ScarCruft Deploys Six Malware Families in Ruby Jumper Campaign to Breach Air-Gapped Networks via USB Propagation
North Korean threat actor ScarCruft has deployed a fresh arsenal of six malware families in a campaign codenamed Ruby Jumper that targets air-gapped networks through USB-based propagation and abuses Zoho WorkDrive as command-and-control infrastructure — the first time the group has used this cloud service in its operations.
The campaign, discovered by Zscaler ThreatLabz in December 2025, combines cloud-based C2, a self-contained Ruby execution environment, and removable media weaponization to bridge the gap between internet-connected systems and isolated networks used by high-value targets.
Multi-Stage Infection Chain
The attack begins with a malicious LNK file containing an embedded PowerShell command that scans its own directory to locate itself by file size, then carves out multiple payloads from fixed offsets:
- Decoy document — displays an article about the Palestine-Israel conflict translated from a North Korean newspaper into Arabic
- RESTLEAF — spawned in memory, authenticates to Zoho WorkDrive using a valid access token to download shellcode via C2
- SNAKEDROPPER — deployed via process injection from RESTLEAF's shellcode, installs the Ruby runtime, establishes persistence through a scheduled task, and drops the final implants
Six Malware Families
RESTLEAF — Initial backdoor that uses Zoho WorkDrive for C2 communications and payload retrieval. Marks ScarCruft's first abuse of this cloud storage platform.
SNAKEDROPPER — Installer component that deploys the Ruby runtime environment and establishes persistence via scheduled tasks.
THUMBSBD — The primary air-gap bridging implant, disguised as a Ruby file. Detects removable media and creates hidden folders to stage operator commands and store execution output for transfer between connected and isolated systems. Capabilities include system information harvesting, file exfiltration, payload downloading, and arbitrary command execution.
VIRUSTASK — A complementary USB propagation component focused exclusively on spreading malware to non-infected air-gapped systems via removable media. Unlike THUMBSBD, which handles command execution and exfiltration, VIRUSTASK focuses solely on achieving initial access on isolated networks.
FOOTWINE — An encrypted surveillance payload delivered by THUMBSBD with keylogging, screenshot capture, and audio and video capture. Communicates over a custom binary protocol via TCP, supporting nine command types, including interactive shell (sm), file manipulation (fm), registry modification (rm), proxy tunneling (pxm), and DLL loading.
BLUELIGHT — A backdoor attributed to ScarCruft since 2021 that weaponizes multiple legitimate cloud providers — Google Drive, Microsoft OneDrive, pCloud, and BackBlaze — for C2 communications.
How the Air-Gap Bridge Works
The USB propagation technique operates as a two-way relay:
- VIRUSTASK spreads to removable media to achieve initial infection on air-gapped systems
- THUMBSBD creates hidden folders on USB devices to stage commands from the operator and collect execution output
- When the USB device moves between an internet-connected system and an air-gapped target, commands and exfiltrated data transfer silently through the hidden staging folders
- FOOTWINE conducts surveillance on the isolated system, with captured audio, video, keystrokes, and screenshots staged for USB-based exfiltration
Cloud Services Abused
The campaign leverages multiple legitimate cloud platforms to blend C2 traffic into normal enterprise activity:
- Zoho WorkDrive (new for ScarCruft)
- Google Drive
- Microsoft OneDrive
- pCloud
- BackBlaze
Defender Recommendations
- Monitor USB device activity — alert on hidden folder creation on removable media and unexpected file staging patterns
- Restrict removable media on air-gapped systems — enforce strict USB device whitelisting and audit all media transfers
- Detect Ruby runtime deployment — Ruby interpreters appearing on Windows endpoints that don't require them are a strong anomaly indicator
- Block unauthorized cloud storage access — monitor and restrict connections to Zoho WorkDrive, pCloud, and BackBlaze from endpoints that don't have business justification
- Hunt for LNK-based initial access — flag PowerShell execution spawned from shortcut files that self-reference by file size
- Inspect scheduled tasks — look for persistence mechanisms that launch Ruby-based payloads
- Monitor for custom binary protocols — FOOTWINE's TCP-based C2 using a non-standard binary protocol should be detectable through protocol analysis
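The first recommendation, hunting for hidden staging folders on removable media, can be scripted. The following is an added example written for this article, not tooling from Zscaler or the report; the extension list and the "dot-prefix or hidden attribute" rule are the author's assumptions, and the demo drive layout is constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumption: THUMBSBD poses as a Ruby file and the lure is an LNK, so these
# extensions are worth listing on a stick; adjust to your environment.
SUSPECT_EXTENSIONS = {".rb", ".lnk"}


def is_hidden(path: Path) -> bool:
    """Hidden if the Windows hidden attribute is set, or the name is dot-prefixed."""
    hidden = path.name.startswith(".")
    try:
        attrs = getattr(path.stat(), "st_file_attributes", 0)  # Windows only
    except OSError:
        attrs = 0
    return hidden or bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_removable_media(root) -> dict:
    """Walk a mounted removable drive and report hidden directories (candidate
    command/output staging folders), every file staged inside them, and files
    whose extension matches the lure or implant types named in the report."""
    root = Path(root)
    findings = {"hidden_dirs": [], "staged": [], "suspect_files": []}
    for dirpath, dirnames, filenames in os.walk(root):
        base = Path(dirpath)
        for name in list(dirnames):
            d = base / name
            if is_hidden(d):
                findings["hidden_dirs"].append(d.relative_to(root).as_posix())
                findings["staged"].extend(
                    p.relative_to(root).as_posix() for p in sorted(d.rglob("*")) if p.is_file())
                dirnames.remove(name)  # contents already enumerated; do not descend again
        for name in filenames:
            f = base / name
            if f.suffix.lower() in SUSPECT_EXTENSIONS:
                findings["suspect_files"].append(f.relative_to(root).as_posix())
    return findings


def build_demo_drive() -> str:
    """Constructed sample layout mimicking a staged USB stick (not real campaign data)."""
    root = Path(tempfile.mkdtemp(prefix="usb_demo_"))
    (root / "reports").mkdir()
    (root / "reports" / "q3.docx").write_text("benign document")
    stage = root / ".stage"  # dot-prefix stands in for the hidden attribute in this demo
    (stage / "out").mkdir(parents=True)
    (stage / "cmd.txt").write_text("constructed operator command")
    (stage / "out" / "sysinfo.txt").write_text("constructed harvested output")
    (root / "update.rb").write_text("# constructed placeholder for a disguised implant")
    return str(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_drive()
    for key, items in scan_removable_media(target).items():
        print(f"{key}: {items}")
```

Run it with the mount point of a removable drive as the only argument; a non-empty `hidden_dirs` or `staged` list on a stick that moves between networks is the pattern worth triaging.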