APT37 Hackers Use New Malware To Breach Air-Gapped Networks (2026)
North Korean hackers are deploying newly uncovered tools to move data between internet-connected and air-gapped systems, spread via removable drives, and conduct covert surveillance.
The malicious campaign has been named Ruby Jumper and is attributed to the state-backed group APT37, also known as ScarCruft, Ricochet Chollima, and InkySquid.
Air-gapped computers are disconnected from external networks, especially the public internet. Physical isolation is achieved at the hardware level by removing all connectivity (Wi-Fi, Bluetooth, Ethernet), while logical segregation relies on various software-defined controls, like VLANs and firewalls.
In a physical air-gap environment, typical in critical infrastructure, military, and research sectors, data transfer is done through removable storage drives.
Researchers at cloud security company Zscaler analyzed the malware employed in APT37's Ruby Jumper campaign and identified a toolkit of five malicious tools: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE.
The infection chain begins when the victim opens a malicious Windows shortcut file (LNK), which deploys a PowerShell script that extracts payloads embedded in the LNK file. To divert attention, the script also launches a decoy document.
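An LNK that carries its own payloads and hands off to PowerShell leaves two static traces a defender can look for without executing anything: a command line that names PowerShell, and bytes appended past the end of the documented Shell Link structure. The triage script below is an added example, not Zscaler's or BleepingComputer's code; it walks the MS-SHLLINK layout, reports the target and arguments, and measures any trailing overlay. The `build_sample_lnk` helper fabricates a test file for illustration (the paths and arguments in it are constructed, not taken from the campaign), and the 4096-byte overlay threshold is an assumed tuning value.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections appear in this fixed order, each gated by a LinkFlags bit.
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk(data: bytes) -> dict:
    """Walk the MS-SHLLINK layout; return string fields plus trailing overlay size."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, pos, fields = struct.unpack_from("<I", data, 20)[0], 76, {}
    if flags & HAS_IDLIST:          # IDListSize (2 bytes) + ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:        # LinkInfoSize covers the whole LinkInfo block
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, name in STRING_FLAGS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    while pos + 4 <= len(data):     # ExtraData: blocks until a size < 4 terminator
        size = struct.unpack_from("<I", data, pos)[0]
        pos += 4
        if size < 4:
            break
        pos += size - 4
    fields["overlay_bytes"] = max(0, len(data) - pos)
    return fields

def triage(data: bytes, overlay_threshold: int = 4096) -> list:
    """Return findings for one .lnk; an empty list means no flagged trait."""
    f, findings = parse_lnk(data), []
    cmd = (f.get("relative_path", "") + " " + f.get("arguments", "")).strip().lower()
    if "powershell" in cmd or "pwsh" in cmd:
        findings.append("launches PowerShell: " + cmd)
    if f["overlay_bytes"] > overlay_threshold:
        findings.append(f"{f['overlay_bytes']} bytes appended after the link structure")
    return findings

def build_sample_lnk(overlay: bytes) -> bytes:
    """Constructed input, not a real sample: a Unicode LNK that targets PowerShell,
    followed by `overlay` bytes standing in for an embedded payload."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE) + bytes(52)
    def s(t): return struct.pack("<H", len(t)) + t.encode("utf-16-le")
    return (header + s("..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
            + s("-NoProfile -File loader.ps1") + bytes(4) + overlay)
```

Run `triage(open(path, "rb").read())` over shortcut files arriving by mail or on removable media; a legitimate shortcut parses cleanly to an overlay of zero bytes.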
Although the researchers did not specify any victims, they note that the document is an Arabic translation of a North Korean newspaper article about the Palestine-Israel conflict.
The PowerShell script loads the first malware component, called RESTLEAF, an implant that communicates with APT37's command-and-control (C2) infrastructure using Zoho WorkDrive.
RESTLEAF fetches encrypted shellcode from the C2 to download the next-stage payload, a Ruby-based loader named SNAKEDROPPER.
The attack continues by installing the Ruby 3.3.0 runtime environment (complete with the interpreter, standard libraries, and gem infrastructure), disguised as a legitimate USB-related utility named usbspeed.exe.
Source: BleepingComputer