Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
ScarCruft Exploits Zoho WorkDrive for Air-Gapped Network Breach

ScarCruft Exploits Zoho WorkDrive for Air-Gapped Network Breach

Posted on February 27, 2026 By CWS

The notorious North Korean cyber group, ScarCruft, has been identified as the force behind a sophisticated cyber campaign using novel tools to infiltrate highly secure networks. Recent findings reveal the use of Zoho WorkDrive for command-and-control (C2) operations, allowing the group to deploy malware even in environments isolated from the internet.

ScarCruft’s New Cyber Tools

Dubbed ‘Ruby Jumper’ by Zscaler ThreatLabz, this campaign employs a series of malware families designed for surveillance and data exfiltration. Among these are RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT, each playing a specific role in compromising victims’ systems. The operation was first uncovered by cybersecurity experts in December 2025.

According to Seongsu Park, a security researcher, the attack begins when a victim executes a malicious LNK file. This triggers a PowerShell command that scans the directory to locate the file by size. The PowerShell script then extracts various payloads, including decoy documents and executable files, from the LNK file.

Exploiting Cloud and Removable Storage

The Zoho WorkDrive service is misused for the first time by ScarCruft in these attacks. RESTLEAF, a Windows executable payload, accesses Zoho WorkDrive using a valid token to download and execute additional shellcode. This leads to the deployment of SNAKEDROPPER, which installs the Ruby runtime environment, ensuring persistence with scheduled tasks, and further spreads THUMBSBD and VIRUSTASK.

THUMBSBD is particularly versatile, leveraging removable media to relay commands and move data between connected and isolated systems. This malware can collect system information, download secondary payloads, and execute commands. If removable media is detected, it creates hidden folders to store and execute commands.

Advanced Surveillance Capabilities

One of the payloads, FOOTWINE, is engineered with keylogging and audio-video capture capabilities, communicating with a command server using a custom protocol. This payload supports numerous commands, including shell interaction, file manipulation, and surveillance activities.

Furthermore, THUMBSBD facilitates the distribution of BLUELIGHT, a backdoor associated with ScarCruft since 2021. This malware utilizes popular cloud services like Google Drive and OneDrive for C2 activities, executing commands, and transferring files.

Implications and Future Outlook

The campaign highlights the persistent threat posed by state-sponsored cyber actors like ScarCruft, who continuously evolve their tactics to breach secure networks. By exploiting cloud services and removable media, these actors demonstrate a sophisticated understanding of bypassing security measures.

As these threats continue to grow, organizations must enhance their cybersecurity strategies, particularly in protecting air-gapped and sensitive environments from such advanced threats.

The Hacker News Tags:air-gapped networks, Backdoor, cloud storage, cyber threat, Cybersecurity, Malware, network security, North Korea, Ruby Jumper, ScarCruft, Surveillance, THUMBSBD, USB malware, VIRUSTASK, Zoho WorkDrive

Post navigation

Previous Post: Credential Theft Drives Brute-Force Attacks on SSO Systems
Next Post: 900 FreePBX Systems Compromised by Web Shell Attacks

Related Posts

CloudZ Malware Exploits Phone Link for Credential Theft CloudZ Malware Exploits Phone Link for Credential Theft The Hacker News
New Chrome Vulnerability Enables Cross-Origin Data Leak via Loader Referrer Policy New Chrome Vulnerability Enables Cross-Origin Data Leak via Loader Referrer Policy The Hacker News
SocGholish Malware Spread via Ad Tools; Delivers Access to LockBit, Evil Corp, and Others SocGholish Malware Spread via Ad Tools; Delivers Access to LockBit, Evil Corp, and Others The Hacker News
Xinbi Telegram Market Tied to .4B in Crypto Crime, Romance Scams, North Korea Laundering Xinbi Telegram Market Tied to $8.4B in Crypto Crime, Romance Scams, North Korea Laundering The Hacker News
TAG-140 Deploys DRAT V2 RAT, Targeting Indian Government, Defense, and Rail Sectors TAG-140 Deploys DRAT V2 RAT, Targeting Indian Government, Defense, and Rail Sectors The Hacker News
Miasma Malware Targets npm and GitHub in New Attack Miasma Malware Targets npm and GitHub in New Attack The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • UK Issues Alert on Russian Cyber Threats to Networks
  • SAP Addresses Major Security Flaws in NetWeaver and More
  • Canadian Cybersecurity Leaders Shine at Web Summit Vancouver
  • Valarian Secures $50M for Innovative Infrastructure Layer
  • npm Packages Exploited to Form DDoS Botnet

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • UK Issues Alert on Russian Cyber Threats to Networks
  • SAP Addresses Major Security Flaws in NetWeaver and More
  • Canadian Cybersecurity Leaders Shine at Web Summit Vancouver
  • Valarian Secures $50M for Innovative Infrastructure Layer
  • npm Packages Exploited to Form DDoS Botnet

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark