# Ruby Jumper – A new malware campaign exploiting LNK and cloud C2 to control victim systems

### Introduction

In December 2025, researchers from Zscaler ThreatLabz discovered a new cyberattack campaign linked to the APT37 group—also known as **ScarCruft**, **Ruby Sleet**, and **Velvet Chollima**—a hacker group believed to be backed by North Korea. ThreatLabz named this campaign **Ruby Jumper**, where APT37 uses **Windows Shortcut (LNK)** files as the initial attack vector. The attack chain then deploys several newly discovered malware tools, including:

*   **RESTLEAF**
    
*   **SNAKEDROPPER**
    
*   **THUMBSBD**
    
*   **VIRUSTASK**
    

These components work together to download and deploy the final payloads, **FOOTWINE** and **BLUELIGHT**, allowing the attacker to conduct comprehensive surveillance of the victim's system. A notable aspect of the Ruby Jumper campaign is the exploitation of the Ruby language to load shellcode, along with the use of removable storage devices (USB, external hard drives) to transmit commands and data between air-gapped systems. APT37 has long used the **Chinotto** malware to attack individuals and government organizations to steal sensitive data and conduct espionage. Additionally, this group frequently deploys infection chains based on shellcode and memory-resident malware, similar to the techniques used in the Ruby Jumper campaign.

## Key Points

The Ruby Jumper campaign has several notable characteristics:

*   ThreatLabz discovered the Ruby Jumper campaign by APT37 in December 2025.  
    
*   **RESTLEAF** serves as the initial implant and uses **Zoho WorkDrive** as the Command-and-Control (C2) infrastructure.  
    
*   **SNAKEDROPPER** acts as a next-stage loader, installing the **Ruby runtime**, establishing persistence, and deploying the **THUMBSBD** and **VIRUSTASK** components.  
    
*   **THUMBSBD** is a backdoor capable of transmitting commands and data between online and air-gapped systems via removable storage devices.  
    
*   **VIRUSTASK** is responsible for infecting removable storage devices by replacing files with malicious LNK shortcuts.  
    
*   **FOOTWINE** is the final backdoor providing surveillance functions such as keylogging, audio recording, and video recording.
    

## Technical analysis

**Overall attack chain**

![](https://cdn.hashnode.com/uploads/covers/676511773cdd3c06f7b226ee/116a9c2d-e49e-410f-a46e-005afc63d50e.png align="center")

The attack chain begins with a malicious LNK file, which then downloads and executes various malware components, ultimately leading to:

*   infecting removable storage devices
    
*   deploying the **FOOTWINE** and **BLUELIGHT** backdoors
    
*   maintaining system surveillance capabilities
    

**RESTLEAF – Initial implant**

APT37 has used LNK files as an attack vector for many years.  
In the Ruby Jumper campaign:

1.  When the victim opens the malicious LNK file
    
2.  This file executes PowerShell
    
3.  The script will locate the LNK file based on its size
    
4.  Then it extracts multiple payloads embedded within the file.
    

The files created include:

| File | Type | Function |
| --- | --- | --- |
| find.bat | Batch | run PowerShell |
| search.dat | PowerShell | load shellcode |
| viewer.dat | shellcode | decode and execute payload |

Additionally, the campaign displays a decoy document in Arabic, discussing the Palestine-Israel conflict, translated from North Korean media.

![](https://cdn.hashnode.com/uploads/covers/676511773cdd3c06f7b226ee/d747a327-39ff-4211-958e-f454fd20e7d5.png align="center")

After execution, the payload will launch an executable in memory called **RESTLEAF**.

**RESTLEAF uses Zoho WorkDrive as C2**

RESTLEAF uses **Zoho WorkDrive** as the C2 infrastructure—this is the first time APT37 has been recorded exploiting this platform.

Operational process:

1.  RESTLEAF uses an embedded refresh token to obtain a valid access token
    
2.  Then accesses the Zoho WorkDrive API
    
3.  Downloads the shellcode file **AAA.bin**
    

Shellcode is then:

*   allocate memory for execution
    
*   copy payload
    
*   execute through process injection
    

After succeeding, RESTLEAF creates a beacon file in the cloud to notify the C2 that the system has been compromised.

**Two-stage shellcode mechanism**

APT37 uses a custom shellcode launcher.  
The execution sequence consists of two stages:

**Stage 1**

Launcher:

*   decode the second shellcode using XOR 1 byte
    
*   inject into a legitimate executable in
    

```plaintext
%WINDIR%\System32
%WINDIR%\SysWOW64
```

**Stage 2**

Second shellcode:

*   decode PE payload
    
*   load executable directly into memory (reflective loading)
    

This technique helps avoid detection by security tools.

**SNAKEDROPPER – Next-stage loader**

SNAKEDROPPER runs in a legitimate Windows process.  
Main activities:

1.  Extract the file **ruby3.zip**
    
2.  Install **Ruby 3.3 runtime**
    
3.  Located at:
    

```plaintext
%PROGRAMDATA%\usbspeed
```

4.  Rename interpreter:
    

```plaintext
rubyw.exe → usbspeed.exe
```

5.  Replace the file Ruby **operating\_system.rb** with malicious code
    
6.  Create a scheduled task:
    

```plaintext
rubyupdatecheck
```

runs every 5 minutes.

When the Ruby interpreter runs, the malicious script will:

*   load shellcode
    
*   execute the next modules.
    

**THUMBSBD – Backdoor for air-gapped systems**

THUMBSBD is disguised as the Ruby file **ascii.rb.**  
Main function:

*   transmit commands between air-gapped systems
    
*   exfiltrate data via USB
    

Malware collects system information such as:

*   username
    
*   hostname
    
*   Windows version
    
*   network configuration
    
*   files list
    
*   running processes
    

Working directories are created to store data.:

| Folder | Function |
| --- | --- |
| CMD | valid command |
| MCD | staging command |
| OCD | data for USB |
| PGI | downloaded payload |
| RST | data exfiltration |
| WRK | workspace |

**C2 Infrastructure**

THUMBSBD downloads payloads from domains:

```plaintext
philion.store
homeatedke.store
hightkdhe.store
```

During the research, **hightkdhe.store** was still active..

**Cầu nối USB cho hệ thống air-gapped**

When the USB is plugged in:  
THUMBSBD will:

1.  Create a hidden folder
    

```plaintext
$RECYCLE.BIN
```

2.  Copy the data for exfiltration
    
3.  Decrypt the file using XOR
    
4.  Execute commands from USB
    
5.  Write results back to USB
    

This mechanism turns the USB into an indirect C2 channel between two separate networks.

![](https://cdn.hashnode.com/uploads/covers/676511773cdd3c06f7b226ee/243c48db-852b-4ec2-bd8b-657ce3a4912c.png align="center")

**VIRUSTASK – Spread via USB**

VIRUSTASK is responsible for infecting new systems.  
Procedure:

1.  Check if the USB has more than 2GB free
    
2.  Create a hidden folder:
    

```plaintext
$RECYCLE.BIN.USER
```

3.  Copy payload to
    
4.  Scan victim's files
    
5.  Hide original file
    
6.  Replace with malicious LNK
    

When the user opens the file:

```plaintext
LNK → usbspeed.exe (Ruby interpreter)
```

Ruby will automatically load the malicious script and execute the shellcode.

**FOOTWINE – Surveillance backdoor**

FOOTWINE is distributed under the alias:

```plaintext
foot.apk
```

Although it has an Android extension, it is actually an encrypted Windows payload. FOOTWINE offers capabilities:

*   keylogging
    
*   screenshot
    
*   recording audio
    
*   recording video
    
*   file manipulation
    
*   shell control
    
*   proxy network
    

C2 communication uses:

*   TCP protocol
    
*   XOR-based encryption
    
*   A 32-byte session key is generated randomly
    

**BLUELIGHT**

BLUELIGHT is a previously documented backdoor of APT37. It uses various legitimate cloud services as C2, including:

*   Google Drive
    
*   Microsoft OneDrive
    
*   pCloud
    
*   Backblaze
    

Functions:

*   execute commands
    
*   download payload
    
*   upload data
    
*   self-delete
    

**Attribution**

ThreatLabz identifies APT37 as being behind this campaign with high confidence, based on:

*   Attack vector LNK + PowerShell + shellcode
    
*   Using BLUELIGHT malware
    
*   Two-stage shellcode technique
    
*   Using cloud services as C2
    
*   Targets aligned with DPRK interests
    

## Conclusion

Ruby Jumper is a complex multi-stage attack campaign, starting with a malicious LNK file, then deploying a complete Ruby environment to run malware.

In particular, the two tools THUMBSBD and VIRUSTASK allow:

*   attack air-gapped systems
    
*   transmit commands via USB
    
*   exfiltrate data from isolated networks
    

This is a particularly dangerous technique because it bypasses security measures based on network segmentation.

**FPT Threat Intelligence** provides the following recommendations:

*   Block or alert when users open LNK files from email, USB, or untrusted sources
    
*   Monitor LNK files executing PowerShell, cmd.exe, or script interpreters
    
*   Deploy EDR/XDR to detect behavior
    
*   Enable PowerShell Script Block Logging
    
*   Monitor unusual runtime installations such as Ruby, Python, NodeJS
    
*   Limit or disable USB storage
    
*   Implement Device Control Policy
    
*   Automatically scan for malware when USB is connected to the system
    
*   Monitor network traffic to cloud storage APIs
    
*   Detect unusual token authentication
    

## IOC

MD5 Hash:

| **Indicator** | **Filename** | **Description** |
| --- | --- | --- |
| 709d70239f1e9441e8e21fcacfdc5d08 |  | Windows shortcut |
| ad556f4eb48e7dba6da14444dcce3170 | viewer.dat | Binary (Shellcode+RESTLEAF) |
| 098d697f29b94c11b52c51bfe8f9c47d |  | Binary (Shellcode+SNAKEDROPPER) |
| 4214818d7cde26ebeb4f35bc2fc29ada | ascii.rb | Binary (Shellcode+ThmubsBD) |
| 5c6ff601ccc75e76c2fc99808d8cc9a9 | bundler\_index\_client.rb | Binary (Shellcode+VIRUSTASK) |
| 476bce9b9a387c5f39461d781e7e22b9 | foot.apk | Binary (Shellcode+FOOTWINE) |
| 585322a931a49f4e1d78fb0b3f3c6212 | footaaa.apk | Binary (Shellcode+BLUELIGHT) |

Network:

| **Indicator** | **Description** |
| --- | --- |
| philion.store | THUMBSBD C2 |
| homeatedke.store | THUMBSBD C2 |
| hightkdhe.store | THUMBSBD C2 |
| 144.172.106.66:8080 | FOOTWINE C2 |

## References

[APT37 Adds New Tools For Air-Gapped Networks | ThreatLabz](https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks)

[APT37 combines cloud storage and USB implants to infiltrate air-gapped systems](https://securityaffairs.com/188767/apt/apt37-combines-cloud-storage-and-usb-implants-to-infiltrate-air-gapped-systems.html)
