New Multi-Stage Toolkit Leverages Removable Media to Bridge Air-Gapped Systems
Air-gapped environments are often treated as the highest form of segmentation-based defense. But a newly uncovered campaign attributed to North Korean threat group APT37 challenges that assumption.
The operation, dubbed Ruby Jumper, demonstrates how removable media workflows and staged malware loaders can be weaponized to move data between internet-connected systems and physically isolated networks.
What Is Ruby Jumper?
Ruby Jumper is a multi-stage malware campaign attributed to APT37, also known as ScarCruft, Ruby Sleet, and Velvet Chollima. The operation focuses on transferring data between internet-connected machines and physically isolated systems via removable drives.
Air-gapped environments typically eliminate Wi-Fi, Bluetooth, and Ethernet connectivity at the hardware level, relying on manual data transfer methods such as USB drives. Ruby Jumper weaponizes that exact workflow.
The Infection Chain
Researchers at Zscaler identified five core components: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE. Additionally, BLUELIGHT, a previously known APT37 backdoor, was observed in the campaign.
The attack begins with a malicious Windows shortcut (LNK) file. When opened, it executes a PowerShell script embedded within the file while simultaneously launching a decoy document to distract the victim.
From there, the infection unfolds in stages. RESTLEAF communicates with attacker infrastructure via Zoho WorkDrive, retrieving encrypted shellcode that executes in memory and deploys SNAKEDROPPER, a Ruby-based loader. SNAKEDROPPER then establishes persistence by installing a disguised Ruby 3.3.0 runtime (usbspeed.exe) and modifying RubyGems’ operating_system.rb to ensure execution through a scheduled task running every five minutes.
This technique allows attackers to embed malicious functionality directly into the runtime environment, a stealthy persistence mechanism not commonly seen in traditional enterprise malware.
Bridging the Air Gap
The most concerning component of Ruby Jumper is THUMBSBD.
THUMBSBD stages data onto removable drives, creating hidden directories and transforming USB devices into a bidirectional transport layer. This allows attackers to deliver commands into air-gapped environments and extract data from isolated systems without direct internet connectivity.
By leveraging removable media as an intermediary transport layer, APT37 effectively bridges otherwise segmented network environments.
Lateral Spread and Surveillance Capabilities
The VIRUSTASK component weaponizes removable drives to propagate infection across additional air-gapped systems. It hides legitimate files and replaces them with malicious shortcuts that trigger execution of the embedded Ruby interpreter.
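A defender-side triage check for the two removable-media behaviours described above: hidden staging directories on the drive (THUMBSBD) and legitimate files that have been hidden and shadowed by a same-named shortcut (VIRUSTASK). This is an added example, not code from Zscaler's report or from the toolkit; the drive listing is constructed, and the name-matching rule and the allowlist of well-known hidden directories are my assumptions.

```python
import os
import stat
from collections import namedtuple

# path is relative to the drive root with "/" separators; hidden is the Windows attribute.
Entry = namedtuple("Entry", "path hidden is_dir")
KNOWN_HIDDEN_DIRS = {"System Volume Information", "$RECYCLE.BIN"}  # legitimately hidden (assumed allowlist)

def walk_drive(root: str) -> list:
    """Enumerate a mounted drive into Entry records."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.stat(full, follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)   # attribute only exists on Windows
            out.append(Entry(os.path.relpath(full, root).replace(os.sep, "/"),
                             bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
                             stat.S_ISDIR(st.st_mode)))
    return out

def find_hidden_dirs(entries: list) -> list:
    # Hidden directories beyond the well-known ones are candidate staging areas.
    return sorted(e.path for e in entries
                  if e.is_dir and e.hidden and e.path not in KNOWN_HIDDEN_DIRS)

def find_lnk_shadowing(entries: list) -> list:
    """(hidden original, visible .lnk) pairs: a shortcut that took the name of a
    hidden sibling file, e.g. report.docx -> report.docx.lnk or report.lnk."""
    hidden_files = {e.path for e in entries if e.hidden and not e.is_dir}
    hits = []
    for e in entries:
        if e.is_dir or e.hidden or not e.path.lower().endswith(".lnk"):
            continue
        stem = e.path[:-4]                                   # drop ".lnk"
        for h in hidden_files:
            no_ext = h.rsplit(".", 1)[0] if "." in h.rsplit("/", 1)[-1] else h
            if h == stem or no_ext == stem:
                hits.append((h, e.path))
    return sorted(hits)

SAMPLE_DRIVE = [  # constructed listing of an infected stick, not captured data
    Entry("docs/report.docx", True, False),
    Entry("docs/report.docx.lnk", False, False),
    Entry("photos/trip.jpg", True, False),
    Entry("photos/trip.lnk", False, False),
    Entry("tools/putty.lnk", False, False),    # ordinary shortcut, no hidden twin
    Entry(".cache", True, True),               # hidden staging directory
    Entry("System Volume Information", True, True),
]
```

On a Windows host, `walk_drive("E:/")` builds the same Entry list from a mounted stick, where the hidden attribute is readable, and the two finders run over that listing; on other platforms every entry reads as visible, so only the constructed sample exercises the hidden-file logic.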
Another module, FOOTWINE, operates as a Windows spyware backdoor delivered using an Android APK filename as cover to evade detection. Its capabilities include keylogging, screenshot capture, audio and video recording, file manipulation, registry access, and remote shell execution.
The presence of BLUELIGHT, previously associated with APT37, further strengthens attribution confidence.
Attribution and Targeting
Zscaler attributes the Ruby Jumper campaign to APT37 with high confidence, based on several converging indicators: the use of LNK files as an initial vector, a two-stage shellcode delivery technique, reuse of the BLUELIGHT backdoor previously linked to the group, and C2 infrastructure consistent with APT37’s known pattern of abusing cloud storage platforms.
The decoy document, an Arabic translation of a North Korean newspaper article about the Palestine-Israel conflict, suggests targets with an interest in North Korean media narratives, consistent with APT37’s historical focus on individuals and entities aligned with DPRK state interests.
Why This Matters for Security Leaders
This campaign blends physical transfer workflows with logical exploitation, turning routine USB data movement into attack infrastructure. If removable media is part of how your organization operates, segmentation alone is not a sufficient assurance; the workflows that bridge those environments need to be tested.
Air gaps reduce exposure, but they do not eliminate attack paths. Ruby Jumper challenges three rarely validated assumptions:
• That removable media usage is tightly controlled and monitored.
• That persistence mechanisms inside isolated systems would be detected.
• That segmentation boundaries are regularly adversarially tested.
If those controls have not been explicitly validated, isolation becomes a policy assumption rather than a proven defense.