Ruby Jumper: ScarCruft takes advantage of LNK, PowerShell and cloud to infiltrate isolated networks

5 min read

The security community has recently turned its attention back to a North Korea-linked group known as ScarCruft or APT37. Zscaler researchers documented a complex, carefully built campaign they named "Ruby Jumper" which, according to the report published in late 2025, combines traditional social engineering with modern tricks: the use of legitimate cloud services as a command-and-control channel and a notable strategy for bridging isolated networks via removable media.

The attack begins with something that can easily go unnoticed: a malicious LNK file. When opened, it runs a PowerShell chain that not only attempts to persist but also extracts several binaries and scripts embedded within the shortcut itself. Among these elements is a decoy document (in one case, an article translated into Arabic on the Israeli-Palestinian conflict) and several components that activate in a chain to carry the intrusion into ever deeper stages.


One of the most striking components is an executable the researchers called RESTLEAF. This binary runs in memory and, for the first time in campaigns attributed to this actor, uses Zoho WorkDrive as a C2 (command and control) mechanism. RESTLEAF authenticates to the service with a valid token, downloads shellcode hosted there and injects it into processes to run later stages without leaving many traces on disk.

The use of cloud storage platforms as a C2 vector is not new, but it is notable that persistent threat actors are beginning to exploit less widely used services to stay under the radar. For the technical analysis and evidence published by the discoverers, the Zscaler report is available on its research blog, and Zoho WorkDrive's official page helps to understand the service that was abused in the attack.

After the initial execution, RESTLEAF deploys an installer the researchers named SNAKEDROPPER. This component sets up a self-contained Ruby runtime on the compromised machine, establishes persistence through a scheduled task and drops several modules written in Ruby, including THUMBSBD and VIRUSTASK. This Ruby "mini-platform" lets operators run advanced capabilities even on systems that never had Ruby installed.

THUMBSBD is probably the component that should most concern security operations teams. It ships as a Ruby file, and its specialty is spreading between Internet-connected systems and isolated (air-gapped) equipment via USB drives and other removable media. When it detects a removable drive, it creates hidden folders to store commands issued by the operators or to drop results that a network-connected machine later collects.

From this position, THUMBSBD can collect system information, download additional payloads from remote servers, exfiltrate files and execute arbitrary commands. One of the secondary binaries it installs is FOOTWINE, an encrypted payload that includes a shellcode launcher and surveillance features: keylogging, audio and video capture, and communication with a C2 server through a custom binary protocol over TCP. In addition, the campaign also spreads a backdoor known as BLUELIGHT, which has been linked to this actor for years and which likewise abuses cloud providers (Google Drive, OneDrive, pCloud, Backblaze) to receive commands and transfer files.

VIRUSTASK, on the other hand, follows the same Ruby pattern and focuses specifically on turning removable drives into infection vectors for off-network systems. While THUMBSBD acts as the operational arm (execution and exfiltration), VIRUSTASK seeks to maximize the ability of USB sticks to carry malware into network segments that are isolated by design.

What stands out in this case is the combination of familiar methods with modern resources: human decoys (fake documents), abuse of Windows administrative functionality through PowerShell and LNK files, in-memory payloads to avoid disk artifacts, and the use of cloud services as legitimate-looking conduits. The result is a multi-stage attack chain designed to be resilient and difficult to eradicate without a coordinated response.

From a defensive point of view, several points deserve attention: monitoring and analysing unusual behavior of processes that run PowerShell or manipulate LNK files; monitoring the use of tokens and access to cloud storage APIs; strictly controlling policies and access for removable media; and disabling automatic execution wherever possible. It is also essential that SOC and incident response teams combine memory and network telemetry in their detections to identify communications with cloud services that are not common in the organization.
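As an added illustration of the detections recommended above (example code written for this article, not Zscaler's tooling or anything from the report), the following Python pass applies two of those checks to a handful of Sysmon-style events constructed inline: PowerShell spawned by explorer.exe with hidden, bypass or encoded-command flags, and DNS lookups for cloud-storage providers the organisation has not sanctioned. The event fields, host suffixes and allowlist are assumptions for the demo.

```python
"""Toy detection pass over constructed Sysmon-style telemetry.

Added example, not code from Zscaler or from the article. It applies two of
the defensive checks described above to sample events constructed inline:

  1. PowerShell launched by explorer.exe (the usual parent when a user
     double-clicks a .lnk) with flags that hide the window, skip the profile,
     bypass the execution policy or carry an encoded command.
  2. DNS lookups for cloud-storage hosts that are not on the organisation's
     allowlist, attributed to the process that made them.

The event shapes, host suffixes and allowlist are assumptions for the demo;
a real deployment would read them from the SIEM and the org's own policy.
"""
import re
from dataclasses import dataclass

# Flags common in LNK-delivered PowerShell one-liners (constructed pattern,
# case-insensitive): -w hidden / -windowstyle hidden, -nop / -noprofile,
# -ep bypass / -exec bypass / -executionpolicy bypass, and -e / -enc /
# -encodedcommand followed by a base64 blob.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"(?i)-(?:w(?:indowstyle)?\s+hidden"
    r"|nop(?:rofile)?\b"
    r"|e(?:xec(?:utionpolicy)?|p)\s+bypass"
    r"|e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,})"
)

# Cloud-storage hostnames for the providers named in the report, mapped to a
# provider label. Assumed suffixes for the demo; confirm against your own DNS data.
CLOUD_STORAGE_HOSTS = {
    "Zoho WorkDrive": "workdrive.zoho.com",
    "Google Drive": "drive.google.com",
    "OneDrive": "onedrive.live.com",
    "pCloud": "pcloud.com",
    "Backblaze": "backblazeb2.com",
}


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str
    user: str


@dataclass
class DnsEvent:
    image: str          # process that issued the query
    query: str          # hostname looked up
    user: str


def lnk_powershell_alerts(events):
    """Return (user, matched_flag) for PowerShell started by explorer.exe with
    suspicious flags. The explorer.exe parent scopes the rule to the
    double-clicked-shortcut pattern described in the article."""
    alerts = []
    for ev in events:
        if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        if not ev.parent_image.lower().endswith("explorer.exe"):
            continue
        match = SUSPICIOUS_PS_FLAGS.search(ev.command_line)
        if match:
            alerts.append((ev.user, match.group(0).strip()))
    return alerts


def cloud_storage_alerts(events, allowed_providers):
    """Return (user, image, provider, host) for lookups of cloud-storage hosts
    whose provider the organisation has not sanctioned."""
    alerts = []
    for ev in events:
        host = ev.query.lower().rstrip(".")   # strip a trailing FQDN dot
        for provider, suffix in CLOUD_STORAGE_HOSTS.items():
            if host == suffix or host.endswith("." + suffix):
                if provider not in allowed_providers:
                    alerts.append((ev.user, ev.image, provider, host))
                break
    return alerts


# Constructed sample telemetry (not real events from the campaign).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(PS, r"C:\Windows\explorer.exe",
                 "powershell.exe -w hidden -nop -ep bypass -c Get-Date",
                 r"CORP\analyst"),                       # LNK-style launch
    ProcessEvent(PS, r"C:\Windows\explorer.exe",
                 "powershell.exe -NoExit -Command Get-Date",
                 r"CORP\admin"),                         # interactive, no bypass flags
    ProcessEvent(PS, r"C:\Windows\System32\cmd.exe",
                 "powershell.exe -enc QUFBQUFBQUFBQUFBQUFBQQ==",
                 r"CORP\svc"),                           # not from explorer.exe: out of scope
    ProcessEvent(PS, r"C:\Windows\explorer.exe",
                 "powershell.exe -EncodedCommand QUFBQUFBQUFBQUFBQUFBQQ==",
                 r"CORP\user"),                          # encoded command from a shortcut
]

SAMPLE_DNS_EVENTS = [
    DnsEvent(r"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
             "onedrive.live.com", r"CORP\analyst"),      # sanctioned provider
    DnsEvent(r"C:\Windows\System32\notepad.exe",
             "workdrive.zoho.com.", r"CORP\analyst"),    # odd process, odd provider
    DnsEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
             "drive.google.com", r"CORP\admin"),         # unsanctioned provider
]

if __name__ == "__main__":
    for alert in lnk_powershell_alerts(SAMPLE_PROCESS_EVENTS):
        print("LNK-style PowerShell:", alert)
    for alert in cloud_storage_alerts(SAMPLE_DNS_EVENTS, {"OneDrive"}):
        print("Unsanctioned cloud storage:", alert)
```

Scoping the first rule to an explorer.exe parent keeps it close to the double-clicked-shortcut pattern; a broader rule would drop that condition and rank alerts by parent instead. The second rule is only as good as its allowlist: a provider the organisation genuinely uses (OneDrive in the sample) must be listed, or every synchronisation client becomes an alert, while a lookup of a storage host from a process that has no business talking to the cloud (notepad.exe above) is the kind of signal that pairs well with memory-injection telemetry.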


For a news summary of the campaign, specialized outlets such as BleepingComputer have also covered the finding and amplified the report's technical conclusions.

Ruby Jumper reminds us that attackers combine technical creativity with known tactics to evade defenses.

The recommendation for managers and security officers is not to underestimate the threat posed by removable drives or the possibility of cloud services being used as a control channel by persistent actors. Early detection, network segmentation, proper credential management and the hardening of execution policies (especially on workstations that handle external documents) remain key measures for mitigating such campaigns.
