The latest threat analysis from Zscaler ThreatLabz reveals a sophisticated campaign orchestrated by the DPRK‑backed group APT37, also known as ScarCruft, Ruby Sleet, and Velvet Chollima. Published on March 1, 2026, the report details a multi‑stage infection chain that leverages malicious Windows shortcut (LNK) files, a custom Ruby runtime, and removable media to compromise both internet‑connected and air‑gapped environments. The campaign, dubbed Ruby Jumper, introduces new tools—RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT—that expand APT37’s attack surface and persistence capabilities.
Initial Vector and Execution Flow
APT37’s attack begins with a deceptively innocuous LNK file. When a user opens the shortcut, a PowerShell command is silently executed, scanning the current directory for itself by file size. The script then carves multiple embedded payloads from fixed offsets within the LNK, including a decoy document, an executable payload, an additional PowerShell script, and a batch file. The decoy, a translated article about the Palestine‑Israel conflict, distracts while the embedded shellcode is extracted and decrypted in memory.
RESTLEAF and Cloud‑Based Command & Control
RESTLEAF is the first implant that initiates communication with the command and control infrastructure. It abuses Zoho WorkDrive—an atypical cloud service for APT37—by embedding hard‑coded OAuth credentials. RESTLEAF authenticates, retrieves a shellcode payload (AAA.bin), and injects it into a randomly chosen system executable from %WINDIR%\System32 or %WINDIR%\SysWow64. After execution, RESTLEAF creates timestamped beacon files in a Zoho WorkDrive folder named Second, signaling to the cloud‑based C2 that the implant is active.
SNAKEDROPPER: Installing a Ruby Runtime
Once RESTLEAF has established the first stage, SNAKEDROPPER is spawned. It extracts a ruby3.zip archive to %PROGRAMDATA%\usbspeed, disguising the Ruby 3.3.0 interpreter as a legitimate USB‑speed monitoring utility. The main interpreter executable, rubyw.exe, is renamed usbspeed.exe. SNAKEDROPPER then replaces the default RubyGems file operating_system.rb with a malicious script that loads shellcode on every interpreter start. A scheduled task named rubyupdatecheck runs usbspeed.exe every five minutes, ensuring persistence across reboots.
THUMBSBD: Removable Media Backdoor
THUMBSBD is the centerpiece of the air‑gap strategy. Dropped as ascii.rb, it monitors the registry key HKCU\SOFTWARE\Microsoft\TnGtp to avoid duplicate instances. The malware creates a configuration file in %LOCALAPPDATA%\TnGtp\TN.dat, collecting system information, processes, network configuration, and a recursive file enumeration. THUMBSBD uses several working directories—CMD, MCD, OCD, PGI, RST, UEE, and WRK—to stage commands, payloads, and exfiltration data. When a removable drive is attached, THUMBSBD copies staged files into a hidden $RECYCLE.BIN folder on the media, encrypts them with a single‑byte XOR key, and dispatches commands based on a leading byte identifier.
VIRUSTASK: Propagation Through Malicious Shortcuts
VIRUSTASK complements THUMBSBD by weaponizing removable media to spread the infection. When a drive with at least 2 GB of free space is detected, VIRUSTASK creates a hidden folder $RECYCLE.BIN.USER and copies its payload executables—usbspeed.exe, usbspeedupdate.exe—and a Ruby persistence script into the drive. It then scans the drive, replaces legitimate files with malicious LNK shortcuts that point to usbspeed.exe. When a user opens a hijacked file, the Ruby interpreter loads the malicious operating_system.rb, which in turn executes shellcode, infecting the host system.
FOOTWINE: Surveillance Payload
FOOTWINE is delivered via a file named foot.apk, an Android package extension that actually contains an encrypted shellcode launcher. The launcher establishes a custom XOR‑based key exchange with a TCP C2 server, using random padding and size obfuscation to evade pattern matching. Once the session key is negotiated, FOOTWINE supports a rich set of commands: interactive shell (sm), file manipulation (fm), registry manipulation (rm), process enumeration (pm), screenshot capture (dm), keylogging, and audio/video surveillance (cm). The payload can also receive and execute batch scripts via the s_d command.
BLUELIGHT: Cloud‑Based Exfiltration
BLUELIGHT is a legacy backdoor reused by APT37. It leverages multiple cloud providers—Google Drive, Microsoft OneDrive, pCloud, and BackBlaze—for command and data exfiltration. BLUELIGHT can execute arbitrary commands, enumerate the file system, download additional payloads, upload data, and self‑remove. The use of legitimate cloud services obscures traffic and complicates detection.
Key Takeaways
- APT37 introduces new tools—RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT—to target both internet‑connected and air‑gapped systems.
- The attack chain relies heavily on malicious LNK files, PowerShell, and a two‑stage XOR‑encrypted shellcode launcher.
- Removable media is used as a covert C2 channel, allowing bidirectional command delivery and data exfiltration between isolated networks.
- Cloud services (Zoho WorkDrive, Google Drive, OneDrive, pCloud, BackBlaze) are abused for C2 communication and payload delivery.
- Persistent execution is achieved via scheduled tasks, registry keys, and disguised Ruby interpreters.
Recommendations for Security Analysts
- Monitor LNK File Activity: Implement file integrity monitoring for LNK files and flag suspicious PowerShell executions triggered by shortcuts.
Detect Cloud C2 Channels: Analyze outbound traffic to public cloud services (Zoho, Google, OneDrive, pCloud, BackBlaze) for anomalous patterns, such as repeated beacon files or large binary downloads.
Inspect Removable Media: Deploy endpoint detection that scans USB drives for hidden $RECYCLE.BIN directories, LNK shortcuts with executable targets, and encrypted payloads.
Enforce Ruby Runtime Restrictions: Block execution of unknown Ruby interpreters, especially those renamed to mimic legitimate utilities, and audit scheduled tasks for unfamiliar names.
Implement Network Segmentation and Air‑Gap Hardening: Strengthen physical security controls for removable media, enforce strict access policies, and consider hardware‑based isolation solutions.
Deploy Behavioral Analytics: Use behavioral EDR tools to detect process injection, reflective code loading, and XOR‑encrypted payload execution patterns.
Maintain Updated Threat Intelligence: Subscribe to feeds that include APT37 indicators, such as the hashed filenames listed in the report, and correlate them with internal logs.
Conclusion
The Ruby Jumper campaign demonstrates APT37’s evolving capabilities to compromise air‑gapped environments through a meticulously engineered chain of malware components. The use of legitimate cloud services for command and control, combined with removable media as a covert bridge, presents a formidable threat to organizations with stringent isolation requirements. Security teams must adopt a multi‑layered defense strategy—combining endpoint detection, cloud traffic analysis, physical media controls, and behavioral analytics—to detect and mitigate these sophisticated attacks before they compromise critical assets.

