing removable media to spread to and compromise air-gapped systems.
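The first stage described above is an oversized shortcut whose own PowerShell arguments read the .lnk back from disk and extract the payloads stored after the shortcut structure. The script below is an added triage example written for this summary; it is not Zscaler's or ScarCruft's code and is not derived from the Ruby Jumper samples. The header signature it checks is the documented ShellLinkHeader, but the size threshold, keyword list, score weights and the constructed sample shortcut (a header, a UTF-16 argument string and an appended fake PE, not a structurally complete LNK) are all assumptions made for the example.

```python
"""Static triage of a Windows shortcut (.lnk) for the self-carving pattern:
an oversized LNK whose PowerShell arguments read the shortcut itself and
extract payloads appended after the shortcut structure.
Added example; not Zscaler's or ScarCruft's code. Thresholds, keywords and
score weights are assumptions for triage, not values from the report."""
import math
import re
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SIZE_THRESHOLD = 64 * 1024   # assumption: legitimate shortcuts are a few KB

# (regex on lower-cased text, label); assumed indicator set.
INDICATORS = [
    (r"powershell(\.exe)?|\bpwsh\b", "powershell"),
    (r"-(w|windowstyle)\s+hidden", "hidden window"),
    (r"-(ep|executionpolicy)\s+bypass", "executionpolicy bypass"),
    (r"-(e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}", "encoded command"),
    (r"\[io\.file\]::readallbytes|get-content", "reads file bytes"),
    (r"\.lnk", "references .lnk"),
    (r"\biex\b|invoke-expression", "invoke-expression"),
]


def is_lnk(data: bytes) -> bool:
    """True if the buffer starts with the fixed ShellLinkHeader signature."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def text_views(data: bytes) -> list[str]:
    """LNK StringData is usually UTF-16LE; keep a latin-1 view as well."""
    views = [data.decode("latin-1")]
    for offset in (0, 1):  # both 2-byte alignments
        views.append(data[offset:].decode("utf-16-le", errors="ignore"))
    return views


def find_command_indicators(data: bytes) -> list[str]:
    found = set()
    for view in text_views(data):
        low = view.lower()
        for pattern, label in INDICATORS:
            if re.search(pattern, low):
                found.add(label)
    return sorted(found)


def find_embedded_pe(data: bytes) -> list[int]:
    """Offsets of MZ headers whose e_lfanew points at a valid PE signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_lnk(data: bytes, size_threshold: int = SIZE_THRESHOLD) -> dict:
    indicators = find_command_indicators(data)
    pe_offsets = find_embedded_pe(data)
    report = {
        "is_lnk": is_lnk(data),
        "size": len(data),
        "oversized": len(data) > size_threshold,
        "indicators": indicators,
        "pe_offsets": pe_offsets,
        "tail_entropy": round(shannon_entropy(data[-4096:]), 2),
    }
    # Assumed weights: an appended PE and sheer size dominate, keywords add context.
    score = 3 * bool(pe_offsets) + 2 * report["oversized"] + len(indicators)
    score += 1 if report["tail_entropy"] > 7.0 else 0  # packed/encrypted blob
    report["score"] = score
    report["verdict"] = "suspicious" if report["is_lnk"] and score >= 3 else "benign-looking"
    return report


# --- constructed sample, not a real shortcut: header + UTF-16 args + appended PE ---
SAMPLE_ARGS = ("/c powershell -w hidden -ep bypass -c "
               "\"$b=[IO.File]::ReadAllBytes('a.lnk')\"")
PAYLOAD_SIZE = 200 * 1024


def build_sample_lnk(args: str, payload: bytes) -> bytes:
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # flags/timestamps zeroed
    return header + args.encode("utf-16-le") + b"\x00" * 16 + payload


def build_fake_pe(body_size: int) -> bytes:
    """MZ stub with e_lfanew=0x80 pointing at 'PE', then high-entropy filler."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)
    dos += b"\x00" * (0x80 - len(dos))
    body = bytes((i * 131 + 7) % 256 for i in range(body_size))
    return dos + b"PE\x00\x00" + body


SAMPLE_LNK = build_sample_lnk(SAMPLE_ARGS, build_fake_pe(PAYLOAD_SIZE))
BENIGN_LNK = build_sample_lnk("/c notepad.exe", b"")

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        print(name, triage_lnk(blob))
```

Run it on a real shortcut with `triage_lnk(open(path, "rb").read())`. The PE scan is what separates a merely large shortcut from a carrier: it only reports an MZ whose e_lfanew lands on a PE signature, so random "MZ" bytes in icon data do not fire. Payloads that are XOR-encoded rather than stored in the clear will not be found that way, which is why the size and tail-entropy checks are kept alongside it.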
Read More: https://thehackernews.com/2026/02/scarcruft-uses-zoho-workdrive-and-usb.html