APT37 combines cloud storage and USB implants to infiltrate air-gapped systems
2026-3-2 12:38:26 Author: securityaffairs.com

North Korea-linked APT37 used Zoho WorkDrive and USB malware to breach air-gapped networks in the Ruby Jumper campaign.

North Korean group ScarCruft (aka APT37, Reaper, and Group123) deployed new tools in a campaign dubbed Ruby Jumper, using a backdoor that leverages Zoho WorkDrive for C2 and a USB-based implant to breach air-gapped systems. Zscaler ThreatLabz discovered the campaign in December 2025; the attacks relied on multiple malware families to conduct surveillance and deliver additional payloads.

The recent attacks begin with malicious LNK files and deploy multiple newly identified tools, including RESTLEAF and SNAKEDROPPER, to deliver backdoors such as FOOTWINE and BLUELIGHT for surveillance.

Zscaler ThreatLabz mapped the full “Ruby Jumper” attack chain used by North Korea’s APT37. The campaign starts with a malicious LNK file that runs PowerShell and extracts hidden payloads, ultimately loading a backdoor called RESTLEAF in memory. RESTLEAF abuses Zoho WorkDrive for command-and-control, authenticating with hardcoded tokens and downloading shellcode for execution via process injection.

The shellcode deploys SNAKEDROPPER, which installs a rogue Ruby runtime disguised as a USB utility, establishes persistence, and drops additional components. Among them is THUMBSBD, a backdoor designed to bridge air-gapped networks using removable media. It collects system data, stages files for exfiltration, and uses hidden folders on USB drives to pass commands and stolen data between isolated systems.

“THUMBSBD collects system information including hardware diagnostics (dxdiag), running processes, network configuration (ipconfig /all), recursive file system enumeration (complete file tree), and connectivity status via ping tests and netstat.” reads the report published by Zscaler. “THUMBSBD employed several working directories to stage data for exfiltration and for executing backdoor commands. The directories ThreatLabz observed are listed in the table below.”

VIRUSTASK spreads the infection further by replacing files on USB drives with malicious shortcuts, infecting new machines when users click them. Later-stage payloads include FOOTWINE, a surveillance backdoor with keylogging and audio/video capture capabilities, and BLUELIGHT, which leverages cloud services for covert C2 communications.

“THUMBSBD also delivers BLUELIGHT, a previously documented backdoor which leverages several legitimate cloud providers, including Google Drive, Microsoft OneDrive, pCloud, and BackBlaze for its C2 communication.” continues the report. “BLUELIGHT’s backdoor functionalities include executing arbitrary commands, enumerating the file system, downloading additional payloads, uploading files, and self-removal.”

Together, the tools form a sophisticated toolkit for espionage and air-gap compromise.
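Two of the behaviours described above leave footprints an endpoint telemetry pipeline can test for: Explorer launching PowerShell with window-hiding or encoded-command flags (the LNK stage), and `.lnk` files appearing on removable media in place of, or next to, existing documents (the VIRUSTASK propagation pattern). The following is an added example written for this page, not code from Zscaler's report or from the malware; it runs the two heuristics over constructed Sysmon-style process-creation and file-creation events. The removable drive letters, the PowerShell flag patterns, the process name `tool.exe` and every file path are assumptions for the demonstration, not indicators published in the report.

```python
"""Endpoint heuristics for two Ruby Jumper-style behaviours (added example).

 1. explorer.exe spawning PowerShell with hiding/encoding flags, as a
    double-clicked LNK would produce;
 2. a .lnk written to a removable drive whose name shadows a document
    known to exist on that drive (shortcut replacement).

Events are simplified Sysmon records (Event ID 1 and 11); all sample data
below is constructed for the example.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: which drive letters are removable. In production derive this
# from device enumeration (e.g. Win32_LogicalDisk DriveType == 2).
REMOVABLE_DRIVES = {"E:", "F:"}

# Flags typical of LNK-based PowerShell loaders in general; the report does
# not list the exact command line, so this pattern is an assumption.
SUSPICIOUS_PS = re.compile(
    r"(?:-w(?:indowstyle)?\s+hidden"          # hidden window
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"  # base64 payload
    r"|\biex\b|invoke-expression)",           # in-memory execution
    re.I,
)


@dataclass(frozen=True)
class ProcessCreate:          # Sysmon Event ID 1
    image: str
    parent_image: str
    command_line: str


@dataclass(frozen=True)
class FileCreate:             # Sysmon Event ID 11
    image: str                # process that wrote the file
    target_filename: str


def lnk_spawned_powershell(ev: ProcessCreate) -> bool:
    """True when Explorer starts PowerShell with loader-style flags."""
    parent = PureWindowsPath(ev.parent_image).name.lower()
    child = PureWindowsPath(ev.image).name.lower()
    if parent != "explorer.exe" or child not in ("powershell.exe", "pwsh.exe"):
        return False
    return bool(SUSPICIOUS_PS.search(ev.command_line))


def shortcut_replacements(events, baseline):
    """Return (lnk_path, shadowed_doc, writer) for every .lnk written to a
    removable drive whose stem equals the name or stem of a document in the
    same folder. `baseline` is the drive inventory taken when the stick was
    mounted, so the check still fires if the original was deleted first."""
    inventory = {d.upper(): {PureWindowsPath(f) for f in fs}
                 for d, fs in baseline.items()}
    hits = []
    for ev in events:
        if not isinstance(ev, FileCreate):
            continue
        p = PureWindowsPath(ev.target_filename)
        drive = p.drive.upper()
        if drive not in REMOVABLE_DRIVES:
            continue
        files = inventory.setdefault(drive, set())
        if p.suffix.lower() == ".lnk":
            for doc in files:
                if doc.suffix.lower() == ".lnk" or doc.parent != p.parent:
                    continue
                if p.stem.lower() in (doc.name.lower(), doc.stem.lower()):
                    hits.append((str(p), str(doc), ev.image))
        files.add(p)  # keep the inventory current for later events
    return hits


def triage(events, baseline):
    """Run both heuristics and return (rule, detail) alerts."""
    alerts = [("lnk_powershell", ev.command_line)
              for ev in events
              if isinstance(ev, ProcessCreate) and lnk_spawned_powershell(ev)]
    for lnk, doc, writer in shortcut_replacements(events, baseline):
        alerts.append(("usb_shortcut_replacement",
                       f"{lnk} shadows {doc} (written by {writer})"))
    return alerts


# Constructed sample data: one drive inventory and five events.
SAMPLE_BASELINE = {"E:": {r"E:\budget_2026.xlsx", r"E:\notes\meeting.docx"}}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
TOOL = r"C:\Users\user\AppData\Local\Temp\tool.exe"   # assumed implant name
SAMPLE_EVENTS = [
    ProcessCreate(PS, EXPLORER,
                  r'powershell.exe -w hidden -nop -c "iex (Get-Content invitation.lnk -Raw)"'),
    ProcessCreate(PS, EXPLORER, r"powershell.exe -File C:\Scripts\backup.ps1"),  # benign
    FileCreate(TOOL, r"E:\budget_2026.xlsx.lnk"),
    FileCreate(EXPLORER, r"E:\notes\todo.txt"),
    FileCreate(TOOL, r"E:\notes\meeting.lnk"),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(f"[{rule}] {detail}")
```

The baseline inventory matters: if the implant deletes `meeting.docx` before writing `meeting.lnk`, a rule that only inspects the current directory listing sees nothing unusual, whereas the snapshot taken at mount time still exposes the substitution. The benign `-File backup.ps1` launch is included to show the PowerShell rule does not fire on ordinary interactive use.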

ThreatLabz attributes the Ruby Jumper campaign to APT37 with high confidence. The group’s use of LNK-based infection chains combining batch, PowerShell, and encrypted shellcode matches past activity. Previously linked malware like BLUELIGHT, its distinctive two-stage shellcode with custom API hashing, and reliance on cloud services for C2 all align with known tactics. The decoy content also fits APT37’s typical DPRK-focused targeting.

ScarCruft has been active since at least 2012. It made the headlines in early February 2018 when researchers revealed that the APT group had leveraged a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users. Kaspersky first documented the operations of the group in 2016. Cyber attacks conducted by the APT37 group have mainly targeted government, defense, military, and media organizations in South Korea.

“The Ruby Jumper campaign involves a multi-stage infection chain that begins with a malicious LNK file and utilizes legitimate cloud services (like Zoho WorkDrive, Google Drive, Microsoft OneDrive, etc.) to deploy a novel, self-contained Ruby execution environment.” concludes the report. “Most critically, THUMBSBD and VIRUSTASK weaponize removable media to bypass network isolation and infect air-gapped systems. To maintain a strong security posture, the security community should focus on monitoring endpoint activity and physical access points to counter this threat and other campaigns led by APT37.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT37)

Source: https://securityaffairs.com/188767/apt/apt37-combines-cloud-storage-and-usb-implants-to-infiltrate-air-gapped-systems.html