PROBABLYPWNED
Threat Intelligence | February 27, 2026 | 4 min read

APT37 Ruby Jumper Campaign Targets Air-Gapped Networks

North Korean APT37 deploys six new malware tools to breach air-gapped systems using USB drives and cloud C2. Zscaler reveals RESTLEAF, THUMBSBD, and FOOTWINE surveillance capabilities.

Alex Kowalski

North Korean state-sponsored hackers have developed a sophisticated multi-stage malware toolkit specifically designed to jump air-gaps and compromise isolated networks, according to new research from Zscaler ThreatLabz.

The campaign, tracked as "Ruby Jumper," represents a significant escalation in APT37's capabilities. Five of the six malware tools discovered had never been documented before, giving the threat actor fresh options for infiltrating high-security environments that rely on physical network isolation as their primary defense.

How the Attack Works

APT37 relies on its signature technique: malicious Windows shortcut (LNK) files that trigger a complex infection chain. When a victim opens the weaponized LNK, it launches PowerShell to extract multiple embedded payloads from fixed offsets within the file itself. This includes a decoy document, executable payload, additional scripts, and batch files that work together to establish persistence.

"The PowerShell script launched by the LNK file carves multiple embedded payloads from fixed offsets within that LNK," explained Seongsu Park, staff threat researcher at Zscaler.
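A shortcut that carves its own payloads has to carry them somewhere, and the MS-SHLLINK structures end at a terminal ExtraData block, so anything after that block is an overlay. The triage routine below, an added example rather than Zscaler's or the campaign's code, parses a shortcut far enough to measure that overlay and pairs it with launch-string keywords; the 1024-byte threshold, the keyword list and the constructed samples are this example's own assumptions.

```python
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-...-0046}
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in on-disk order with their LinkFlags bits
STRING_FIELDS = (("name", 0x04), ("relpath", 0x08), ("workdir", 0x10), ("args", 0x20), ("icon", 0x40))
KEYWORDS = ("powershell", "hidden", "-enc", "-nop")          # assumed triage keywords

def parse_lnk(data):
    """Walk the MS-SHLLINK structures; return (string_data, offset where they end)."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE)
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags, pos = struct.unpack_from("<I", data, 0x14)[0], LNK_HEADER_SIZE
    if flags & HAS_IDLIST:                  # LinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                # LinkInfo: u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings, width = {}, 2 if flags & IS_UNICODE else 1
    for field, bit in STRING_FIELDS:        # StringData: u16 char count + characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            strings[field] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + len(raw)
    size = 4
    while size >= 4 and pos + 4 <= len(data):   # ExtraData blocks end at a size < 4
        size = struct.unpack_from("<I", data, pos)[0]
        pos += max(size, 4)
    return strings, pos

def triage_lnk(data, overlay_threshold=1024):
    """Flag a shortcut that both carries a large overlay and launches something hidden."""
    strings, end = parse_lnk(data)
    overlay = max(0, len(data) - end)
    text = " ".join(strings.values()).lower()
    hits = [k for k in KEYWORDS if k in text]
    return {"overlay_bytes": overlay, "keywords": hits,
            "suspicious": overlay >= overlay_threshold and bool(hits)}

def build_sample(args, overlay=b""):
    """Constructed minimal LNK (LinkFlags = HasArguments|IsUnicode) for offline testing."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", 0xA0)
    header += bytes(LNK_HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le") + bytes(4) + overlay

BENIGN = build_sample("/k echo hello")                       # constructed plain shortcut
# constructed stand-in for a carving LNK: hidden PowerShell launch plus 3000 bytes of overlay
CARVED = build_sample('/c powershell -WindowStyle Hidden -Command "<placeholder>"', bytes(3000))
```

Real shortcuts usually put the target path in the LinkTargetIDList rather than the string data, so a production rule should also resolve the IDList target; the overlay measurement is the part that generalises.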

The decoy documents shown to victims reference Palestine-Israel conflict articles translated from North Korean media into Arabic, suggesting APT37 is targeting Arabic-speaking individuals interested in North Korean geopolitical narratives. This aligns with the group's known targeting of government officials and journalists across Asia and the Middle East.

Six Malware Tools Working in Concert

The Ruby Jumper toolkit consists of six components that each serve a specific purpose in the attack chain:

RESTLEAF serves as the initial implant, using Zoho WorkDrive cloud storage for command-and-control communications. This marks the first time APT37 has abused Zoho's platform for C2, adding another cloud service to their arsenal alongside Google Drive, Microsoft OneDrive, pCloud, and BackBlaze.

SNAKEDROPPER installs a portable Ruby 3.3.0 runtime and establishes persistence through scheduled tasks. The Ruby runtime provides the execution environment for subsequent malicious scripts.

THUMBSBD handles the critical air-gap bridging functionality. When a USB drive connects to an infected internet-facing machine, THUMBSBD copies staged command files into a hidden $RECYCLE.BIN directory. When that same drive is plugged into an air-gapped machine running the THUMBSBD implant, the malware reads those hidden files, decrypts them using a single-byte XOR key, and executes the operator's commands.
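Two properties of the THUMBSBD workflow give responders something to check on a suspect USB drive: Windows only ever populates $RECYCLE.BIN with per-user SID folders holding $I/$R entries, and a single-byte XOR key falls to exhaustive search because the recovered plaintext is a readable command. The scanner below is an added example, not THUMBSBD or Zscaler code; the recycle-bin naming rules, the printability scoring and the constructed sample volume (key 0x5A, file name cmd.dat) are its own assumptions.

```python
import os, re, tempfile

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
# Windows itself only creates $RECYCLE.BIN\<user SID>\$I<id> / $R<id> entries and desktop.ini
SID_DIR = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")
RECYCLED_NAME = re.compile(r"^\$[IR][0-9A-Za-z]{6}(\..*)?$")

def recover_xor_key(blob):
    """Try all 256 single-byte keys; return (key, text) for the most text-like result."""
    best = None
    for key in range(256):
        dec = bytes(b ^ key for b in blob)
        if all(b in PRINTABLE for b in dec):       # a staged command decodes to plain text
            score = sum(chr(b).isalpha() or b == 0x20 for b in dec)
            if best is None or score > best[0]:
                best = (score, key, dec.decode("ascii"))
    return None if best is None else (best[1], best[2])

def is_expected_recycle_entry(rel_parts):
    """True for paths Windows creates inside $RECYCLE.BIN on its own."""
    return (len(rel_parts) == 2 and bool(SID_DIR.match(rel_parts[0]))
            and bool(RECYCLED_NAME.match(rel_parts[1]))) or rel_parts == ["desktop.ini"]

def scan_recycle_bin(volume_root):
    """List files under $RECYCLE.BIN that do not fit the recycle-bin layout, with XOR triage."""
    bin_dir = os.path.join(volume_root, "$RECYCLE.BIN")
    findings = []
    for dirpath, _, files in os.walk(bin_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, bin_dir).split(os.sep)
            if is_expected_recycle_entry(rel):
                continue
            with open(full, "rb") as fh:
                key, text = recover_xor_key(fh.read(4096)) or (None, None)
            findings.append({"path": "/".join(rel), "xor_key": key, "decoded": text})
    return findings

def build_sample_volume():
    """Constructed stand-in for a USB volume: one genuine recycled file, one staged file."""
    root = tempfile.mkdtemp()
    sid_dir = os.path.join(root, "$RECYCLE.BIN", "S-1-5-21-1111-2222-3333-1001")
    os.makedirs(sid_dir)
    with open(os.path.join(sid_dir, "$IABC123.txt"), "wb") as fh:
        fh.write(b"\x02" + bytes(23))            # placeholder for a $I metadata record
    staged = b"systeminfo > report.txt\r\n"      # constructed command, XORed with key 0x5A
    with open(os.path.join(root, "$RECYCLE.BIN", "cmd.dat"), "wb") as fh:
        fh.write(bytes(b ^ 0x5A for b in staged))
    return root
```

Point scan_recycle_bin at a mounted drive letter or a mounted image to run it against real media; a recovered key with readable output is a strong triage signal, while a None key only means the file is not single-byte XOR text.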

VIRUSTASK focuses exclusively on propagation, infecting removable media by replacing legitimate files with malicious LNK shortcuts that point to the original content while silently executing malware in the background.

FOOTWINE provides extensive surveillance capabilities including interactive shells, file and registry manipulation, keystroke logging, screenshots, and audio/video monitoring. All communications are encrypted via a custom binary protocol over TCP.

BLUELIGHT rounds out the toolkit as a secondary backdoor leveraging multiple cloud providers for command execution and payload delivery. This tool has been previously documented in APT37 operations.

Attribution and Victimology

Zscaler ThreatLabz attributes Ruby Jumper to APT37 (also tracked as ScarCruft, Ruby Sleet, Ricochet Chollima, and Velvet Chollima) with high confidence. The attribution rests on characteristic techniques including LNK-based infection chains with batch and PowerShell scripts, encrypted shellcode with consistent API hashing patterns, reuse of BLUELIGHT, and victimology aligned with DPRK intelligence collection priorities.

APT37 initially focused on South Korean public and private sectors but expanded operations in 2017 to include Japan, Vietnam, and the Middle East. The group now targets a broad range of verticals including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare entities.

The Ruby Jumper campaign represents a natural evolution for North Korean cyber operators, who have increasingly diversified their attack methods beyond the Lazarus Group's headline-grabbing cryptocurrency heists. While Lazarus focuses on financial theft—stealing an estimated $1.3 billion in cryptocurrency in 2024 alone—APT37 concentrates on intelligence gathering from strategic targets.

Why This Matters

Organizations that rely on air-gapped networks as a security control need to recognize that physical isolation is not absolute protection. State-sponsored actors have invested years developing tradecraft to cross these gaps, and the Ruby Jumper campaign demonstrates how mature these techniques have become.

The pairing of cloud-based C2 with removable media workflows is particularly effective. Malicious traffic blends in with ordinary business activity when using legitimate cloud services, while USB propagation provides the bridge into segregated networks where network-based detection tools cannot reach.

Defensive Recommendations

Security teams should implement strict USB device controls on systems with access to sensitive networks. This includes disabling autorun functionality, using device control software to whitelist authorized removable media, and monitoring for suspicious LNK file creation.

Network defenders should also watch for indicators associated with this campaign:

  • Domain indicators: philion[.]store, homeatedke[.]store, hightkdhe[.]store
  • C2 IP: 144.172.106[.]66:8080 (FOOTWINE)
  • File hash: 709d70239f1e9441e8e21fcacfdc5d08 (malicious LNK)

Organizations in targeted sectors should review their threat intelligence resources for additional IOCs and detection signatures. For those wanting deeper context on DPRK cyber operations, our recommended cybersecurity books include several titles covering North Korean threat actor evolution.
