In a sophisticated escalation of cyber espionage, the North Korean-linked threat group APT37 (also known as ScarCruft or Ruby Sleet) has been caught deploying a novel toolkit designed to leap over the ultimate security hurdle: the air-gap. A recent investigation by Zscaler ThreatLabz has unmasked a campaign dubbed “Ruby Jumper,” which uses a clever combination of popular cloud services and weaponized USB drives to infiltrate even the most isolated networks.
The attack begins with a familiar but effective tactic: a malicious Windows shortcut (LNK) file. Disguised with a decoy document—in one case, an Arabic translation of a North Korean newspaper article about the Palestine-Israel conflict—the file triggers a silent chain of events.
As the Zscaler report explains, “In the Ruby Jumper campaign, when a victim opens a malicious LNK file, it launches a PowerShell command and scans the current directory to locate itself based on file size… Each payload created by the LNK file works in tandem, ultimately spawning a Windows executable payload.”

The malware drops a tool called SNAKEDROPPER, which installs a full Ruby 3.3.0 environment on the victim’s machine. To avoid suspicion, it renames the main Ruby interpreter to usbspeed.exe, masquerading as a harmless USB utility.
By using a legitimate programming environment to run its malicious scripts, APT37 makes detection much harder for standard security software.
The most alarming aspect of Ruby Jumper is its ability to compromise “air-gapped” systems—computers that are physically disconnected from the internet for security purposes. This is achieved through two newly discovered tools: THUMBSBD and VIRUSTASK.
THUMBSBD acts as a “bidirectional covert C2 relay.” When a user plugs an infected USB into an air-gapped machine, the malware uses a hidden folder to pass commands and steal data. Once that same USB is plugged back into an internet-connected computer, the stolen data is whisked away to the attackers’ servers.
VIRUSTASK, meanwhile, ensures the infection continues to spread. It scans removable media and replaces the victim’s original files with malicious shortcuts.
“While THUMBSBD handles C2 communication and data exfiltration, VIRUSTASK ensures the malware spreads to new systems through social engineering by replacing legitimate files with malicious shortcuts that victims trust and execute,” the report explains.
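The removable-media behaviour described for THUMBSBD and VIRUSTASK (a hidden folder on the USB used as a drop box, and legitimate files replaced by shortcuts that launch PowerShell, as the LNK stage in the report also does) suggests a simple triage check a defender can run against a mounted removable drive before anyone opens anything on it. The Python script below is an added example, not code from the report or from Zscaler; the folder name, the document-lookalike shortcut and its contents are constructed sample data, and the heuristics (the standard LNK header signature, a double extension such as `.docx.lnk`, and script-host strings inside the shortcut body) are general assumptions about what such files look like, not indicators published for Ruby Jumper.

```python
import tempfile
from pathlib import Path

# Every Windows shortcut starts with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (little-endian GUID layout).
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")

# Document extensions a shortcut might impersonate ("report.docx.lnk").
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".hwp", ".txt"}

# Script hosts whose presence in a shortcut's target/arguments is worth flagging.
SUSPICIOUS_TOKENS = (b"powershell", b"cmd.exe", b"mshta", b"wscript", b"cscript")

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit


def is_hidden(path: Path) -> bool:
    """Hidden via the Windows attribute where available, or by the dot-prefix convention."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def lnk_strings(data: bytes) -> bytes:
    """Lower-cased view of the bytes that also catches UTF-16LE text (nulls stripped)."""
    return data.lower() + b"|" + data.replace(b"\x00", b"").lower()


def triage_removable_media(root: Path) -> list:
    """Walk a mounted drive and return a list of {"path", "reason"} findings."""
    findings = []
    for path in root.rglob("*"):
        rel = str(path.relative_to(root))
        if path.is_dir():
            if is_hidden(path):
                findings.append({"path": rel, "reason": "hidden directory on removable media"})
            continue
        if path.suffix.lower() != ".lnk":
            continue
        data = path.read_bytes()
        if not data.startswith(LNK_MAGIC):
            continue  # not a real shortcut, just a .lnk-named file
        inner_ext = Path(path.stem).suffix.lower()  # "report.docx.lnk" -> ".docx"
        if inner_ext in DOC_EXTS:
            findings.append({"path": rel, "reason": f"shortcut impersonates a {inner_ext} document"})
        hay = lnk_strings(data)
        hits = [t.decode() for t in SUSPICIOUS_TOKENS if t in hay]
        if hits:
            findings.append({"path": rel, "reason": "shortcut invokes script host: " + ", ".join(hits)})
    return findings


def build_sample_usb() -> Path:
    """Constructed sample drive layout (assumption, not data from the report)."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "photos").mkdir()
    (root / "photos" / "IMG_0001.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 32)
    # A shortcut standing in for a removed document; its arguments are stored as UTF-16LE.
    args = "powershell.exe -Command <CONSTRUCTED_PLACEHOLDER>".encode("utf-16-le")
    (root / "report.docx.lnk").write_bytes(LNK_MAGIC + b"\x00" * 40 + args)
    # A hidden folder acting as a drop box (name is a constructed placeholder).
    relay = root / ".relay"
    relay.mkdir()
    (relay / "in.bin").write_bytes(b"\x00" * 8)
    # A benign shortcut to a normal program path, which should not be flagged.
    (root / "Calculator.lnk").write_bytes(LNK_MAGIC + b"\x00" * 40 + b"C:\\Windows\\System32\\calc.exe")
    return root


if __name__ == "__main__":
    for finding in triage_removable_media(build_sample_usb()):
        print(f"{finding['path']}: {finding['reason']}")
```

Run it against a real drive by calling `triage_removable_media(Path("E:/"))` (or the mount point on another OS) from a host that is not the air-gapped system itself; the check is deliberately cheap so it can be scripted into a media-inspection station. A clean drive produces no findings; any hit is a reason to image the drive rather than open its files.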
Once the bridge is built, the attackers deploy their final payloads: FOOTWINE and BLUELIGHT. These tools provide the “surveillance” stage of the operation. FOOTWINE is particularly invasive, capable of:
- Keylogging: Recording every keystroke.
- Audio/Video Capture: Turning on microphones and cameras.
- File Manipulation: Stealing, renaming, or deleting sensitive documents.
Zscaler attributes this campaign to APT37 with “high confidence,” noting the group’s signature use of cloud services like Zoho WorkDrive, Google Drive, and OneDrive for command-and-control.
The report concludes with a warning for the security community: “The Ruby Jumper campaign involves a multi-stage infection chain that begins with a malicious LNK file and utilizes legitimate cloud services… Most critically, THUMBSBD and VIRUSTASK weaponize removable media to bypass network isolation and infect air-gapped systems.”