North Korean cyber threat group APT37, also known by aliases such as ScarCruft, Ruby Sleet, and Velvet Chollima, has been identified using a suite of new malicious tools to infiltrate air-gapped systems, according to a report by Zscaler. Operating since 2012, APT37 focuses on data theft and surveillance, with South Korean entities as its primary targets.
APT37’s New Campaign: Ruby Jumper
In December 2025, a campaign dubbed ‘Ruby Jumper’ was uncovered, showcasing APT37’s use of LNK files to initiate a PowerShell script. This script deploys several payloads, including a decoy document in Arabic discussing the Palestine-Israel conflict. These payloads work together to execute an in-memory payload named RestLeaf, which leverages Zoho WorkDrive cloud storage for command and control operations.
RestLeaf retrieves a file containing shellcode, which acts as a launcher. This launcher decrypts a second-stage shellcode, loading an embedded Windows executable called SnakeDropper. SnakeDropper installs a Ruby 3.3.0 runtime environment disguised as a USB speed monitoring utility, establishing persistence through backdoors and scheduled tasks.
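The initial-access chain described above (an LNK file that launches PowerShell) leaves a recognisable trace in process-creation telemetry: a PowerShell host whose parent is explorer.exe, carrying flags that hide the window, bypass the execution policy or pass an encoded command. The following detection logic is an added example written for this article, not code from Zscaler's report; the event records are constructed samples in a simplified Sysmon-style layout (the field names `image`, `parent_image`, `cmdline` are assumptions, and the base64 blob is a placeholder, not a real payload).

```python
import re
from typing import Dict, List

# Process images that host PowerShell, and the parent that a double-clicked
# LNK file normally produces (explorer.exe launches the shortcut target).
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
LNK_LAUNCHER_PARENTS = {"explorer.exe"}

# Command-line switches commonly combined in an LNK-launched script. Each
# pattern is anchored on a leading space so "-ep bypass" is not mistaken for
# "-e <base64>" (EncodedCommand) and vice versa.
INDICATORS = {
    "hidden_window":      re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I),
    "exec_policy_bypass": re.compile(r"(?:^|\s)-e(?:xecutionpolicy|xec|ex|p)\s+bypass\b", re.I),
    "encoded_command":    re.compile(r"(?:^|\s)-e(?:ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "no_profile":         re.compile(r"(?:^|\s)-nop(?:rofile)?\b", re.I),
}

# Constructed sample events (not real telemetry). In production these would
# come from Sysmon Event ID 1 or Windows Security Event ID 4688.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # LNK-style launch: explorer -> hidden, policy-bypassing, encoded PowerShell
        "ts": "2025-12-03T09:14:02Z", "host": "WS-17",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "cmdline": "powershell.exe -NoP -W Hidden -Ep Bypass "
                   "-EncodedCommand QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==",  # placeholder
    },
    {   # Benign: administrator opens PowerShell from a terminal
        "ts": "2025-12-03T09:20:11Z", "host": "WS-17",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
        "cmdline": "powershell.exe -NoLogo",
    },
    {   # Benign: explorer launching a non-shell program
        "ts": "2025-12-03T09:21:40Z", "host": "WS-17",
        "image": r"C:\Windows\System32\notepad.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "cmdline": "notepad.exe report.txt",
    },
    {   # Benign: PowerShell started from the Start menu, no suspicious flags
        "ts": "2025-12-03T09:25:03Z", "host": "WS-17",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "cmdline": "powershell.exe",
    },
    {   # Hidden-window PowerShell 7 launched from explorer: single indicator
        "ts": "2025-12-03T09:31:55Z", "host": "WS-17",
        "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "cmdline": 'pwsh.exe -w hidden -c "Get-Date"',
    },
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicator names that fire for one process-creation event.

    Only PowerShell hosts whose parent is explorer.exe are examined, because
    that parent/child pair is what an LNK double-click produces.
    """
    if basename(event["image"]) not in SHELL_IMAGES:
        return []
    if basename(event["parent_image"]) not in LNK_LAUNCHER_PARENTS:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]


def find_lnk_launched_shells(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag every event with at least one indicator; more hits means higher confidence."""
    findings = []
    for ev in events:
        hits = classify(ev)
        if hits:
            findings.append({"ts": ev["ts"], "host": ev["host"],
                             "indicators": hits, "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in find_lnk_launched_shells(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {','.join(f['indicators'])}: {f['cmdline']}")
```

The explorer.exe parent check is what keeps this rule quiet on administrators' interactive sessions; a one-indicator hit (hidden window alone) is worth a lower-severity alert, while the four-indicator combination seen in the first sample is the shape the LNK-to-PowerShell stage described above would take.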
Techniques for Infiltrating Air-Gapped Systems
SnakeDropper further deploys ThumbsBD, a backdoor designed to exfiltrate data from air-gapped systems via removable drives. Upon detecting USB drives, it creates a hidden directory in their root folder to stage backdoor commands and facilitate data exfiltration. ThumbsBD is also capable of downloading additional payloads and executing shellcode from a specific directory.
The campaign also includes VirusTask, a tool for propagation via removable media. VirusTask is tailored to infect air-gapped systems by weaponizing USB drives, copying payload executables, and replacing files with LNK shortcuts that execute shellcode. The method relies on social engineering: users are likely to open what appear to be legitimate files.
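Both ThumbsBD (a hidden staging directory in the root of a USB drive) and VirusTask (documents replaced by LNK shortcuts) leave artefacts that a triage script can look for on a removable drive before it is plugged into an isolated host. The script below is an added example for this article, not a tool from Zscaler or the report; the sample drive it builds is constructed in a temporary directory, the list of document extensions and the 64 KB shortcut size threshold are assumptions, and no real indicators from the campaign are used.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions that a masquerading shortcut typically imitates ("report.docx.lnk").
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                  ".pdf", ".hwp", ".txt", ".jpg", ".png"}
# Assumption: a genuine shortcut is a few KB; much larger .lnk files deserve a look.
LNK_SIZE_THRESHOLD = 64 * 1024


def is_hidden(entry: os.DirEntry) -> bool:
    """True for dot-names and, on Windows, for entries with the Hidden attribute."""
    if entry.name.startswith("."):
        return True
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)          # Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def triage_removable_drive(root: str) -> Dict[str, List[str]]:
    """Scan a mounted drive and report the artefact classes described above."""
    findings: Dict[str, List[str]] = {
        "hidden_root_dirs": [],    # staging directory in the drive root
        "masquerading_lnk": [],    # shortcut named like a document
        "replaced_document": [],   # masquerading shortcut whose original is gone
        "oversized_lnk": [],       # shortcut far larger than a normal .lnk
    }
    # Hidden directories are only meaningful in the root, where ThumbsBD stages them.
    for entry in os.scandir(root):
        if entry.is_dir(follow_symlinks=False) and is_hidden(entry):
            findings["hidden_root_dirs"].append(entry.name)

    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath, name)
            if p.suffix.lower() != ".lnk":
                continue
            rel = str(p.relative_to(root))
            inner = Path(p.stem).suffix.lower()   # "Q4 report.docx.lnk" -> ".docx"
            if inner in DOC_EXTENSIONS:
                findings["masquerading_lnk"].append(rel)
                # If "Q4 report.docx" no longer sits beside the shortcut, the
                # document has been swapped for the shortcut rather than merely joined by it.
                if not (p.parent / p.stem).exists():
                    findings["replaced_document"].append(rel)
            if p.stat().st_size > LNK_SIZE_THRESHOLD:
                findings["oversized_lnk"].append(rel)

    for key in findings:
        findings[key].sort()
    return findings


def build_sample_drive() -> str:
    """Create a constructed drive layout in a temp directory (sample data, not real artefacts)."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    os.makedirs(os.path.join(root, ".stage"))                         # hidden staging dir
    os.makedirs(os.path.join(root, "docs"))
    Path(root, "budget.xlsx").write_bytes(b"x" * 100)                 # ordinary document
    Path(root, "Q4 report.docx.lnk").write_bytes(b"L" * 200)          # document swapped for a shortcut
    Path(root, "docs", "readme.lnk").write_bytes(b"L" * 300)          # ordinary shortcut
    Path(root, "Setup.lnk").write_bytes(b"L" * (LNK_SIZE_THRESHOLD + 1))  # oversized shortcut
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for category, items in triage_removable_drive(drive).items():
        print(f"{category}: {items}")
```

Run it against a real mount point by replacing `build_sample_drive()` with the drive path; the hidden-directory check is what catches ThumbsBD-style staging, while the double-extension and missing-original checks target the VirusTask replacement pattern described in the paragraph above.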
Implications for Cybersecurity
To enhance its surveillance capabilities, APT37’s toolkit includes FootWine, an Android package that serves as a shellcode launcher with features like keystroke logging and audiovisual capture. It supports various commands for file and process manipulation. Zscaler emphasizes the need for the security community to monitor endpoint activity and physical access points to deter threats posed by APT37 and similar actors.
This campaign highlights the sophisticated techniques North Korean cyber actors employ to breach network isolation and infiltrate secure systems. Continuous vigilance and robust security measures are critical to protecting sensitive information and infrastructure from such advanced persistent threats.
