APT37, a North Korea-linked cyber espionage group, has been observed running a new campaign that breaches air-gapped networks with tools that spread via removable media. The operation, which researchers have dubbed Ruby Jumper, uses six malicious tools across the attack lifecycle; five of them, RestLeaf, SnakeDropper, ThumbSBD, VirusTask and FootWine, had not been previously documented. Removable media is used to pass commands and data between the air-gapped systems.
According to Zscaler ThreatLabz, its team discovered the campaign in December 2025 and published a detailed report on 26 February 2026. The report shows the group abusing Windows shortcut (LNK) files to gain initial access and then launching a PowerShell command to extract embedded payloads.
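The LNK-to-PowerShell initial access described above can be triaged at the file level before the shortcut is ever opened. The following is an added example, not code from the ThreatLabz report or from the campaign: a minimal parser for the Windows Shell Link format (MS-SHLLNK) that pulls out the relative path and command-line arguments, the ShowCommand value and any bytes appended after the link structure (where an embedded payload would sit), and reports which of those indicators are present. The `build_lnk` helper, both samples, the keyword list and the 4 KiB overlay threshold are constructed assumptions for the demonstration, not values from the report.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in on-disk order (MS-SHLLNK 2.4): each is a u16 char count followed by the chars
STRING_FIELDS = [(0x04, "name"), (0x08, "relpath"), (0x10, "workdir"), (0x20, "args"), (0x40, "icon")]

def parse_lnk(data):
    # Returns (ShowCommand, StringData fields, bytes appended after the link structure)
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, show_cmd = struct.unpack_from("<I", data, 20)[0], struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:                      # LinkTargetIDList: u16 size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # LinkInfo: u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "latin-1")
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0] * width
            fields[name] = data[pos + 2:pos + 2 + n].decode(enc)
            pos += 2 + n
    size = 4
    while size >= 4 and pos + 4 <= len(data):   # ExtraData: skip blocks until the TerminalBlock (size < 4)
        size = struct.unpack_from("<I", data, pos)[0]
        pos += max(size, 4)
    return show_cmd, fields, data[pos:]

def triage_lnk(data, overlay_threshold=4096):
    show_cmd, fields, overlay = parse_lnk(data)
    cmd = (fields.get("relpath", "") + " " + fields.get("args", "")).lower()
    checks = [("powershell" in cmd, "launches powershell"),
              (any(k in cmd for k in ("-enc", "frombase64string", "bypass", "hidden")), "hidden/encoded/bypass switches"),
              (show_cmd == 7, "window suppressed (SW_SHOWMINNOACTIVE)"),
              (len(overlay) >= overlay_threshold, "%d bytes appended after the link structure" % len(overlay))]
    return [msg for hit, msg in checks if hit]

def build_lnk(relpath="", args="", show_cmd=1, overlay=b""):
    # Constructed minimal Unicode .lnk for testing; not a real sample
    flags = IS_UNICODE | (0x08 if relpath else 0) | (0x20 if args else 0)
    hdr = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x20) + b"\x00" * 24   # header through WriteTime
    hdr += struct.pack("<IiIHHII", 0, 0, show_cmd, 0, 0, 0, 0)                   # FileSize .. Reserved3
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relpath, args) if s)
    return hdr + body + b"\x00\x00\x00\x00" + overlay                            # TerminalBlock, then overlay

DROPPER_LNK = build_lnk(r"..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # constructed sample
                        "-w hidden -ep bypass -enc <CONSTRUCTED_PLACEHOLDER>", 7, b"A" * 8192)
BENIGN_LNK = build_lnk(r"..\Documents\report.docx")                                      # constructed sample
```

Run over a directory of shortcuts arriving by e-mail or on removable media, any file that trips several of these checks at once is worth pulling for analysis; a large overlay on a shortcut is the single strongest signal, since legitimate shortcuts end at the TerminalBlock.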
The operation also uses BlueLight for command execution and data theft, while RestLeaf profiles the compromised system and retrieves follow-on components from Zoho WorkDrive, which is used for C2 communications; researchers say this is the first time APT37 has used Zoho WorkDrive.
ThumbSBD is designed specifically to propagate via removable media, enabling lateral movement into isolated environments; subsequent components such as SnakeDropper and FootWine carry on data collection and staged exfiltration over USB drives.