APT37 Adds New Capabilities for Air-Gapped Networks

Introduction

In December 2025, Zscaler ThreatLabz discovered a campaign linked to APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima), a DPRK-backed threat group. In this campaign, tracked as Ruby Jumper by ThreatLabz, APT37 uses Windows shortcut (LNK) files to initiate an attack that utilizes a set of newly discovered tools. These tools, RESTLEAF, SNAKEDROPPER, THUMBSBD, and VIRUSTASK, download a payload that delivers FOOTWINE and BLUELIGHT, which enable surveillance on a victim's system.

In this blog post, ThreatLabz examines how these tools function, including their notable use of Ruby to load shellcode-based payloads. We also explore how the Ruby Jumper campaign leverages removable media to infect and pass commands and information between air-gapped systems.

Key Takeaways

- In December 2025, ThreatLabz discovered Ruby Jumper, a campaign orchestrated by APT37, a DPRK-backed threat group.
- ThreatLabz discovered RESTLEAF, an initial implant that uses Zoho WorkDrive for C2 communications to fetch additional payloads, like SNAKEDROPPER.
- ThreatLabz discovered SNAKEDROPPER, a next-stage loader that installs the Ruby runtime, establishes persistence, and drops THUMBSBD and VIRUSTASK.
- ThreatLabz discovered THUMBSBD, a backdoor that uses removable media to relay commands and transfer data between internet-connected and air-gapped systems.
- ThreatLabz discovered VIRUSTASK, a removable media propagation tool that infects removable media by replacing files with malicious LNK shortcuts.
- ThreatLabz discovered FOOTWINE, a backdoor delivered later in the attack chain with surveillance capabilities such as keylogging and audio/video capturing.

Background

APT37 has used Chinotto for years to target individuals and government-related entities to steal sensitive data and conduct surveillance. The group also continues to use a separate infection chain that combines shellcode with in-memory Windows-based malware, similar to the Ruby Jumper campaign.

Technical Analysis

ThreatLabz details the Ruby Jumper campaign in the following sections, focusing on the specific malware employed, the deployment methods, and how the final payload is delivered to achieve the ultimate objective.

Attack flow

The figure below illustrates the complete attack flow, from the initial vector to the infection of newly attached removable media and the deployment of FOOTWINE and BLUELIGHT.

Figure 1: APT37 Ruby Jumper campaign attack flow.

RESTLEAF

APT37 has abused LNKs as an initial vector for years. In the Ruby Jumper campaign, when a victim opens a malicious LNK file, it launches a PowerShell command and scans the current directory to locate itself based on file size. Then, the PowerShell script launched by the LNK file carves multiple embedded payloads from fixed offsets within that LNK, including a decoy document, an executable payload, an additional PowerShell script, and a batch file, as listed in the table below.

Filename   | File type              | Purpose
find.bat   | Windows Batch file     | Launches PowerShell (## search.dat).
search.dat | PowerShell             | Loads the shellcode file (viewer.dat) into memory.
viewer.dat | Shellcode with payload | Loads the embedded payload after decrypting it.

Table 1: Files dropped by APT37's Ruby Jumper campaign LNK file and their purpose.

The decoy document displays an article about the Palestine-Israel conflict, translated from a North Korean newspaper into Arabic, as shown in the figure below.

Figure 2: Arabic language decoy document leveraged in the Ruby Jumper campaign by APT37.

Each payload created by the LNK file works in tandem, ultimately spawning a Windows executable payload in memory that ThreatLabz identifies as RESTLEAF. RESTLEAF uses Zoho WorkDrive cloud storage for C2 communications. To our knowledge, this is the first time APT37 has abused Zoho WorkDrive.

RESTLEAF retrieves a valid access token by exchanging embedded refresh token credentials, enabling subsequent API operations with the Zoho WorkDrive infrastructure. The table below lists the hardcoded token information associated with RESTLEAF.

Type          | Value
client_id     | 1000.3GYW7TSOWPQUNLVY1SK3Y6TWIUNAFH
refresh_token | 1000.57dac5f7d21da2454d0fbefdced80bf3.ed54cf1ebffbfc1c8ae1ccdd2c681012
client_secret | ffc7ebe0a8e68df69b9bc391cd7589e596865d42a9

Table 2: RESTLEAF hardcoded Zoho WorkDrive token information.

Following successful authentication, RESTLEAF attempts to download a file containing shellcode named AAA.bin from the Zoho WorkDrive repository. If the download succeeds, the shellcode is executed through a classic process injection technique. RESTLEAF allocates executable memory, copies the downloaded payload into this region, and transfers execution to the entry point of the shellcode. After the shellcode execution completes, RESTLEAF creates timestamped beacon files in a folder named Second on the Zoho WorkDrive that signal to the cloud-based C2 that the infection is active and operational. This beaconing mechanism generates unique filenames following the pattern lion [timestamp], where the timestamp
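The LNK stage described above lends itself to a simple defender-side triage. The following is an added example, not code from ThreatLabz or from the campaign: it flags shortcut files that are far larger than an ordinary shortcut and whose stored arguments reference PowerShell (the shortcut carries a decoy document and several payloads appended to it), and it flags process-creation events in which cmd.exe hands PowerShell a .dat file, matching the find.bat to search.dat step in Table 1. The size threshold, the sample shortcut bytes and the sample process events are constructed assumptions for illustration, not artefacts recovered from the campaign.

```python
"""Triage heuristics for oversized PowerShell-launching .lnk files and .dat-fed PowerShell."""
import re
from pathlib import Path
from typing import Iterator

# Shell Link (.LNK) header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk (mixed-endian) layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Assumed triage threshold: a normal shortcut is a few kilobytes, while a
# shortcut that also carries a decoy document and payloads is much larger.
SIZE_THRESHOLD = 256 * 1024

# Shortcut arguments are normally stored as UTF-16LE, so check both encodings.
POWERSHELL_NEEDLES = (b"powershell", "powershell".encode("utf-16-le"))


def is_lnk(data: bytes) -> bool:
    """True if the blob starts with the Shell Link header."""
    return data.startswith(LNK_MAGIC)


def lnk_findings(data: bytes, size_threshold: int = SIZE_THRESHOLD) -> list[str]:
    """Return triage reasons for one shortcut blob; an empty list means nothing notable."""
    reasons: list[str] = []
    if not is_lnk(data):
        return reasons
    if len(data) >= size_threshold:
        reasons.append(f"oversized shortcut ({len(data)} bytes)")
    lowered = data.lower()  # ASCII-only lowering; UTF-16 null bytes are left untouched
    if any(needle in lowered for needle in POWERSHELL_NEEDLES):
        reasons.append("stored command line references powershell")
    return reasons


def scan_directory(root: Path) -> Iterator[tuple[Path, list[str]]]:
    """Yield (path, reasons) for every .lnk under root that trips a heuristic."""
    for path in root.rglob("*.lnk"):
        reasons = lnk_findings(path.read_bytes())
        if reasons:
            yield path, reasons


# Second heuristic: find.bat launches PowerShell with search.dat. PowerShell
# being handed a .dat "script" by cmd.exe is unusual in most environments.
DAT_ARG_RE = re.compile(r"\S+\.dat\b", re.IGNORECASE)


def suspicious_powershell_event(image: str, parent_image: str, cmdline: str) -> bool:
    """True for powershell.exe started by cmd.exe with a .dat file named in its arguments."""
    return (
        image.lower().endswith("powershell.exe")
        and parent_image.lower().endswith("cmd.exe")
        and DAT_ARG_RE.search(cmdline) is not None
    )


# Constructed sample inputs (assumptions for illustration, not real artefacts).
BENIGN_LNK = LNK_MAGIC + b"\x00" * 1000                          # ordinary small shortcut
TROJAN_LNK = (LNK_MAGIC + b"\x00" * 64
              + "powershell.exe -w hidden".encode("utf-16-le")   # UTF-16LE arguments
              + b"\x00" * SIZE_THRESHOLD)                        # appended payloads
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\System32\cmd.exe",
     r'powershell.exe -NoP -w hidden "C:\Users\user\AppData\Local\Temp\search.dat"'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\explorer.exe",
     r"powershell.exe -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    print(lnk_findings(BENIGN_LNK))   # []
    print(lnk_findings(TROJAN_LNK))   # both reasons
    for image, parent, cmd in SAMPLE_EVENTS:
        print(suspicious_powershell_event(image, parent, cmd), cmd)
```

Point scan_directory at a user's Desktop, Downloads or a mounted removable drive to apply the shortcut heuristic on disk; the size threshold is deliberately conservative and should be tuned against the shortcuts normally seen in your environment.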

[…]

This article has been indexed from Security Boulevard
