ScarCruft uses Zoho WorkDrive and USB malware to infiltrate air-gapped networks

Ravi Lakshmanan, February 27, 2026, Malware / Surveillance

The North Korean threat actor known as ScarCruft is said to be behind a new set of tools, including backdoors that use Zoho WorkDrive for command-and-control (C2) communications to retrieve more payloads, and implants that use removable media to relay commands and penetrate air-gapped networks.

The campaign, codenamed “Ruby Jumper” by Zscaler ThreatLabz, deploys malware families such as RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT to monitor victims’ systems. The cybersecurity company discovered the campaign in December 2025.

“In the Ruby Jumper campaign, when a victim opens a malicious LNK file, it launches a PowerShell command that scans the current directory and locates itself based on file size,” said security researcher Seongsu Park. “The PowerShell script launched by the LNK file then cuts out multiple embedded payloads from a fixed offset within the LNK, including decoy documents, executable payloads, additional PowerShell scripts, and batch files.”

One of the decoy documents used in the campaign displays articles about the Palestinian-Israeli conflict translated into Arabic from a North Korean newspaper.

The three remaining payloads each advance the attack one stage further. The batch script launches PowerShell, which decrypts the embedded payload and loads the shellcode it contains. That shellcode builds a Windows executable named RESTLEAF in memory, and RESTLEAF uses Zoho WorkDrive for C2. This is the first time the threat actor has been observed abusing this cloud storage service in an attack campaign.

Once RESTLEAF has authenticated to the Zoho WorkDrive infrastructure with a valid access token, it downloads shellcode and executes it via process injection, ultimately leading to the deployment of SNAKEDROPPER. SNAKEDROPPER installs the Ruby runtime, establishes persistence through scheduled tasks, and drops THUMBSBD and VIRUSTASK.

THUMBSBD is disguised as a Ruby file and uses removable media to relay commands and transfer data between Internet-connected and air-gapped systems. It can collect system information, download secondary payloads from remote servers, extract files, and execute arbitrary commands. When the presence of removable media is detected, the malware creates hidden folders that it uses to stage operator-issued commands and to store execution output.

One of the payloads delivered by THUMBSBD is FOOTWINE, an encrypted payload with an integrated shellcode launcher that provides keylogging and audio and video capture for surveillance. It communicates with the C2 server using a custom binary protocol over TCP. The complete set of commands supported by this malware is:

  • sm: interactive command shell
  • fm: working with files and directories
  • gm: managing plugins and configuration
  • rm: modifying the Windows registry
  • pm: enumerating running processes
  • dm: taking screenshots and capturing keystrokes
  • cm: performing audio and video monitoring
  • s_d: receiving the contents of a batch script from the C2 server, saving it to the file %TEMP%\SSMMHH_DDMMYYYY.bat, and running it
  • pxm: setting up proxy connections and bidirectional traffic relay
  • [filepath]: loading the specified DLL
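The s_d command's fixed naming convention for the staged batch file is the kind of artifact a file-creation detection can key on. The following is an added example for defenders, not code from the article or from any vendor tooling: it flags .bat files written under a temp directory whose name is a timestamp in the SSMMHH_DDMMYYYY form. Reading the digit groups as seconds, minutes, hours, day, month and year is an assumption taken from the pattern name, the temp-directory hints are an assumption, and the event lines are constructed.

```python
"""Flag batch files under %TEMP% that follow the SSMMHH_DDMMYYYY.bat naming
pattern the article attributes to FOOTWINE's s_d command.

Added example; not part of the article or of any vendor tooling. The mapping
of digit groups to a timestamp and the temp-directory hints are assumptions;
the sample event lines are constructed.
"""
import re
from datetime import datetime
from pathlib import PureWindowsPath
from typing import List

# Two digits each for seconds, minutes, hours, day, month; four for the year.
BATCH_NAME = re.compile(
    r"^(\d{2})(\d{2})(\d{2})_(\d{2})(\d{2})(\d{4})\.bat$", re.IGNORECASE
)
# Assumption: how %TEMP% usually expands on a workstation.
TEMP_DIR_HINTS = ("\\temp\\", "\\tmp\\")


def matches_footwine_batch(path: str) -> bool:
    """True when the file is a timestamp-named .bat inside a temp directory."""
    p = PureWindowsPath(path)
    m = BATCH_NAME.match(p.name)
    if not m:
        return False
    ss, mm, hh, dd, mo, yyyy = (int(x) for x in m.groups())
    try:
        # Reject digit strings that do not decode to a real timestamp (cuts false positives).
        datetime(yyyy, mo, dd, hh, mm, ss)
    except ValueError:
        return False
    lowered = str(p).lower()
    return any(hint in lowered for hint in TEMP_DIR_HINTS)


def flag_file_events(lines: List[str]) -> List[str]:
    """Return the paths from 'FileCreate <path>' event lines that match the pattern."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=1)
        if len(parts) == 2 and parts[0] == "FileCreate" and matches_footwine_batch(parts[1]):
            hits.append(parts[1])
    return hits


# Constructed file-creation events: one true hit, one ordinary script, one
# matching name outside a temp directory, one name that is not a valid time.
SAMPLE_EVENTS = [
    r"FileCreate C:\Users\demo\AppData\Local\Temp\051423_27022026.bat",
    r"FileCreate C:\Users\demo\AppData\Local\Temp\setup.bat",
    r"FileCreate C:\Users\demo\Desktop\051423_27022026.bat",
    r"FileCreate C:\Users\demo\AppData\Local\Temp\999999_99999999.bat",
]

if __name__ == "__main__":
    for hit in flag_file_events(SAMPLE_EVENTS):
        print("suspicious staged batch file:", hit)
```

Feed it the paths from your endpoint telemetry's file-creation events; a hit is worth pairing with the parent process (the s_d command runs the file immediately after writing it) before treating it as a confirmed FOOTWINE artifact.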

THUMBSBD is also designed to deliver BLUELIGHT, a backdoor that has been attributed to ScarCruft since at least 2021. The malware abuses legitimate cloud providers such as Google Drive, Microsoft OneDrive, pCloud, and BackBlaze as C2 channels, allowing the operators to execute arbitrary commands, enumerate file systems, download additional payloads, upload files, and delete the backdoor.

VIRUSTASK, which is also delivered as a Ruby file, functions similarly to THUMBSBD in that it acts as a removable-media propagation component, spreading the malware to not-yet-infected air-gapped systems. “Unlike THUMBSBD, which handles command execution and exfiltration, VIRUSTASK focuses solely on weaponizing removable media to achieve initial access in air-gapped systems,” Park explained.

“The Ruby Jumper campaign involves a multi-step infection chain that begins with a malicious LNK file and leverages legitimate cloud services (such as Zoho WorkDrive, Google Drive, and Microsoft OneDrive) to deploy a new self-contained Ruby execution environment,” Park said. “Most importantly, THUMBSBD and VIRUSTASK weaponize removable media to bypass network isolation and infect air-gapped systems.”
