North Korea-linked APT37 has been observed using a multi-stage chain dubbed Ruby Jumper to infiltrate air-gapped networks, beginning with LNK files that deploy PowerShell and load backdoors such as RESTLEAF in memory. The campaign relies on Zoho WorkDrive for command-and-control and authenticates with hardcoded tokens. Zscaler ThreatLabz, which discovered the campaign in December 2025, has documented the full attack chain.
The backdoor suite includes SNAKEDROPPER, which drops a rogue Ruby runtime disguised as a USB utility and helps establish persistence, and THUMBSBD, a tool designed to bridge air-gapped networks via removable media to stage data for exfiltration. VIRUSTASK spreads infection by replacing files on USB drives with malicious shortcuts, while BLUELIGHT leverages cloud services like Google Drive, Microsoft OneDrive, pCloud and BackBlaze for covert C2 communications.
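Two parts of the chain described above lend themselves to simple host-side triage: the LNK-to-PowerShell first stage, and the USB propagation step that swaps files for malicious shortcuts. The script below is an added example written for this summary; it is not Zscaler ThreatLabz code and not derived from the Ruby Jumper samples. It checks the fixed LNK header (HeaderSize 0x4C plus the shell link CLSID), flags shortcuts whose name carries a document extension before `.lnk`, searches the shortcut body for common launcher strings in both ASCII and UTF-16LE, and applies an explorer-spawns-hidden-PowerShell rule to process-creation log lines. The indicator lists, the log-line format, the sample shortcut bytes and the sample log lines are all assumptions constructed for the example.

```python
"""Triage helpers for LNK-launched PowerShell and USB shortcut masquerading.

Added example only; indicator strings, log format and samples are constructed
and are not taken from any published report.
"""
import os
import re

# Every .lnk begins with HeaderSize = 0x4C followed by CLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = b"L\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Extensions a shortcut might imitate on a USB drive (assumed list).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".jpg", ".png"}

# Launcher fragments worth flagging inside a shortcut body (assumed list, lowercase).
SUSPICIOUS = ["powershell", "-enc", "-encodedcommand", "-w hidden",
              "-windowstyle hidden", "cmd.exe /c", "mshta", "rundll32"]


def is_lnk(data: bytes) -> bool:
    """True if the first 20 bytes match the shell link header."""
    return data[:4] == LNK_MAGIC and data[4:20] == LNK_CLSID


def masquerade_ext(name: str):
    """Return the imitated document extension for names like 'Report.docx.lnk', else None."""
    stem, ext = os.path.splitext(name)
    if ext.lower() != ".lnk":
        return None
    inner = os.path.splitext(stem)[1].lower()
    return inner if inner in DOC_EXTS else None


def suspicious_strings(data: bytes):
    """Case-insensitive search for indicators in ASCII and UTF-16LE form."""
    low = data.lower()  # lowercases ASCII bytes; UTF-16LE letters are ASCII + 0x00
    return [s for s in SUSPICIOUS
            if s.encode("ascii") in low or s.encode("utf-16-le") in low]


def triage_lnk(name: str, data: bytes) -> dict:
    """Score one shortcut: masquerading name plus embedded launcher strings."""
    if not is_lnk(data):
        return {"name": name, "is_lnk": False, "findings": [], "score": 0}
    findings = []
    ext = masquerade_ext(name)
    if ext:
        findings.append(f"shortcut masquerading as {ext} file")
    findings += [f"embedded string '{s}'" for s in suspicious_strings(data)]
    return {"name": name, "is_lnk": True, "findings": findings, "score": len(findings)}


def scan_removable(root: str):
    """Walk a mounted drive and return shortcuts with findings; also note when the
    file the shortcut imitates still exists beside it (hidden original left behind)."""
    results = []
    for dirpath, _, files in os.walk(root):
        present = set(files)
        for f in files:
            if not f.lower().endswith(".lnk"):
                continue
            try:
                with open(os.path.join(dirpath, f), "rb") as fh:
                    data = fh.read(1 << 20)
            except OSError:
                continue
            r = triage_lnk(f, data)
            if f[:-4] in present:
                r["findings"].append("original file still present beside shortcut")
                r["score"] += 1
            if r["findings"]:
                r["path"] = os.path.join(dirpath, f)
                results.append(r)
    return results


# Process-creation rule: explorer.exe (how a double-clicked LNK runs) spawning hidden or
# encoded PowerShell. Log format below is an assumption for the example.
PROC_RE = re.compile(r'parent=(?P<parent>\S+)\s+image=(?P<image>\S+)\s+cmd="(?P<cmd>[^"]*)"')
HIDDEN_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")


def flag_lnk_powershell(line: str) -> bool:
    m = PROC_RE.search(line)
    if not m:
        return False
    parent = os.path.basename(m["parent"].replace("\\", "/")).lower()
    image = os.path.basename(m["image"].replace("\\", "/")).lower()
    cmd = m["cmd"].lower()
    return parent == "explorer.exe" and image == "powershell.exe" and any(k in cmd for k in HIDDEN_FLAGS)


# Constructed sample: a valid 76-byte header followed by a UTF-16LE command string.
SAMPLE_LNK = LNK_MAGIC + LNK_CLSID + b"\x00" * 56 + \
    "powershell.exe -W Hidden -enc SQBFAFgA".encode("utf-16-le")
BENIGN_LNK = LNK_MAGIC + LNK_CLSID + b"\x00" * 56 + "notepad.exe".encode("utf-16-le")

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    r'2025-12-02T10:14:03Z host=WS-07 parent=C:\Windows\explorer.exe '
    r'image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -w hidden -enc SQBFAFgA"',
    r'2025-12-02T10:15:11Z host=WS-07 parent=C:\Windows\explorer.exe '
    r'image=C:\Windows\System32\notepad.exe cmd="notepad.exe readme.txt"',
]

if __name__ == "__main__":
    print(triage_lnk("Quarterly_Report.docx.lnk", SAMPLE_LNK))
    print([flag_lnk_powershell(l) for l in SAMPLE_LOGS])
```

Run `scan_removable("E:\\")` (or the mount point of a USB drive) to triage a whole device; the shortcut checks are heuristics for prioritising review, not proof of compromise, and the process rule should be tuned against the environment's own administrative PowerShell usage before it is alerted on.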
ThreatLabz attributes the Ruby Jumper campaign to APT37 with high confidence, noting the use of LNK infection chains, cloud-based C2 and a two-stage shellcode as consistent with past activity.