ACCORDING to The Hacker News, a fresh toolset has been attributed to the North Korean threat actor ScarCruft, including a backdoor that uses Zoho WorkDrive for command-and-control (C2) communications to fetch payloads and an implant that uses removable media to relay commands and breach air-gapped networks.
The campaign, codenamed Ruby Jumper by Zscaler ThreatLabz, involves malware families such as RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT to facilitate surveillance on a victim’s system, with discovery reported in December 2025.
In the Ruby Jumper chain, a malicious LNK file launches a PowerShell command that searches the current directory for the LNK file itself, then carves embedded payloads from fixed offsets within that LNK: a decoy document, an executable payload, an additional PowerShell script, and a batch file.
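The carving step above is the part a triage analyst can reproduce without the attacker's loader. The following is an added example written for this summary, not code from The Hacker News or Zscaler ThreatLabz: the campaign's fixed offsets are not given on the page, so instead of hardcoding them the script validates the Shell Link header (the 0x4C header size and ShellLink CLSID from MS-SHLLINK) and scans the bytes after it for file signatures, which generalises the fixed-offset case to any LNK with appended payloads. The sample LNK is constructed inline, the 64 KiB "oversized" threshold is an assumption, and the PE check only confirms that the DOS header points at a `PE\0\0` signature.

```python
import struct

# Shell Link header constants (MS-SHLLINK), not values from the article.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# File signatures used to carve appended payloads. Assumption: real samples
# would need their own offsets; this scans for magic bytes instead.
SIGNATURES = {
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip_or_office",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2_office",
}


def is_lnk(data: bytes) -> bool:
    """True if the blob starts with a well-formed Shell Link header."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def _looks_like_pe(blob: bytes) -> bool:
    """Reject stray 'MZ' hits: e_lfanew must point at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_payloads(data: bytes, min_offset: int = LNK_HEADER_SIZE):
    """Return [(offset, kind, blob)] for every signature found past the
    header. Each blob runs to the next signature hit or to end of file."""
    hits = []
    for magic, kind in SIGNATURES.items():
        start = min_offset
        while (idx := data.find(magic, start)) != -1:
            hits.append((idx, kind))
            start = idx + 1
    hits.sort()
    payloads = []
    for i, (off, kind) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(data)
        blob = data[off:end]
        if kind == "pe" and not _looks_like_pe(blob):
            continue  # 'MZ' inside some other payload, not an executable
        payloads.append((off, kind, blob))
    return payloads


def triage(data: bytes, size_threshold: int = 64 * 1024) -> dict:
    """Summarise why an LNK deserves a closer look (threshold is an assumption)."""
    lnk = is_lnk(data)
    payloads = carve_payloads(data) if lnk else []
    return {
        "is_lnk": lnk,
        "oversized": len(data) > size_threshold,
        "embedded": [(off, kind, len(blob)) for off, kind, blob in payloads],
    }


def build_sample() -> bytes:
    """Constructed test input: a bare LNK header followed by a decoy PDF,
    a minimal PE stub and a batch script, mimicking the appended layout."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    decoy = b"%PDF-1.4\n%constructed decoy document\n"
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> PE signature
    pe_stub = bytes(dos) + b"PE\0\0" + b"\x00" * 20
    batch = b"\r\n@echo off\r\nstart decoy.pdf\r\n"  # no magic: not carved
    return bytes(header) + decoy + pe_stub + batch


if __name__ == "__main__":
    sample = build_sample()
    for off, kind, blob in carve_payloads(sample):
        print(f"0x{off:04x} {kind:14s} {len(blob)} bytes")
    print(triage(sample))
```

Signature carving finds the decoy document and the executable but not the PowerShell script or batch file, which are plain text with no magic bytes; the batch text in the sample simply rides along at the tail of the PE blob. Recovering those requires the offsets that the LNK's own PowerShell stage uses, so in practice this script is a first-pass triage step, and any `pe` hit should still be handed to a full PE parser.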
RESTLEAF is the Windows executable payload that uses Zoho WorkDrive for C2 after authenticating with a valid access token to download shellcode, which is then executed via process injection before deploying the other components. THUMBSBD, disguised as a Ruby file, uses removable media to relay commands and transfer data between internet-connected and air-gapped systems, while FOOTWINE provides keylogging and audio/video capture and communicates with a C2 server using a custom binary protocol. The piece notes that THUMBSBD and VIRUSTASK weaponise removable media to bypass network isolation and infect air-gapped systems.