DEV Community

DeepSeaX

ScarCruft Ruby Jumper: How North Korean Hackers Breach Air-Gapped Networks via USB and Zoho WorkDrive in 2026

North Korea's ScarCruft (APT37) just raised the bar for air-gapped network attacks. Their new Ruby Jumper campaign, discovered by Zscaler ThreatLabz in December 2025, deploys six custom malware families — including a backdoor that abuses Zoho WorkDrive for C2 and USB-based implants that bridge isolated networks.

This is a masterclass in nation-state tradecraft. Here's the full technical breakdown.


The Infection Chain

Ruby Jumper starts with a malicious .LNK shortcut file. When opened, it triggers PowerShell to carve embedded payloads from fixed offsets within the LNK itself — a technique that avoids dropping files to disk initially.

The chain progresses through four stages:

Stage 1 — RESTLEAF (Initial Implant)

RESTLEAF executes entirely in memory via shellcode injection. What makes it notable: it uses Zoho WorkDrive as its C2 channel. The implant authenticates using hardcoded OAuth credentials, then downloads shellcode from a file called AAA.bin and creates beacon files whose names follow a lion [timestamp] pattern.

This is the first documented case of APT37 abusing Zoho WorkDrive — adding to their history of hijacking legitimate cloud services.

Stage 2 — SNAKEDROPPER (Persistence)

Once RESTLEAF pulls down the next payload, SNAKEDROPPER takes over. It:

  • Extracts an embedded Ruby 3.3.0 runtime from ruby3.zip
  • Installs it to %PROGRAMDATA%\usbspeed, renaming rubyw.exe to usbspeed.exe
  • Replaces Ruby's legitimate operating_system.rb with malicious code
  • Creates a scheduled task rubyupdatecheck that runs every 5 minutes

The masquerading is clever — disguising a full Ruby runtime as a USB utility.

Stage 3 — Air-Gap Bridge (THUMBSBD + VIRUSTASK)

This is where Ruby Jumper gets dangerous.

VIRUSTASK monitors for USB drive connections. When a removable drive with 2GB+ free space is detected, it:

  • Creates a hidden $RECYCLE.BIN.USER folder
  • Replaces victim files with LNK shortcuts pointing to usbspeed.exe
  • Checks c:\programdata\usbspeed to identify already-infected hosts

THUMBSBD turns USB drives into a bidirectional C2 channel. It creates hidden directories on removable media to stage commands (CMD, MCD) and exfiltrate data (RST). The implant encrypts its configuration with single-byte XOR (key 0x83) and targets specific victims using SHA-256 identifiers derived from volume serial numbers.

This allows operators to send commands and receive stolen data through the USB relay — no network connection required on the air-gapped target.
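Takeaway 5 below recommends inspecting removable media for these staging folders. The following is an added example (not code from the original post or from Zscaler's report) that scans a drive root for the artifacts described above; the folder names ($RECYCLE.BIN.USER, CMD, MCD, RST) come from the post, while the heuristic of searching .lnk bytes for the string "usbspeed.exe" and the constructed sample layout are this example's assumptions.

```python
"""Triage scanner for Ruby Jumper USB staging artifacts on removable media."""
import tempfile
from pathlib import Path

STAGING_DIR = "$RECYCLE.BIN.USER"            # hidden staging folder named in the post
RELAY_SUBDIRS = ("CMD", "MCD", "RST")         # command (CMD, MCD) and result (RST) folders
# Assumption: a dropped LNK carries its target path as ASCII or UTF-16LE text.
LNK_MARKERS = (b"usbspeed.exe", "usbspeed.exe".encode("utf-16-le"))


def scan_removable_root(root):
    """Return (finding, path) tuples for suspicious artifacts under a drive root."""
    root = Path(root)
    findings = []
    staging = root / STAGING_DIR
    if staging.is_dir():
        findings.append(("hidden staging folder", str(staging)))
        for sub in RELAY_SUBDIRS:
            if (staging / sub).is_dir():
                findings.append((f"relay folder {sub}", str(staging / sub)))
    # Walk every file; match .lnk case-insensitively since NTFS/FAT are case-insensitive.
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".lnk":
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue
        if any(marker in data for marker in LNK_MARKERS):
            findings.append(("LNK referencing usbspeed.exe", str(path)))
    return findings


def build_constructed_sample():
    """Create a constructed (fake) USB layout in a temp dir for a self-test."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / STAGING_DIR / "MCD").mkdir(parents=True)
    (root / STAGING_DIR / "RST").mkdir()
    # Fake shortcuts: real LNK files are binary; only the embedded target string matters here.
    (root / "report.docx.lnk").write_bytes(b"L\x00\x00\x00" + "usbspeed.exe".encode("utf-16-le"))
    (root / "benign.lnk").write_bytes(b"L\x00\x00\x00" + "notepad.exe".encode("utf-16-le"))
    return root


if __name__ == "__main__":
    for finding, path in scan_removable_root(build_constructed_sample()):
        print(f"[!] {finding}: {path}")
```

Point `scan_removable_root` at a mounted drive letter (for example `E:\`) to triage real media; a hit on the staging folder alone is worth pulling the drive for imaging.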

Stage 4 — FOOTWINE (Full Surveillance)

The final payload is FOOTWINE, a full-featured backdoor with:

  • sm — Interactive shell access
  • dm — Screenshot capture and keylogging
  • cm — Audio and video surveillance (microphone + webcam)
  • fm — File upload, download, and deletion
  • rm — Registry operations
  • pm — Process enumeration
  • pxm — Proxy relay for pivoting

FOOTWINE uses a custom binary protocol on port 8080 with random padding (32-846 bytes) and a 32-byte session key exchange to evade signature-based detection.


Indicators of Compromise

Network IOCs

| Type      | Indicator            |
|-----------|----------------------|
| C2 Domain | philion[.]store      |
| C2 Domain | homeatedke[.]store   |
| C2 Domain | hightkdhe[.]store    |
| C2 IP     | 144.172.106.66:8080  |

File System Artifacts

%PROGRAMDATA%\usbspeed\           # Ruby runtime (masquerading)
%PROGRAMDATA%\ruby3.zip            # Staging archive
%LOCALAPPDATA%\TnGtp\TN.dat        # THUMBSBD config (XOR encrypted)
Scheduled Task: rubyupdatecheck    # 5-minute persistence

Registry Keys

HKCU\SOFTWARE\Microsoft\TnGtp              # THUMBSBD marker
HKCU\Software\Microsoft\ActiveUSBPolicies  # VIRUSTASK state

File Hashes (MD5)

| Hash (MD5)                       | Description        |
|----------------------------------|--------------------|
| 709d70239f1e9441e8e21fcacfdc5d08 | Malicious LNK      |
| ad556f4eb48e7dba6da14444dcce3170 | RESTLEAF shellcode |
| 098d697f29b94c11b52c51bfe8f9c47d | SNAKEDROPPER       |
| 4214818d7cde26ebeb4f35bc2fc29ada | THUMBSBD (ascii.rb)|
| 5c6ff601ccc75e76c2fc99808d8cc9a9 | VIRUSTASK          |
| 476bce9b9a387c5f39461d781e7e22b9 | FOOTWINE           |

MITRE ATT&CK Mapping

| Technique                          | ID        | Stage            |
|------------------------------------|-----------|------------------|
| User Execution: Malicious Link     | T1204.001 | Initial Access   |
| PowerShell                         | T1059.001 | Execution        |
| Scheduled Task                     | T1053.005 | Persistence      |
| Process Injection                  | T1055     | Defense Evasion  |
| Masquerading                       | T1036.005 | Defense Evasion  |
| Communication via Removable Media  | T1092     | C2               |
| Exfiltration over USB              | T1052.001 | Exfiltration     |
| Keylogging                         | T1056.001 | Collection       |
| Screen Capture                     | T1113     | Collection       |
| Audio Capture                      | T1123     | Collection       |
| Video Capture                      | T1125     | Collection       |

Detection Opportunities

Sigma Rule — SNAKEDROPPER Persistence

title: ScarCruft Ruby Jumper - SNAKEDROPPER Persistence
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection_path:
        Image|endswith: '\\usbspeed.exe'
        Image|contains: '\\ProgramData\\'
    selection_task:
        CommandLine|contains:
            - 'rubyupdatecheck'
            - 'operating_system.rb'
    condition: selection_path or selection_task
level: critical
tags:
    - attack.persistence
    - attack.t1053.005
    - attack.t1036.005

Sigma Rule — THUMBSBD USB Staging

title: ScarCruft Ruby Jumper - USB Air-Gap Relay
status: experimental
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '$RECYCLE.BIN.USER'
            - '\\MCD\\'
            - '\\OCD\\'
            - '\\RST\\'
    filter:
        TargetFilename|contains: '\\$Recycle.Bin\\S-'
    condition: selection and not filter
level: high
tags:
    - attack.command_and_control
    - attack.t1092
    - attack.t1052.001

Network Detection

Monitor for:

  • Zoho WorkDrive API calls (workdrive.zoho.com) from non-browser processes
  • Custom binary protocol on port 8080 with random-length padding
  • DNS queries to philion.store, homeatedke.store, hightkdhe.store

Why This Matters

Air-gapped networks exist specifically to protect the most sensitive systems — military, intelligence, critical infrastructure. ScarCruft's Ruby Jumper demonstrates that nation-state actors are actively investing in tools to breach these isolated environments.

The combination of cloud-based C2 (Zoho WorkDrive) for internet-connected systems and USB relay for air-gapped targets creates a complete kill chain that's difficult to detect with traditional security tools.

Key takeaways for defenders:

  1. USB device control is not optional for sensitive environments
  2. Monitor for Ruby runtimes in unusual paths (%PROGRAMDATA%)
  3. Watch for scheduled tasks with suspicious names executing scripts
  4. Block or alert on Zoho WorkDrive API access from non-sanctioned applications
  5. Inspect $RECYCLE.BIN directories on removable media for hidden staging folders

Need help assessing your exposure to nation-state threats? Request a free penetration test — currently in open beta.
