PROBABLYPWNED
Threat Intelligence · March 15, 2026 · 5 min read

APT37 Deploys Five New Tools to Breach Air-Gapped Networks

North Korean APT37's Ruby Jumper campaign uses RESTLEAF, THUMBSBD, and FOOTWINE malware to exfiltrate data from isolated systems via USB drives.

Alex Kowalski

North Korean threat actors are deploying five previously undocumented malware tools to infiltrate air-gapped networks, according to new research from security firm Kaspersky. The campaign, tracked as Ruby Jumper, demonstrates APT37's continued investment in techniques for compromising isolated systems that lack direct internet connectivity.

The newly documented toolkit includes RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE, alongside the group's existing BLUELIGHT backdoor.

TL;DR

  • What happened: APT37 developed new malware specifically designed to bridge air-gapped networks via USB drives
  • Who's affected: Organizations using network isolation for sensitive systems, particularly in South Korea
  • Severity: High - bypasses air-gap defenses; enables covert surveillance
  • Action required: Enforce strict USB policies; monitor for LNK file abuse

How Ruby Jumper Crosses the Air Gap

The campaign was discovered in December 2025 and documented in a report published February 26, 2026. APT37—also known as ScarCruft, Ricochet Chollima, Ruby Sleet, and InkySquid—has been active since 2012, primarily targeting South Korean entities for intelligence collection.

The attack chain begins with the group's signature technique: malicious Windows shortcut (LNK) files. When executed on an internet-connected system, the LNK drops a cascade of payloads that establish persistence and prepare for lateral movement.

The critical innovation is how the malware propagates to isolated systems. THUMBSBD and VIRUSTASK specifically weaponize removable media—USB drives that employees might carry between connected and air-gapped networks.

When an infected USB connects to an air-gapped system, the malware activates without requiring user interaction. Data collection begins immediately, with stolen files staged on the USB for exfiltration when it returns to an internet-connected machine.

The New Malware Arsenal

RESTLEAF serves as the campaign's primary implant, notable for its abuse of Zoho WorkDrive for command and control. This marks APT37's first documented use of this cloud service, adding another legitimate platform to their C2 repertoire.

THUMBSBD and VIRUSTASK handle USB propagation. They monitor for removable media insertion and deploy payloads designed for air-gapped execution. The malware creates hidden directories on USB drives to store collected data.
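Added example, not code from the Kaspersky report or the original article: a scanning-station check for removable media that flags hidden directories of the kind described above and shell-link files, identifying the latter by their header so a renamed extension does not hide them. The LNK header constant is the documented shell-link CLSID; the sample drive contents are constructed.

```python
import os
import tempfile
from pathlib import Path

# A Windows shell link (.lnk) starts with HeaderSize 0x4C followed by the
# CLSID 00021401-0000-0000-C000-000000000046 in little-endian field layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")
WIN_HIDDEN_BITS = 0x2 | 0x4  # FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


def is_hidden(path: Path) -> bool:
    """Hidden by a dot-name (POSIX convention) or by Windows hidden/system attributes."""
    if path.name.startswith("."):
        return True
    return bool(getattr(path.stat(), "st_file_attributes", 0) & WIN_HIDDEN_BITS)


def looks_like_lnk(path: Path) -> bool:
    """Identify a shell link by its header, so a renamed extension does not hide it."""
    with path.open("rb") as fh:
        return fh.read(len(LNK_MAGIC)) == LNK_MAGIC


def scan_media(root) -> list:
    """Walk a mounted removable drive; return sorted (reason, relative path) findings."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        for d in list(dirnames):
            sub = here / d
            if is_hidden(sub):
                n = sum(len(fs) for _, _, fs in os.walk(sub))
                findings.append(("hidden directory", f"{sub.relative_to(root).as_posix()} [{n} files]"))
                dirnames.remove(d)  # reported as a whole; do not descend into it
        for f in filenames:
            p = here / f
            rel = p.relative_to(root).as_posix()
            if p.suffix.lower() == ".lnk" or looks_like_lnk(p):
                findings.append(("shell link", rel))
            elif is_hidden(p):
                findings.append(("hidden file", rel))
    return sorted(findings)


def build_sample_media() -> str:
    """Constructed stand-in for a USB drive, not real campaign artifacts."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "minutes.docx").write_bytes(b"PK\x03\x04 benign sample")
    (root / "report.docx").write_bytes(LNK_MAGIC + b"\x00" * 56)  # shortcut posing as a document
    (root / ".stash").mkdir()  # dot-hidden staging directory
    (root / ".stash" / "collected.bin").write_bytes(b"constructed staged data")
    return str(root)
```

Run `scan_media` against the mount point of the drive on a dedicated scanning station; on Windows the hidden-attribute check applies, on POSIX stations the dot-name convention does.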

FOOTWINE provides comprehensive surveillance capabilities:

  • Interactive shell access
  • File and registry manipulation
  • Keystroke logging
  • Screenshot capture
  • Audio and video monitoring
  • Encrypted communication channels

SNAKEDROPPER functions as a loader, deploying additional payloads as needed based on the target environment.

Cloud Services as C2 Infrastructure

APT37's adoption of Zoho WorkDrive follows a broader trend of abusing legitimate cloud services for command and control. By routing traffic through trusted platforms, attackers avoid blocklisting and blend with normal business operations.

This technique mirrors patterns we've tracked across multiple campaigns. The Salt Typhoon operation targeting telecommunications providers similarly leveraged legitimate infrastructure to maintain persistent access.

For defenders, the challenge is distinguishing malicious cloud API calls from legitimate usage. Network monitoring that flags all cloud storage traffic generates too much noise; attackers count on this.

Why Air-Gapped Networks Matter

Organizations implement air gaps—physical network isolation—to protect their most sensitive systems. Nuclear facilities, military systems, classified government networks, and critical infrastructure often operate without direct internet connectivity.

But air gaps create operational friction. Data must move somehow, typically via removable media. APT37's Ruby Jumper specifically targets this transfer mechanism.

The CISA ICS advisories for Siemens and Schneider systems highlighted similar risks to industrial control systems. Air-gapped doesn't mean unreachable—it means the attack path runs through physical media and maintenance laptops.

Historical Context

APT37 has operated continuously since 2012, focusing primarily on South Korean government agencies, defectors, journalists, and human rights organizations. The group supports North Korean intelligence priorities, including monitoring dissidents and collecting political intelligence.

The Ruby Jumper campaign represents a capability upgrade rather than a strategic shift. Air-gapped targeting has been part of APT37's repertoire, but the new toolkit suggests recent development investment.

For comparison, North Korea's Lazarus Group has previously deployed similar USB-propagating malware against financial institutions. The techniques overlap with the Spotify data scraping operation in terms of bulk data exfiltration, though targeting and objectives differ significantly.

Defending Isolated Networks

Organizations relying on air gaps should implement multiple defensive layers:

  1. USB device control - Whitelist approved devices and block unauthorized media
  2. Endpoint monitoring on isolated systems - Deploy agents that log activity without requiring network connectivity
  3. Regular USB scanning - Check removable media on dedicated scanning stations before connecting to sensitive systems
  4. LNK file restrictions - Block execution of shortcut files from removable media
  5. Behavioral analysis - Monitor for processes accessing USB drives immediately after insertion
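Added example, not part of the original article, for items 4 and 5 above: correlating device-insertion events with process creations on the same host, so a shortcut launched from a freshly inserted drive stands out while a document opened minutes later does not. The event format, hostnames, paths and timestamps are constructed; the Sysmon and Windows Security event IDs named in the comment are the sources such normalized records would normally be built from.

```python
import re
from datetime import datetime, timedelta

# Constructed, normalized endpoint events (not real campaign telemetry). In practice they
# would be built from sources such as Sysmon Event ID 1 (process creation) and Windows
# Security Event ID 6416 (new external device recognized), collected from the isolated host.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:14:00", "host": "WS-ISOLATED-01", "kind": "device_insert", "drive": "E:"},
    {"ts": "2026-03-02T09:14:06", "host": "WS-ISOLATED-01", "kind": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "E:\Reports\Q1 Summary.lnk"'},
    {"ts": "2026-03-02T09:21:30", "host": "WS-ISOLATED-01", "kind": "process_create",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'WINWORD.EXE "E:\Reports\minutes.docx"'},
    {"ts": "2026-03-02T10:02:00", "host": "WS-ISOLATED-02", "kind": "device_insert", "drive": "F:"},
    {"ts": "2026-03-02T10:02:03", "host": "WS-ISOLATED-02", "kind": "process_create",
     "image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"explorer.exe F:\Reports"},
]


def correlate(events, window_s=60):
    """Alert on process creations whose command line references a removable drive
    inserted on the same host within the last window_s seconds."""
    recent = {}  # (host, drive letter) -> time of insertion
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "device_insert":
            recent[(ev["host"], ev["drive"].upper())] = ts
            continue
        if ev["kind"] != "process_create":
            continue
        cmd = ev["cmdline"].upper()
        for letter in set(re.findall(r"\b([A-Z]):\\", cmd)):
            inserted = recent.get((ev["host"], letter + ":"))
            if inserted is None or ts - inserted > timedelta(seconds=window_s):
                continue
            alerts.append({
                "host": ev["host"], "drive": letter + ":",
                "seconds_after_insert": int((ts - inserted).total_seconds()),
                # A shortcut run straight off the media matches the LNK-lure pattern; rate it higher.
                "severity": "high" if ".LNK" in cmd else "low",
                "image": ev["image"], "cmdline": ev["cmdline"],
            })
    return alerts
```

Tune `window_s` to how quickly users normally open a drive after inserting it; the low-severity hits are the baseline to compare against, not alerts to act on individually.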

The reality is that perfect air-gap security requires eliminating USB usage entirely. Most organizations can't achieve this, making compensating controls essential.

Why This Matters

Air-gapped networks represent some of the most sensitive systems in existence. The Ruby Jumper campaign demonstrates that nation-state actors invest specifically in capabilities to reach these targets.

The toolkit's sophistication—five new malware families with cloud C2, USB propagation, and comprehensive surveillance—suggests ongoing development rather than opportunistic tooling. APT37 expects to need these capabilities repeatedly.

For organizations operating air-gapped environments, the message is clear: physical isolation provides defense in depth, not immunity. USB policies deserve the same attention as network security controls.
