Ruby Jumper – A new malware campaign exploiting LNK and cloud C2 to control victim systems

Published
7 min read

Introduction

In December 2025, researchers from Zscaler ThreatLabz discovered a new cyberattack campaign linked to the APT37 group—also known as ScarCruft, Ruby Sleet, and Velvet Chollima—a hacker group believed to be backed by North Korea. ThreatLabz named this campaign Ruby Jumper, where APT37 uses Windows Shortcut (LNK) files as the initial attack vector. The attack chain then deploys several newly discovered malware tools, including:

  • RESTLEAF

  • SNAKEDROPPER

  • THUMBSBD

  • VIRUSTASK

These components work together to download and deploy the final payloads, FOOTWINE and BLUELIGHT, allowing the attacker to conduct comprehensive surveillance of the victim's system. A notable aspect of the Ruby Jumper campaign is the exploitation of the Ruby language to load shellcode, along with the use of removable storage devices (USB, external hard drives) to transmit commands and data between air-gapped systems. APT37 has long used the Chinotto malware to attack individuals and government organizations to steal sensitive data and conduct espionage. Additionally, this group frequently deploys infection chains based on shellcode and memory-resident malware, similar to the techniques used in the Ruby Jumper campaign.

Key Points

The Ruby Jumper campaign has several notable characteristics:

  • ThreatLabz discovered the Ruby Jumper campaign by APT37 in December 2025.

  • RESTLEAF serves as the initial implant and uses Zoho WorkDrive as the Command-and-Control (C2) infrastructure.

  • SNAKEDROPPER acts as a next-stage loader, installing the Ruby runtime, establishing persistence, and deploying the THUMBSBD and VIRUSTASK components.

  • THUMBSBD is a backdoor capable of transmitting commands and data between online and air-gapped systems via removable storage devices.

  • VIRUSTASK is responsible for infecting removable storage devices by replacing files with malicious LNK shortcuts.

  • FOOTWINE is the final backdoor providing surveillance functions such as keylogging, audio recording, and video recording.

Technical analysis

Overall attack chain

The attack chain begins with a malicious LNK file, which then downloads and executes various malware components, ultimately leading to:

  • infecting removable storage devices

  • deploying the FOOTWINE and BLUELIGHT backdoors

  • maintaining system surveillance capabilities

RESTLEAF – Initial implant

APT37 has used LNK files as an attack vector for many years. In the Ruby Jumper campaign:

  1. The victim opens the malicious LNK file.

  2. The LNK file launches PowerShell.

  3. The PowerShell script locates the LNK file on disk by its size.

  4. It then extracts the multiple payloads embedded within the LNK file.

The files created include:

| File | Type | Function |
| --- | --- | --- |
| find.bat | Batch | Runs PowerShell |
| search.dat | PowerShell | Loads the shellcode |
| viewer.dat | Shellcode | Decodes and executes the payload |

Additionally, the campaign displays a decoy document in Arabic, discussing the Palestine-Israel conflict, translated from North Korean media.

After execution, the shellcode launches an in-memory executable called RESTLEAF.

RESTLEAF uses Zoho WorkDrive as C2

RESTLEAF uses Zoho WorkDrive as the C2 infrastructure—this is the first time APT37 has been recorded exploiting this platform.

Operational process:

  1. RESTLEAF uses an embedded refresh token to obtain a valid access token.

  2. It then calls the Zoho WorkDrive API.

  3. It downloads the shellcode file AAA.bin.

RESTLEAF then:

  • allocates memory for execution

  • copies the payload into it

  • executes it via process injection

After succeeding, RESTLEAF creates a beacon file in the cloud to notify the C2 that the system has been compromised.

Two-stage shellcode mechanism

APT37 uses a custom shellcode launcher. The execution sequence consists of two stages:

Stage 1

The launcher:

  • decodes the second-stage shellcode with a single-byte XOR key

  • injects it into a legitimate executable from %WINDIR%\System32 or %WINDIR%\SysWOW64

Stage 2

The second-stage shellcode:

  • decodes the PE payload

  • loads the executable directly into memory (reflective loading)

Loading the payload in memory without writing a PE file to disk helps it avoid detection by security tools.
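Added triage example (not code from the ThreatLabz report or the malware): a Python helper an analyst can use to recover the single-byte XOR key applied to a stage-two blob and decode the embedded PE; the input bytes are a constructed fake DOS header, not a real sample.

```python
"""Single-byte XOR key recovery for an XOR-obfuscated PE payload.

Added triage example; not code from the ThreatLabz report or the malware.
The bytes below are a constructed minimal DOS header, not a real sample.
"""
from typing import Optional

# A decoded PE should start with the MZ magic and carry the DOS stub string;
# requiring both avoids accepting a key that only happens to produce "MZ".
MZ_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (a one-byte key is single-byte XOR)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_single_byte_xor_key(blob: bytes) -> Optional[int]:
    """Return the one-byte key that turns blob into a PE image, else None."""
    for key in range(256):
        decoded = xor_bytes(blob, bytes([key]))
        if decoded.startswith(MZ_MAGIC) and DOS_STUB in decoded:
            return key
    return None


def decode_blob(blob: bytes) -> Optional[bytes]:
    """Recover the key and decode; None means blob is not a single-byte XOR'd PE."""
    key = recover_single_byte_xor_key(blob)
    return None if key is None else xor_bytes(blob, bytes([key]))


# Constructed sample: fake DOS header + stub, obfuscated with key 0x5A.
FAKE_PE = MZ_MAGIC + b"\x90" * 62 + DOS_STUB + b".\r\r\n$" + b"\x00" * 16
SAMPLE_BLOB = xor_bytes(FAKE_PE, b"\x5a")

if __name__ == "__main__":
    key = recover_single_byte_xor_key(SAMPLE_BLOB)
    print("no key found" if key is None else f"recovered key: {key:#04x}")
```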

SNAKEDROPPER – Next-stage loader

SNAKEDROPPER runs inside a legitimate Windows process. Main activities:

  1. Extract the archive ruby3.zip.

  2. Install the Ruby 3.3 runtime under %PROGRAMDATA%\usbspeed.

  3. Rename the interpreter rubyw.exe to usbspeed.exe.

  4. Replace the Ruby file operating_system.rb with malicious code.

  5. Create a scheduled task named rubyupdatecheck that runs every 5 minutes.

When the Ruby interpreter runs, the malicious script:

  • loads shellcode

  • executes the next modules

THUMBSBD – Backdoor for air-gapped systems

THUMBSBD is disguised as the Ruby file ascii.rb. Main functions:

  • transmit commands between air-gapped systems

  • exfiltrate data via USB

Malware collects system information such as:

  • username

  • hostname

  • Windows version

  • network configuration

  • files list

  • running processes

Working directories are created to store data:

| Folder | Function |
| --- | --- |
| CMD | validated commands |
| MCD | staged commands |
| OCD | data for USB transfer |
| PGI | downloaded payloads |
| RST | data for exfiltration |
| WRK | workspace |

C2 Infrastructure

THUMBSBD downloads payloads from the following domains:

philion.store
homeatedke.store
hightkdhe.store

At the time of the research, hightkdhe.store was still active.

USB bridge for air-gapped systems

When a USB device is plugged in, THUMBSBD will:

  1. Create a hidden folder named $RECYCLE.BIN on the device

  2. Copy the data staged for exfiltration into it

  3. Decrypt the file using XOR

  4. Execute commands read from the USB

  5. Write the results back to the USB

This mechanism turns the USB into an indirect C2 channel between two separate networks.

VIRUSTASK – Spread via USB

VIRUSTASK is responsible for infecting new systems. Procedure:

  1. Check whether the USB device has more than 2 GB free

  2. Create a hidden folder named $RECYCLE.BIN.USER

  3. Copy the payload into it

  4. Scan the victim's files

  5. Hide each original file

  6. Replace it with a malicious LNK

When the user opens the file:

LNK → usbspeed.exe (Ruby interpreter)

Ruby automatically loads the malicious script and executes the shellcode.
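Added detection example, not code from the report: it checks a removable-drive listing for the traces THUMBSBD and VIRUSTASK leave on a USB device as described in the two sections above; the Entry type and the listing entries are constructed for the demonstration.

```python
"""Triage of a removable-drive listing for the USB tradecraft described above.

Added example, not code from the report; the Entry tuples are constructed.
Flags a hidden $RECYCLE.BIN.USER folder (VIRUSTASK staging), LNK files that
run usbspeed.exe (the renamed Ruby interpreter), and LNK files that shadow a
hidden file of the same name (VIRUSTASK's file-replacement pattern). A plain
$RECYCLE.BIN is not flagged by name: Windows creates one legitimately.
"""
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    path: str                         # relative to drive root, forward slashes
    is_dir: bool
    hidden: bool
    lnk_target: Optional[str] = None  # resolved target, .lnk entries only


def triage_usb_listing(entries: List[Entry]) -> List[str]:
    """Return one finding string per suspicious entry in the listing."""
    findings: List[str] = []
    hidden_files = {e.path.lower() for e in entries if e.hidden and not e.is_dir}
    for e in entries:
        lower = e.path.lower()
        if e.is_dir and e.hidden and lower == "$recycle.bin.user":
            findings.append(f"hidden staging folder: {e.path}")
        if not lower.endswith(".lnk"):
            continue
        target = (e.lnk_target or "").lower().replace("\\", "/")
        if target.rsplit("/", 1)[-1] == "usbspeed.exe":
            findings.append(f"LNK runs renamed Ruby interpreter: {e.path} -> {e.lnk_target}")
        if lower[:-4] in hidden_files:   # report.docx hidden, report.docx.lnk visible
            findings.append(f"LNK shadows hidden original: {e.path}")
    return findings


# Constructed listing resembling an infected drive (not a real capture).
SAMPLE_ENTRIES = [
    Entry("$RECYCLE.BIN", True, True),                    # legitimate folder
    Entry("$RECYCLE.BIN.USER", True, True),
    Entry("$RECYCLE.BIN.USER/usbspeed.exe", False, True),
    Entry("report.docx", False, True),                     # hidden original
    Entry("report.docx.lnk", False, False, "$RECYCLE.BIN.USER\\usbspeed.exe"),
    Entry("notes.txt", False, False),
]
```

Running `triage_usb_listing(SAMPLE_ENTRIES)` returns three findings: the staging folder, the LNK that runs usbspeed.exe, and the LNK that shadows the hidden report.docx.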

FOOTWINE – Surveillance backdoor

FOOTWINE is distributed under the filename foot.apk.

Although it has an Android extension, it is actually an encrypted Windows payload. FOOTWINE offers the following capabilities:

  • keylogging

  • screenshot

  • recording audio

  • recording video

  • file manipulation

  • shell control

  • network proxying

C2 communication uses:

  • TCP protocol

  • XOR-based encryption

  • a randomly generated 32-byte session key

BLUELIGHT

BLUELIGHT is a previously documented backdoor of APT37. It uses various legitimate cloud services as C2, including:

  • Google Drive

  • Microsoft OneDrive

  • pCloud

  • Backblaze

Functions:

  • execute commands

  • download payload

  • upload data

  • self-delete

Attribution

ThreatLabz identifies APT37 as being behind this campaign with high confidence, based on:

  • Attack vector of LNK + PowerShell + shellcode

  • Use of the BLUELIGHT malware

  • Two-stage shellcode technique

  • Use of cloud services as C2

  • Targets aligned with DPRK interests

Conclusion

Ruby Jumper is a complex multi-stage attack campaign, starting with a malicious LNK file, then deploying a complete Ruby environment to run malware.

In particular, the two tools THUMBSBD and VIRUSTASK allow the attacker to:

  • attack air-gapped systems

  • transmit commands via USB

  • exfiltrate data from isolated networks

This is a particularly dangerous technique because it bypasses security measures based on network segmentation.

FPT Threat Intelligence provides the following recommendations:

  • Block or alert when users open LNK files from email, USB, or untrusted sources

  • Monitor LNK files executing PowerShell, cmd.exe, or script interpreters

  • Deploy EDR/XDR to detect behavior

  • Enable PowerShell Script Block Logging

  • Monitor unusual runtime installations such as Ruby, Python, NodeJS

  • Limit or disable USB storage

  • Implement Device Control Policy

  • Automatically scan for malware when USB is connected to the system

  • Monitor network traffic to cloud storage APIs

  • Detect unusual token authentication

IOC

MD5 hashes:

| Indicator | Filename | Description |
| --- | --- | --- |
| 709d70239f1e9441e8e21fcacfdc5d08 | | Windows shortcut |
| ad556f4eb48e7dba6da14444dcce3170 | viewer.dat | Binary (shellcode + RESTLEAF) |
| 098d697f29b94c11b52c51bfe8f9c47d | | Binary (shellcode + SNAKEDROPPER) |
| 4214818d7cde26ebeb4f35bc2fc29ada | ascii.rb | Binary (shellcode + THUMBSBD) |
| 5c6ff601ccc75e76c2fc99808d8cc9a9 | bundler_index_client.rb | Binary (shellcode + VIRUSTASK) |
| 476bce9b9a387c5f39461d781e7e22b9 | foot.apk | Binary (shellcode + FOOTWINE) |
| 585322a931a49f4e1d78fb0b3f3c6212 | footaaa.apk | Binary (shellcode + BLUELIGHT) |

Network:

| Indicator | Description |
| --- | --- |
| philion.store | THUMBSBD C2 |
| homeatedke.store | THUMBSBD C2 |
| hightkdhe.store | THUMBSBD C2 |
| 144.172.106.66:8080 | FOOTWINE C2 |

References

APT37 Adds New Tools For Air-Gapped Networks | ThreatLabz

APT37 combines cloud storage and USB implants to infiltrate air-gapped systems

FPT IS Security

726 posts

Dedicated to providing insightful articles on cybersecurity threat intelligence, aimed at empowering individuals and organizations to navigate the digital landscape safely.