North Korean APT Targets Air-Gapped Systems in Recent Campaign
Briefly

"As part of a campaign discovered in December 2025, named Ruby Jumper, APT37 was seen using LNK files to execute a PowerShell script and deploy multiple payloads, including a decoy document in Arabic about the Palestine-Israel conflict. The payloads work together to execute a payload in memory. Dubbed RestLeaf, it uses the Zoho WorkDrive cloud storage for command-and-control (C&C) and attempts to fetch a file containing shellcode from it."
"The malware creates a working directory and installs the Ruby 3.3.0 runtime environment disguised as a USB speed monitoring utility, backdoors the Ruby interpreter, and creates a scheduled task to execute the interpreter every five minutes, establishing persistence. Executed every time the Ruby interpreter starts, SnakeDropper drops ThumbsBD, a backdoor that uses removable drives to exfiltrate data from air-gapped systems, using them as bidirectional relays."
"ThumbsBD also collects system information, downloads additional payloads, and executes shellcode from a specific directory. SnakeDropper was also observed dropping VirusTask, a removable media propagation tool designed to infect air-gapped systems, which exclusively weaponizes USB drives for initial access."
APT37, a North Korea-linked threat actor active since 2012, launched the Ruby Jumper campaign in December 2025 targeting air-gapped systems. The attack chain begins with LNK files executing PowerShell scripts that deploy multiple payloads, including a decoy document about the Palestine-Israel conflict. RestLeaf uses Zoho WorkDrive for command-and-control, fetching encrypted shellcode that loads SnakeDropper. SnakeDropper installs a backdoored Ruby 3.3.0 runtime disguised as a USB utility and establishes persistence through scheduled tasks. ThumbsBD, a backdoor dropped by SnakeDropper, exfiltrates data from air-gapped systems using removable drives as bidirectional relays. VirusTask propagates the malware exclusively through USB drives for initial access to isolated networks.
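The persistence step described above (a scheduled task that launches a disguised Ruby interpreter every five minutes from a directory the malware created) suggests a simple hunt. The following PowerShell script is added here as an example and is not taken from the SecurityWeek report or any vendor tooling; it lists scheduled tasks that repeat at short intervals and launch a scripting interpreter or an executable from a user-writable location. The interpreter list, the directory list and the 15-minute threshold are assumptions to tune for your environment.

```powershell
# Added example (not from the report): hunt for the scheduled-task persistence
# pattern described above. Heuristic only; review every hit manually.

# Interpreters worth flagging when launched by a high-frequency task (assumed list).
$Interpreters = @('ruby.exe', 'rubyw.exe', 'powershell.exe', 'pwsh.exe',
                  'python.exe', 'wscript.exe', 'cscript.exe')

# Locations from which a legitimate runtime is rarely scheduled (assumed list).
$SuspiciousRoots = @(
    [Environment]::GetFolderPath('LocalApplicationData'),
    [Environment]::GetFolderPath('ApplicationData'),
    $env:TEMP,
    $env:PUBLIC,
    'C:\ProgramData'
)

# Convert a task repetition interval (ISO 8601 duration such as PT5M) to minutes.
function Convert-RepetitionToMinutes {
    param([string]$Interval)
    if ([string]::IsNullOrEmpty($Interval)) { return $null }
    return [System.Xml.XmlConvert]::ToTimeSpan($Interval).TotalMinutes
}

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $exe = $action.Execute
        if (-not $exe) { continue }
        $exePath = $exe.Trim('"')
        $exeName = [System.IO.Path]::GetFileName($exePath)
        $fromSuspiciousRoot = $SuspiciousRoots |
            Where-Object { $_ -and $exePath.StartsWith($_, 'OrdinalIgnoreCase') }
        # Shortest repetition interval across all triggers of this task.
        $minInterval = ($task.Triggers |
            ForEach-Object { Convert-RepetitionToMinutes $_.Repetition.Interval } |
            Where-Object { $_ } | Measure-Object -Minimum).Minimum

        # Flag: repeats at most every 15 minutes AND (known interpreter OR odd location).
        if ($minInterval -and $minInterval -le 15 -and
            (($Interpreters -contains $exeName) -or $fromSuspiciousRoot)) {
            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $exe
                Arguments = $action.Arguments
                Interval  = "$minInterval min"
                RunAs     = $task.Principal.UserId
                LastRun   = $info.LastRunTime
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

Run it in an elevated session so tasks registered by other users are visible; a hit whose executable sits under a user profile and whose arguments point at a script outside the runtime's own install tree deserves a closer look.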
Read at SecurityWeek