North Korean APT37 Targets Air-Gapped Systems in Advanced “Ruby Jumper” Campaign

By Azhar Khan

The North Korean threat group APT37 has launched a sophisticated campaign dubbed Ruby Jumper, specifically designed to infiltrate and extract data from air-gapped environments. The operation demonstrates a carefully engineered multi-stage attack chain leveraging newly identified tools, USB propagation mechanisms, and cloud-based command-and-control (C2) infrastructure.

Initial Infection Vector

The campaign begins with a malicious Windows shortcut (LNK) file delivered to targeted victims. When executed, the LNK file triggers a hidden PowerShell command that initiates the first stage of the compromise.

The LNK file is paired with a decoy Arabic-language document designed to distract victims while malicious code executes in the background. This social engineering tactic increases the likelihood of successful execution within high-value or regionally targeted environments.
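Because the first stage is a shortcut whose target is a hidden PowerShell command, a defender's first question is what a given LNK file actually launches. The following parser is an added example written for this article, not code from the original report: it reads the Shell Link header and StringData section (MS-SHLLINK layout), then applies triage rules for the traits described above (PowerShell target, hidden window, encoded command, minimised ShowCommand). The fixture builder only produces test shortcuts so the parser can be exercised offline; the sample arguments and the "fixture" command it encodes are constructed and have nothing to do with the real campaign files.

```python
import base64
import re
import struct

# Shell Link (.LNK) header constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# HeaderSize, CLSID, LinkFlags, FileAttributes, 3 x FILETIME, FileSize, IconIndex, ShowCommand, HotKey, Reserved1..3
HEADER_FMT = "<I16sIIQQQIIIHHII"

HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # window starts minimised and never takes focus: a common malicious-shortcut setting


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData of a Shell Link; the IDList and LinkInfo blocks are skipped."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than a Shell Link header")
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    header_size, clsid, flags, show_cmd = fields[0], fields[1], fields[2], fields[9]
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        (info_size,) = struct.unpack_from("<I", data, offset)
        offset += info_size
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:
        nonlocal offset
        (count,) = struct.unpack_from("<H", data, offset)  # CountCharacters, not bytes
        offset += 2
        nbytes = count * 2 if unicode else count
        raw = data[offset:offset + nbytes]
        offset += nbytes
        return raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")

    info = {"show_command": show_cmd, "name": "", "relative_path": "",
            "working_dir": "", "arguments": "", "icon_location": ""}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            info[key] = read_string()
    return info


def triage_lnk(info: dict) -> list:
    """Return findings that make a shortcut worth an analyst's attention."""
    findings = []
    target = (info["relative_path"] + " " + info["arguments"]).lower()
    if "powershell" in target or "pwsh" in target:
        findings.append("launches PowerShell")
    if re.search(r"-w(?:indowstyle)?\s+h(?:idden)?\b", target):
        findings.append("hidden window requested via arguments")
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", info["arguments"], re.IGNORECASE)
    if m:
        try:  # -EncodedCommand carries base64 of a UTF-16LE script
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
        except (ValueError, UnicodeDecodeError):
            decoded = "<undecodable>"
        findings.append("encoded command: " + decoded)
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7 (SW_SHOWMINNOACTIVE)")
    if len(info["arguments"]) > 200:
        findings.append("unusually long argument string (%d chars)" % len(info["arguments"]))
    return findings


def build_fixture_lnk(relative_path: str, arguments: str, show_cmd: int = 1) -> bytes:
    """Constructed test fixture (not a campaign sample): a minimal Shell Link carrying only
    RelativePath and Arguments, enough to exercise the parser offline."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(HEADER_FMT, LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Harmless constructed payload so the decoder path can be demonstrated.
FIXTURE_B64 = base64.b64encode("Write-Output 'fixture'".encode("utf-16-le")).decode()


def demo() -> dict:
    suspicious = build_fixture_lnk(
        r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "-NoProfile -WindowStyle Hidden -EncodedCommand " + FIXTURE_B64,
        show_cmd=SW_SHOWMINNOACTIVE)
    benign = build_fixture_lnk(r"..\Reports\quarterly.docx", "", show_cmd=1)
    return {"suspicious": triage_lnk(parse_lnk(suspicious)),
            "benign": triage_lnk(parse_lnk(benign))}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or ["no findings"])
```

Run it against real files with `triage_lnk(parse_lnk(open(path, "rb").read()))`; the IDList and LinkInfo blocks are skipped rather than parsed, so a shortcut whose only target is in the IDList (no RelativePath) will show an empty path and should be inspected with a full parser.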

Multi-Stage Malware Framework

APT37 deployed at least five newly identified tools in this campaign. The infection chain unfolds as follows:

  1. RestLeaf Loader: Establishes communication with a remote server by abusing legitimate cloud infrastructure.
  2. Cloud-Based C2 via Zoho WorkDrive: Retrieves encrypted shellcode payloads while blending malicious traffic with legitimate enterprise cloud activity.
  3. SnakeDropper: Loads the shellcode directly into memory and installs a compromised Ruby runtime environment.
  4. ThumbsBD & VirusTask: Enable USB-based propagation and data exfiltration from air-gapped systems.
  5. FootWine: An Android surveillance component extending monitoring capabilities to mobile devices.

This modular approach allows attackers to maintain flexibility and adapt the payload depending on the target environment.

Air-Gap Bypass Technique

The most significant aspect of the Ruby Jumper campaign is its ability to target air-gapped systems. After initial compromise of an internet-connected machine, the malware prepares payloads that can spread through removable USB drives.

  • ThumbsBD monitors removable media and automatically copies malicious components.
  • VirusTask executes scheduled tasks on isolated systems once the infected USB device is inserted.
  • Collected data is staged for later exfiltration when the USB device reconnects to an internet-enabled system.

This “bridge system” method effectively bypasses physical network isolation, enabling controlled data extraction from secured environments.
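The bridge-system chain described above leaves a recognisable sequence on the isolated host: a removable drive appears, a program starts from that drive, and a scheduled task is created by a program on that drive. The correlation below is an added example written for this article, not tooling from the report; it assumes telemetry has already been normalised to the JSON fields shown (for instance device-arrival events, Sysmon Event ID 1 and Security Event ID 4698 flattened by a SIEM), and the event lines are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed, normalised telemetry (not real logs). The field names are an assumption about
# how a SIEM might flatten device-arrival, process-create (Sysmon ID 1) and
# scheduled-task-created (Security ID 4698) events.
SAMPLE_EVENTS = r"""
{"ts":"2024-05-01T09:00:00","host":"ISO-WS01","event":"usb_arrival","drive":"E:"}
{"ts":"2024-05-01T09:00:20","host":"ISO-WS01","event":"process_create","image":"C:\\Windows\\explorer.exe","cmdline":"explorer E:"}
{"ts":"2024-05-01T09:01:05","host":"ISO-WS02","event":"usb_arrival","drive":"F:"}
{"ts":"2024-05-01T09:01:30","host":"ISO-WS02","event":"process_create","image":"F:\\tools\\update.exe","cmdline":"F:\\tools\\update.exe /q"}
{"ts":"2024-05-01T09:01:45","host":"ISO-WS02","event":"task_created","task":"\\Microsoft\\Windows\\SyncCheck","creator_process":"F:\\tools\\update.exe"}
{"ts":"2024-05-01T14:30:00","host":"ISO-WS01","event":"task_created","task":"\\Backup\\Nightly","creator_process":"C:\\Windows\\System32\\mmc.exe"}
"""


def load_events(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_usb_to_task_chains(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Flag hosts where, within `window` of a removable drive appearing, a program started from
    that drive and a scheduled task was created by a program on that drive."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 sorts lexically
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        for arrival in (e for e in evs if e["event"] == "usb_arrival"):
            t0 = datetime.fromisoformat(arrival["ts"])
            drive = arrival["drive"].upper()
            in_window = [e for e in evs if t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window]
            launched = [e for e in in_window
                        if e["event"] == "process_create" and e["image"].upper().startswith(drive)]
            tasks = [e for e in in_window
                     if e["event"] == "task_created" and e["creator_process"].upper().startswith(drive)]
            if launched and tasks:
                alerts.append({"host": host, "drive": drive, "image": launched[0]["image"],
                               "task": tasks[0]["task"], "start": arrival["ts"], "end": tasks[-1]["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_usb_to_task_chains(load_events(SAMPLE_EVENTS)):
        print("USB-to-scheduled-task chain:", alert)
```

ISO-WS01 shows ordinary USB use (Explorer opens the drive; an unrelated task is created hours later) and stays quiet, while ISO-WS02 matches all three steps inside the window. On a genuinely air-gapped host the alert has to be collected locally or carried out by the same removable-media process it is meant to police, which is itself a reason to log USB events on the isolated side.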

Backdoored Ruby Runtime

SnakeDropper installs a modified Ruby interpreter embedded with backdoor functionality. This technique provides a stealthy persistence mechanism, as Ruby environments are often overlooked by traditional security monitoring tools.

The backdoored runtime allows attackers to:

  • Execute arbitrary commands
  • Load additional payloads dynamically
  • Maintain long-term access
  • Operate fileless components in memory

Mobile Surveillance Expansion

The FootWine component extends the campaign beyond traditional desktop systems. It targets Android devices to enable surveillance activities such as:

  • Call log monitoring
  • SMS interception
  • File collection
  • Location tracking

This indicates a broader intelligence-gathering objective beyond simple data theft.

Operational Objectives

APT37 is historically associated with intelligence collection and strategic espionage operations aligned with North Korean state interests. The targeting of air-gapped systems suggests objectives such as:

  • Military or defense data acquisition
  • Critical infrastructure reconnaissance
  • Policy and diplomatic intelligence gathering
  • Technology or intellectual property theft

Security Implications

The Ruby Jumper campaign highlights several evolving threat trends:

  • Abuse of legitimate cloud services for covert C2 communications
  • Advanced USB-based propagation mechanisms
  • Fileless shellcode execution to evade detection
  • Cross-platform surveillance spanning Windows and Android

Organizations relying on air-gapped systems should not assume complete immunity from cyber threats; they must enforce strict removable-media controls and deploy behavioral monitoring on both the isolated and the connected side of the gap.

Mitigation Recommendations

  • Disable PowerShell where it is not needed, or tightly restrict its execution policy
  • Implement strict USB device control and logging
  • Monitor for suspicious LNK file behavior
  • Inspect outbound traffic to cloud storage services for anomalies
  • Deploy endpoint detection and response (EDR) solutions capable of identifying in-memory shellcode execution
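The recommendation to inspect outbound traffic to cloud storage services can be made concrete with a baseline-and-deviation check. The script below is an added example for this article, not the vendor's or the report's tooling: it reads a proxy log in the constructed CSV shape shown, and flags cloud-storage requests that come from a host with no baseline history for that service, carry a non-browser user agent (PowerShell's default agent string is one such case), or are heavily upload-biased. The domain list, baseline, thresholds and log rows are all constructed assumptions.

```python
import csv
import io

# Cloud-storage destinations to watch. Zoho WorkDrive is named in the report; the others are
# generic examples of the same service class.
CLOUD_STORAGE_SUFFIXES = ("workdrive.zoho.com", "drive.google.com", "dropbox.com")
BROWSER_MARKERS = ("chrome/", "firefox/", "edg/", "safari/")
UPLOAD_BYTES_THRESHOLD = 1_000_000   # tune to the environment
UPLOAD_RATIO_THRESHOLD = 10.0        # bytes_out / bytes_in; browsing is download-heavy, exfiltration is not

# Constructed baseline: (host, destination) pairs observed during a learning period.
BASELINE = {("FIN-WS07", "workdrive.zoho.com")}

# Constructed proxy log (not real telemetry): one sanctioned WorkDrive user and one host that
# starts talking to WorkDrive from PowerShell and then pushes a large upload.
SAMPLE_PROXY_LOG = """ts,src_host,dst_host,user_agent,bytes_out,bytes_in
2024-05-01T10:00:01,FIN-WS07,workdrive.zoho.com,Mozilla/5.0 (Windows NT 10.0) Chrome/124.0,2048,51200
2024-05-01T10:02:13,HR-WS12,workdrive.zoho.com,Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041,4096,8192
2024-05-01T10:05:40,HR-WS12,workdrive.zoho.com,Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041,5242880,512
2024-05-01T10:06:00,ENG-WS03,example.com,Mozilla/5.0 (Windows NT 10.0) Chrome/124.0,100,2000
"""


def is_cloud_storage(host: str) -> bool:
    """Suffix match so subdomains of a watched service are covered too."""
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def analyse_proxy_log(text: str, baseline: set = BASELINE) -> list:
    """Return one alert per anomalous cloud-storage request, with the reasons it fired."""
    alerts = []
    seen = set(baseline)  # copy so repeated runs do not mutate the shared baseline
    for row in csv.DictReader(io.StringIO(text)):
        if not is_cloud_storage(row["dst_host"]):
            continue
        reasons = []
        key = (row["src_host"], row["dst_host"].lower())
        if key not in seen:
            reasons.append("first contact with this cloud-storage service from host")
        seen.add(key)  # later rows from the same host are no longer "first contact"
        ua = row["user_agent"].lower()
        if not any(marker in ua for marker in BROWSER_MARKERS):
            reasons.append("non-browser user agent: " + row["user_agent"])
        out, inn = int(row["bytes_out"]), int(row["bytes_in"])
        if out >= UPLOAD_BYTES_THRESHOLD and out / max(inn, 1) >= UPLOAD_RATIO_THRESHOLD:
            reasons.append("upload-heavy transfer: %d bytes out, %d in" % (out, inn))
        if reasons:
            alerts.append({"ts": row["ts"], "host": row["src_host"],
                           "dst": row["dst_host"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyse_proxy_log(SAMPLE_PROXY_LOG):
        print(alert["ts"], alert["host"], "->", alert["dst"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

The sanctioned FIN-WS07 browser session produces nothing, while HR-WS12 fires twice: first for a new host-to-service pairing with a PowerShell user agent, then for the upload-biased transfer. Legitimate sync clients also use non-browser agents, so the user-agent rule is best treated as a scoring signal to combine with the other two rather than an alert on its own.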

Conclusion

The Ruby Jumper campaign underscores the growing sophistication of APT37’s operations, particularly in targeting isolated environments traditionally considered secure. By combining social engineering, modular malware, USB propagation, and cloud-based C2 infrastructure, the group demonstrates a strategic capability to infiltrate even the most restricted networks.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.