A North Korea-linked threat actor tracked as APT37 has been observed using five new malicious tools in a recent campaign targeting air-gapped systems, Zscaler reports.
Also tracked as ScarCruft, Ruby Sleet, and Velvet Chollima, APT37 has been active since 2012, focusing on data theft and surveillance and mainly targeting entities in South Korea.
As part of a campaign discovered in December 2025, named Ruby Jumper, APT37 was seen using LNK files to execute a PowerShell script and deploy multiple payloads, including a decoy document in Arabic about the Palestine-Israel conflict.
The payloads work together to execute a further payload in memory. Dubbed RestLeaf, this in-memory component uses the Zoho WorkDrive cloud storage service for command-and-control (C&C) and attempts to fetch from it a file containing shellcode.
The shellcode, which is executed in memory, acts as a launcher, fetching and decrypting second-stage shellcode that loads an embedded Windows executable, dubbed SnakeDropper.
The malware creates a working directory and installs the Ruby 3.3.0 runtime environment disguised as a USB speed monitoring utility, backdoors the Ruby interpreter, and creates a scheduled task to execute the interpreter every five minutes, establishing persistence.
Executed every time the Ruby interpreter starts, SnakeDropper drops ThumbsBD, a backdoor that uses removable drives to exfiltrate data from air-gapped systems, using them as bidirectional relays.
When detecting USB drives, the malware creates a hidden directory in their root folder, which is used to stage backdoor commands and data for exfiltration.
ThumbsBD also collects system information, downloads additional payloads, and executes shellcode from a specific directory.
SnakeDropper was also observed dropping VirusTask, a removable media propagation tool designed to infect air-gapped systems, which exclusively weaponizes USB drives for initial access.
It copies the payload executables to a folder in the drive’s root directory and enumerates files on the drive, replacing them with LNK files that lead to the execution of shellcode on the air-gapped systems when the user attempts to open those files.
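The two on-disk traces described above (a hidden directory created in a removable drive's root, and documents replaced by shortcuts) together with the scheduled task that relaunches a user-directory Ruby interpreter every five minutes give a defender something concrete to look for. The following is an added detection heuristic written for this article, not Zscaler's tooling or code from the report; the directory, task and file names in the sample data are constructed, and the set of interpreters beyond ruby.exe is an assumption that generalises the reported behaviour.

```python
import re

# Interpreters worth scrutinising when launched by a scheduled task. ruby.exe is the one
# reported for Ruby Jumper; the others are an assumption added as a generalisation.
INTERPRETERS = {"ruby.exe", "rubyw.exe", "python.exe", "pythonw.exe", "wscript.exe"}
# Path components that indicate a user-writable location rather than Program Files/System32.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.I)
# A document name with a trailing .lnk, e.g. "budget.xlsx.lnk", as left behind when a
# real file is swapped for a shortcut of the same name.
DOC_SHADOW_LNK = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\.lnk$", re.I)


def audit_removable_drive(entries):
    """entries: list of (relative_path, is_dir, is_hidden), forward slashes, relative to
    the drive root. Returns a list of human-readable findings."""
    findings = []
    for path, is_dir, hidden in entries:
        top_level = "/" not in path
        if is_dir and hidden and top_level:
            findings.append(f"hidden root directory: {path}")
        elif not is_dir and DOC_SHADOW_LNK.search(path):
            findings.append(f"document-shadowing shortcut: {path}")
    return findings


def audit_scheduled_task(task):
    """task: dict with 'command' (full executable path) and 'repeat_minutes' (0 if none).
    Flags an interpreter run from a user-writable path on a short repetition interval."""
    cmd = task.get("command", "")
    exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = []
    if exe in INTERPRETERS:
        reasons.append(f"interpreter launched by task: {exe}")
        if USER_WRITABLE.search(cmd):
            reasons.append("interpreter lives in a user-writable directory")
    interval = task.get("repeat_minutes", 0)
    if interval and interval <= 15:
        reasons.append(f"short repetition interval: {interval} min")
    return reasons


# Constructed sample data (hypothetical names, not indicators taken from the report).
SAMPLE_DRIVE = [
    ("Reports", True, False),
    ("Reports/Q3 budget.xlsx.lnk", False, False),
    (".sysdata", True, True),
    ("Photos/trip.jpg", False, False),
]
SAMPLE_TASK = {"name": "USBSpeedMonitor",
               "command": r"C:\Users\user\AppData\Roaming\USBSpeedMon\bin\ruby.exe",
               "repeat_minutes": 5}

if __name__ == "__main__":
    for finding in audit_removable_drive(SAMPLE_DRIVE) + audit_scheduled_task(SAMPLE_TASK):
        print("[!]", finding)
```

Feed `audit_removable_drive` a listing produced by walking a mounted drive with its hidden attribute preserved, and `audit_scheduled_task` the action path and repetition trigger exported from the Task Scheduler, to apply the same checks to live data.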
“VirusTask complements ThumbsBD to form a complete air-gap attack toolkit. While ThumbsBD handles C&C communication and data exfiltration, VirusTask ensures the malware spreads to new systems through social engineering by replacing legitimate files with malicious shortcuts that victims trust and execute,” Zscaler explains.
The security firm also observed ThumbsBD deploying FootWine, an encrypted Android package file containing a shellcode launcher with surveillance capabilities, such as keystroke logging and audio and video capturing.
FootWine supports various surveillance-related commands, including file manipulation, shell management, and registry and process manipulation.
“ThumbsBD and VirusTask weaponize removable media to bypass network isolation and infect air-gapped systems. To maintain a strong security posture, the security community should focus on monitoring endpoint activity and physical access points to counter this threat and other campaigns led by APT37,” Zscaler notes.