APT37 Adds New Capabilities for Air-Gapped Networks

Zscaler ThreatLabz discovered the Ruby Jumper campaign in December 2025 and attributed it to DPRK-backed APT37, detailing a multistage infection that begins with malicious LNK files and uses newly identified tools RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT. The campaign abuses Zoho WorkDrive for C2, installs a self-contained Ruby runtime to load shellcode-based payloads, and weaponizes removable media to bridge air-gapped systems for command-and-control and exfiltration.

Key points

  • ThreatLabz discovered the Ruby Jumper campaign in December 2025 and attributed it to APT37 (ScarCruft/Ruby Sleet/Velvet Chollima).
  • The initial vector is a malicious LNK shortcut that launches PowerShell to carve and load embedded payloads and shellcode.
  • RESTLEAF is an initial implant that uses Zoho WorkDrive for C2, retrieves AAA.bin (shellcode), executes it via process injection, and creates timestamped “lion [timestamp]” beacons.
  • SNAKEDROPPER installs a bundled Ruby 3.3.0 runtime (renamed to usbspeed.exe), establishes persistence via a scheduled task, and injects shellcode through backdoored Ruby scripts.
  • THUMBSBD and VIRUSTASK weaponize removable media: THUMBSBD uses USB as a bidirectional covert C2/exfiltration relay for air-gapped systems, while VIRUSTASK propagates by replacing files with malicious LNK shortcuts.
  • FOOTWINE and BLUELIGHT provide surveillance and remote-control capabilities (keylogging, screenshots, audio/video capture, file and process manipulation) and use custom XOR-based protocols and cloud services for C2.

MITRE Techniques

  • [T1204.001] User Execution: Malicious Link – The infection chain is initiated when the victim launches a malicious LNK file. (‘The infection chain is initiated when the victim launches the malicious LNK file.’)
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The LNK file launches a PowerShell script to continue the infection and carve embedded payloads. (‘The LNK file silently launches a PowerShell command line script to continue the infection.’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – SNAKEDROPPER creates a scheduled task named rubyupdatecheck to execute the disguised Ruby interpreter every 5 minutes. (‘SNAKEDROPPER creates a scheduled task named rubyupdatecheck to execute the disguised Ruby interpreter every 5 minutes.’)
  • [T1574] Hijack Execution Flow – SNAKEDROPPER replaces operating_system.rb (auto-loaded by RubyGems) to ensure the malicious code executes when the Ruby interpreter starts. (‘SNAKEDROPPER replaces operating_system.rb, a Ruby file automatically loaded by RubyGems, to ensure its payload executes every time the Ruby interpreter starts.’)
  • [T1027] Obfuscated Files or Information – Payloads are embedded within the LNK and decrypted with a 1-byte XOR key to evade detection. (‘Payloads are embedded and carved from fixed offsets within the LNK file, and the shellcode is 1-byte XOR decrypted.’)
  • [T1055] Process Injection – RESTLEAF allocates executable memory and injects downloaded shellcode into a process to execute payloads. (‘RESTLEAF allocates executable memory, copies the downloaded payload into this region, and transfers execution to the entry point of the shellcode.’)
  • [T1620] Reflective Code Loading – The second-stage shellcode reflectively loads an embedded Windows executable payload after decryption. (‘The decrypted second-stage shellcode reflectively loads an embedded Windows executable payload.’)
  • [T1036.005] Masquerading: Match Legitimate Name or Location – The Ruby interpreter rubyw.exe is renamed to usbspeed.exe to masquerade as a USB utility, and VIRUSTASK replaces victim files with shortcuts of the same name. (‘The Ruby interpreter (rubyw.exe) is renamed to usbspeed.exe to masquerade as a legitimate USB speed monitoring utility. VIRUSTASK replaces the victim’s files with malicious shortcuts of the same name.’)
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – VIRUSTASK and THUMBSBD create hidden $RECYCLE.BIN-like folders on removable media to conceal staged artifacts. (‘VIRUSTASK creates a hidden folder named $RECYCLE.BIN.USER on removable media. THUMBSBD uses a hidden $RECYCLE.BIN directory.’)
  • [T1082] System Information Discovery – THUMBSBD collects detailed host environment information (user, computer, OS, diagnostics). (‘THUMBSBD initializes a configuration file … containing information about the victim’s environment (e.g., user name, computer name, Windows version…).’)
  • [T1057] Process Discovery – THUMBSBD enumerates running processes via Windows APIs as part of reconnaissance. (‘THUMBSBD collects running processes via Windows API.’)
  • [T1083] File and Directory Discovery – THUMBSBD performs recursive file-system enumeration to stage data for exfiltration. (‘THUMBSBD performs recursive file system enumeration.’)
  • [T1132.002] Data Encoding: Non-Standard Encoding – FOOTWINE uses XOR and custom padding to encode keys and payloads in its key exchange and communications. (‘FOOTWINE generates a 32-byte random key… obfuscates the transmitted packet size… and uses XOR-based validation.’)
  • [T1092] Communication Through Removable Media – VIRUSTASK uses removable media propagation to spread malware to air-gapped systems. (‘VIRUSTASK is a removable media propagation component designed to spread malware by infecting removable media.’)
  • [T1052.001] Exfiltration Over Physical Medium: Exfiltration over USB – THUMBSBD uses removable media as a covert C2 and exfiltration channel between segmented networks. (‘THUMBSBD uses removable media as a covert C2 channel to exfiltrate data from and send commands to air-gapped systems.’)
  • [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – BLUELIGHT and other components use cloud providers for C2 and data exfiltration. (‘BLUELIGHT uploads collected data and a specific file to the cloud storage C2.’)
  • [T1056.001] Input Capture: Keylogging – FOOTWINE supports keystroke capture, and THUMBSBD stages collected data for exfiltration. (‘FOOTWINE performs keylogging and THUMBSBD provides a function for data collection.’)
  • [T1113] Screen Capture – FOOTWINE can capture screenshots on command. (‘FOOTWINE receives a dm command to take screenshots.’)
  • [T1123] Audio Capture – FOOTWINE can perform microphone surveillance via C2 commands. (‘FOOTWINE receives a cm command to perform microphone surveillance.’)
  • [T1125] Video Capture – FOOTWINE can perform camera/webcam surveillance via C2 commands. (‘FOOTWINE receives a cm command to perform camera/webcam surveillance.’)
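A defender-side hunt over the host artifacts named in the key points and technique list above (the rubyupdatecheck task, the renamed rubyw.exe, the replaced operating_system.rb, and the hidden $RECYCLE.BIN.USER folder). This is an added example, not Zscaler's code; the Sysmon-style field names, the RubyGems directory layout used for matching, and the sample events are assumptions.

```python
"""Hunt Sysmon-style telemetry for the Ruby Jumper host artifacts listed above.
Added example, not Zscaler's code; field names and the RubyGems path layout are assumed."""
import re

TASK_NAME = "rubyupdatecheck"          # SNAKEDROPPER scheduled task (runs every 5 minutes)
MASQ_IMAGE = "usbspeed.exe"            # rubyw.exe renamed to look like a USB utility
# RubyGems auto-loads rubygems/defaults/operating_system.rb (assumed path); SNAKEDROPPER replaces it
HIJACKED_RB = re.compile(r"rubygems[\\/](?:.*[\\/])?operating_system\.rb$", re.I)
# Hidden staging folder VIRUSTASK creates in the root of removable media
HIDDEN_DIR = re.compile(r"^[A-Z]:\\\$RECYCLE\.BIN\.USER(?:\\|$)", re.I)


def hunt(events):
    """Return (technique_id, detail) for each event matching a reported artifact."""
    hits = []
    for ev in events:
        kind = ev.get("event")
        if kind == "task_create" and ev.get("task_name", "").lower() == TASK_NAME:
            hits.append(("T1053.005", f"task {ev['task_name']} runs {ev.get('action')}"))
        elif kind == "process_create":
            image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            orig = ev.get("original_file_name", "").lower()
            # A renamed interpreter keeps rubyw.exe in its PE version info, so either
            # the known file name or a name/OriginalFileName mismatch flags it.
            if image == MASQ_IMAGE or (orig == "rubyw.exe" and image != orig):
                hits.append(("T1036.005", f"{ev['image']} OriginalFileName={orig}"))
        elif kind == "file_create":
            path = ev.get("path", "")
            if HIJACKED_RB.search(path):
                hits.append(("T1574", f"operating_system.rb written: {path}"))
            elif HIDDEN_DIR.match(path):
                hits.append(("T1564.001", f"hidden removable-media folder: {path}"))
    return hits


# Constructed sample telemetry (not real logs): four true positives, one benign event.
SAMPLE_EVENTS = [
    {"event": "task_create", "task_name": "RubyUpdateCheck",
     "action": r"C:\Users\user\AppData\Local\usbspeed.exe"},
    {"event": "process_create", "image": r"C:\Users\user\AppData\Local\usbspeed.exe",
     "original_file_name": "rubyw.exe"},
    {"event": "file_create",
     "path": r"C:\Users\user\AppData\Local\ruby\lib\ruby\3.3.0\rubygems\defaults\operating_system.rb"},
    {"event": "file_create", "path": r"E:\$RECYCLE.BIN.USER\cfg.dat"},
    {"event": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "original_file_name": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for technique, detail in hunt(SAMPLE_EVENTS):
        print(technique, detail)
```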

Indicators of Compromise

  • [SHA256 Hash] Host binaries and artifacts – 709d70239f1e9441e8e21fcacfdc5d08 (Windows shortcut), ad556f4eb48e7dba6da14444dcce3170 (viewer.dat), and 6 more hashes
  • [Domain] THUMBSBD C2 infrastructure – philion.store, homeatedke.store, and 1 more domain (hightkdhe.store)
  • [IP Address] FOOTWINE C2 – 144.172.106.66:8080
  • [File Names] Payloads and dropped artifacts – foot.apk (FOOTWINE payload disguised as an APK), usbspeed.exe (renamed Ruby interpreter used for persistence and removable-media execution)


Read more: https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks