
"In the Ruby Jumper campaign, when a victim opens a malicious LNK file, it launches a PowerShell command and scans the current directory to locate itself based on file size. Then, the PowerShell script launched by the LNK file carves multiple embedded payloads from fixed offsets within that LNK, including a decoy document, an executable payload, an additional PowerShell script, and a batch file."
"The Windows executable payload, named RESTLEAF, is spawned in memory, and uses Zoho WorkDrive for C2, marking the first time the threat actor has abused the cloud storage service in its attack campaigns. Once it's successfully authenticated with the Zoho WorkDrive infrastructure by means of a valid access token, RESTLEAF downloads shellcode, which is then executed via process injection, eventually leading to the deployment of SNAKEDROPPER."
ScarCruft, a North Korean threat actor, launched the Ruby Jumper campaign discovered in December 2025, deploying multiple malware families including RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT for system surveillance. The attack begins when victims open malicious LNK files that execute PowerShell commands, extracting embedded payloads from fixed offsets including decoy documents, executables, scripts, and batch files. RESTLEAF, a Windows executable payload, marks the first instance of ScarCruft abusing Zoho WorkDrive cloud storage for command-and-control communications. After authentication with valid access tokens, RESTLEAF downloads and executes shellcode via process injection, deploying SNAKEDROPPER, which establishes persistence through scheduled tasks and drops additional malware. The campaign uses lure documents featuring Palestine-Israel conflict articles translated from North Korean sources into Arabic.
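The detail that matters for defenders in the description above is structural: a shortcut that has to locate itself by file size and then carve payloads from fixed offsets must be far larger than the shortcut format needs, with the extra bytes sitting after the last structure the MS-SHLLINK specification defines. The Python below is an added triage example written for this summary; it is not code from The Hacker News, from the researchers who named RESTLEAF, or from the campaign itself. It walks the documented .lnk structures (header, optional LinkTargetIDList and LinkInfo, the StringData fields, and the ExtraData blocks up to the terminal block) and reports how many bytes follow the format's end. The `build_sample_lnk` helper and its placeholder command line are constructed test data, and the overlay threshold is an assumed tuning knob, not a value from the report.

```python
import struct

# MS-SHLLINK ShellLinkHeader: fixed 76-byte size and the shell link CLSID
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)


def _need(data, pos, n):
    """Raise instead of reading past the end of a truncated or malformed file."""
    if pos + n > len(data):
        raise ValueError("truncated shell link at offset %d" % pos)


def parse_lnk(data: bytes) -> dict:
    """Walk the .lnk structures and report where the documented format ends."""
    _need(data, 0, HEADER_SIZE)
    if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE

    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize (2 bytes) + IDList
        _need(data, pos, 2)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize counts itself
        _need(data, pos, 4)
        pos += struct.unpack_from("<I", data, pos)[0]

    strings = {}
    width = 2 if flags & IS_UNICODE else 1    # CountCharacters, then chars
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        _need(data, pos, 2)
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        _need(data, pos, count * width)
        raw = data[pos:pos + count * width]
        pos += count * width
        strings[field] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")

    # ExtraData: (BlockSize, BlockSignature, ...) blocks until a terminal block with size < 4
    while True:
        _need(data, pos, 4)
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:
            pos += 4
            break
        pos += block_size

    return {"structural_end": pos, "overlay_size": len(data) - pos, "strings": strings}


def assess_lnk(data: bytes, overlay_threshold: int = 0) -> dict:
    """Triage one shortcut: bytes after the terminal block are never part of a normal .lnk."""
    info = parse_lnk(data)
    text = " ".join(info["strings"].values()).lower()
    return {
        "overlay_size": info["overlay_size"],
        "references_powershell": "powershell" in text,   # worth surfacing alongside an overlay
        "suspicious": info["overlay_size"] > overlay_threshold,   # assumed threshold, tune per environment
    }


def build_sample_lnk(overlay: bytes) -> bytes:
    """Constructed sample: a minimal shortcut to PowerShell with `overlay` appended after the format ends."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))      # remaining header fields left zero

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
    body += string_data("-NoProfile -Command PLACEHOLDER_COMMAND")   # placeholder, not a real sample
    terminal = struct.pack("<I", 0)                       # ExtraData terminal block
    return header + body + terminal + overlay


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, assess_lnk(fh.read()))
```

Run it over a directory of shortcuts from mail attachments or removable media and sort by `overlay_size`; a shortcut that carries a document, an executable and two scripts after its terminal block stands out by size alone, before any of the carved content is inspected. The parser only tracks structure, so it does not need to know the campaign's specific offsets, and it refuses files that are not shell links rather than guessing.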
#scarcruft #ruby-jumper-campaign #zoho-workdrive-abuse #malware-deployment #air-gapped-network-compromise
Read at The Hacker News