High | APT Campaign

North Korea's ScarCruft Jumps the Air Gap With USB Malware and Cloud C2

Zscaler ThreatLabz discovered ScarCruft (APT37) running the "Ruby Jumper" campaign that bridges air-gapped networks using weaponized USB drives. The operation abuses Zoho WorkDrive for C2 and deploys multiple malware families including THUMBSBD, FOOTWINE, and BLUELIGHT for surveillance and data exfiltration.

By Danny, Feb 27, 2026

Threat Actor: ScarCruft / APT37
Attribution: North Korea
Attack Vector: USB / Removable Media / Cloud C2

Air-gapped networks are supposed to be the digital equivalent of a moat around a castle. No internet connection, no problem, right? North Korea's ScarCruft hackers would like a word. The threat actor also known as APT37 has been caught running a sophisticated campaign that bridges the gap between internet-connected and isolated systems using weaponized USB drives and a clever abuse of legitimate cloud services. Security researchers at Zscaler ThreatLabz discovered the operation in December 2025 and dubbed it "Ruby Jumper" for reasons that become clear when you dig into the technical details.

The attack chain begins innocuously enough with a malicious LNK file, the kind of shortcut file that Windows users click without thinking twice. When opened, it triggers a PowerShell command that performs a neat trick, scanning its own directory to locate itself based on file size, then carving out multiple embedded payloads including a decoy document, executable payloads, additional PowerShell scripts, and a batch file. The decoy documents discovered so far include an Arabic-language article about the Palestine-Israel conflict translated from a North Korean newspaper, which gives some indication of the targeting priorities.

What makes Ruby Jumper particularly noteworthy is ScarCruft's first documented abuse of Zoho WorkDrive for command-and-control communications. The initial payload, a piece of malware called RESTLEAF, authenticates with Zoho's cloud storage infrastructure using a valid access token and downloads additional shellcode. From there, the infection progresses through several stages involving malware families with names that read like a hacker's playlist: SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and the veteran backdoor BLUELIGHT, which researchers have tracked since 2021.

The air-gap jumping capability comes from THUMBSBD and VIRUSTASK, two components that weaponize removable media in slightly different ways. THUMBSBD handles the heavy lifting of command execution and data exfiltration by creating hidden folders on USB drives to stage commands and store execution output. When an infected USB drive gets plugged into an air-gapped system, it can harvest system information, download secondary payloads, exfiltrate files, and execute arbitrary commands. VIRUSTASK takes a more specialized approach, focusing exclusively on spreading the initial infection to non-compromised air-gapped systems via removable media.

The surveillance capabilities are where things get genuinely unsettling. FOOTWINE, delivered as an encrypted payload with an integrated shellcode launcher, comes equipped with keylogging along with audio and video capture functionality. It communicates with its command-and-control server using a custom binary protocol over TCP and supports an extensive command set covering everything from interactive shells and file manipulation to registry modification, process enumeration, and screenshot capture. The ability to record audio and video means attackers can conduct persistent surveillance on compromised systems even in supposedly secure environments.

ScarCruft has been in the game since at least 2012 and typically targets South Korean entities along with North Korean defectors, journalists, and human rights activists. However, their toolkit continues to evolve. The BLUELIGHT backdoor distributed through this campaign demonstrates their ongoing interest in weaponizing legitimate cloud providers, with documented abuse of Google Drive, Microsoft OneDrive, pCloud, and BackBlaze for command-and-control purposes. This makes detection significantly harder since traffic to these services looks completely normal.

The implications for organizations that rely on air-gapping as a security control are significant. The Ruby Jumper campaign demonstrates that physical isolation is not the impenetrable defense it once seemed. Attackers with sufficient motivation and resources can bridge that gap through carefully crafted malware that turns removable media into a two-way communication channel. Organizations operating air-gapped systems should implement strict removable media policies, including scanning all USB devices before use on isolated systems, disabling autorun functionality, and monitoring for suspicious file creation patterns in hidden directories.
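A triage check for the hidden-folder staging behaviour described above (THUMBSBD's hidden USB folders and the recommended monitoring for file creation in hidden directories), written here as an added example rather than anything from the Zscaler report: it walks a removable drive root, prunes well-known benign hidden system folders, and reports every other hidden directory together with the files in it that changed recently. The sample drive tree, its folder names and the benign allow-list entries are constructed for the demonstration.

```python
import os
import tempfile
import time
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows hidden bit; on POSIX/macOS a leading dot marks hidden
# Hidden folders that legitimately live on removable media; pruned to cut noise (constructed allow-list).
KNOWN_BENIGN = {"System Volume Information", "$RECYCLE.BIN", ".Trashes", ".Spotlight-V100", ".fseventsd"}

def is_hidden(path: Path) -> bool:
    """Hidden by dot prefix, or by the Windows hidden attribute where the OS reports it."""
    if path.name.startswith("."):
        return True
    return bool(getattr(path.stat(), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)

def scan_removable_root(root, max_age_hours: float = 24 * 7, now=None) -> list:
    """Walk a drive root; report each hidden folder outside KNOWN_BENIGN with the
    files it holds and which of them were modified within max_age_hours."""
    root, now = Path(root), (time.time() if now is None else now)
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        keep = []
        for name in dirnames:
            sub = Path(dirpath) / name
            if name in KNOWN_BENIGN:
                continue  # prune benign system folders
            if is_hidden(sub):
                files = [p for p in sub.rglob("*") if p.is_file()]
                recent = sorted(p.relative_to(root).as_posix() for p in files
                                if now - p.stat().st_mtime <= max_age_hours * 3600)
                findings.append({"hidden_dir": sub.relative_to(root).as_posix(),
                                 "total_files": len(files), "recent_files": recent})
                continue  # prune: its contents are already summarised
            keep.append(name)
        dirnames[:] = keep  # os.walk honours in-place pruning of dirnames
    return findings

def build_sample_drive(base=None) -> Path:
    """Constructed USB root: a visible doc, a benign hidden folder, and a hidden
    staging folder holding two fresh files and one 40-day-old file."""
    base = Path(base or tempfile.mkdtemp())
    sample = {"docs/report.txt": "visible", ".Trashes/junk": "benign", ".staging/old.bin": "stale",
              ".staging/cmd.txt": "constructed command", ".staging/out/result.log": "constructed output"}
    for rel, text in sample.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_text(text + "\n")
    stale = time.time() - 40 * 24 * 3600
    os.utime(base / ".staging" / "old.bin", (stale, stale))
    return base
```

Point `scan_removable_root` at a mounted drive root to triage a real device, or at `build_sample_drive()` for an offline dry run; anything it returns outside the allow-list deserves a look at who wrote those files and when.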

The use of Ruby as an execution environment is another interesting tactical choice. By deploying a self-contained Ruby runtime and disguising malware as Ruby files, the attackers reduce their reliance on system-installed interpreters and potentially evade detection rules focused on more common scripting languages like PowerShell alone. It is a reminder that sophisticated threat actors are constantly experimenting with new techniques to stay ahead of defenders.

For security teams, the key takeaways are straightforward even if implementation is not. Air-gapped networks require just as much monitoring and protection as internet-connected systems, perhaps more given the high-value nature of what they typically protect. USB security policies need teeth, not just paper. And when nation-state actors want in badly enough, they will find creative ways to jump the moat. The question is whether defenders can detect the splash.

Target Sectors: Government, Media, Human Rights

Target Regions: South Korea, Global

Tags: ScarCruft, APT37, North Korea, Air Gap, USB, BLUELIGHT, FOOTWINE, THUMBSBD, Zoho, Ruby Jumper
