Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
North Korean Hackers Exploit Novel Malware for Air-Gapped Systems

North Korean Hackers Exploit Novel Malware for Air-Gapped Systems

Posted on February 27, 2026 By CWS

In a significant cyber threat escalation, North Korean threat actor APT37 has launched a new campaign utilizing custom malware to compromise air-gapped systems. Known as ‘Ruby Jumper,’ this campaign showcases sophisticated methods to infiltrate isolated networks, traditionally seen as highly secure.

APT37’s Evolved Tactics

APT37, also identified as ScarCruft or Velvet Chollima, has a history of targeting entities linked to North Korean state interests. The group has previously relied on Chinotto malware for espionage activities. However, Ruby Jumper introduces five new malware components, including RESTLEAF and THUMBSBD, each playing a specific role in a multi-stage attack designed to breach air-gapped systems.

Analysts at Zscaler ThreatLabz uncovered this campaign in late 2025, revealing how APT37 has developed an infection chain capable of crossing network boundaries without internet connectivity. The attack commences with a deceptive Windows shortcut file (LNK), leading to a complex series of payloads.

Air-Gap Breaching Techniques

The Ruby Jumper campaign leverages a decoy document on the Palestine-Israel conflict, suggesting targets among Arabic-speaking individuals. The attack chain progresses from the initial LNK file through RESTLEAF as a first-stage downloader, followed by SNAKEDROPPER and THUMBSBD, which bridge air-gapped hosts via removable media.

THUMBSBD is particularly notable for its ability to turn removable media into covert communication channels, facilitating data exfiltration and command execution on air-gapped machines. The malware utilizes cloud services like Zoho WorkDrive and Google Drive as command-and-control infrastructure, blending malicious activities with regular business operations.

Security Measures and Recommendations

To mitigate this threat, organizations should enforce stringent controls on removable media, especially in high-security environments. Monitoring for unusual scheduled tasks and auditing cloud storage access are also critical. Ensuring vigilance over LNK files in emails and downloads can help identify initial attack vectors.

Security teams are advised to look for indicators such as hidden directories on removable drives and suspicious registry keys. Proactive monitoring of endpoint activity and physical access points is essential to counter this sophisticated threat.

As APT37 continues to evolve its capabilities, organizations managing air-gapped environments must remain vigilant and adopt robust security practices to safeguard against such advanced cyber threats.

Cyber Security News Tags:air-gapped systems, APT37, cloud storage abuse, command-and-control, cyber attack, cyber espionage, cyber threat, Cybersecurity, data security, Malware, North Korea, Ruby Jumper, THUMBSBD, USB malware, Zscaler

Post navigation

Previous Post: Chilean Cybercrime Suspect Extradited to the US
Next Post: ManoMano Data Breach Affects 38 Million Users

Related Posts

ChatGPT Go Launched for  USD/month With Support for Ads ChatGPT Go Launched for $8 USD/month With Support for Ads Cyber Security News
Operation Silk Lure Weaponizing Windows Scheduled Tasks to Drop ValleyRAT Operation Silk Lure Weaponizing Windows Scheduled Tasks to Drop ValleyRAT Cyber Security News
New Web3 Phishing Attack Leverages Fake AI Platforms to Steal Usernames and Passwords New Web3 Phishing Attack Leverages Fake AI Platforms to Steal Usernames and Passwords Cyber Security News
SquareX Reveals That Employees Are No Longer The Weakest Link, Browser AI Agents Are SquareX Reveals That Employees Are No Longer The Weakest Link, Browser AI Agents Are Cyber Security News
Threat Actors Allegedly Listed iOS 26 Full‑Chain 0‑Day Exploit on Dark Web Threat Actors Allegedly Listed iOS 26 Full‑Chain 0‑Day Exploit on Dark Web Cyber Security News
22.2 Tbps DDoS Attack Breaks Internet With New World Record 22.2 Tbps DDoS Attack Breaks Internet With New World Record Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Qilin Ransomware Exploits Active Directory with DCSync
  • Critical Flaws in Claude for Chrome Allow Unauthorized Access
  • Old Microsoft UEFI Shims Pose Secure Boot Risk
  • July 2026 SAP Security Updates Address Critical Flaws
  • US, Allies Alert on Russian Cyber Threats to Key Infrastructure

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Qilin Ransomware Exploits Active Directory with DCSync
  • Critical Flaws in Claude for Chrome Allow Unauthorized Access
  • Old Microsoft UEFI Shims Pose Secure Boot Risk
  • July 2026 SAP Security Updates Address Critical Flaws
  • US, Allies Alert on Russian Cyber Threats to Key Infrastructure

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark