The USB flash drive sitting in your drawer is not neutral. In the hands of North Korea's APT37, it is a precision instrument capable of extracting data from systems that have never touched the internet. The Ruby Jumper campaign, uncovered in December 2025 and publicly detailed in late February 2026, represents something the security community rarely sees: a fully realized, end-to-end toolkit built for one specific purpose — crossing the physical barrier of an air-gapped network.
Air-gapped systems exist because someone, somewhere, decided that certain data was too sensitive to trust to any network. Governments put nuclear facility controls behind air gaps. Defense contractors isolate weapons design environments. Research institutions wall off classified project data. The premise is simple: no network connection means no remote attacker. It is a physical security guarantee, and for decades it has held up reasonably well — until threat actors started treating the human being carrying a USB drive as the attack surface.
Ruby Jumper, a campaign attributed with high confidence to the North Korean state-sponsored group APT37 by researchers at Zscaler ThreatLabz, does not find a hole in a firewall or exploit an unpatched VPN. It finds the IT administrator who plugs the same thumb drive into both their office laptop and an isolated workstation. It finds the engineer who moves a file from a connected system to an air-gapped one. That is the attack surface, and APT37 has built an entire software toolkit around exploiting it.
Who Is APT37 and Why Does It Matter
APT37 is not a new name in threat intelligence. The group has been active since at least 2012 and operates under a collection of aliases — ScarCruft, Ruby Sleet, Velvet Chollima, Reaper, and Ricochet Chollima among them. Kaspersky first publicly documented the group's operations in 2016, and in early 2018 researchers revealed that APT37 had leveraged a zero-day vulnerability in Adobe Flash Player against South Korean targets. The group is widely attributed to North Korea's Reconnaissance General Bureau (RGB), the intelligence arm responsible for the country's offensive cyber program. The group's primary mission, as summarized consistently across Mandiant, Huntress, and Brandefense reporting, is cyberespionage in direct support of DPRK's military, political, and economic interests.
Historically, APT37 focused on South Korea: government officials, defectors, human rights organizations, journalists covering North Korean affairs, and defense contractors. Over time that scope broadened. The group has been tied to operations in Japan, Vietnam, Russia, the Middle East, China, Romania, and the United States. It has targeted missile technology firms, think tanks, academic researchers, and even other cybersecurity professionals.
"ScarCruft's focus on consumers of technical threat intelligence reports suggests an intent to gain insights into non-public cyber threat intelligence and defense strategies. This helps in identifying potential threats to their operations and contributes to refining their operational and evasive approaches." — SentinelLabs, via The Record (Recorded Future News)
That quote, from a SentinelLabs analysis published by Recorded Future News in January 2024, is worth sitting with. APT37 is not just stealing secrets from governments and defense companies. It is actively trying to understand how the security community tracks and hunts its own operations. The Ruby Jumper campaign represents the operational payoff of years of that intelligence gathering: a toolkit so technically mature that five of its six components had never been documented before Zscaler's February 2026 report.
Zscaler ThreatLabz attributes Ruby Jumper to APT37 with high confidence, based on the reuse of the BLUELIGHT backdoor (previously exclusive to this group), consistent LNK-based infection chains using PowerShell and encrypted shellcode, a characteristic two-stage shellcode launcher with custom API hashing (ROR 11 for module names, ROR 15 for function names), and victimology that directly aligns with DPRK strategic interests. Source: Zscaler ThreatLabz, February 2026.
The Ruby Jumper Toolkit: Six Tools, One Mission
What makes Ruby Jumper technically distinct is not any single component in isolation. It is the architecture: each tool is scoped to a specific role, and together they form a complete pipeline from initial infection on an internet-connected machine to persistent surveillance on an air-gapped one. Five of the six tools were previously unknown to the security community when Zscaler published its findings.
RESTLEAF — The Initial Implant
RESTLEAF is the first executable payload deployed after a victim opens a malicious LNK file. It is a Windows implant that uses Zoho WorkDrive for command-and-control (C2) communications — a first for APT37, which had previously abused services like Dropbox, Google Drive, OneDrive, and pCloud. RESTLEAF authenticates to Zoho WorkDrive using hardcoded OAuth refresh tokens embedded in the binary, profiles the compromised system, establishes persistence, and begins retrieving follow-on payloads. It signals active infections to operators by dropping timestamped beacon files with a naming pattern of "lion [timestamp]" inside a Zoho WorkDrive folder labeled "Second."
SNAKEDROPPER — The Loader
SNAKEDROPPER operates as a loader and staging environment. It extracts a ruby3.zip archive and installs a complete Ruby 3.3.0 runtime under %PROGRAMDATA%\usbspeed, renaming the Ruby interpreter executable (rubyw.exe) to usbspeed.exe to impersonate a legitimate USB utility. Its persistence mechanism is particularly precise: rather than simply scheduling an external task, it hijacks RubyGems' auto-loaded operating_system.rb file, replacing it with malicious logic that executes automatically every time the interpreter starts. A supplemental Windows scheduled task named rubyupdatecheck runs the disguised interpreter every five minutes, ensuring persistence that survives reboots even if the auto-load hijack is detected separately. The use of a self-contained Ruby runtime is a meaningful evasion choice: it does not rely on any pre-installed interpreter, creates a plausible process name, and reduces the footprint of detectable anomalies compared to leveraging existing scripting environments that may be monitored.
THUMBSBD — The Air-Gap Bridge
THUMBSBD is the centerpiece of the air-gap attack. It turns removable drives into covert, bidirectional C2 channels. When a USB device is connected to an infected internet-facing machine, THUMBSBD creates a hidden $RECYCLE.BIN directory at the root of the drive and writes staged command files into it. That directory is designed to visually blend in with the legitimate Windows Recycle Bin folder and remain invisible under default Explorer settings. When that same drive is later plugged into an air-gapped machine running a THUMBSBD instance, the implant reads the staged commands, decrypts them using a single-byte XOR key (0x83), executes them by parsing the command identifier from offset 0x0C, and writes stolen data back to the same hidden folder for retrieval when the drive returns to an internet-connected system.
Before staging any data for exfiltration, THUMBSBD builds a comprehensive profile of the host and stores it encrypted at %LOCALAPPDATA%\TnGtp\TN.dat using a single-byte XOR key. That profile includes hardware diagnostics via dxdiag, running processes, full network configuration via ipconfig /all, a recursive file system enumeration of the complete directory tree, and connectivity status via ping and netstat. The implant uses a victim identifier derived from disk metadata to determine whether a command package on a given drive is intended for the current host — preventing commands meant for one target from executing on an unintended machine. THUMBSBD also downloads additional payloads and executes shellcode from a specified directory path.
VIRUSTASK — The Propagation Engine
While THUMBSBD handles communication, VIRUSTASK handles expansion. Delivered as bundler_index_client.rb, its sole function is infecting new air-gapped machines by weaponizing removable drives. When a USB device with at least 2GB of free space is inserted into an infected system, VIRUSTASK executes a multi-stage infection routine: it creates a hidden $RECYCLE.BIN.USER directory on the drive, copies usbspeed.exe and the accompanying Ruby scripts into that structure, then enumerates all files on the drive, hides the legitimate versions, and replaces them with identically named LNK shortcuts. When a victim on an air-gapped machine clicks what appears to be their normal file, the disguised Ruby interpreter checks for the presence of the %PROGRAMDATA%\usbspeed directory and, finding the environment is not yet infected, executes shellcode from task.rb to infect the new host. VIRUSTASK tracks its execution state through the Windows registry key HKCU\Software\Microsoft\ActiveUSBPolicies.
"VirusTask complements ThumbsBD to form a complete air-gap attack toolkit. While ThumbsBD handles C&C communication and data exfiltration, VirusTask ensures the malware spreads to new systems through social engineering by replacing legitimate files with malicious shortcuts that victims trust and execute." — Zscaler ThreatLabz, February 2026
FOOTWINE — The Surveillance Backdoor
FOOTWINE is delivered by THUMBSBD and functions as a full surveillance platform. In an unusual obfuscation choice, it is delivered under the filename foot.apk — borrowing the Android package file extension — despite being a Windows backdoor with no Android functionality whatsoever. It is an encrypted payload with an integrated shellcode launcher. Upon execution, FOOTWINE parses an embedded configuration string using a double-asterisk (**) delimiter to extract its primary C2 IP address, then communicates using a custom binary protocol over TCP. A custom XOR-based key exchange protocol establishes the encrypted channel, with variable packet padding included to obscure traffic size. Its surveillance capabilities include keystroke logging, screenshot capture, audio recording via the system microphone, webcam and video capture, file manipulation including timestomping, registry access, process management, dynamic DLL loading, and remote shell command execution. A documented C2 server at 144.172.106.66:8080 was identified in Zscaler's analysis. FOOTWINE payloads are encoded with a random 32-byte XOR key.
BLUELIGHT — The Veteran
BLUELIGHT is the only previously documented component in the Ruby Jumper chain. Volexity first publicly attributed BLUELIGHT to APT37 in August 2021, following a watering-hole attack against Daily NK — a South Korean digital newspaper focused on North Korean affairs — in which the group injected malicious JavaScript into the site's jQuery libraries and exploited two Internet Explorer zero-day vulnerabilities (CVE-2020-1380 and CVE-2021-26411) to deliver BLUELIGHT as the attack's final payload. Kaspersky independently corroborated the attribution. In November 2022, ESET subsequently identified BLUELIGHT as a staging platform for a separate, more sophisticated backdoor named Dolphin, which ESET found had been manually deployed against only a small subset of high-value targets. In Ruby Jumper, BLUELIGHT communicates with cloud storage providers — specifically Google Drive, Microsoft OneDrive, pCloud, and Backblaze — for C2 operations, and can execute commands, enumerate the file system, download additional payloads, upload files, and remove itself to reduce forensic artifacts. In internet-connected environments it handles active tasking and exfiltration directly. In air-gapped scenarios it facilitates data staging for delayed retrieval via USB.
The Attack Chain: From a Shortcut File to a Stolen Hard Drive
The infection begins with a malicious Windows shortcut file — an LNK file. This is not a new technique for APT37, which has relied on LNK-based initial access consistently across campaigns dating back years. What is new in Ruby Jumper is what happens after that click.
Opening the LNK file silently launches a PowerShell command that scans the current directory to locate itself by file size, then carves multiple embedded payloads from fixed offsets within the shortcut itself. The specific files dropped are find.bat, a Windows batch file that launches PowerShell; search.dat, a PowerShell script that loads shellcode into memory; and viewer.dat, the shellcode file containing the encrypted embedded payload. Among those payloads is a decoy document displayed to the victim to establish a veneer of legitimacy: an article about the Palestine-Israel conflict, translated from a North Korean newspaper into Arabic. The selection of this decoy is deliberate. Zscaler researchers noted that the victimology aligns with individuals interested in North Korean media narratives or perspectives — likely journalists, academics, analysts, or policy professionals covering the region.
While the victim reads the decoy document, the attack chain executes in the background through a two-stage shellcode process. Stage 1 injects shellcode into a randomly selected legitimate Windows executable from %WINDIR%\System32 or %WINDIR%\SysWow64, decrypting it using a single-byte XOR key. Stage 2 uses that shellcode to reflectively load an embedded Windows executable payload, also decoded with a one-byte XOR key. This in-memory execution approach minimizes artifacts written to disk, making the infection significantly harder to detect with traditional file-based scanning.
Once RESTLEAF loads in memory, it authenticates to Zoho WorkDrive using hardcoded OAuth refresh tokens and attempts to download a shellcode file specifically named AAA.bin from the WorkDrive repository. Execution of AAA.bin proceeds via classic process injection. RESTLEAF then signals an active infection to operators by creating timestamped beacon files with a naming pattern of "lion [timestamp]" inside a Zoho WorkDrive folder labeled "Second" — a documented and huntable operational signature.
Defenders should hunt for the following artifacts documented by Zscaler ThreatLabz (Seongsu Park, February 26, 2026):
File system: %PROGRAMDATA%\usbspeed\ directory or process usbspeed.exe; shellcode payload AAA.bin downloaded from Zoho WorkDrive; LNK-dropped files find.bat, search.dat, and viewer.dat; THUMBSBD delivered as ascii.rb; VIRUSTASK delivered as bundler_index_client.rb; FOOTWINE payload delivered as foot.apk; host profile data at %LOCALAPPDATA%\TnGtp\TN.dat (XOR-encrypted); hidden directories named $RECYCLE.BIN (THUMBSBD staging) and $RECYCLE.BIN.USER (VIRUSTASK propagation) on removable media.
Registry: Scheduled task rubyupdatecheck (5-minute interval); registry keys associated with THUMBSBD and VIRUSTASK under HKCU\Software\Microsoft\TnGtp and HKCU\Software\Microsoft\ActiveUSBPolicies.
Network: C2 traffic to 144.172.106.66:8080; outbound OAuth token exchange with Zoho WorkDrive from non-browser, non-standard-path processes; domains philion.store, homeatedke.store, and hightkdhe.store.
Source: Zscaler ThreatLabz and Cyber Security News.
Once SNAKEDROPPER stages the Ruby environment and persistence mechanism, any USB drive plugged into the infected machine becomes a potential carrier. THUMBSBD begins loading operator commands onto drives and reading exfiltrated data from them. VIRUSTASK weaponizes the contents of those drives to infect new machines on the air-gapped side. FOOTWINE deploys onto target systems and begins surveillance operations. BLUELIGHT provides an additional exfiltration and command pathway through cloud storage. The Zscaler ThreatLabz report documenting this campaign was authored by Seongsu Park, Staff Threat Researcher, and published February 26, 2026.
The chain is self-sustaining. Once the initial infection takes hold on a single internet-connected machine, it can propagate laterally across air-gapped networks indefinitely — as long as people keep using USB drives to move files, which in air-gapped environments is essentially the only way to move files at all.
The Bigger Picture: Cloud as a Weapon
One of the defining characteristics of APT37's recent evolution is the systematic abuse of legitimate cloud storage platforms for C2 infrastructure. This is not accidental — it is a calculated evasion strategy. Enterprise security tools are typically configured to allow traffic to Zoho, Google Drive, OneDrive, pCloud, Dropbox, and Yandex because these are widely used business services. Blocking them wholesale is not operationally practical for most organizations. APT37 exploits exactly that constraint.
The use of Zoho WorkDrive specifically in Ruby Jumper is a documented first for the group. Brandefense's 2025 APT37 profile noted that the group was already using cloud platforms not just for exfiltration but for persistence — abusing cloud authorization tokens for stealthy re-entry into compromised environments. Ruby Jumper extends that pattern: RESTLEAF uses hardcoded OAuth tokens to authenticate to Zoho WorkDrive, meaning the implant does not need to perform any credential harvesting or network reconnaissance to establish its C2 channel. The tokens are baked in at compile time.
"APT37 continues to utilize cloud services such as pCloud, Yandex, DropBox, Zoho, and Box for its C2 communication, a technique also observed in RESTLEAF and BLUELIGHT." — Zscaler ThreatLabz, February 2026
This matters for defenders because it shifts the detection problem. You cannot block Zoho WorkDrive without breaking your accounting team's workflow. You cannot block Google Drive without disrupting collaboration. The detection signal has to come from behavioral analysis of which processes are making those cloud requests, from where on the filesystem they are executing, and whether the file paths and process names match known legitimate applications. That is a significantly harder detection problem than blocking a known-malicious IP address.
What Makes Ruby Jumper Different from Everything Before It
Air-gap crossing attacks are not new to the threat intelligence record. Stuxnet, discovered in 2010 and widely attributed by researchers to a joint U.S.-Israeli operation, was the seminal demonstration that air-gapped industrial control systems could be compromised via USB propagation. Various nation-state actors have since developed their own air-gap bridging capabilities. What distinguishes Ruby Jumper from the historical record is the completeness and modularity of the toolkit.
Previous air-gap attacks were typically built around a single capability: a worm that spread via USB, or a backdoor that used removable media as a relay. Ruby Jumper is different in that APT37 engineered distinct, scoped components for each phase of the operation. VIRUSTASK handles only propagation. THUMBSBD handles only the bidirectional relay. FOOTWINE handles only surveillance. RESTLEAF handles only the initial C2 establishment. SNAKEDROPPER handles only the staging and persistence of the runtime environment. Each component does one job and does it in a way that minimizes its own footprint.
The use of Ruby — a relatively uncommon runtime in enterprise Windows environments — as the execution vehicle for shellcode is also notable. By bundling a self-contained Ruby 3.3.0 interpreter and renaming it to usbspeed.exe, APT37 avoids relying on any pre-installed scripting runtime that might be monitored, and creates a process name that plausibly belongs in a system with active USB device management. Defenders not specifically hunting for unexpected Ruby installations or scheduled tasks referencing Ruby are likely to miss it entirely.
There is also a psychological dimension to how this campaign is constructed that deserves attention. The decoy document is not generic. It is specifically tailored: a translated piece from North Korean state media about the Palestine-Israel conflict, rendered in Arabic. That level of targeting specificity suggests APT37 had a specific profile of victim in mind — likely an Arabic-speaking analyst, journalist, or policy professional engaged with North Korean media or foreign affairs research. The operational intelligence required to craft that lure does not come from nowhere. It is the product of years of reconnaissance against the community APT37 wants to penetrate.
What Defenders Need to Do Right Now
The Ruby Jumper campaign requires organizations that operate air-gapped environments to rethink several assumptions that have been comfortable for a long time.
The first assumption to revisit is that air gapping alone constitutes a security control. It does not. It is a risk reduction measure that shifts the attack surface from remote to physical. As long as any human being moves data between connected and isolated environments using removable media, the air gap has a bridge. The security control is the policy and technical enforcement around that bridge, not the gap itself.
Specific technical actions defenders should prioritize based on the Ruby Jumper indicators and attack chain include the following. All removable media should be scanned on a dedicated, isolated scanning station before being connected to any air-gapped system — not by the endpoint itself, but by a controlled transfer kiosk with logging and chain-of-custody procedures. Autorun and autoplay features must be disabled across all endpoints, including air-gapped ones. Device control policies should block unauthorized USB storage and enforce allowlists requiring managed, encrypted media for all legitimate workflows.
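As an added example (not Zscaler's code and not the campaign's), here is a Python check a transfer kiosk could run over a removable drive's listing for the THUMBSBD and VIRUSTASK traces described earlier: a staging directory at the drive root, known implant file names, and legitimate files that have been hidden and shadowed by identically named shortcuts. The Entry record, the severities and the sample listing are this example's own constructions; a plain $RECYCLE.BIN is rated for review rather than flagged outright because NTFS-formatted drives carry one legitimately, holding only SID-named per-user folders, so anything else directly inside it is what gets flagged.

```python
import os
import re
import stat
from dataclasses import dataclass

# Names from the article; severities are this example's own judgement
STAGING = {"$recycle.bin.user": "high", "$recycle.bin": "review"}
IMPLANT_FILES = {"usbspeed.exe", "ascii.rb", "bundler_index_client.rb", "task.rb", "foot.apk"}
SID_DIR = re.compile(r"^s-1-5-\d+")  # a legitimate NTFS recycle bin holds only per-user SID folders

@dataclass(frozen=True)
class Entry:
    path: str      # drive-relative path with forward slashes
    hidden: bool
    is_dir: bool

def list_drive(root):
    """Enumerate a mounted drive into Entry records, using the Windows hidden
    attribute where the platform exposes it and a dot prefix otherwise."""
    entries = []
    for dirpath, dirs, files in os.walk(root):
        for name, is_dir in [(d, True) for d in dirs] + [(f, False) for f in files]:
            full = os.path.join(dirpath, name)
            attrs = getattr(os.lstat(full), "st_file_attributes", 0)
            hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)) or name.startswith(".")
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append(Entry(rel, hidden, is_dir))
    return entries

def triage(entries):
    """Return (severity, rule, detail) findings for a drive listing."""
    findings, hidden = [], {}
    for e in entries:  # pass 1: index hidden, non-shortcut files by full name and by stem
        d, _, name = e.path.rpartition("/")
        low = name.lower()
        if not e.is_dir and e.hidden and not low.endswith(".lnk"):
            hidden[(d, low)] = e.path
            hidden[(d, os.path.splitext(low)[0])] = e.path
    for e in entries:  # pass 2: apply the rules
        d, _, name = e.path.rpartition("/")
        low = name.lower()
        if e.is_dir and not d and low in STAGING:
            findings.append((STAGING[low], "staging_dir_at_root", e.path))
        if d.lower() == "$recycle.bin" and not SID_DIR.match(low):
            findings.append(("high", "non_sid_entry_in_recycle_bin", e.path))
        if e.is_dir:
            continue
        if low in IMPLANT_FILES:
            findings.append(("high", "implant_file", e.path))
        # VIRUSTASK hides the original and drops a same-named .lnk beside it;
        # both "report.docx.lnk" and "report.lnk" next to a hidden "report.docx" match
        if low.endswith(".lnk") and not e.hidden and (d, low[:-4]) in hidden:
            findings.append(("high", "file_shadowed_by_lnk", f"{e.path} -> {hidden[(d, low[:-4])]}"))
    return findings

# Constructed listing of an infected drive (not real capture data)
SAMPLE_DRIVE = [
    Entry("$RECYCLE.BIN.USER", True, True),
    Entry("$RECYCLE.BIN.USER/usbspeed.exe", True, False),
    Entry("$RECYCLE.BIN.USER/bundler_index_client.rb", True, False),
    Entry("$RECYCLE.BIN", True, True),
    Entry("$RECYCLE.BIN/S-1-5-21-1000", True, True),          # legitimate per-user folder
    Entry("$RECYCLE.BIN/S-1-5-21-1000/$IABCD.txt", True, False),
    Entry("$RECYCLE.BIN/cmd.dat", True, False),                # loose staged file
    Entry("budget.xlsx", True, False),
    Entry("budget.xlsx.lnk", False, False),
    Entry("notes/plan.docx", True, False),
    Entry("notes/plan.lnk", False, False),
    Entry("photo.jpg", False, False),                          # untouched file
]

if __name__ == "__main__":
    for sev, rule, detail in triage(SAMPLE_DRIVE):
        print(f"[{sev}] {rule}: {detail}")
```

On a real kiosk, replace SAMPLE_DRIVE with list_drive("E:\\") (or the mount point) and escalate on any high finding before the drive is allowed near the isolated side.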
Endpoint detection should be tuned to alert on:
- LNK file execution in email attachments and downloaded content;
- unexpected Ruby runtime processes;
- the process name usbspeed.exe or file path %PROGRAMDATA%\usbspeed;
- scheduled tasks named rubyupdatecheck;
- registry keys at HKCU\Software\Microsoft\TnGtp and HKCU\Software\Microsoft\ActiveUSBPolicies;
- the encrypted host profile at %LOCALAPPDATA%\TnGtp\TN.dat;
- files named find.bat, search.dat, or viewer.dat appearing together in a working directory;
- hidden directories named $RECYCLE.BIN (used by THUMBSBD for C2 staging) or $RECYCLE.BIN.USER (used by VIRUSTASK for propagation) at the root of removable drives; either should be treated as a confirmed compromise indicator and escalated immediately.
For forensic scoping, collecting Prefetch, Amcache, and Shimcache evidence of usbspeed.exe execution is particularly valuable.
At the network level, organizations should implement behavioral monitoring of outbound cloud storage traffic, logging which processes are initiating connections to services like Zoho WorkDrive, and flagging executables in non-standard paths making those connections. Physical access to air-gapped systems should be logged and reviewed, including which personnel are permitted to connect removable media and when.
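As an added example (not from Zscaler or any of the page's sources), the endpoint and network hunt list above expressed as Python rules run over Sysmon-style events, including the behavioural rule for cloud storage connections from executables outside standard paths. The event schema, the sample events, the standard-path allowlist and the zoho.com host match are all assumptions of this example.

```python
import json
from collections import defaultdict

# Indicators taken from the article text
C2_IP, C2_PORT = "144.172.106.66", 8080
C2_DOMAINS = {"philion.store", "homeatedke.store", "hightkdhe.store"}
REG_KEYS = ("\\software\\microsoft\\tngtp", "\\software\\microsoft\\activeusbpolicies")
LNK_DROPS = {"find.bat", "search.dat", "viewer.dat"}
# Assumed: where legitimate cloud clients live, and how Zoho WorkDrive traffic is recognised
STANDARD_PATHS = ("c:\\program files", "c:\\windows\\")
CLOUD_HOST_FRAGMENT = "zoho.com"

def _norm(p):
    return p.replace("/", "\\").lower()

class RubyJumperHunter:
    """Stateless rules plus one stateful rule: the three LNK-carved files
    (find.bat, search.dat, viewer.dat) turning up in the same directory."""

    def __init__(self):
        self._drops = defaultdict(set)  # directory -> carved file names seen so far

    def check(self, ev):
        """Return (severity, rule, detail) hits for one event dict."""
        hits, kind, image = [], ev.get("EventType"), ev.get("Image", "")
        img = _norm(image)
        if img.rsplit("\\", 1)[-1] == "usbspeed.exe" or "\\programdata\\usbspeed\\" in img:
            hits.append(("high", "disguised_ruby_runtime", image))
        if kind == "ProcessCreate":
            if "rubyupdatecheck" in ev.get("CommandLine", "").lower():
                hits.append(("high", "rubyupdatecheck_task", ev["CommandLine"]))
        elif kind == "RegistryEvent":
            key = _norm(ev.get("TargetObject", ""))
            if any(k in key for k in REG_KEYS):
                hits.append(("high", "implant_registry_key", ev["TargetObject"]))
        elif kind == "FileCreate":
            path = _norm(ev.get("TargetFilename", ""))
            d, _, name = path.rpartition("\\")
            if name == "tn.dat" and "\\tngtp\\" in path:
                hits.append(("high", "thumbsbd_host_profile", ev["TargetFilename"]))
            # .USER variant only here: a plain $RECYCLE.BIN is legitimate on NTFS volumes
            if "\\$recycle.bin.user\\" in path:
                hits.append(("high", "virustask_staging_dir", ev["TargetFilename"]))
            if name in LNK_DROPS:
                self._drops[d].add(name)
                if self._drops[d] == LNK_DROPS:
                    hits.append(("high", "lnk_carved_trio", d))
        elif kind == "NetworkConnect":
            ip, port = ev.get("DestinationIp"), ev.get("DestinationPort")
            host = ev.get("DestinationHostname", "").lower()
            if (ip == C2_IP and port == C2_PORT) or host in C2_DOMAINS:
                hits.append(("high", "known_c2", f"{host or ip}:{port}"))
            elif CLOUD_HOST_FRAGMENT in host and not img.startswith(STANDARD_PATHS):
                hits.append(("medium", "cloud_c2_from_nonstandard_path", image))
        return hits

    def scan(self, lines):
        """Run every non-empty JSON line through check() and collect the hits."""
        hits = []
        for line in lines:
            if line.strip():
                hits.extend(self.check(json.loads(line)))
        return hits

# Constructed Sysmon-like events: one per indicator, plus a benign browser connection
SAMPLE_EVENTS = r"""
{"EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks /Create /TN rubyupdatecheck /SC MINUTE /MO 5 /TR C:\\ProgramData\\usbspeed\\usbspeed.exe"}
{"EventType":"RegistryEvent","Image":"C:\\ProgramData\\usbspeed\\usbspeed.exe","TargetObject":"HKCU\\Software\\Microsoft\\ActiveUSBPolicies"}
{"EventType":"FileCreate","Image":"C:\\ProgramData\\usbspeed\\usbspeed.exe","TargetFilename":"C:\\Users\\alice\\AppData\\Local\\TnGtp\\TN.dat"}
{"EventType":"FileCreate","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","TargetFilename":"C:\\Users\\alice\\Downloads\\find.bat"}
{"EventType":"FileCreate","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","TargetFilename":"C:\\Users\\alice\\Downloads\\search.dat"}
{"EventType":"FileCreate","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","TargetFilename":"C:\\Users\\alice\\Downloads\\viewer.dat"}
{"EventType":"FileCreate","Image":"C:\\ProgramData\\usbspeed\\usbspeed.exe","TargetFilename":"E:\\$RECYCLE.BIN.USER\\usbspeed.exe"}
{"EventType":"NetworkConnect","Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe","DestinationIp":"203.0.113.10","DestinationPort":443,"DestinationHostname":"workdrive.zoho.com"}
{"EventType":"NetworkConnect","Image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","DestinationIp":"203.0.113.10","DestinationPort":443,"DestinationHostname":"workdrive.zoho.com"}
{"EventType":"NetworkConnect","Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe","DestinationIp":"144.172.106.66","DestinationPort":8080}
"""
```

Feed real Sysmon exports (converted to one JSON object per line) to RubyJumperHunter().scan(); the medium-severity cloud rule is the one that needs tuning to your environment's legitimate client paths.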
From a threat intelligence standpoint, any organization in the sectors historically targeted by APT37 — government, defense, academic research on North Korean affairs, media, critical infrastructure — should treat this campaign as directly relevant to their threat model and ensure detection rules for the documented IoCs are in place immediately.
Key Takeaways
- Air gaps are not impenetrable: Ruby Jumper is a fully engineered system for bridging physical network isolation through USB removable media. Organizations relying on air gapping as a primary security control need to treat the human-and-USB vector as an active attack surface, not a theoretical one.
- Five of the six tools were brand new: The depth of this toolkit — RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE all previously undocumented — signals sustained investment by APT37 in air-gap-specific offensive capability. This was not improvised. It was built.
- Cloud C2 abuse is the detection problem of the moment: Legitimate cloud services including Zoho WorkDrive, Google Drive, OneDrive, pCloud, and Dropbox are being used as C2 infrastructure. Detection cannot rely on blocklists. It requires behavioral analysis of which processes are making those requests.
- The decoy tells you something about the target: A translated Arabic-language article from North Korean state media is not a mass-phishing lure. It is a precision instrument aimed at a specific professional audience. Organizations serving that audience — policy research, foreign affairs media, Arabic-speaking analysts covering the Korean peninsula — should treat themselves as in-scope for this campaign.
- APT37 is building for the long term: This group has been active since at least 2012. Ruby Jumper is not an isolated operation; it is the latest iteration of a multi-decade espionage program that continuously adapts its tooling in response to detection and remediation. Defenders need to treat it as an ongoing threat, not a one-time event.
The technical report from Zscaler ThreatLabz, authored by Seongsu Park (Staff Threat Researcher) and published February 26, 2026, is the primary source document for this campaign and contains the full set of indicators of compromise, MITRE ATT&CK mappings, and malware technical details. If you operate in a sector that has historically appeared in APT37's targeting scope, that report belongs in your read pile today.
Sources & Further Reading
- Zscaler ThreatLabz (Seongsu Park, Staff Threat Researcher) — APT37 Adds New Capabilities for Air-Gapped Networks, February 26, 2026
- SecurityWeek — North Korean APT Targets Air-Gapped Systems in Recent Campaign, March 2026
- BleepingComputer — APT37 Hackers Use New Malware to Breach Air-Gapped Networks, February 2026
- Infosecurity Magazine — North Korea's APT37 Expands Toolkit to Breach Air-Gapped Networks, March 2026
- Security Affairs — APT37 Combines Cloud Storage and USB Implants to Infiltrate Air-Gapped Systems, March 2026
- The Record (Recorded Future News) — News Media, Foreign Affairs Experts Are Targets of North Korean Group's Latest Campaign, January 2024
- ESET WeLiveSecurity — Who's Swimming in South Korean Waters? Meet ScarCruft's Dolphin, November 2022 [Documents Dolphin, a more sophisticated second-stage backdoor deployed via BLUELIGHT against high-value targets; establishes BLUELIGHT as a staging component rather than a terminal payload]
- Volexity — North Korean APT InkySquid Infects Victims Using Browser Exploits, August 2021 [First public attribution of BLUELIGHT to APT37, documenting the Daily NK watering-hole attack exploiting CVE-2020-1380 and CVE-2021-26411]
- Brandefense — APT37: North Korea's Active Cyberespionage Group in 2025, November 2025
- Huntress — APT37 Threat Actor Profile
- SOCRadar — Dark Web Profile: ScarCruft / APT37, September 2025
- Cyber Security News — North Korean APT37 Hackers Leverage Zoho WorkDrive to Infect Air-Gapped Systems, February 2026