The North Korean threat group ScarCruft has been identified as the force behind a sophisticated campaign that uses new tooling to reach well-defended networks. Recent findings reveal that the group abuses Zoho WorkDrive for command-and-control (C2) and relays commands and data over removable media, which lets it operate malware even in environments isolated from the internet.
ScarCruft’s New Cyber Tools
Dubbed ‘Ruby Jumper’ by Zscaler ThreatLabz, this campaign employs a series of malware families designed for surveillance and data exfiltration. Among these are RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT, each playing a specific role in compromising victims’ systems. The operation was first uncovered by cybersecurity experts in December 2025.
According to security researcher Seongsu Park, the attack begins when a victim opens a malicious LNK file. The shortcut launches a PowerShell command that scans the directory for a file matching the LNK's own size, which is how the script finds itself on disk. It then reads the embedded payloads, including decoy documents and executable files, out of the LNK file. Because the payloads travel inside the shortcut, the LNK is far larger than a genuine one, which is an obvious triage signal.
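The triage step a responder would want for the shortcut described above, as an added example that is not code from the original article or from ScarCruft's tooling: check that a file really is a Shell Link, flag it if it is far larger than a normal shortcut, and carve any executable or document magic that appears after the header. The 64 KB threshold and the payload signature list are assumptions for illustration, and the sample file is constructed inline (a stubbed LNK header, a minimal DOS/PE stub and a fake PDF decoy), not a real ScarCruft artifact.

```python
from __future__ import annotations

import re
import struct
from dataclasses import dataclass

# ShellLinkHeader begins with HeaderSize (0x4C) followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk little-endian form.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

# Assumption for illustration: a genuine shortcut is rarely more than a few KB,
# so anything above this is worth a closer look. Tune to your environment.
SIZE_THRESHOLD = 64 * 1024

# Magic bytes of payload types a weaponised shortcut typically carries.
SIGNATURES = {
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",   # legacy Office / OLE2
    b"PK\x03\x04": "zip",                          # OOXML documents, archives
}


@dataclass
class Embedded:
    offset: int
    kind: str


def is_lnk(data: bytes) -> bool:
    return data.startswith(LNK_MAGIC)


def _looks_like_pe(data: bytes, off: int) -> bool:
    """Reject stray 'MZ' bytes: a real DOS header points e_lfanew at 'PE\\0\\0'."""
    if off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    nt = off + e_lfanew
    return data[nt:nt + 4] == b"PE\x00\x00"


def find_embedded(data: bytes, start: int = len(LNK_MAGIC)) -> list[Embedded]:
    """Locate payload magics that appear after the shortcut header."""
    hits: list[Embedded] = []
    for sig, kind in SIGNATURES.items():
        for m in re.finditer(re.escape(sig), data[start:]):
            off = start + m.start()
            if kind == "pe" and not _looks_like_pe(data, off):
                continue
            hits.append(Embedded(off, kind))
    hits.sort(key=lambda e: e.offset)
    return hits


def carve(data: bytes) -> list[tuple[str, bytes]]:
    """Split the file at each payload boundary; each segment runs to the next hit."""
    hits = find_embedded(data)
    parts: list[tuple[str, bytes]] = []
    for i, h in enumerate(hits):
        end = hits[i + 1].offset if i + 1 < len(hits) else len(data)
        parts.append((h.kind, data[h.offset:end]))
    return parts


def triage(data: bytes) -> dict:
    """Summarise why a shortcut deserves analyst attention."""
    lnk = is_lnk(data)
    return {
        "is_lnk": lnk,
        "oversized": lnk and len(data) > SIZE_THRESHOLD,
        "embedded": [(e.kind, e.offset) for e in find_embedded(data)] if lnk else [],
    }


def build_sample() -> bytes:
    """Constructed stand-in for a weaponised shortcut (not a real ScarCruft file)."""
    header = LNK_MAGIC + b"\x00" * 100            # rest of the ShellLink structure, stubbed
    pe = b"MZ" + b"\x00" * 0x3A                    # DOS header up to e_lfanew
    pe += struct.pack("<I", 0x40)                  # e_lfanew -> offset 0x40
    pe += b"PE\x00\x00" + b"\x00" * 60             # minimal NT header stub
    decoy = b"%PDF-1.4\n% constructed decoy document\n%%EOF\n"
    padding = b"\x00" * SIZE_THRESHOLD             # inflate past the size threshold
    return header + pe + decoy + padding


if __name__ == "__main__":
    sample = build_sample()
    print(triage(sample))
    for kind, blob in carve(sample):
        print(kind, len(blob), "bytes")
```

Run it over every `*.lnk` in a suspicious mail attachment folder or a user's Downloads directory; the `e_lfanew` check matters because "MZ" occurs by chance in binary data far more often than a valid PE header does.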
Exploiting Cloud and Removable Storage
These attacks are the first in which ScarCruft has been observed abusing Zoho WorkDrive. RESTLEAF, a Windows executable payload, authenticates to Zoho WorkDrive with a valid token, downloads additional shellcode and executes it. That shellcode deploys SNAKEDROPPER, which installs a Ruby runtime, establishes persistence through scheduled tasks, and in turn deploys THUMBSBD and VIRUSTASK. Because the C2 traffic goes to a legitimate SaaS service, it blends in with ordinary cloud usage.
THUMBSBD is particularly versatile, leveraging removable media to relay commands and move data between connected and isolated systems. This malware can collect system information, download secondary payloads, and execute commands. If removable media is detected, it creates hidden folders to store and execute commands.
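The SNAKEDROPPER persistence described above (a dropped Ruby runtime launched by a scheduled task) gives defenders a concrete hunt. The following is an added example, not code from the article or from the campaign: it parses Task Scheduler XML (the format produced by `schtasks /query /xml` or found under `C:\Windows\System32\Tasks`) and flags tasks whose action launches `ruby.exe`/`rubyw.exe` or a `.rb` script from a user-writable path. The task names, paths and sample task definitions are constructed for illustration, and the "two reasons" rule is an assumption chosen so that a developer's Ruby installed under Program Files does not fire on its own.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Task Scheduler's XML namespace (as emitted by `schtasks /query /xml`).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

RUBY_BINARIES = {"ruby.exe", "rubyw.exe"}

# Locations a standard user can write to. A Ruby interpreter dropped here
# rather than under Program Files is the pattern worth hunting.
USER_WRITABLE = (
    "\\appdata\\", "%appdata%", "%localappdata%",
    "\\programdata\\", "%programdata%",
    "\\temp\\", "%temp%", "%tmp%",
    "\\users\\public\\", "%public%",
)


def exec_actions(task_xml: str) -> list[tuple[str, str]]:
    """Return (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions: list[tuple[str, str]] = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((cmd, args))
    return actions


def assess(task_xml: str) -> dict:
    """Flag a task when it launches Ruby *and* the interpreter sits in a user-writable path."""
    findings = []
    for cmd, args in exec_actions(task_xml):
        low = cmd.lower()
        reasons = []
        if PureWindowsPath(low).name in RUBY_BINARIES or ".rb" in args.lower():
            reasons.append("launches Ruby interpreter or script")
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("binary lives in a user-writable location")
        if reasons:
            findings.append({"command": cmd, "arguments": args, "reasons": reasons})
    return {
        "suspicious": any(len(f["reasons"]) == 2 for f in findings),
        "findings": findings,
    }


# Constructed sample task definitions (hypothetical names and paths).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Users\alice\AppData\Local\rt\bin\rubyw.exe"</Command>
      <Arguments>"C:\Users\alice\AppData\Local\rt\svc.rb"</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\Updater\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

DEV_RUBY_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Ruby33-x64\bin\ruby.exe</Command>
      <Arguments>C:\dev\scripts\backup.rb</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for name, xml_text in [("suspicious", SUSPICIOUS_TASK),
                           ("benign", BENIGN_TASK),
                           ("dev-ruby", DEV_RUBY_TASK)]:
        print(name, assess(xml_text))
```

Pair the result with the task's creation time and author: a Ruby interpreter that a user never installed, registered as a logon task minutes after a shortcut was opened, is the sequence the article describes.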
Advanced Surveillance Capabilities
One of the payloads, FOOTWINE, is engineered with keylogging and audio-video capture capabilities, communicating with a command server using a custom protocol. This payload supports numerous commands, including shell interaction, file manipulation, and surveillance activities.
THUMBSBD also distributes BLUELIGHT, a backdoor tied to ScarCruft since 2021. BLUELIGHT uses popular cloud storage services such as Google Drive and OneDrive for C2, executing commands and transferring files through them.
Implications and Future Outlook
The campaign illustrates the persistent threat from state-sponsored actors such as ScarCruft, who keep evolving their tradecraft to breach well-defended networks. Routing C2 through legitimate cloud storage and bridging air gaps with removable media shows a deliberate effort to sidestep network-centric defences.
Organizations protecting air-gapped and other sensitive environments should treat these techniques as concrete detection targets: shortcuts that spawn PowerShell, scheduled tasks that launch interpreters from user-writable paths, hidden folders appearing on removable media, and unexpected traffic to cloud storage services.
