The Ruby Jumper campaign shows APT37 at its most methodical and adaptive, chaining stealth, cloud-service abuse and air-gap bridging into a single espionage framework. First observed in December 2025, the operation is attributed to the North Korean threat group APT37, also tracked as ScarCruft, Reaper, TEMP.Reaper, Ricochet Chollima, Cerium, Group 123, Red Eyes, Geumseong121, Venus 121, Hermit, InkySquid, ATK 4, ITG10, Ruby Sleet, Crooked Pisces, Moldy Pisces, Osmium, Opal Sleet and TA-RedAnt. It targets Windows systems worldwide with a tool chain that includes RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE and BLUELIGHT.
The campaign begins with weaponized LNK files that unfold into a multi-stage infection chain: carving hidden payloads out of the shortcut, loading the RESTLEAF implant, and using Zoho WorkDrive for covert command-and-control. It escalates with in-memory shellcode injection, a disguised Ruby runtime used for persistence, and THUMBSBD's use of USB drives as bidirectional data relays, which turns removable media into a covert channel capable of bridging air-gapped networks. That capability is a significant evolution in APT37's tradecraft against isolated systems.
The final backdoors deployed in the Ruby Jumper campaign, FOOTWINE and BLUELIGHT, provide APT37 operators with comprehensive surveillance and remote-control capabilities, enabling long-term monitoring even inside segmented or air-gapped environments. BLUELIGHT further enhances APT37’s operational resilience by leveraging multiple cloud platforms including Google Drive, Microsoft OneDrive, pCloud, and Backblaze for command-and-control infrastructure, enabling sustained espionage operations across diverse network architectures. The Ruby Jumper framework demonstrates APT37’s continued investment in advanced capabilities for compromising high-security environments and maintaining persistent access for intelligence collection operations aligned with North Korean strategic interests.
The newly observed Ruby Jumper campaign shows a disciplined, modular intrusion chain attributed to APT37. It begins with a weaponized Windows LNK file, a delivery vector APT37 has used repeatedly in earlier campaigns. When the shortcut is opened it launches a PowerShell routine that locates the shortcut on disk by matching its file size (the embedded payloads make it larger than an ordinary shortcut) and then reads the components from fixed offsets within the LNK file. These components are a decoy document, an executable, a PowerShell script designated search.dat, and a batch file named find.bat.
The lure document used in Ruby Jumper, an Arabic translation of a North Korean article discussing the Palestine-Israel conflict, suggests carefully profiled targeting by APT37 operators aligned with North Korean intelligence collection priorities. Together, these Ruby Jumper components systematically load the first-stage implant RESTLEAF directly into memory, minimizing disk-based artifacts that could alert endpoint security solutions.
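The loader stage described above works because Windows stops parsing a shortcut at the ExtraData terminal block and ignores whatever follows, so payloads can be appended and read back from known offsets. The following is an added analyst-side example, written for this page and not code from the campaign write-up or from the actors: it walks the MS-SHLLINK structures to find where the genuine shortcut ends, reports the size of the overlay, carves it for common file signatures, and flags argument strings that look like a carve-and-run loader. The sample shortcut, its argument string and the `LOADER_MARKERS` watch list are constructed for the example; the signature list is generic, not campaign-specific.

```python
import struct

# MS-SHLLINK ShellLinkHeader constants
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits selecting which optional structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))

# Generic file signatures to look for in the overlay (not campaign-specific)
SIGNATURES = {b"MZ": "pe", b"PK\x03\x04": "zip/ooxml", b"%PDF": "pdf",
              b"{\\rtf": "rtf", b"\xd0\xcf\x11\xe0": "ole2"}
# Argument fragments typical of a carve-and-run loader (hypothetical watch list)
LOADER_MARKERS = ("iex", "invoke-expression", "frombase64string", "readallbytes", "-enc", ".lnk")


def parse_lnk(data: bytes) -> dict:
    """Walk the Shell Link structures and return where the genuine shortcut ends.

    Windows ignores anything after the ExtraData terminal block, so a loader can
    append payloads there and read them back from fixed offsets.
    """
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:              # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                        # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    strings = {}
    for flag, name in STRING_DATA:                   # CountCharacters + String, no terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += count * width
    while pos + 4 <= len(data):                      # ExtraData blocks end with a size < 4
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:
            pos += 4
            break
        pos += block_size
    return {"flags": flags, "strings": strings, "structured_end": pos, "overlay": data[pos:]}


def carve_overlay(overlay: bytes) -> list:
    """List (offset, kind) for every known signature in the overlay, lowest offset first."""
    hits = []
    for magic, kind in SIGNATURES.items():
        start = 0
        while (idx := overlay.find(magic, start)) != -1:
            hits.append((idx, kind))
            start = idx + 1
    return sorted(hits)


def triage_lnk(data: bytes) -> dict:
    """What an analyst wants first: overlay size, what is embedded in it, and the arguments."""
    info = parse_lnk(data)
    args = info["strings"].get("arguments", "")
    return {"overlay_size": len(info["overlay"]),
            "embedded": carve_overlay(info["overlay"]),
            "suspicious_arguments": [m for m in LOADER_MARKERS if m in args.lower()],
            "arguments": args}


def build_sample_lnk(arguments: str, overlay: bytes) -> bytes:
    """Constructed test input: a minimal shortcut carrying only an argument string plus an overlay."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)
    header += bytes(LNK_HEADER_SIZE - len(header))   # remaining header fields zeroed
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + struct.pack("<I", 0) + overlay


if __name__ == "__main__":
    # Hypothetical loader argument mimicking the described behaviour: find the .lnk by size, read bytes, run them
    loader = ('-w hidden -c "$f=(gci -r *.lnk|? Length -eq 654321)[0];'
              '$b=[IO.File]::ReadAllBytes($f.FullName);iex ([Text.Encoding]::ASCII.GetString($b[4096..8191]))"')
    sample = build_sample_lnk(loader, b"%PDF-1.7 decoy" + bytes(64) + b"MZ" + b"\x90" * 64)
    print(triage_lnk(sample))
```

A legitimate shortcut normally ends exactly at the terminal block, so any non-zero overlay on a shortcut that arrived by email or on removable media is worth a look on its own, before the argument string is even examined.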
RESTLEAF, the first-stage implant, abuses Zoho WorkDrive cloud storage for command-and-control, a notable shift in APT37's infrastructure. The implant carries hardcoded OAuth refresh tokens, which it exchanges for API access tokens to Zoho WorkDrive, so its HTTPS traffic blends with legitimate cloud-storage use. Because the refresh token is embedded in the binary it is both a stable indicator and a single point of failure: once the token is revoked, the implant can no longer mint access tokens. After establishing connectivity, RESTLEAF downloads a shellcode payload designated AAA.bin and runs it by injecting it into another process.
Successful RESTLEAF infection in the Ruby Jumper campaign is signaled by uploading timestamped beacon files with naming convention “lion [timestamp]” to the attacker-controlled Zoho WorkDrive repository, providing APT37 operators with confirmation of compromise and enabling asynchronous command delivery through the cloud platform.
The injected shellcode operates in two stages designed to evade detection. Stage one decrypts a secondary payload with a one-byte XOR key and injects it into a legitimate Windows process. Stage two reflectively loads an embedded, likewise XOR-encoded executable directly into memory. The loader resolves Windows APIs with APT37's distinctive hashing scheme, a rotate-right by 11 bits (ROR 11) over module names and by 15 bits (ROR 15) over export names, providing high-confidence attribution to the North Korean threat group.
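Two things an analyst does with the stage described above are to rebuild the hash table so the API hashes in the shellcode can be named, and to recover the one-byte XOR key protecting the embedded executable. The block below is an added example written for this page, not code from the campaign or from the analysts who documented it. It implements the rotate-add hash family the text refers to and a key recovery that accepts a candidate only when the decoded bytes form a consistent PE header. The normalisation of names (upper-case UTF-16LE for modules, raw ASCII for exports, no terminator byte) is an assumption; if the real loader normalises differently the constants will not match, but the method of precomputing a table for candidate names and comparing is the same.

```python
MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """32-bit rotate right, as the x86 ROR instruction does it."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror_hash(name: bytes, bits: int) -> int:
    """Rotate-add hash over the bytes of a name: h = ror(h, bits) + byte, kept to 32 bits."""
    h = 0
    for b in name:
        h = (ror32(h, bits) + b) & MASK32
    return h


def module_hash(module: str) -> int:
    # Assumption: module names hashed as upper-case UTF-16LE, the form in which
    # they sit in the PEB loader lists that such resolvers walk.
    return ror_hash(module.upper().encode("utf-16-le"), 11)


def function_hash(func: str) -> int:
    # Assumption: export names hashed as raw ASCII with no terminator.
    return ror_hash(func.encode("ascii"), 15)


def build_resolver_table(exports: dict) -> dict:
    """Precompute (module_hash, function_hash) -> 'module!function' for candidate APIs."""
    return {(module_hash(mod), function_hash(fn)): f"{mod}!{fn}"
            for mod, fns in exports.items() for fn in fns}


def resolve_hash_pairs(pairs, table: dict) -> list:
    """Translate hash pairs lifted from shellcode back into API names (unknowns stay as hex)."""
    return [table.get(p, f"unknown({p[0]:08x},{p[1]:08x})") for p in pairs]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes) -> int:
    """Brute-force a one-byte XOR key for a blob expected to hide a PE image.

    A key is accepted only if it yields 'MZ' at offset 0 and the decoded e_lfanew
    field then points at a 'PE\\0\\0' signature. Returns -1 if no key qualifies
    (0 means the blob was not encoded at all).
    """
    if len(blob) < 0x40:
        return -1
    for key in range(256):
        if xor_bytes(blob[:2], key) != b"MZ":
            continue
        e_lfanew = int.from_bytes(xor_bytes(blob[0x3C:0x40], key), "little")
        if e_lfanew + 4 <= len(blob) and xor_bytes(blob[e_lfanew:e_lfanew + 4], key) == b"PE\x00\x00":
            return key
    return -1


def build_sample_pe(key: int) -> bytes:
    """Constructed stand-in for an embedded PE: DOS header, e_lfanew=0x80, PE signature, XOR-encoded."""
    image = bytearray(b"MZ" + bytes(0x3A) + (0x80).to_bytes(4, "little") + bytes(0x40))
    image += b"PE\x00\x00" + b"\x4c\x01" + bytes(0x100)   # Machine = 0x014c (i386), then padding
    return xor_bytes(bytes(image), key)


if __name__ == "__main__":
    table = build_resolver_table({"kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"],
                                  "ntdll.dll": ["NtAllocateVirtualMemory", "NtProtectVirtualMemory"]})
    pairs = [(module_hash("kernel32.dll"), function_hash("VirtualAlloc")), (0xDEADBEEF, 0x0BADF00D)]
    print(resolve_hash_pairs(pairs, table))
    print(hex(recover_xor_key(build_sample_pe(0x5A))))
```

Feed `build_resolver_table` the export lists of the DLLs a loader would plausibly touch (kernel32, ntdll, advapi32, wininet) and the unknown entries that remain are usually the interesting ones. The key recovery deliberately refuses to accept a key on the strength of "MZ" alone, since one-byte XOR makes any two-byte crib match for exactly one key.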
This second-stage payload, designated SNAKEDROPPER, deploys a portable Ruby 3.3.0 runtime, renames the legitimate rubyw.exe binary to usbspeed.exe as a disguise, and replaces the RubyGems operating_system.rb file with malicious code to hijack execution flow. RubyGems requires rubygems/defaults/operating_system during interpreter start-up whenever that file exists, so every launch of the renamed interpreter runs the attacker's code first, whatever script it was asked to execute. SNAKEDROPPER establishes persistence through a Windows scheduled task named "rubyupdatecheck" that runs every five minutes, keeping Ruby Jumper components running across reboots.
SNAKEDROPPER in the Ruby Jumper campaign also drops additional shellcode-bearing files disguised as Ruby scripts. A critical component, THUMBSBD malware saved as ascii.rb, is specifically designed to bridge air-gapped systems using removable media as a covert relay channel. THUMBSBD stores XOR-encrypted configuration data locally and collects detailed host reconnaissance information when activated on compromised systems.
When a USB drive is connected to an infected host, THUMBSBD creates a hidden $RECYCLE.BIN directory on it and stages encrypted command-and-control files there, turning the drive into a bidirectional covert channel: tasking rides in on the drive and collected data rides out. VIRUSTASK complements this by hiding the legitimate files on the drive and replacing them with malicious LNK shortcuts. Modern Windows does not AutoRun from removable media, so execution on the next system depends on a user opening what looks like their own file or folder; that is enough to carry the chain across an air gap.
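Both on-media patterns above leave a footprint that can be checked on a triage workstation before a drive is ever plugged into a protected system: a $RECYCLE.BIN that holds anything other than per-user SID folders, and shortcuts that sit next to a same-named file or folder. The scanner below is an added example written for this page, not tooling from the campaign analysis. It assumes the normal layout of $RECYCLE.BIN (per-user folders named after the account SID), uses a pure name-based heuristic for the shortcut swap, and builds its own constructed sample volume in a temporary directory so it runs offline; on a Windows host the hidden attribute of the original file is read as well.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Per-user folders inside $RECYCLE.BIN are named after the user's SID; anything else is out of place
SID_DIR = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$", re.I)


def is_hidden(path: Path) -> bool:
    """Hidden attribute on Windows; on a non-Windows triage box only the dot-prefix convention exists."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or (os.name != "nt" and path.name.startswith("."))


def scan_volume(root) -> dict:
    """Look for the two on-media patterns described for THUMBSBD and VIRUSTASK."""
    root = Path(root)
    findings = {"recycle_bin_staging": [], "lnk_swaps": []}

    # 1. Unexpected entries in $RECYCLE.BIN (THUMBSBD stages its C2 files there)
    rb = root / "$RECYCLE.BIN"
    if rb.is_dir():
        for entry in sorted(rb.iterdir()):
            if entry.is_dir() and SID_DIR.match(entry.name):
                continue
            findings["recycle_bin_staging"].append(entry.relative_to(root).as_posix())

    # 2. A .lnk next to a same-named file or folder (VIRUSTASK hides the original and swaps in a shortcut)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.upper() != "$RECYCLE.BIN"]
        here = Path(dirpath)
        siblings = set(filenames) | set(dirnames)
        for fn in filenames:
            if not fn.lower().endswith(".lnk"):
                continue
            stem = fn[:-4]
            for sib in siblings:
                if sib != fn and (sib == stem or sib.rsplit(".", 1)[0] == stem):
                    findings["lnk_swaps"].append({
                        "directory": here.relative_to(root).as_posix(),
                        "shortcut": fn,
                        "original": sib,
                        "original_hidden": is_hidden(here / sib),
                    })
    findings["suspicious"] = bool(findings["recycle_bin_staging"] or findings["lnk_swaps"])
    return findings


def build_sample_volume(infected: bool = True) -> str:
    """Constructed drive layout in a temp dir: benign content, optionally plus the two malicious patterns."""
    base = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    sid_dir = base / "$RECYCLE.BIN" / "S-1-5-21-1111-2222-3333-1001"
    sid_dir.mkdir(parents=True)
    (sid_dir / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (base / "docs").mkdir()
    (base / "docs" / "report.docx").write_bytes(b"PK\x03\x04")
    (base / "Photos").mkdir()
    (base / "notes.txt").write_text("benign\n")
    if infected:
        (base / "$RECYCLE.BIN" / "cfg.dat").write_bytes(bytes(range(32)))   # staged file, out of place
        (base / "docs" / "report.lnk").write_bytes(b"L\x00\x00\x00")         # swap for report.docx
        (base / "Photos.lnk").write_bytes(b"L\x00\x00\x00")                  # swap for the Photos folder
    return str(base)


if __name__ == "__main__":
    import json
    print(json.dumps(scan_volume(build_sample_volume()), indent=2))
```

Run `scan_volume` against the mount point of a drive imaged read-only; a shortcut whose "original" sibling is hidden is the strongest of the two signals, because that is exactly the state VIRUSTASK leaves behind.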
The final payloads deployed in the Ruby Jumper campaign, FOOTWINE and BLUELIGHT backdoors, provide APT37 operators with comprehensive backdoor functionality including surveillance capabilities and remote command execution. BLUELIGHT further enhances Ruby Jumper operational resilience by leveraging multiple cloud storage platforms including Google Drive, Microsoft OneDrive, pCloud, and Backblaze for command-and-control infrastructure, enabling sustained espionage operations even across segmented or isolated networks that restrict traditional C2 channels.
Block shortcut (.lnk) files at the email gateway and in download filtering, and treat shortcuts arriving on removable media as untrusted, to cut off the initial Ruby Jumper infection vector. Use application control (AppLocker or WDAC) to limit which users and paths may launch PowerShell and other script interpreters, since the malicious shortcut does nothing without an interpreter to hand its loader to.
Enable PowerShell Script Block Logging (event ID 4104) and, where workflows allow, Constrained Language Mode, to detect and block the PowerShell loader that carves and executes payloads embedded in the LNK file. Note that this stage is the shortcut's own loader, which runs before RESTLEAF is in memory. Hunt for PowerShell that enumerates .lnk files by size or reads binary ranges from them, for example through [IO.File]::ReadAllBytes, FileStream seeks, or Get-Content with byte encoding, behaviour characteristic of the Ruby Jumper loader.
Evaluate and restrict outbound API communications to Zoho WorkDrive from systems that have no business need for it, as RESTLEAF abuses this service for command-and-control using hardcoded OAuth refresh tokens. Where Zoho is not a sanctioned service, block its OAuth and WorkDrive API endpoints at the proxy; where it is, use a cloud access security broker to monitor and control which hosts talk to the cloud storage platforms APT37 uses for covert communications.
Deploy endpoint policies that block auto-execution from removable media, prevent shortcuts on USB drives from launching script interpreters, and enforce write-protection where operationally feasible, to counter the THUMBSBD and VIRUSTASK propagation mechanisms. For high-security environments, route any permitted transfer through a data diode and enforce physical access controls for removable media so that Ruby Jumper cannot bridge the air gap.
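The RESTLEAF behaviour described earlier (a hardcoded refresh token exchanged for an access token, then "lion [timestamp]" beacon uploads to WorkDrive) and the recommendation above to restrict Zoho API traffic to authorised hosts both come down to the same proxy-side check. The detector below is an added example written for this page, not code from the campaign analysis or from Zoho. It assumes a JSON-lines proxy or CASB log with `src_host`, `url`, `body` and, for uploads, `upload_filename` fields; the Zoho endpoint paths, the regional domain suffixes and the sample events are assumptions or constructed data, and the beacon-name regex follows the naming the page reports.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Assumed Zoho endpoints (regional suffixes vary by data centre)
ZOHO_ACCOUNTS = re.compile(r"^accounts\.zoho\.(?:com|eu|in|com\.au|jp|com\.cn)$", re.I)
ZOHO_APIS = re.compile(r"^(?:www\.)?zohoapis\.(?:com|eu|in|com\.au|jp|com\.cn)$", re.I)
TOKEN_PATH = "/oauth/v2/token"
WORKDRIVE_PREFIX = "/workdrive/"
# The page reports RESTLEAF beacons named "lion [timestamp]"
BEACON_NAME = re.compile(r"^lion \d{8,}$", re.I)


def analyse_event(ev: dict, allowed_hosts) -> list:
    """Return finding strings for one proxy/CASB event (empty list means nothing to say)."""
    findings = []
    authorised = ev.get("src_host", "") in allowed_hosts
    url = urlsplit(ev.get("url", ""))
    host = (url.hostname or "").lower()

    if ZOHO_ACCOUNTS.match(host) and url.path == TOKEN_PATH:
        grant = parse_qs(ev.get("body", "")).get("grant_type", [""])[0]
        if grant == "refresh_token" and not authorised:
            findings.append("Zoho OAuth refresh_token grant from a host not authorised for Zoho")

    if ZOHO_APIS.match(host) and url.path.startswith(WORKDRIVE_PREFIX):
        if not authorised:
            findings.append(f"WorkDrive API {ev.get('method', '?')} {url.path} from an unauthorised host")
        fname = ev.get("upload_filename") or parse_qs(url.query).get("filename", [""])[0]
        if fname and BEACON_NAME.match(fname):
            findings.append(f"upload name matches RESTLEAF beacon pattern: {fname!r}")
    return findings


def scan_log(lines, allowed_hosts) -> list:
    """Run analyse_event over JSON-lines events and collect one alert per event that has findings."""
    allowed = set(allowed_hosts)
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        findings = analyse_event(ev, allowed)
        if findings:
            alerts.append({"ts": ev.get("ts"), "src_host": ev.get("src_host"), "findings": findings})
    return alerts


# Constructed sample: a workstation behaving like RESTLEAF, a sanctioned collaboration server, a browsing user
SAMPLE_LOG = """
{"ts":"2025-12-03T08:14:02Z","src_host":"ws-fin-017","method":"POST","url":"https://accounts.zoho.com/oauth/v2/token","body":"refresh_token=1000.EXAMPLE.REFRESH&client_id=1000.EXAMPLE.CLIENT&client_secret=EXAMPLE&grant_type=refresh_token"}
{"ts":"2025-12-03T08:14:05Z","src_host":"ws-fin-017","method":"POST","url":"https://www.zohoapis.com/workdrive/api/v1/upload?parent_id=abc123","upload_filename":"lion 20251203081405"}
{"ts":"2025-12-03T08:19:11Z","src_host":"ws-fin-017","method":"GET","url":"https://www.zohoapis.com/workdrive/api/v1/files/xyz789/content"}
{"ts":"2025-12-03T08:20:00Z","src_host":"srv-collab-02","method":"POST","url":"https://accounts.zoho.com/oauth/v2/token","body":"grant_type=refresh_token&refresh_token=1000.EXAMPLE.SANCTIONED"}
{"ts":"2025-12-03T08:21:30Z","src_host":"ws-hr-004","method":"GET","url":"https://www.zoho.com/workdrive/"}
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines(), {"srv-collab-02"}):
        print(alert)
```

The allow list is the whole point: a refresh-token grant is unremarkable from a server that integrates with Zoho and very remarkable from a finance workstation, and the beacon-name match only adds confidence on top of that host-based decision.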
Search enterprise endpoints for unexpected Ruby interpreter installations, specifically the presence of usbspeed.exe binaries in %PROGRAMDATA%\usbspeed directories, the scheduled task named “rubyupdatecheck,” and modified operating_system.rb files within Ruby library paths. These indicators represent high-confidence detection opportunities for Ruby Jumper SNAKEDROPPER compromise.
Deploy detection rules for the creation of scheduled tasks with names such as “rubyupdatecheck” or tasks executing binaries from %PROGRAMDATA% paths, which SNAKEDROPPER uses to maintain persistence in the Ruby Jumper framework. Alert on scheduled tasks created with suspicious frequency intervals or those executing interpreted languages like Ruby from non-standard locations.
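The SNAKEDROPPER persistence described earlier and the two hunting recommendations above can be checked offline against exported task definitions, which Windows stores as XML under C:\Windows\System32\Tasks. The triage function below is an added example written for this page, not tooling from the campaign analysis. It scores a task on the name reported for the campaign, on beacon-like repetition intervals, on commands living in user-writable paths, and on a binary that is handed a script file even though it is not a known interpreter, which is how the renamed rubyw.exe gives itself away. The two task definitions are constructed; the script name passed to usbspeed.exe in the sample is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
KNOWN_TASK_NAMES = {"rubyupdatecheck"}                       # from the campaign write-up
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\appdata\\", "\\windows\\temp\\", "\\temp\\")
INTERPRETERS = {"ruby", "rubyw", "python", "pythonw", "powershell", "pwsh", "wscript", "cscript", "mshta"}
SCRIPT_EXTENSIONS = (".rb", ".py", ".ps1", ".vbs", ".js", ".hta")
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_minutes(value):
    """Convert a Task Scheduler ISO 8601 duration such as PT5M or P1DT2H to minutes; None if unparsable."""
    m = DURATION.match(value or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def triage_task(xml_text: str, max_beacon_minutes: float = 15) -> dict:
    """Score one exported task definition for SNAKEDROPPER-style persistence traits."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS) or ""
    name = uri.rsplit("\\", 1)[-1]
    findings = []

    if name.lower() in KNOWN_TASK_NAMES:
        findings.append(f"task name on watch list: {name}")

    for interval in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        minutes = duration_minutes(interval.text)
        if minutes is not None and minutes <= max_beacon_minutes:
            findings.append(f"repeats every {interval.text} (beacon-like frequency)")

    for action in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        command = (action.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip().strip('"')
        args = (action.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        low = command.lower()
        if any(marker in low for marker in USER_WRITABLE):
            findings.append(f"command lives in a user-writable path: {command}")
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if stem in INTERPRETERS:
            findings.append(f"interpreter launched directly: {command}")
        elif args.lower().endswith(SCRIPT_EXTENSIONS):
            # a renamed interpreter (rubyw.exe -> usbspeed.exe) is betrayed by the script it is handed
            findings.append(f"non-interpreter binary handed a script: {command} {args}")

    return {"task": name, "findings": findings, "suspicious": bool(findings)}


# Constructed samples. Real files under C:\Windows\System32\Tasks are UTF-16; open them with encoding="utf-16".
SNAKEDROPPER_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\rubyupdatecheck</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-12-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\ProgramData\\usbspeed\\usbspeed.exe</Command>
      <Arguments>C:\\ProgramData\\usbspeed\\update.rb</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Vendor\\UpdateCheck</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-12-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files\\Vendor\\updater.exe"</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for sample in (SNAKEDROPPER_TASK, BENIGN_TASK):
        print(triage_task(sample))
```

The name match is the cheapest signal and the easiest for the actor to change; the other three traits survive a rename, so a task that trips any two of them deserves a look even when it is not called rubyupdatecheck.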
Strengthen air-gap integrity with strict data-transfer policies and the removable-media controls above, and regularly audit air-gapped systems for unauthorized Ruby interpreters, scheduled tasks, and modified system files that may indicate Ruby Jumper compromise.
MITRE ATT&CK tactics observed: Initial Access, Execution, Persistence, Defense Evasion, Discovery, Command and Control, Exfiltration, Collection.