Executive Summary
In December 2025, the North Korean state-sponsored group APT37, also known as ScarCruft, launched the 'Ruby Jumper' campaign targeting air-gapped networks. The attack began with victims opening malicious Windows shortcut (LNK) files, which executed PowerShell scripts to deploy a series of malware tools: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE. These tools facilitated initial infection, established command-and-control via Zoho WorkDrive, and enabled lateral movement through removable media, ultimately compromising isolated systems. The campaign underscores the evolving tactics of APT37 in breaching highly secure environments. (bleepingcomputer.com)
This incident highlights a significant advancement in cyber-espionage techniques, demonstrating the capability to infiltrate air-gapped systems. Organizations with critical infrastructure should reassess their security protocols to mitigate such sophisticated threats.
Why This Matters Now
The 'Ruby Jumper' campaign exemplifies the increasing sophistication of nation-state actors in targeting isolated networks, emphasizing the need for enhanced security measures to protect sensitive environments from evolving cyber threats.
Attack Path Analysis
APT37 initiated the attack by delivering a malicious LNK file that, when executed, deployed a PowerShell script to extract and execute embedded payloads. The script launched RESTLEAF, which established communication with the C2 server to download additional malware components. Using removable media, the malware spread to air-gapped systems by copying itself onto USB drives and executing upon connection. The malware established command and control channels through covert methods, including using removable media as a relay. Sensitive data was collected and exfiltrated via the same removable media channels. The attack resulted in unauthorized access to sensitive information and potential disruption of critical systems.
Kill Chain Progression
Initial Compromise
Description
APT37 delivered a malicious LNK file that, when executed, deployed a PowerShell script to extract and execute embedded payloads.
MITRE ATT&CK® Techniques
- User Execution: Malicious Link
- Command and Scripting Interpreter: PowerShell
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- Proxy: Internal Proxy
- Obfuscated Files or Information
- Archive Collected Data: Archive via Utility
- Exfiltration Over Physical Medium: USB
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 (Control ID: 6.2): Ensure all system components and software are protected from known vulnerabilities
- NYDFS 23 NYCRR 500 (Control ID: 500.03): Cybersecurity Policy
- DORA (Control ID: Article 5): ICT Risk Management Framework
- CISA ZTMM 2.0 (Control ID: Pillar 3: Data): Data Protection
- NIS2 Directive (Control ID: Article 21): Cybersecurity Risk Management Measures
Sector Implications
Industry-specific impact of this campaign, including operational, regulatory, and cloud security risks.
Defense/Space
APT37's air-gapped network breach capabilities directly threaten military systems, classified data, and critical defense infrastructure requiring comprehensive zero trust segmentation and egress security controls.
Government Administration
State-backed threat actors targeting air-gapped government networks pose severe risks to sensitive operations, requiring enhanced multicloud visibility, threat detection, and encrypted traffic monitoring capabilities.
Oil/Energy/Solar/Greentech
Critical infrastructure sectors face heightened risks from removable media-based attacks that can bridge air-gapped operational technology systems, necessitating robust anomaly detection and segmentation controls.
Research Industry
Research facilities using air-gapped systems for intellectual property protection are vulnerable to Ruby-based malware campaigns that weaponize USB drives for covert data exfiltration and surveillance.
Sources
- APT37 hackers use new malware to breach air-gapped networks (BleepingComputer): https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/
- North Korea's APT37 Expands Toolkit to Breach Air-Gapped Networks (Infosecurity Magazine): https://www.infosecurity-magazine.com/news/north-korea-apt37-expands-toolkit/
- APT37 Adds New Capabilities for Air-Gapped Networks (Zscaler ThreatLabz): https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident because strict segmentation and controlled egress policies could limit the attacker's ability to move laterally and exfiltrate data.
- Cloud Native Security Fabric (CNSF): The attacker's ability to execute unauthorized scripts may be constrained, reducing the likelihood of initial payload deployment.
- Zero Trust Segmentation: The attacker's ability to escalate privileges may be limited, reducing the scope of unauthorized access.
- East-West Traffic Security: The attacker's ability to move laterally may be constrained, reducing the spread of malware to other systems.
- Multicloud Visibility & Control: The attacker's ability to establish covert command and control channels may be limited, reducing unauthorized communications.
- Egress Security & Policy Enforcement: The attacker's ability to exfiltrate sensitive data may be constrained, reducing data loss.
Taken together, the attacker's ability to access sensitive information and disrupt systems may be limited, reducing overall impact.
Impact at a Glance
Affected Business Functions
- Research and Development
- Intellectual Property Management
- Data Security
- Operational Continuity
Estimated downtime: 7 days
Estimated loss: $500,000
Data at risk: Confidential research data and intellectual property related to critical infrastructure and defense sectors.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit the spread of malware within the network.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Deploy Threat Detection & Anomaly Response systems to identify and respond to malicious activities promptly.
- Utilize Inline IPS (Suricata) to detect and prevent known exploit patterns and malicious payloads.
- Establish Multicloud Visibility & Control to gain comprehensive insights into network traffic and enforce centralized security policies.