Zscaler ThreatLabz reports a December 2025 campaign it tracks as Ruby Jumper, attributed with high confidence to APT37 (aka ScarCruft, Ruby Sleet, Velvet Chollima). The infection chain begins with a malicious Windows shortcut (LNK) that launches PowerShell and a multi-stage shellcode loader, then deploys new implants (RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK) and later-stage backdoors (FOOTWINE and BLUELIGHT). (zscaler.com)
The most operationally significant development is the pairing of: (1) cloud-based command and control (including Zoho WorkDrive) with (2) removable media workflows designed to relay commands and exfiltrate data between Internet-connected hosts and air-gapped systems. This tradecraft directly targets environments where network segmentation is assumed to be a primary control. (zscaler.com)
Context
APT37 is widely assessed as a North Korean state-sponsored cyber espionage group active since at least 2012, historically targeting South Korean interests and broader regional and sectoral objectives aligned with DPRK state priorities. (attack.mitre.org)
ThreatLabz notes APT37’s established preference for layered execution chains and surveillance tooling, and positions Ruby Jumper as a continuation of that pattern, with a clear shift towards tooling that supports operations across disconnected networks. (zscaler.com)
Technical Analysis
1) Initial access and execution: LNK-led chain
Ruby Jumper begins when a victim opens a malicious LNK which silently launches PowerShell and “carves” multiple embedded artefacts from fixed offsets inside the shortcut (including a decoy document, scripts and shellcode). The reported lure was an Arabic-language document about the Israel–Palestine conflict translated from North Korean media, which ThreatLabz uses as a victimology clue rather than definitive targeting proof. (zscaler.com)
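The carving step above is mechanical: the shortcut is a valid Shell Link file with the payloads appended after it, and the loader copies fixed byte ranges out and XOR-decodes the ones that need it. The following is an added example (not ThreatLabz tooling and not the actor's loader) that validates the Shell Link header per MS-SHLLINK, flags a shortcut that is far larger than a shortcut needs to be, and carves named regions from a constructed sample. The offsets, lengths, size threshold and XOR key are assumptions for the sample; the real Ruby Jumper values are not published in the write-up.

```python
"""Carve artefacts embedded at fixed offsets in a Windows shortcut (.lnk).

Added example, not ThreatLabz tooling. The ShellLinkHeader check (HeaderSize
0x4C followed by the ShellLink CLSID) follows MS-SHLLINK; the offsets,
lengths, size threshold and XOR key used below are assumptions for the
constructed sample, not the real Ruby Jumper values.
"""
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
# A shortcut that only points at a program is a few KB; one that carries a
# decoy document, scripts and shellcode is not. Threshold is an assumption.
OVERSIZED_LNK = 64 * 1024


def is_lnk(data: bytes) -> bool:
    """True if data begins with a ShellLinkHeader (size field + CLSID)."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    return struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def is_suspicious_lnk(data: bytes) -> bool:
    """Valid shortcut that is far larger than a shortcut needs to be."""
    return is_lnk(data) and len(data) > OVERSIZED_LNK


def carve(data: bytes, offset: int, length: int, xor_key: int = 0) -> bytes:
    """Copy data[offset:offset+length], undoing a single-byte XOR if given."""
    if offset < 0 or offset + length > len(data):
        raise ValueError("region lies outside the file")
    chunk = data[offset:offset + length]
    return bytes(b ^ xor_key for b in chunk) if xor_key else chunk


def carve_all(data: bytes, layout: dict) -> dict:
    """Carve every region in layout {name: (offset, length, xor_key)}."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link file")
    return {name: carve(data, off, ln, key) for name, (off, ln, key) in layout.items()}


def build_sample() -> tuple[bytes, dict]:
    """Constructed LNK-like blob: a valid header, filler, then three appended
    artefacts (plain decoy, plain script, XOR-encoded shellcode stand-in)."""
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID).ljust(LNK_HEADER_SIZE, b"\x00")
    decoy = b"%PDF-1.4\n% constructed decoy document\n"
    script = b"powershell -nop -w hidden -ep bypass -f %TEMP%\\stage.ps1"
    shellcode = bytes([0x90, 0x90, 0xCC])  # constructed stand-in, not real shellcode
    key = 0x5A
    blob = header + b"\x00" * (OVERSIZED_LNK + 1)  # padding so the size heuristic fires
    layout = {}
    for name, raw, k in (("decoy", decoy, 0), ("script", script, 0), ("shellcode", shellcode, key)):
        layout[name] = (len(blob), len(raw), k)
        blob += bytes(b ^ k for b in raw) if k else raw
    return blob, layout


if __name__ == "__main__":
    sample, layout = build_sample()
    print("suspicious:", is_suspicious_lnk(sample))
    for name, content in carve_all(sample, layout).items():
        print(f"{name:10s} {len(content):5d} bytes  {content[:24]!r}")
```

On a real sample the layout comes from reversing the PowerShell stage (the offsets it reads and the key it applies); the header check keeps the tool from being pointed at a file that merely has a .lnk extension.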
2) RESTLEAF: Zoho WorkDrive used as cloud C2
ThreatLabz identifies RESTLEAF as an initial implant that uses Zoho WorkDrive for C2, including OAuth-style token exchange to enable API operations. ThreatLabz states this is the first time they have observed APT37 abusing Zoho WorkDrive. RESTLEAF then downloads additional shellcode (reported as AAA.bin) and executes it via process injection, followed by a beaconing mechanism that creates timestamped “lion”-prefixed files in a WorkDrive folder named Second. (zscaler.com)
3) SNAKEDROPPER: portable Ruby runtime + persistence
The next stage, SNAKEDROPPER, installs a self-contained Ruby 3.3.0 runtime into %PROGRAMDATA%\usbspeed, renaming rubyw.exe to usbspeed.exe to masquerade as a benign USB utility. Persistence is achieved via a scheduled task named rubyupdatecheck (running every five minutes) and by hijacking RubyGems’ auto-loaded operating_system.rb so the malicious logic executes whenever the interpreter starts. (zscaler.com)
4) THUMBSBD: command relay and exfiltration through removable media
THUMBSBD is the component purpose-built for air-gapped workflows. ThreatLabz describes it as a backdoor that:
- Writes host profiling data (user, computer, Windows version, working paths) to `%LOCALAPPDATA%\TnGtp\TN.dat` (XOR-encrypted).
- Collects extensive discovery output (e.g. `dxdiag`, `ipconfig /all`, `netstat`, running processes, full file-tree enumeration).
- Stages artefacts into multiple working directories and uses both network endpoints and removable media for transferring commands and data. (zscaler.com)
For the air-gap bridge, THUMBSBD creates or uses hidden Recycle Bin lookalike directories on removable media (e.g. $RECYCLE.BIN), encrypts staged files (single-byte XOR reported), and uses a victim identifier derived from disk metadata to decide whether to execute a command package on a given host. Output is then copied back to the removable drive for pickup by an Internet-connected system. (zscaler.com)
5) VIRUSTASK: USB propagation via file replacement and LNK hijacking
VIRUSTASK complements THUMBSBD by turning removable drives into an initial access vector for new, disconnected systems. ThreatLabz reports it:
- Requires at least 2GB free space on the removable drive.
- Creates a hidden `$RECYCLE.BIN.USER` folder.
- Copies a renamed Ruby interpreter (`usbspeed.exe`), an updater binary, and a persistence script.
- Hides victims' original files and replaces them with LNKs of identical names, configured to execute the interpreter when clicked, triggering shellcode execution on the new host if it is not already infected. (zscaler.com)
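The removable-media artefacts from the THUMBSBD bridge and the VIRUSTASK propagation step above are cheap to triage offline once the drive (or an image of it) is mounted. The following is an added example, not ThreatLabz tooling: it finds Recycle Bin lookalike directories (suffixed names such as `$RECYCLE.BIN.USER`, copies outside the drive root, or a root bin holding files other than the `$I`/`$R` pairs and `desktop.ini` Windows writes there), pairs each LNK with a same-named sibling file in the VIRUSTASK pattern, and recovers the single-byte XOR key of anything staged in a lookalike by scoring the decoded bytes. The same `xor_recover()` can be pointed at `%LOCALAPPDATA%\TnGtp\TN.dat`, which the write-up also reports as XOR-encoded. The staged file names, the scoring weights and the sample drive layout are assumptions.

```python
"""Triage a removable drive (or a mounted image of one) for the THUMBSBD and
VIRUSTASK artefacts described above. Added example, not ThreatLabz tooling.
Assumptions: the drive is reachable as a directory tree; staged files use
single-byte XOR as reported, so the key is recovered by scoring the decoded
bytes; exact staged file names are unknown, so every regular file inside a
Recycle Bin lookalike is decoded (binary files will not decode meaningfully).
"""
import string
import tempfile
from pathlib import Path

RECYCLE = "$RECYCLE.BIN"
PRINTABLE = set(string.printable.encode())
GOOD = set(string.ascii_letters.encode() + string.digits.encode() + b" ")


def find_recycle_lookalikes(root: Path) -> list[Path]:
    """Directories named like the Recycle Bin that cannot be the real one:
    suffixed ($RECYCLE.BIN.USER), not at the drive root, or holding files
    other than the $I*/$R* pairs and desktop.ini Windows writes there."""
    hits = []
    for d in root.rglob("*"):
        if not d.is_dir() or not d.name.upper().startswith(RECYCLE):
            continue
        odd = [f for f in d.rglob("*") if f.is_file()
               and not f.name.upper().startswith(("$I", "$R"))
               and f.name.lower() != "desktop.ini"]
        if d.name.upper() != RECYCLE or d.parent != root or odd:
            hits.append(d)
    return hits


def find_lnk_replacements(root: Path) -> list[tuple[Path, Path]]:
    """(lnk, original) pairs: a .lnk whose name matches a sibling file, the
    VIRUSTASK pattern of hiding the original and planting a same-named LNK."""
    pairs = []
    for lnk in root.rglob("*.lnk"):
        if RECYCLE in str(lnk).upper():
            continue
        for sib in lnk.parent.iterdir():
            if sib.is_file() and sib.suffix.lower() != ".lnk" and \
                    (sib.name == lnk.name[:-4] or sib.stem == lnk.stem):
                pairs.append((lnk, sib))
    return pairs


def xor_recover(blob: bytes) -> tuple[int, bytes]:
    """Brute-force a single-byte XOR key: letters, digits and spaces score
    highest, other printable bytes are neutral, control/high bytes penalised."""
    def score(k: int) -> int:
        return sum(2 if (b ^ k) in GOOD else (0 if (b ^ k) in PRINTABLE else -10) for b in blob)
    key = max(range(256), key=score)
    return key, bytes(b ^ key for b in blob)


def triage(root: Path) -> dict:
    """Run all checks and decode anything staged in a lookalike directory."""
    lookalikes = find_recycle_lookalikes(root)
    staged = {}
    for d in lookalikes:
        for f in d.rglob("*"):
            if f.is_file():
                staged[f.relative_to(root).as_posix()] = xor_recover(f.read_bytes())
    return {"lookalikes": lookalikes,
            "lnk_replacements": find_lnk_replacements(root),
            "staged": staged}


def build_sample() -> Path:
    """Constructed drive layout in a temp dir: a legitimate root Recycle Bin,
    a VIRUSTASK-style $RECYCLE.BIN.USER with a staged command file XOR'd with
    0x33 (constructed key), and a document replaced by a same-named LNK."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / RECYCLE).mkdir()
    (root / RECYCLE / "desktop.ini").write_bytes(b"[.ShellClassInfo]\r\n")
    bad = root / (RECYCLE + ".USER")
    bad.mkdir()
    (bad / "usbspeed.exe").write_bytes(b"MZ" + b"\x00" * 64)
    cmd = b"cmd=whoami /all\ncmd=ipconfig /all\nvictim=1A2B3C4D\n"
    (bad / "cmd.dat").write_bytes(bytes(b ^ 0x33 for b in cmd))
    docs = root / "docs"
    docs.mkdir()
    (docs / "report.docx").write_bytes(b"PK\x03\x04 constructed original")
    (docs / "report.docx.lnk").write_bytes(b"L\x00\x00\x00 constructed lnk")
    return root


if __name__ == "__main__":
    for section, value in triage(build_sample()).items():
        print(section, value)
```

Point `triage()` at the drive letter or image mount instead of `build_sample()` to run it against evidence; on Windows the hidden attribute of the paired originals can additionally be read from `st_file_attributes`, which the cross-platform sample does not rely on.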
This is a practical social engineering design: users believe they are opening familiar files, but instead initiate the compromise chain.
6) Late-stage payloads: FOOTWINE and BLUELIGHT
ThreatLabz reports that THUMBSBD delivers:
- FOOTWINE, disguised as `foot.apk` but described as an encrypted payload with an integrated shellcode launcher. ThreatLabz attributes capabilities including command shell, file operations (including timestomping), registry and process manipulation, screenshot capture, keylogging, and audio/video capture. (zscaler.com)
- BLUELIGHT, a previously documented backdoor family that can use multiple legitimate cloud providers for C2. Volexity previously reported BLUELIGHT leveraging Microsoft Graph/OneDrive-style workflows, and ESET described BLUELIGHT as a final payload in ScarCruft watering-hole activity, supporting ThreatLabz's linkage. (zscaler.com)
Impact Assessment
Ruby Jumper is primarily an espionage-enabling intrusion chain. Its standout risk is operational: it is designed to succeed where defenders rely on segmentation alone, specifically by using removable media as a bidirectional command channel between connected and disconnected systems. (zscaler.com)
Organisations most exposed are those with:
- Air-gapped or intermittently connected enclaves (OT networks, lab environments, classified or sensitive R&D, regulated production networks).
- Routine operational use of removable media for data transfer, patching, or maintenance workflows.
Indicators of Compromise
ThreatLabz published a set of host and network indicators associated with the Ruby Jumper chain, including sample hashes and C2 infrastructure. Treat these as point-in-time indicators and prioritise behavioural detections around the artefacts and persistence mechanisms below. (zscaler.com)
| Type | Value | Context / Notes | Source | Confidence |
|---|---|---|---|---|
| Hash | 709d70239f1e9441e8e21fcacfdc5d08 | Malicious Windows shortcut (LNK) | ThreatLabz Ruby Jumper IOCs | Confirmed |
| Hash | ad556f4eb48e7dba6da14444dcce3170 | viewer.dat (shellcode + RESTLEAF) | ThreatLabz Ruby Jumper IOCs | Confirmed |
| Hash | 098d697f29b94c11b52c51bfe8f9c47d | Shellcode + SNAKEDROPPER | ThreatLabz Ruby Jumper IOCs | Confirmed |
| Hash | 4214818d7cde26ebeb4f35bc2fc29ada | ascii.rb (shellcode + THUMBSBD) | ThreatLabz Ruby Jumper IOCs | Confirmed |
| Hash | 5c6ff601ccc75e76c2fc99808d8cc9a9 | bundler_index_client.rb (shellcode + VIRUSTASK) | ThreatLabz Ruby Jumper IOCs | Confirmed |
| Hash | 476bce9b9a387c5f39461d781e7e22b9 | foot.apk (shellcode + FOOTWINE) | ThreatLabz Ruby Jumper IOCs | Confirmed |
| Hash | 585322a931a49f4e1d78fb0b3f3c6212 | footaaa.apk (shellcode + BLUELIGHT) | ThreatLabz Ruby Jumper IOCs | Confirmed |
| Domain | philion.store | THUMBSBD C2 | ThreatLabz Ruby Jumper IOCs | Confirmed |
| Domain | homeatedke.store | THUMBSBD C2 | ThreatLabz Ruby Jumper IOCs | Confirmed |
| Domain | hightkdhe.store | THUMBSBD C2 | ThreatLabz Ruby Jumper IOCs | Confirmed |
| IP:Port | 144.172.106.66:8080 | FOOTWINE C2 | ThreatLabz Ruby Jumper IOCs | Confirmed |
| File path | %PROGRAMDATA%\usbspeed\ | Ruby runtime install and masquerade location | ThreatLabz technical analysis | Confirmed |
| Scheduled task | rubyupdatecheck | Persistence for usbspeed.exe execution | ThreatLabz technical analysis | Confirmed |
| Registry key | HKCU\SOFTWARE\Microsoft\TnGtp | THUMBSBD mutex/instance control | ThreatLabz technical analysis | Confirmed |
| Registry key | HKCU\Software\Microsoft\ActiveUSBPolicies | VIRUSTASK execution tracking | ThreatLabz technical analysis | Confirmed |
Incident Response Guidance
Containment
- Immediately isolate infected endpoints and any removable media recently connected to them.
- Quarantine removable drives showing a hidden `$RECYCLE.BIN.USER` folder or unexpected LNK proliferation, and preserve them as forensic evidence.
- Block the listed domains and IP:port at egress where feasible, noting that APT37's broader use of legitimate cloud platforms for C2 limits the value of pure network blocking. (zscaler.com)
Eradication and recovery
- Remove persistence: delete the `rubyupdatecheck` scheduled task, and investigate all scheduled tasks created or modified around initial infection windows.
- Inspect and remove `%PROGRAMDATA%\usbspeed\` and related dropped files, then validate that no additional persistence has been established via other mechanisms.
- Review and remediate the registry artefacts tied to THUMBSBD and VIRUSTASK (`TnGtp`, `ActiveUSBPolicies`) and examine `%LOCALAPPDATA%\TnGtp\TN.dat` for host profiling traces. (zscaler.com)
Forensics and scoping
- Collect the original LNK, dropped scripts (`find.bat`, `search.dat`) and `viewer.dat` where available, plus Prefetch/Amcache/Shimcache evidence of `usbspeed.exe` execution.
- On removable media, capture directory listings and full contents (including hidden/system files) to identify staged command and exfiltration files inside Recycle Bin lookalikes. (zscaler.com)
Threat Intelligence Context: ATT&CK mapping
ThreatLabz mapped Ruby Jumper activity to multiple ATT&CK techniques, reflecting a chain that blends user execution, script-based staging, stealthy in-memory loading, removable media C2 and surveillance collection. (zscaler.com)
| Tactic | Technique ID | Technique | Observed behaviour |
|---|---|---|---|
| Initial Access / Execution | T1204.002 | User Execution: Malicious File | Victim opens the malicious LNK delivered as a file |
| Execution | T1059.001 | PowerShell | LNK silently launches PowerShell to stage payloads |
| Persistence | T1053.005 | Scheduled Task | rubyupdatecheck runs disguised Ruby interpreter |
| Defence Evasion | T1574 | Hijack Execution Flow | Backdoored operating_system.rb auto-load path |
| Defence Evasion | T1027 | Obfuscated Files or Information | Embedded payload carving; XOR-decrypted shellcode |
| Defence Evasion | T1055 | Process Injection | Shellcode executed inside legitimate processes |
| Defence Evasion | T1620 | Reflective Code Loading | Reflective loading of PE payloads |
| Defence Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | rubyw.exe renamed to usbspeed.exe; LNKs named after the files they replace |
| Defence Evasion | T1564.001 | Hidden Files and Directories | Hidden $RECYCLE.BIN and $RECYCLE.BIN.USER on removable media |
| Discovery | T1082 | System Information Discovery | THUMBSBD host profiling and recon |
| Discovery | T1057 | Process Discovery | Running process collection |
| Discovery | T1083 | File and Directory Discovery | Recursive file system enumeration |
| C2 | T1092 | Communication Through Removable Media | Command relay via USB between connected and air-gapped hosts |
| Exfiltration | T1052.001 | Exfiltration over USB | Data staged to USB for transfer out of air-gapped segments |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage | BLUELIGHT cloud-based upload workflows |
| Collection | T1056.001 | Keylogging | FOOTWINE keylogging; THUMBSBD data collection support |
| Collection | T1113 | Screen Capture | FOOTWINE screenshot commands |
| Collection | T1123 | Audio Capture | FOOTWINE microphone surveillance |
| Collection | T1125 | Video Capture | FOOTWINE camera/webcam surveillance |
Mitigation Recommendations
Prioritise removable media controls
- Implement strict device control: block unauthorised USB storage, enforce allow-lists, and require managed, encrypted media for legitimate workflows.
- Introduce scanning kiosks or controlled transfer stations for any data entering air-gapped enclaves, with logging and chain-of-custody for high-risk environments.
Harden against LNK-led staging
- Reduce LNK execution risk through user privilege controls and endpoint protections tuned to detect shortcut-driven PowerShell and embedded payload carving behaviours.
- Monitor for spikes in LNK creation on removable media paired with hidden-folder creation (Recycle Bin lookalikes), which is consistent with VIRUSTASK-style file replacement. (zscaler.com)
Detect the Ruby runtime masquerade
- Hunt for `%PROGRAMDATA%\usbspeed\`, `usbspeed.exe`, and the scheduled task `rubyupdatecheck`.
- Alert on unusual interpreter installs (Ruby) on endpoints where not expected, particularly when installed under ProgramData and executed on a tight schedule. (zscaler.com)
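The three host artefacts of the SNAKEDROPPER stage (the `usbspeed` tree under ProgramData, the `rubyupdatecheck` task, and the hijacked RubyGems `operating_system.rb`) can be checked together. The following is an added example, not ThreatLabz tooling: it parses `schtasks /query /v /fo csv` output for the known task name or for any action that runs a Ruby interpreter out of ProgramData, lists the masquerade binaries and Ruby DLLs under `%PROGRAMDATA%\usbspeed`, and reports lines in any `rubygems/defaults/operating_system.rb` that reach for loader primitives (Fiddle, Win32API, `unpack`, `load`, and so on). The column subset in the constructed CSV, the DLL name prefixes, the token list and the stub contents of the sample `operating_system.rb` are assumptions; on a Windows host the entry point runs the real `schtasks`.

```python
"""Hunt for the Ruby-runtime masquerade described above: the usbspeed tree
under ProgramData, a backdoored RubyGems operating_system.rb, and the
rubyupdatecheck scheduled task. Added example, not ThreatLabz tooling.
Assumptions: schtasks output comes from `schtasks /query /v /fo csv` (the
constructed sample carries only the columns the checks use); RubyInstaller
DLL names start with x64-ucrt-ruby / x64-msvcrt-ruby; the token list below
is what a gem-defaults file has no business containing.
"""
import csv
import io
import os
import subprocess
import tempfile
from pathlib import Path

TASK_NAME = "rubyupdatecheck"
MASQ_DIR = "usbspeed"
OS_RB = "rubygems/defaults/operating_system.rb"
RUBY_HINTS = ("rubyw.exe", "ruby.exe", "usbspeed.exe")
SUSPICIOUS_RB = ("fiddle", "win32api", "virtualalloc", "createthread", "eval(",
                 "base64", "binread", "unpack", "load ")


def suspicious_tasks(schtasks_csv: str) -> list[dict]:
    """Rows named after the known task, or whose action runs a Ruby
    interpreter (renamed or not) from ProgramData."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row.get("TaskName", "")
        action = row.get("Task To Run", "").lower()
        named = name.lower().endswith(TASK_NAME)
        ruby_from_programdata = "programdata" in action and any(h in action for h in RUBY_HINTS)
        if named or ruby_from_programdata:
            hits.append({"task": name, "action": row.get("Task To Run", ""),
                         "every": row.get("Repeat: Every", "")})
    return hits


def masquerade_paths(programdata: Path) -> list[Path]:
    """The usbspeed directory plus any interpreter binary or Ruby DLL in it."""
    d = programdata / MASQ_DIR
    if not d.is_dir():
        return []
    names = ("usbspeed.exe", "rubyw.exe", "ruby.exe")
    dll_prefix = ("x64-ucrt-ruby", "x64-msvcrt-ruby")  # RubyInstaller naming (assumption)
    return [d] + [p for p in d.rglob("*")
                  if p.name.lower() in names or p.name.lower().startswith(dll_prefix)]


def hijacked_operating_system_rb(ruby_root: Path) -> list[tuple[Path, list[str]]]:
    """operating_system.rb files whose non-comment lines use loader primitives.
    RubyGems requires this file on every interpreter start, which is why it
    is a persistence point."""
    hits = []
    for rb in ruby_root.rglob("operating_system.rb"):
        if not rb.as_posix().endswith(OS_RB):
            continue
        lines = [ln.strip() for ln in rb.read_text(errors="replace").splitlines()]
        bad = [ln for ln in lines
               if ln and not ln.startswith("#") and any(t in ln.lower() for t in SUSPICIOUS_RB)]
        if bad:
            hits.append((rb, bad))
    return hits


def hunt(programdata: Path, schtasks_csv: str) -> dict:
    return {"tasks": suspicious_tasks(schtasks_csv),
            "paths": masquerade_paths(programdata),
            "hijacks": hijacked_operating_system_rb(programdata / MASQ_DIR)}


# Constructed schtasks output, reduced to the columns used above.
SAMPLE_SCHTASKS = (
    '"TaskName","Task To Run","Repeat: Every"\r\n'
    '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","Disabled"\r\n'
    '"\\rubyupdatecheck","C:\\ProgramData\\usbspeed\\usbspeed.exe C:\\ProgramData\\usbspeed\\update.rb","0:05:00"\r\n'
)


def build_sample() -> Path:
    """Constructed ProgramData tree: usbspeed.exe, a Ruby DLL, and a 3.3.0 lib
    tree whose operating_system.rb carries a constructed loader stub."""
    pd = Path(tempfile.mkdtemp(prefix="programdata_"))
    d = pd / MASQ_DIR
    (d / "bin").mkdir(parents=True)
    (d / "bin" / "usbspeed.exe").write_bytes(b"MZ" + b"\x00" * 32)
    (d / "bin" / "x64-ucrt-ruby330.dll").write_bytes(b"MZ" + b"\x00" * 32)
    rb = d / "lib" / "ruby" / "3.3.0" / OS_RB
    rb.parent.mkdir(parents=True)
    rb.write_text("# frozen_string_literal: true\n"
                  "# constructed hijack stub, not the real SNAKEDROPPER code\n"
                  "require 'fiddle'\n"
                  "load File.join(ENV['PROGRAMDATA'], 'usbspeed', 'stage.rb')\n")
    return pd


if __name__ == "__main__":
    if os.name == "nt":
        out = subprocess.run(["schtasks", "/query", "/v", "/fo", "csv"],
                             capture_output=True, text=True, check=False).stdout
        print(hunt(Path(os.environ["PROGRAMDATA"]), out))
    else:
        print(hunt(build_sample(), SAMPLE_SCHTASKS))
```

The task check deliberately keys on the action, not only the name, so a renamed task that still runs an interpreter out of ProgramData on a short repeat interval is caught; the `Repeat: Every` value is surfaced so the five-minute cadence reported for this campaign is visible in the output.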
Constrain cloud service abuse
- Review enterprise use of Zoho WorkDrive and other cloud storage providers. Where use is not business-justified, consider restricting access and alerting on unexpected API token flows.
- For sanctioned cloud providers (e.g. Microsoft OneDrive), focus on endpoint telemetry and process lineage rather than destination-based blocking, given the use of legitimate services for C2. (zscaler.com)
Future Outlook
Likely near-term evolution includes broader reuse of “portable runtime” approaches (self-contained interpreters installed on disk to reduce dependency on target configurations) and continued expansion of cloud storage abuse for both stealth and operational resilience. The air-gap bridge components in Ruby Jumper suggest APT37 continues investing in tradecraft tailored for high-value targets where segmentation is expected to hinder collection operations. (zscaler.com)
Further Reading
- Zscaler ThreatLabz: APT37 adds new capabilities for air-gapped networks
- MITRE ATT&CK: APT37 (G0067)
- Volexity: InkySquid (ScarCruft/APT37) and the BLUELIGHT backdoor
- ESET: ScarCruft’s Dolphin and BLUELIGHT context
- Mandiant (via Google Cloud): APT37 (Reaper) background
