A cyber espionage group associated with North Korea has been detected executing a new malicious campaign that utilizes removable media infection tools to infiltrate air-gapped systems.
The group, known as APT37, has been active since at least 2012 and is recognized under various aliases, including ScarCruft, Ruby Sleet, InkySquid, Ricochet Chollima, and Velvet Chollima.
Initially targeting both public and private sectors in South Korea, APT37 expanded its activities in 2017 to encompass Japan, Vietnam, and the Middle East. The group's focus also widened to include diverse industries such as chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.
In this latest campaign, identified by security researchers at Zscaler ThreatLabz and referred to as ‘Ruby Jumper,’ APT37 employed a suite of six malicious tools throughout the attack lifecycle, five of which had not been previously documented. The five newly documented tools are known as Restleaf, SnakeDropper, ThumbSBD, VirusTask, and FootWine.
The group also utilized removable media to infect and facilitate the exchange of commands and information between air-gapped systems.
Understanding APT37’s Ruby Jumper Campaign
The Ruby Jumper campaign was uncovered by the ThreatLabz team in December 2025.
According to a report published on February 26, APT37 gained initial access using its traditional method of exploiting Windows shortcut (LNK) files.
When a victim opens a malicious LNK file, it executes a PowerShell command that scans the current directory to locate the LNK file itself by its file size. The PowerShell script then extracts multiple embedded payloads from fixed offsets within that LNK file: a decoy document, an executable payload, an additional PowerShell script, and a batch file.
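A defender can triage shortcuts of this kind by parsing the LNK structure and measuring what sits past its end, since embedded payloads make the file far larger than the structure accounts for. The following Python is an added example, not code from the article or from ThreatLabz; it walks the MS-SHLLINK layout, and the sample files it builds are constructed here with a harmless PowerShell command standing in for the real one.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # MS-SHLLINK header CLSID
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80

def parse_lnk(data: bytes) -> dict:
    """Walk the LNK structures; return the command line and the byte count after the TerminalBlock."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                        # LinkTargetIDList: u16 size + item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfo: u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    args = ""
    for bit in (0x04, 0x08, 0x10, HAS_ARGUMENTS, 0x40):  # StringData fields in on-disk order
        if flags & bit:                            # u16 char count followed by the chars
            count = struct.unpack_from("<H", data, pos)[0]
            if bit == HAS_ARGUMENTS:
                raw = data[pos + 2:pos + 2 + count * width]
                args = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    size = 4
    while size >= 4 and pos + 4 <= len(data):     # ExtraData blocks; size < 4 is the TerminalBlock
        size = struct.unpack_from("<I", data, pos)[0]
        pos += max(size, 4)
    return {"args": args, "trailing_bytes": max(0, len(data) - pos)}

def triage(data: bytes, max_trailing: int = 1024) -> list:
    """Flag a PowerShell command line and a large blob stored past the end of the LNK structure."""
    info = parse_lnk(data)
    findings = []
    if "powershell" in info["args"].lower():
        findings.append("command line invokes PowerShell")
    if info["trailing_bytes"] > max_trailing:
        findings.append(f"{info['trailing_bytes']} bytes appended after the LNK structure")
    return findings

def build_sample(args: str, appended: bytes = b"") -> bytes:
    """Constructed test file, not a campaign artifact: header, one StringData field, TerminalBlock, blob."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)
    header += bytes(0x4C - len(header))            # zero the remaining header fields
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le") + bytes(4) + appended

BENIGN = build_sample("notepad.exe")
SUSPECT = build_sample("powershell -nop -c Write-Output constructed", bytes(5000))  # filler stands in for payloads
print(triage(BENIGN), triage(SUSPECT))
```

The trailing-byte threshold is a tunable heuristic; legitimate shortcuts end at the TerminalBlock or within a few bytes of it, so anything in the kilobyte range deserves a closer look.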
The decoy document presents an article about the Palestine-Israel conflict, translated from a North Korean newspaper into Arabic.