APT37’s Ruby Jumper: Bridging Air-Gapped Networks with Modular Malware
APT37, a threat group known for inventive cyber-espionage tooling, has raised the stakes with its Ruby Jumper campaign, an operation aimed squarely at networks that rely on air-gapping for protection. By weaponizing ordinary USB drives, APT37's malware suite covertly bridges the divide between internet-connected and physically isolated systems, using removable media as a command-and-control (C2) relay. This is not a theoretical risk: the campaign has been observed using a legitimate cloud service, Zoho WorkDrive, for initial C2 and payload delivery, then pivoting to USB-based propagation to reach hosts that never touch the internet.
What sets Ruby Jumper apart is its modular design and technical finesse. The attackers deploy a full Ruby runtime disguised as a legitimate utility, which lets them adapt quickly and run surveillance and exfiltration modules as ordinary Ruby scripts. With tactics ranging from hidden directories and malicious shortcuts to decoy documents and conditional execution, APT37 shows a clear understanding of both the human and the technical defenses it has to get past. The decoy content, aimed at readers interested in North Korean media narratives, shows that the lures are tailored to the intended victims, so the social-engineering side of the campaign matters as much as the tooling.
How Ruby Jumper Bridges the Air Gap: Malware Tactics and Technical Wizardry
Exploiting Removable Media as a Covert Communication Channel
APT37’s Ruby Jumper campaign demonstrates a sophisticated approach to bridging air-gapped networks—systems physically isolated from the internet and other external networks—by leveraging removable storage devices as covert communication channels. The malware suite transforms USB drives into bidirectional command-and-control (C2) relays, enabling both the delivery of attacker instructions and the exfiltration of sensitive data from isolated environments.
The infection process is initiated when a compromised system, typically internet-connected, receives a malicious Windows shortcut (LNK) file. Upon execution, this LNK file triggers a PowerShell script that extracts embedded payloads and launches a decoy document to distract the victim. The script loads the initial implant, RESTLEAF, which communicates with the attacker’s C2 infrastructure using cloud-based services such as Zoho WorkDrive. This cloud-based communication is critical for staging the next steps of the attack, but the true innovation lies in how subsequent malware modules manipulate USB drives to traverse the air gap.
The THUMBSBD and VIRUSTASK components are central to this bridging strategy. THUMBSBD is responsible for collecting system information, staging command files, and preparing exfiltrated data. It creates hidden directories on detected USB drives, copying files to these concealed locations. VIRUSTASK, on the other hand, weaponizes removable drives by hiding legitimate files and replacing them with malicious shortcuts that execute embedded Ruby interpreters when opened on new hosts. This process ensures that the infection can propagate to other air-gapped machines when the same USB drive is used, provided it has at least 2GB of free space.
Table 1: Key Malware Modules and Their Functions
| Module | Primary Function | Role in Air-Gap Bridging |
|---|---|---|
| RESTLEAF | Initial implant, C2 communication via cloud | Stages next payloads |
| SNAKEDROPPER | Ruby-based loader, sets up Ruby runtime | Prepares environment for further tools |
| THUMBSBD | Collects data, stages commands, creates hidden USB dirs | Enables covert data transfer |
| VIRUSTASK | Spreads infection via USB, weaponizes drives | Propagates malware to air-gapped hosts |
| FOOTWINE | Windows spyware/backdoor, surveillance | Maintains persistence and control |
This modular approach allows APT37 to maintain a persistent, covert channel between internet-connected and isolated systems, bypassing traditional network security controls designed to enforce physical or logical separation.
Multi-Stage Payload Delivery and Ruby Runtime Deployment
A notable technical feat of Ruby Jumper is its use of multi-stage payload delivery, culminating in the deployment of a full Ruby 3.3.0 runtime on the target system. The runtime is disguised as a legitimate USB utility (usbspeed.exe), which draws little suspicion during installation. The loader, SNAKEDROPPER, replaces the RubyGems defaults file operating_system.rb (rubygems/defaults/operating_system.rb) with a maliciously modified version. RubyGems requires that file during its own initialization if it exists, and Ruby loads RubyGems at startup unless it is run with --disable-gems, so the implant executes every time the interpreter is launched without any modification to the interpreter binary itself. The same hook is used legitimately by distribution packagers to set platform-specific gem defaults, which is why the mere presence of the file is not an indicator; its contents are.
The deployment process is orchestrated as follows:
- RESTLEAF fetches encrypted shellcode from the C2 server.
- The shellcode downloads and installs SNAKEDROPPER, which sets up the Ruby runtime.
- SNAKEDROPPER replaces core Ruby files with malicious versions.
- Scheduled tasks (e.g., rubyupdatecheck) ensure persistence by executing the malware every five minutes.
This approach lets the attackers exploit the flexibility of Ruby, so additional malicious modules can be written and deployed quickly as plain scripts rather than compiled binaries. Ruby is rare on Windows endpoints compared with PowerShell or JScript, so far fewer signatures and behavioral rules target it, which helps the toolkit slip past conventional endpoint security.
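The persistence mechanics described above (a scheduled task with a short repetition interval launching a disguised interpreter, plus a hooked rubygems/defaults/operating_system.rb) can be hunted on a host directly from the artifacts they leave behind. The following Python script is an added example written for this page; it is not code from the campaign or from any vendor's tooling. It parses Task Scheduler XML in the form Windows stores under %SystemRoot%\System32\Tasks, flags tasks whose trigger repeats more often than a threshold and whose action runs from a user-writable location or invokes Ruby, and inspects an operating_system.rb file for code that would execute at interpreter start. The task name rubyupdatecheck and the usbspeed.exe name come from the description above; the sample XML, the victim profile path, main.rb and both Ruby snippets are constructed for the example.

```python
"""Hunt Ruby Jumper-style persistence on a Windows host (added example).

Check 1: Task Scheduler XML whose trigger repeats at a short interval and
whose action runs from a user-writable path or invokes Ruby.  Check 2: a
rubygems/defaults/operating_system.rb carrying code RubyGems would run on
every ruby start.  The XML and Ruby text below are constructed samples; the
victim path, main.rb and the Ruby snippets are hypothetical.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|Temp|Downloads|ProgramData)\\", re.I)
# Ruby constructs that have no business in a packager's gem-defaults file.
RISKY_RUBY = re.compile(
    r"(?<![\w.])(?:system|spawn|exec|eval|instance_eval|load|Thread\.new|IO\.popen"
    r"|Process\.(?:fork|spawn|daemon)|Base64\.decode64)\b")


def parse_duration(text: str) -> int:
    """ISO 8601 duration as Task Scheduler writes it (PT5M, P1DT2H) -> seconds."""
    m = ISO_DURATION.match(text or "")
    if not m:
        return 0
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def audit_task(xml_text: str, max_interval_s: int = 15 * 60) -> list:
    """Return the reasons a task looks like a beacon (empty list = nothing found).

    Task files under %SystemRoot%\\System32\\Tasks are UTF-16; read them as
    text and drop the declaration, which expat rejects when fed a str.
    """
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1).lstrip())
    reasons = []
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = parse_duration(interval.text)
        if 0 < secs <= max_interval_s:
            reasons.append(f"repeats every {secs}s")
    for exe in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (exe.findtext("t:Command", "", NS) or "").strip()
        args = (exe.findtext("t:Arguments", "", NS) or "").strip()
        if USER_WRITABLE.search(cmd):
            reasons.append(f"runs from user-writable path: {cmd}")
        if re.search(r"\.rb\b|\bruby", f"{cmd} {args}", re.I):
            reasons.append(f"invokes Ruby: {cmd} {args}".strip())
    return reasons


def audit_operating_system_rb(source: str) -> list:
    """Lines of rubygems/defaults/operating_system.rb that execute something.

    Distribution packagers ship a benign version of this file to set gem
    defaults, so its presence proves nothing; what it does is the signal.
    """
    return [f"line {n}: {line.strip()}" for n, line in enumerate(source.splitlines(), 1)
            if not line.lstrip().startswith("#") and RISKY_RUBY.search(line)]


# --- constructed samples (layout mirrors what Windows writes; names hypothetical) ---
SAMPLE_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\rubyupdatecheck</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\victim\\AppData\\Roaming\\usbspeed\\usbspeed.exe</Command>
      <Arguments>C:\\Users\\victim\\AppData\\Roaming\\usbspeed\\main.rb</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_OS_RB = """# packager defaults
Gem::ConfigFile::PLATFORM_DEFAULTS["gem"] = "--no-document"
"""
MALICIOUS_OS_RB = """Gem::ConfigFile::PLATFORM_DEFAULTS["gem"] = "--no-document"
Thread.new { load File.join(ENV["APPDATA"], "usbspeed", "main.rb") }
"""

if __name__ == "__main__":
    print("task:", audit_task(SAMPLE_TASK))
    print("benign operating_system.rb:", audit_operating_system_rb(BENIGN_OS_RB))
    print("hooked operating_system.rb:", audit_operating_system_rb(MALICIOUS_OS_RB))
```

Against real hosts, feed `audit_task` the text of each file under the Tasks directory (opened with encoding utf-16) and `audit_operating_system_rb` every rubygems/defaults/operating_system.rb found under the Ruby installations present, including any under a user's profile. Treat a task that trips both the interval check and the path or Ruby check as worth pulling; plenty of legitimate software repeats tasks hourly from Program Files, which is why neither check is decisive on its own.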
Table 2: Multi-Stage Payload Delivery Sequence
| Stage | Component | Action Taken |
|---|---|---|
| 1 | RESTLEAF | Fetches shellcode, initiates C2 communication |
| 2 | SNAKEDROPPER | Installs Ruby runtime, modifies core files |
| 3 | THUMBSBD/VIRUSTASK | Deployed as Ruby scripts, establish USB-based C2 relay |
| 4 | Scheduled Tasks | Maintain persistence and periodic execution |
Once the initial breach has occurred, this layering lets the attackers keep a foothold and keep moving data across the air gap with little risk of detection.
Concealment and Evasion Techniques in Air-Gapped Environments
Ruby Jumper employs a range of concealment and evasion tactics tailored to the constraints of air-gapped environments. On the isolated side there is no network traffic for an IDS or proxy log to inspect, so the malware's observable footprint is limited to file system changes and shortcut files, and it relies on stealthy file manipulation and deceptive user interface elements to avoid discovery.
Key evasion strategies include:
- Hidden Directories and Files: THUMBSBD creates hidden directories on USB drives and stores exfiltrated data and command files there, where a user browsing the drive with default Explorer settings will not see them. The hidden attribute does not stop antivirus scanning, but the staged files are data rather than executables, so signature scanning has little to match.
- Malicious Shortcuts: VIRUSTASK replaces legitimate files on removable media with malicious shortcuts, ensuring that the infection process is triggered only when the shortcut is executed on a new host.
- Decoy Documents: The initial PowerShell script launches a decoy document (e.g., an Arabic translation of a North Korean newspaper article), distracting the victim from the underlying malicious activity.
- Conditional Execution: The malware checks for specific conditions, such as the presence of at least 2GB of free space on the USB drive, before initiating the infection process, reducing the likelihood of accidental activation or detection on unsuitable devices.
These tactics are designed to maximize the malware’s dwell time within the target environment, allowing APT37 to conduct prolonged surveillance and data theft operations without triggering alarms.
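The hide-and-replace pattern VIRUSTASK uses on removable media (original file marked hidden, a same-named .lnk left in its place, a hidden staging directory alongside) is visible to anyone who reads the drive without trusting Explorer's defaults, and the same shortcut parsing applies to the LNK lure that starts the infection on the connected host. The Python script below is an added example written for this page, not tooling from the campaign or from any vendor. It contains a minimal parser for the Shell Link (MS-SHLLINK) format that recovers the local target path from the LinkInfo structure and the relative path and command-line arguments from the StringData section, and a triage routine that scores a drive listing. `build_lnk` exists only to construct sample shortcuts for `demo`; the directory name cache, the file names and the command line in `demo` are hypothetical, and `LAUNCHERS` is a starting list of interpreters, not indicators taken from the campaign.

```python
"""Triage a removable drive for Ruby Jumper-style weaponisation (added example).

Finds hidden directories, hidden files shadowed by a visible <name>.lnk sibling,
and what those shortcuts launch, via a minimal MS-SHLLINK parser.  build_lnk only
assembles constructed shortcut bytes for demo(); nothing here was recovered from
the campaign and every name in demo() is hypothetical.
"""
import os
import struct
from collections import namedtuple

LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")  # HeaderSize + LinkCLSID
HAS_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"),
               (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")]            # StringData order
FILE_ATTRIBUTE_HIDDEN = 0x02
LAUNCHERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
             "rundll32.exe", "ruby.exe", "rubyw.exe"}    # starting list, not campaign indicators
LEGIT_HIDDEN = {"system volume information", "$recycle.bin"}   # normal hidden dirs on Windows volumes
Entry = namedtuple("Entry", "name hidden is_dir data", defaults=[b""])   # data: .lnk bytes only


def _cstr(data: bytes, off: int) -> bytes:
    return data[off:data.index(b"\x00", off)]       # NUL-terminated ANSI string

def parse_lnk(data: bytes) -> dict:
    """Recover the local target path and StringData fields from a .lnk (MS-SHLLINK)."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags, pos = struct.unpack_from("<I", data, 20)[0], 76      # pos: end of ShellLinkHeader
    if flags & HAS_IDLIST:                                      # skip LinkTargetIDList by its size
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    out = {"target": ""}
    if flags & HAS_LINK_INFO:
        size, _, li_flags, _, base_off, _, suffix_off = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x1:                                      # VolumeIDAndLocalBasePath present
            path = _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)
            out["target"] = path.decode("cp1252", "replace")
        pos += size
    for bit, key in STRING_DATA:                                # each field: char count, then chars
        out[key] = ""
        if flags & bit:
            n, width = struct.unpack_from("<H", data, pos)[0], (2 if flags & IS_UNICODE else 1)
            out[key] = data[pos + 2:pos + 2 + n * width].decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + n * width
    return out

def build_lnk(target: str, arguments: str = "", relative_path: str = "") -> bytes:
    """Assemble a minimal Unicode Shell Link with a LinkInfo local path (constructed sample only)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGS if arguments else 0) | (HAS_REL_PATH if relative_path else 0)
    header = LNK_MAGIC + struct.pack("<II", flags, 0) + bytes(24) + struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 17, 2, 0, 16) + b"\x00"   # VolumeID: DRIVE_REMOVABLE, empty label
    base = target.encode("cp1252") + b"\x00"
    li_size = 28 + len(volume_id) + len(base) + 1              # header, VolumeID, LocalBasePath, "" suffix
    link_info = struct.pack("<7I", li_size, 28, 0x1, 28, 28 + len(volume_id), 0, li_size - 1)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")   # one StringData field
    return (header + link_info + volume_id + base + b"\x00"
            + (sd(relative_path) if relative_path else b"") + (sd(arguments) if arguments else b""))

def collect_entries(root: str) -> list:
    """Top-level listing of a mounted drive; hidden from the Windows attribute (dot-name elsewhere)."""
    entries = []
    for e in os.scandir(root):
        attrs = getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
        hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN) or e.name.startswith(".")
        data = open(e.path, "rb").read() if e.is_file() and e.name.lower().endswith(".lnk") else b""
        entries.append(Entry(e.name, hidden, e.is_dir(), data))
    return entries

def triage(entries: list) -> list:
    """Return (severity, message) findings for one drive listing."""
    findings, by_name = [], {e.name.lower(): e for e in entries}
    for e in entries:
        if e.is_dir and e.hidden and e.name.lower() not in LEGIT_HIDDEN:
            findings.append(("medium", f"hidden directory '{e.name}' (possible staging area)"))
        if e.is_dir or not e.name.lower().endswith(".lnk"):
            continue
        try:
            lnk = parse_lnk(e.data)
        except ValueError:
            continue                                              # not a real shortcut; skip
        launcher = lnk["target"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        shadowed = by_name.get(e.name[:-4].lower())               # 'x.docx.lnk' beside hidden 'x.docx'?
        cmdline = f"{lnk['target'] or lnk['relative_path']} {lnk['arguments']}".strip()
        if shadowed is not None and shadowed.hidden:
            findings.append(("high", f"'{e.name}' shadows hidden '{shadowed.name}' and runs: {cmdline}"))
        elif launcher in LAUNCHERS or lnk["arguments"]:
            findings.append(("medium", f"'{e.name}' runs: {cmdline}"))
    return findings

def demo() -> list:
    """Constructed listing mirroring the hide-and-replace pattern (all names hypothetical)."""
    bad = build_lnk("C:\\Windows\\System32\\cmd.exe", '/c start "" "cache\\usbspeed.exe" "cache\\main.rb"')
    return triage([Entry("System Volume Information", True, True), Entry("cache", True, True),
                   Entry("Q3 report.docx", True, False), Entry("Q3 report.docx.lnk", False, False, bad),
                   Entry("photo.jpg", False, False)])
```

On a real drive, `triage(collect_entries("E:\\"))` does the same over the volume root, with the hidden flag taken from the Windows file attribute where the platform exposes it. Shortcuts written by Explorer also carry a LinkTargetIDList, which the parser skips by size, and may carry ExtraData blocks such as EnvironmentVariableDataBlock after the StringData, which it does not read; a shortcut whose target resolves only through an environment variable therefore shows up with an empty target and non-empty arguments, which is itself worth a second look.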
Command and Control Infrastructure Leveraging Cloud Services
A distinguishing feature of the Ruby Jumper toolkit is its use of legitimate cloud services as part of its C2 infrastructure. RESTLEAF, the initial implant, communicates with APT37’s C2 servers using Zoho WorkDrive, a widely used cloud storage and collaboration platform. This choice offers several advantages:
- Blending with Legitimate Traffic: By using a trusted cloud service, malicious communications are less likely to be flagged by network monitoring tools or firewalls.
- Global Accessibility: The cloud C2 channel is reachable from any internet-connected host, and the air-gapped side takes part indirectly: commands fetched from the cloud are staged onto the USB drive, and exfiltrated data rides the same drive back to a connected host that uploads it.
- Encrypted Data Transfer: Traffic to the cloud platform is ordinary TLS to a legitimate SaaS domain, so without TLS inspection defenders see only that a host talks to Zoho WorkDrive, and even with inspection the uploads look like routine file synchronization.
The use of scheduled tasks to periodically check for new commands or upload exfiltrated data gives the attackers near-real-time control over the internet-connected host. On the isolated side, control latency is bounded by how often the USB drive travels between the two networks, since every command and every batch of stolen data has to make that physical trip. This hybrid approach, combining cloud-based C2 for the connected host with USB-based relays for air-gapped communication, demonstrates a high level of operational sophistication.
Table 3: C2 Communication Methods
| Method | Used By | Purpose | Detection Difficulty |
|---|---|---|---|
| Zoho WorkDrive | RESTLEAF | Initial C2, payload staging | High |
| USB-based relay | THUMBSBD/VIRUSTASK | Air-gap bridging, command/data transfer | Very High |
| Scheduled Tasks | All modules | Persistence, periodic execution | Moderate |
This infrastructure allows APT37 to adapt to varying network conditions and maintain robust control over both connected and isolated systems.
Modular Architecture and Adaptability for Targeted Operations
The Ruby Jumper toolkit is characterized by its modular architecture, enabling APT37 to tailor its operations to specific target environments and objectives. Each module—RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE—performs a distinct function, but they are designed to operate in concert, providing flexibility and resilience against detection or remediation efforts.
- RESTLEAF acts as the initial foothold and C2 communicator.
- SNAKEDROPPER sets up the Ruby environment, enabling the execution of further modules.
- THUMBSBD and VIRUSTASK handle data collection, exfiltration, and lateral movement via USB.
- FOOTWINE provides advanced surveillance capabilities, including keylogging, screenshot capture, audio and video recording, file manipulation, registry access, and remote shell commands.
This modularity allows APT37 to rapidly adapt the toolkit for different targets, update individual components as needed, and deploy only the necessary functionality to minimize the risk of detection. The use of Ruby as the primary scripting language further enhances this adaptability, given its extensibility and the relative scarcity of Ruby-based malware in the wild.
Table 4: Modular Capabilities of Ruby Jumper
| Module | Surveillance | Data Exfiltration | Lateral Movement | Persistence | C2 Communication |
|---|---|---|---|---|---|
| RESTLEAF | No | No | No | Yes | Yes |
| SNAKEDROPPER | No | No | No | Yes | No |
| THUMBSBD | Yes | Yes | No | Yes | Yes |
| VIRUSTASK | No | Yes | Yes | Yes | Yes |
| FOOTWINE | Yes | Yes | No | Yes | Yes |
The campaign’s targeting of individuals interested in North Korean media narratives, as evidenced by the content of decoy documents, further underscores the precision with which APT37 can deploy and configure the Ruby Jumper toolkit for maximum effect in high-value, air-gapped environments.
Final Thoughts
Ruby Jumper is a wake-up call for anyone who believes air-gapped networks are immune to modern cyber threats. APT37’s campaign showcases how attackers can blend technical ingenuity with social engineering, leveraging both cloud infrastructure and physical media to maintain persistent, covert access to high-value targets. The use of a modular, Ruby-based toolkit not only complicates detection but also allows for rapid evolution in response to defensive measures. As organizations increasingly rely on air-gapped systems to protect their most sensitive data, understanding and mitigating these advanced tactics is more critical than ever.
Defenders must rethink traditional boundaries and invest in layered security strategies that account for both digital and physical vectors. Concretely, that means auditing and restricting removable media use between security zones, watching for the file system patterns this campaign produces (documents turned hidden with a same-named .lnk beside them, new hidden directories on USB volumes, Ruby interpreters under user profile directories, scheduled tasks firing every few minutes), and teaching users that a shortcut that looks like their own document is a warning sign. These steps are essential to staying ahead of sophisticated adversaries like APT37.
References
- BleepingComputer. (2026). APT37 hackers use new malware to breach air-gapped networks. https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/