A North Korea-linked threat actor tracked as APT37 has been observed using five new malicious tools in a campaign targeting air-gapped systems, according to SecurityWeek’s report. The operation, part of a December 2025 campaign named Ruby Jumper, utilised LNK files to run a PowerShell script and deploy multiple payloads, including a decoy document in Arabic.
The payloads work together to execute in memory, with RestLeaf using the Zoho WorkDrive cloud storage for C&C and to fetch shellcode, which then loads SnakeDropper, a second-stage loader. SnakeDropper drops ThumbsBD, a backdoor that exploits removable drives to exfiltrate data from air-gapped systems and uses a hidden directory on USB drives to stage commands and data.
The toolkit also includes VirusTask, a removable-media propagation tool, and FootWine, an encrypted Android package with surveillance capabilities; together they weaponise removable media to bypass network isolation, according to Zscaler. ThumbsBD handles C&C and exfiltration, while VirusTask drives further spread through social engineering by replacing legitimate files with malicious shortcuts, as noted by SecurityWeek’s coverage.
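As an added defender-side example (not code from the Zscaler or SecurityWeek reporting), the Python script below triages a mounted removable drive for the two indicators the summary describes: a hidden directory used to stage commands and data, and shortcuts that pose as legitimate files or launch PowerShell. The directory names, the sample shortcuts and the raw "powershell" byte-scan heuristic are my assumptions, not details from the report.

```python
"""Heuristic triage of a removable drive for the staging pattern above: hidden drop
directories and .lnk shortcuts posing as documents or invoking PowerShell."""
import os
import tempfile
from pathlib import Path

LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"  # every .lnk starts with HeaderSize = 0x4C
POWERSHELL_MARKERS = (b"powershell", "powershell".encode("utf-16-le"))


def is_hidden(path: Path) -> bool:
    """Dot-prefixed name (POSIX) or FILE_ATTRIBUTE_HIDDEN (0x2) where the OS reports it."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return path.name.startswith(".") or bool(attrs & 0x2)


def lnk_reasons(path: Path) -> list[str]:
    """Indicators that make one shortcut worth a closer look (empty list = none)."""
    reasons = []
    if Path(path.stem).suffix:  # "Report.docx.lnk": a shortcut dressed up as a document
        reasons.append("double-extension")
    data = path.read_bytes()
    if data.startswith(LNK_HEADER_SIZE) and any(m in data.lower() for m in POWERSHELL_MARKERS):
        reasons.append("powershell-target")
    return reasons


def triage_drive(root: Path) -> dict[str, list[str]]:
    """Map each suspicious path (relative to the drive root) to its indicators."""
    findings: dict[str, list[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        for d in dirnames:
            if is_hidden(here / d):
                findings[str((here / d).relative_to(root))] = ["hidden-dir"]
        for f in filenames:
            if f.lower().endswith(".lnk") and (reasons := lnk_reasons(here / f)):
                findings[str((here / f).relative_to(root))] = reasons
    return findings


def build_sample_drive() -> Path:
    """Constructed stand-in for a mounted USB drive; not data from the report."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / ".staging").mkdir()                        # hidden command/data drop
    (root / ".staging" / "cmd.bin").write_bytes(b"\x00")
    (root / "Docs").mkdir()
    body = LNK_HEADER_SIZE + b"\x00" * 72              # 76-byte header; the rest is irrelevant here
    (root / "Docs" / "Report.docx.lnk").write_bytes(body + "powershell.exe".encode("utf-16-le"))
    (root / "Docs" / "Printer.lnk").write_bytes(body + b"C:\\print.exe")  # ordinary shortcut
    return root
```

Run `triage_drive(build_sample_drive())` to see the hidden directory and the document-shaped PowerShell shortcut flagged while the ordinary shortcut is left alone; point `triage_drive` at a real mount point to use it as a first-pass check on media that crosses an air gap.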