Executive Summary
In a campaign observed in December 2025 and publicly documented in February 2026, the North Korean state-sponsored group ScarCruft (APT37) ran an operation tracked as 'Ruby Jumper' whose goal was to reach systems on air-gapped networks. The intrusion began with malicious LNK (Windows shortcut) files that, once a user opened them, started a multi-stage infection chain. That chain used Zoho WorkDrive, a legitimate cloud storage service, as its command-and-control (C2) channel, and relied on removable media to carry commands and stolen data across the air gap. The campaign introduced several new tools, RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK and FOOTWINE, each covering a different stage from initial compromise through persistence and media relay to surveillance and data theft. (thehackernews.com)
The incident shows how nation-state actors now approach isolated networks: instead of attacking the air gap head-on, they compromise a connected host first, hide the C2 leg inside normal SaaS traffic, and let removable media do the hop that no network control can see. Both halves matter for defenders. Cloud-service C2 defeats blocklists built around suspicious domains, and the media hop moves the attacker past the segmentation that an isolated segment relies on, putting critical infrastructure and sensitive data repositories at risk. (bleepingcomputer.com)
Why This Matters Now
The 'Ruby Jumper' campaign shows a nation-state actor operating across an air gap with a tool set built specifically for the job. Organizations that treat an isolated network as inherently safe should reassess: the removable-media workflow that keeps such a network usable is exactly the path this campaign abused, so media handling, the hosts that stage media, and their outbound cloud traffic all belong in the threat model.
Attack Path Analysis
The attack began with a malicious LNK file that, when opened, ran a PowerShell script to deploy several payloads, among them RESTLEAF, which used Zoho WorkDrive for C2. RESTLEAF downloaded and executed further payloads, leading to SNAKEDROPPER, which established persistence and deployed THUMBSBD and VIRUSTASK. THUMBSBD used removable media to relay commands and transfer data between internet-connected and air-gapped systems, giving the operators a two-way path into the isolated segment. Because C2 ran over a legitimate cloud service, remote command execution and exfiltration from the connected hosts blended with ordinary SaaS traffic. The chain culminated in the deployment of surveillance tooling such as FOOTWINE, capable of keylogging and audio/video capture, so the data at risk extended beyond files to what users typed and said near the machine.
Kill Chain Progression
Initial Compromise
Description
The attack began with a malicious LNK file that, when opened, executed a PowerShell script to deploy multiple payloads, including RESTLEAF, which used Zoho WorkDrive for command-and-control communications.
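The two network-observable stages described above and in Attack Path Analysis (a shortcut launching PowerShell, then a non-browser process talking to a cloud storage service) are both huntable in standard endpoint telemetry. The following is an added example written for this page, not code from the original article or from any of the cited researchers. It runs two heuristics over constructed Sysmon-style events: a double-clicked LNK is launched by explorer.exe, so explorer.exe spawning powershell.exe with hidden-window, encoded-command or execution-policy-bypass switches is the first signal; a non-browser image connecting to Zoho WorkDrive hosts is the second. The hostname suffixes, browser allowlist and all sample events are assumptions and constructed data, not indicators from the campaign.

```python
"""Hunting heuristics for LNK-launched PowerShell and non-browser cloud-storage C2.

Added example for this page; not part of the original reporting. All telemetry
below is constructed and the host/domain lists are placeholders to be tuned.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class NetworkEvent:
    host: str
    image: str
    dest_host: str


# Assumed placeholders: confirm the exact hostnames WorkDrive traffic uses in your
# own proxy logs. zohoapis.com also serves other Zoho products, so expect to tune.
ZOHO_WORKDRIVE_SUFFIXES = ("workdrive.zoho.com", "zohoapis.com")
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}


def basename(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_powershell_flags(command_line: str) -> set[str]:
    """Return the risky powershell.exe switches present on a command line.

    powershell.exe accepts unambiguous prefixes of its switches, so the common
    short forms (-e, -enc, -w, -ep, -nop) are checked alongside the long ones.
    """
    tokens = command_line.lower().split()
    found: set[str] = set()
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in ("-e", "-ec", "-enc", "-encodedcommand"):
            found.add("encodedcommand")
        elif tok in ("-w", "-windowstyle") and nxt == "hidden":
            found.add("hidden-window")
        elif tok in ("-ep", "-executionpolicy") and nxt == "bypass":
            found.add("executionpolicy-bypass")
        elif tok in ("-nop", "-noprofile"):
            found.add("noprofile")
    return found


def detect_shortcut_launched_powershell(events):
    """Flag explorer.exe -> powershell.exe launches carrying loader-style switches."""
    findings = []
    for ev in events:
        if basename(ev.parent_image) != "explorer.exe":
            continue
        if basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
            continue
        flags = suspicious_powershell_flags(ev.command_line)
        if flags:
            findings.append((ev.host, "explorer.exe -> powershell.exe", sorted(flags)))
    return findings


def detect_nonbrowser_cloud_c2(events):
    """Flag connections to WorkDrive hosts from anything that is not a browser."""
    findings = []
    for ev in events:
        dest = ev.dest_host.lower()
        if not any(dest == s or dest.endswith("." + s) for s in ZOHO_WORKDRIVE_SUFFIXES):
            continue
        if basename(ev.image) in BROWSER_IMAGES:
            continue
        findings.append((ev.host, basename(ev.image), dest))
    return findings


# Constructed sample telemetry (simplified Sysmon event 1 / event 3 fields).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROCESS_EVENTS = [
    # Loader-style launch from a shortcut; the base64 blob is a placeholder, not a real payload.
    ProcessEvent("WS01", r"C:\Windows\explorer.exe", PS,
                 "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -EncodedCommand UExBQ0VIT0xERVI="),
    # Benign: explorer launching PowerShell with a plain script path.
    ProcessEvent("WS03", r"C:\Windows\explorer.exe", PS, r"powershell.exe -File C:\tools\report.ps1"),
    ProcessEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
    # Benign: scheduled job, parent is not explorer.exe.
    ProcessEvent("WS02", r"C:\Windows\System32\cmd.exe", PS, r"powershell.exe -NoP -File C:\scripts\backup.ps1"),
]
NETWORK_EVENTS = [
    NetworkEvent("WS01", PS, "workdrive.zoho.com"),
    NetworkEvent("WS03", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "workdrive.zoho.com"),
    NetworkEvent("WS01", r"C:\Windows\System32\svchost.exe", "www.zohoapis.com"),
    NetworkEvent("WS02", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "mail.zoho.com"),
]

if __name__ == "__main__":
    for f in detect_shortcut_launched_powershell(PROCESS_EVENTS):
        print("LNK->PowerShell:", f)
    for f in detect_nonbrowser_cloud_c2(NETWORK_EVENTS):
        print("Cloud C2 candidate:", f)
```

Neither heuristic is a confirmation on its own. The first fires on any hidden encoded PowerShell launched from the desktop, which some admin tooling also does; the second will flag legitimate non-browser Zoho clients. Their value is in the join: the same host appearing in both lists within minutes matches the chain described above closely enough to pull the LNK and the spawned script for analysis.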
MITRE ATT&CK® Techniques
User Execution: Malicious File (T1204.002)
Command and Scripting Interpreter: PowerShell (T1059.001)
Web Service: Bidirectional Communication (T1102.002)
Proxy: Internal Proxy (T1090.001)
Obfuscated Files or Information: Software Packing (T1027.002)
Replication Through Removable Media (T1091)
Communication Through Removable Media (T1092)
Data from Local System (T1005)
Exfiltration Over C2 Channel (T1041)
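The removable-media relay described in Attack Path Analysis (THUMBSBD carrying commands in and data out) leaves no network trace, so it has to be hunted in file telemetry correlated across hosts. The following is an added example for this page, not code from the original article or the cited research. Given file events from both a connected host and an isolated host, it finds files written to a removable volume on one side and later seen on a removable volume on the other, in both directions, and separately flags any execution from removable media on an isolated host. The host inventory, digests and events are all constructed placeholders; a real deployment would take them from asset tags and EDR file-event data.

```python
"""Cross-host correlation of removable-media file movement across an air gap.

Added example for this page; not part of the original reporting. Hosts, digests
and events are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    action: str      # "write", "read" or "execute"
    path: str
    sha256: str
    removable: bool  # True when the volume is a removable device


# Assumed inventory (placeholders): which hosts sit on the connected network and
# which are in the isolated segment.
CONNECTED_HOSTS = {"WS01"}
ISOLATED_HOSTS = {"AG-ENG01"}


def correlate_removable_bridge(events, src_hosts, dst_hosts):
    """Return (sha256, src_host, dst_host, dst_path) for each file written to removable
    media on a src host and later observed on removable media on a dst host.

    Called with (connected, isolated) it finds inbound tooling or commands; called with
    (isolated, connected) it finds data being carried back out.
    """
    by_hash: dict[str, list[FileEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_hash.setdefault(ev.sha256, []).append(ev)

    findings = []
    for digest, evs in by_hash.items():
        staged = [e for e in evs if e.removable and e.action == "write" and e.host in src_hosts]
        landed = [e for e in evs if e.removable and e.host in dst_hosts]
        for s in staged:
            for l in landed:
                if l.ts > s.ts:
                    findings.append((digest, s.host, l.host, l.path))
                    break  # one finding per staged copy is enough to investigate
    return findings


def execution_from_removable(events, isolated_hosts):
    """Return (host, path, sha256) for anything executed from removable media on an isolated host.

    On a network with no outside connectivity, code running off a USB volume is rarely
    legitimate and is the simplest high-signal check for a media-borne hop.
    """
    return [
        (e.host, e.path, e.sha256)
        for e in sorted(events, key=lambda e: e.ts)
        if e.removable and e.action == "execute" and e.host in isolated_hosts
    ]


# Constructed digests and events; nothing here is an indicator from the campaign.
HASH_A, HASH_B, HASH_C, HASH_D = ("a" * 64, "b" * 64, "c" * 64, "d" * 64)
FILE_EVENTS = [
    FileEvent(datetime(2025, 12, 3, 8, 0), "WS01", "write", r"C:\Users\u\notes.txt", HASH_D, False),
    FileEvent(datetime(2025, 12, 3, 9, 0), "WS01", "write", r"E:\docs\update.dat", HASH_A, True),
    FileEvent(datetime(2025, 12, 3, 9, 30), "AG-ENG01", "read", r"E:\docs\update.dat", HASH_A, True),
    FileEvent(datetime(2025, 12, 3, 9, 31), "AG-ENG01", "execute", r"E:\docs\tool.exe", HASH_B, True),
    FileEvent(datetime(2025, 12, 3, 10, 0), "AG-ENG01", "write", r"E:\docs\results.bin", HASH_C, True),
    FileEvent(datetime(2025, 12, 3, 10, 45), "WS01", "read", r"E:\docs\results.bin", HASH_C, True),
]

if __name__ == "__main__":
    print("inbound:", correlate_removable_bridge(FILE_EVENTS, CONNECTED_HOSTS, ISOLATED_HOSTS))
    print("outbound:", correlate_removable_bridge(FILE_EVENTS, ISOLATED_HOSTS, CONNECTED_HOSTS))
    print("executed from media:", execution_from_removable(FILE_EVENTS, ISOLATED_HOSTS))
```

The correlation depends on collecting file hashes from the isolated hosts, which by definition cannot stream telemetry out; in practice that means periodic offline collection, which is also the cadence at which this check can run. The outbound direction is the one most often missed: a file that appears on the isolated side first and on the connected side afterwards is exactly what a media-relay implant produces when it carries results back to its operator.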
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Software Prevention
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity Management
Control ID: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of this campaign, including operational, regulatory, and cloud security risks.
Government Administration
APT attacks targeting air-gapped networks pose critical national security risks, compromising classified systems through USB malware and cloud service abuse for C2 communications.
Defense/Space
ScarCruft's air-gap bypass capabilities using removable media threaten secure defense networks, enabling surveillance malware deployment and data exfiltration from isolated systems.
Financial Services
Advanced persistent threats that route command-and-control through legitimate cloud services pass through controls built around domain reputation, putting sensitive financial data at risk and creating reportable events under applicable regulatory regimes.
Health Care / Life Sciences
USB-based malware propagation and surveillance capabilities threaten the confidentiality of patient data in air-gapped medical research and clinical environments; a resulting exposure of protected health information would trigger HIPAA breach obligations.
Sources
- ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks: https://thehackernews.com/2026/02/scarcruft-uses-zoho-workdrive-and-usb.html
- APT37 Adds New Capabilities for Air-Gapped Networks: https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks
- APT37 hackers use new malware to breach air-gapped networks: https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident because strict segmentation and identity-aware policies could have limited the attacker's ability to move laterally and exfiltrate data from the connected network, reducing the overall blast radius. One caveat applies to every control below: the hop across the air gap was made on removable media, not over the network, so these controls address the cloud C2 leg and the connected staging hosts, while the media transfer itself requires endpoint device control and host-side monitoring on the isolated segment.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to establish command-and-control channels through legitimate cloud services may have been constrained, reducing the effectiveness of their initial foothold.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to reach additional systems and deploy further malware components could have been limited, reducing the scope of their control.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally between systems may have been constrained, limiting their reach within the network.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain command and control over compromised systems could have been limited, reducing their operational effectiveness.
Control: Egress Security & Policy Enforcement
Mitigation: Restricting outbound traffic to approved destinations and identities may have constrained both the Zoho WorkDrive C2 channel and the exfiltration that ran over it, reducing the impact of the data breach; with the C2 channel cut, the later deployment of surveillance tools and the resulting data compromise could also have been limited.
Impact at a Glance
Affected Business Functions
- Data Security
- Network Security
- System Administration
Estimated downtime: 7 days (illustrative planning figure; not reported in the cited sources)
Estimated loss: $500,000 (illustrative planning figure; not reported in the cited sources)
Potential exposure of sensitive corporate data, including intellectual property, confidential communications, and, given the surveillance tooling, keystrokes and audio/video captured from compromised systems.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit the spread of malware within the network.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, including to sanctioned cloud storage services such as Zoho WorkDrive, preventing unauthorized data exfiltration.
- Deploy Multicloud Visibility & Control solutions to detect and respond to anomalous activities across cloud environments.
- Utilize Threat Detection & Anomaly Response mechanisms to identify and mitigate malicious activities promptly.
- Apply Inline IPS (Suricata) to detect and prevent known exploit patterns and malicious payloads in network traffic.
- Restrict and audit removable media on both the connected staging hosts and the isolated segment, since that is the path the campaign used to cross the air gap; block execution from removable volumes on isolated hosts.
- Treat LNK files arriving from outside the organization as executable content, and enable PowerShell script block logging so that the encoded commands such shortcuts launch are recorded for detection and investigation.