North Korea's APT37 Deploys 'Ruby Jumper' Malware to Steal Data from Air-Gapped Systems

Executive Summary

The North Korean state-sponsored threat group APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima) has been observed deploying a sophisticated new malware toolkit, dubbed 'Ruby Jumper,' to infiltrate and exfiltrate data from air-gapped networks. The campaign, detailed by researchers at Zscaler, leverages removable media as a bridge to cross the physical network isolation. The malware suite, active since at least December 2025, includes several custom tools designed for persistence, surveillance, and data staging, highlighting the group's focus on espionage against high-security targets.

Threat Overview

The primary objective of the 'Ruby Jumper' campaign is to steal sensitive information from organizations that rely on air-gapping as a primary security control, such as government, defense, and critical infrastructure sectors. The attack is initiated through social engineering, likely by introducing a compromised USB drive into the target environment. The malware then establishes a foothold, performs reconnaissance, and uses the same USB mechanism as a bidirectional channel to exfiltrate stolen data and receive new commands from its operators.

Technical Analysis

The attack chain is multi-staged and demonstrates considerable complexity:

1. Initial Access: The attack begins with a malicious LNK file on a removable USB drive. When a user clicks the file, it executes a T1059.001 - PowerShell script.
2. In-Memory Payload: The PowerShell script deploys a decoy document (e.g., an Arabic document on the Palestine-Israel conflict) to distract the user while it loads the RestLeaf payload in memory. RestLeaf uses the legitimate cloud service Zoho WorkDrive for command-and-control (C2) to fetch a shellcode payload.
3. Persistence and Backdoor: The shellcode loads SnakeDropper, a Windows executable that installs the Ruby 3.3.0 runtime environment, disguising it as a 'USB speed monitoring utility.' It then backdoors the Ruby interpreter to establish persistence.
4. USB Exfiltration Bridge: A backdoor named ThumbsBD is dropped. This component monitors for the insertion of USB drives. When a drive is detected, it creates a hidden directory on the device. It stages collected data in this directory for exfiltration and checks for new command files placed there by the attacker, effectively turning the USB drive into a data mule. This is a classic implementation of T1091 - Replication Through Removable Media.
5. Surveillance: Finally, the FootWine backdoor is deployed. This tool provides the attackers with extensive surveillance capabilities, including file system manipulation, remote shell access, and process/registry management.

The use of a legitimate programming language runtime (Ruby) and a public cloud service (Zoho WorkDrive) for C2 are sophisticated evasion tactics designed to blend in with normal activity and bypass simple network-based indicators.

Impact Assessment

This campaign poses a severe threat to organizations that depend on air gaps for security. A successful breach can lead to the loss of highly sensitive intellectual property, state secrets, or critical operational data. The persistent nature of the backdoors means that even after initial detection, a thorough and complex remediation effort is required to fully eradicate the threat from the isolated network. The incident forces a re-evaluation of security policies around removable media, which are often the weakest link in an air-gapped environment.

Cyber Observables for Detection

Security teams should hunt for the following observables:

Detection & Response

1. Removable Media Monitoring: Implement strict logging and alerting for all removable media events (insertion, file reads/writes). Use an EDR solution to inspect files being written to or executed from USB drives.
2. PowerShell Logging: Enable PowerShell Script Block Logging (Event ID 4104) and Module Logging. Hunt for suspicious scripts, especially those that are heavily obfuscated or perform network connections.
3. Network Egress Filtering: Even on internet-connected segments of the network, filter and monitor outbound traffic. Connections to legitimate but unusual services like Zoho WorkDrive should be investigated. This aligns with D3FEND Outbound Traffic Filtering (D3-OTF).
4. File Integrity Monitoring: Monitor critical system directories and the Ruby installation path for unauthorized modifications, which could indicate the backdoor being planted.

Mitigation

Tactical Mitigation

1. Restrict Removable Media: The most effective control is to disable or strictly control the use of USB drives and other removable media on high-security systems. Use technical controls to block all unauthorized devices.
2. Application Allowlisting: Implement application control policies (e.g., using AppLocker or WDAC) to prevent the execution of unauthorized software, including the rogue Ruby interpreter.
3. Attack Surface Reduction (ASR): Enable ASR rules on Windows to block untrusted and unsigned processes that run from USB, and to block execution of potentially obfuscated scripts.

Strategic Mitigation

1. Data Diodes: For truly critical air-gapped networks, consider using hardware-based data diodes for one-way data transfer out of the secure environment, which prevents the use of bidirectional C2 channels like the one used by ThumbsBD.
2. User Training: Conduct regular security awareness training focused on social engineering and the risks of using found or untrusted removable media.
3. Assume Breach in Secure Zones: Develop incident response playbooks specifically for air-gapped environments, assuming that the air gap can and will be breached.