
ScarCruft (APT37) Expands Tactics with Ruby Jumper Campaign Targeting Air-Gapped Networks

5 unique sources, 23 articles

Summary

The **ScarCruft (APT37) Ruby Jumper campaign**, first discovered in **December 2025** and detailed in **February 2026**, marks a **significant expansion of tactics** to breach air-gapped networks and abuse legitimate cloud services for command-and-control (C2). The campaign deploys a **multi-stage infection chain** beginning with a malicious LNK file that drops a decoy document (e.g., an Arabic translation of a North Korean article on the Palestine-Israel conflict), an executable payload (**RESTLEAF**), a PowerShell script, and a batch file. RESTLEAF leverages **Zoho WorkDrive for C2**—the first known instance of ScarCruft using this service—to fetch shellcode, which then deploys **SNAKEDROPPER**. This implant installs a Ruby runtime, establishes persistence via a **scheduled task (`rubyupdatecheck`)** that replaces the RubyGems default file `operating_system.rb`, and drops **THUMBSBD** and **VIRUSTASK**, both designed to **weaponize removable media (USB drives)** for lateral movement into air-gapped systems. THUMBSBD supports **keylogging, audio/video surveillance, and file exfiltration**, while also creating **hidden directories on USB drives** to stage operator commands or store execution output. VIRUSTASK focuses on **initial access propagation** via USB drives, replacing legitimate files with malicious shortcuts that execute the Ruby interpreter when opened. The campaign also delivers **FOOTWINE**, a reconnaissance tool disguised as an APK file that harvests documents and monitors removable drive activity, and **BLUELIGHT**, a backdoor that adapts its C2 mode based on network connectivity (direct cloud communication or USB-based staging). This follows earlier ScarCruft operations, including **ransomware attacks (July 2025)**, **Operation HanKook Phantom (September 2025)**, and the **Contagious Interview campaign (February 2026)**, which targeted developers via malicious repositories and job-themed lures. 
The Ruby Jumper campaign underscores ScarCruft’s **expanded focus on air-gapped infiltration**, combining **cloud abuse with physical media exploitation** to evade network isolation and achieve persistent surveillance with minimal forensic traces. Zscaler ThreatLabz confirmed the use of **six distinct tools** in this campaign, five of which were previously undocumented.

Timeline

  1. 27.02.2026 14:43 3 articles · 1d ago

    ScarCruft Launches Ruby Jumper Campaign with Zoho WorkDrive C2 and USB-Based Air-Gap Breaches

    In **December 2025**, ScarCruft (APT37) launched the **Ruby Jumper campaign**, introducing **new tactics for breaching air-gapped networks** and abusing **Zoho WorkDrive for C2 communication**. The campaign employs a **multi-stage infection chain** starting with a malicious LNK file that drops a **decoy document** (an Arabic translation of a North Korean article on the Palestine-Israel conflict), an executable payload (**RESTLEAF**), a PowerShell script, and a batch file. The batch script triggers PowerShell, which decrypts and loads RESTLEAF in memory. RESTLEAF authenticates with Zoho WorkDrive using a valid access token to fetch shellcode, which is executed via process injection. This leads to the deployment of **SNAKEDROPPER**, which installs a **Ruby runtime environment** (Ruby 3.3.0) disguised as a USB utility (`usbspeed.exe`) and establishes persistence by replacing the RubyGems default file `operating_system.rb` with a malicious version. A scheduled task (`rubyupdatecheck`) ensures execution every five minutes. SNAKEDROPPER then drops two implants, **THUMBSBD** and **VIRUSTASK**, both Ruby-based and designed to **weaponize removable media (USB drives)**:

    - **THUMBSBD** creates hidden directories on USB drives to stage operator commands or store exfiltrated data, turning removable media into a **bidirectional covert C2 relay** for air-gapped systems. It supports **keylogging, audio/video capture, file manipulation, and registry modification**, and can distribute the **BLUELIGHT backdoor**.
    - **VIRUSTASK** acts as a lightweight backdoor that **stages exfiltrated data on USB drives** in hidden or obfuscated form for later retrieval, focusing on **propagating malware to air-gapped systems** via removable media. It replaces legitimate files with malicious shortcuts that execute the Ruby interpreter when opened, but only triggers if the media has **at least 2GB of free space**.

    SNAKEDROPPER also deploys **FOOTWINE**, a reconnaissance and collection utility disguised as an APK file that harvests documents and supports **keylogging, screenshot capture, audio/video recording, file manipulation, and remote shell commands**. The campaign includes **BLUELIGHT**, an encrypted payload with a shellcode launcher that enables **keylogging, audio/video surveillance, and custom TCP-based C2 communication**, adapting its mode based on network connectivity. The campaign was **discovered in December 2025** and **documented by Zscaler ThreatLabz in February 2026**, confirming the use of **six distinct tools**, five of which (**RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE**) were previously undocumented. This represents ScarCruft's first use of **Zoho WorkDrive for C2** and a **dedicated focus on air-gapped infiltration**, combining **cloud abuse with physical media exploitation** to evade network isolation and achieve persistent surveillance. The **decoy document** indicates targeting of individuals interested in North Korean media narratives, aligning with APT37's historical victim profiles.
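The persistence pattern above (a `rubyupdatecheck` task that re-runs the Ruby runtime every five minutes, and a replaced RubyGems `operating_system.rb`) can be triaged offline with the added Python example below; it is not Zscaler's or the campaign's code. It assumes an exported `schtasks /query /fo csv /v` listing and a copy of any `rubygems/defaults/operating_system.rb` collected from the host; the drop path, the sample rows and the placeholder blob are constructed.

```python
"""Offline triage for the Ruby Jumper persistence described above: the scheduled task
that re-runs the Ruby runtime and the replaced RubyGems defaults file."""
import csv
import io
import re

# Indicators quoted from the write-up: the task name, the disguised runtime
# (usbspeed.exe) and any action that hands control to a Ruby interpreter or script.
TASK_NAME_IOC = "rubyupdatecheck"
RUBY_ACTION = re.compile(r"\b(ruby|rubyw|usbspeed)\.exe\b|\.rb\b", re.IGNORECASE)

def _interval_minutes(value):
    """Parse the schtasks 'Repeat: Every' column ('0 Hour(s), 5 Minute(s)' or 'N/A')."""
    m = re.search(r"(\d+) Hour\(s\), (\d+) Minute\(s\)", value)
    return int(m.group(1)) * 60 + int(m.group(2)) if m else None

def suspicious_tasks(schtasks_csv):
    """Flag rows of `schtasks /query /fo csv /v` output that match the indicators."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name, action = row.get("TaskName", ""), row.get("Task To Run", "")
        reasons = []
        if name.lower().endswith(TASK_NAME_IOC):
            reasons.append("task name matches campaign IOC")
        if RUBY_ACTION.search(action):
            reasons.append("action invokes a Ruby interpreter or script")
        interval = _interval_minutes(row.get("Repeat: Every", ""))
        if reasons and interval is not None and interval <= 60:
            reasons.append(f"repeats every {interval} min")
        if reasons:
            hits.append({"task": name, "action": action, "reasons": reasons})
    return hits

# RubyGems requires rubygems/defaults/operating_system on every interpreter start, so
# code in that file runs each time the task fires. A packager hook only adjusts paths.
RUBY_RED_FLAGS = {
    "process execution": re.compile(r"\b(system|spawn|exec|IO\.popen|Open3)\b|`[^`\n]+`"),
    "network access": re.compile(r"\b(Net::HTTP|TCPSocket|Socket|URI\.open)\b|open-uri"),
    "dynamic code": re.compile(r"\b(eval|instance_eval|class_eval|Marshal\.load)\b"),
    "encoded payload": re.compile(r"\bBase64\.(strict_)?decode64\b|(\\x[0-9a-f]{2}){8,}", re.I),
}

def audit_operating_system_rb(source):
    """Return the red-flag categories present in a collected operating_system.rb."""
    return [cat for cat, rx in RUBY_RED_FLAGS.items() if rx.search(source)]

# Constructed samples, not real artifacts. The CSV keeps only the columns read above and
# the drop directory is a placeholder: the write-up does not give the runtime's location.
SAMPLE_SCHTASKS_CSV = r'''"TaskName","Task To Run","Repeat: Every"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","N/A"
"\rubyupdatecheck","C:\PLACEHOLDER_DROP_DIR\usbspeed.exe -e 0","0 Hour(s), 5 Minute(s)"
"\OneDrive Standalone Update Task","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","N/A"
'''
BENIGN_DEFAULTS_RB = r'''# Stand-in for a packager hook (distributions such as RubyInstaller ship one).
module Gem
  def self.default_dir
    File.join(RbConfig::CONFIG["rubylibprefix"], "gems", RbConfig::CONFIG["ruby_version"])
  end
end
'''
HIJACKED_DEFAULTS_RB = r'''# Shape of a replaced hook: decode a blob and hand it to a new process.
require "base64"
cmd = Base64.decode64("cGxhY2Vob2xkZXI=")  # constructed placeholder, decodes to "placeholder"
spawn(cmd) rescue nil
'''
```

A clean `operating_system.rb` from the same Ruby build is the better comparison when one is available; the red-flag scan is for the case where no known-good copy exists.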

  2. 26.02.2026 12:35 1 article · 2d ago

    GitLab Bans 131 Accounts Linked to Contagious Interview Campaign

    In February 2026, **GitLab banned 131 accounts** tied to the Contagious Interview campaign, citing their role in distributing **malicious code repositories** targeting developers. Analysis revealed that threat actors primarily used **consumer VPNs (80% of cases)** and **Gmail addresses (90%)** to create accounts, with intermittent use of **dedicated VPS infrastructure** and likely **laptop farms**. The actors leveraged **six legitimate services** to host malware payloads, including **Vercel (49 instances in 2025)**, **JSON Keeper**, **Mocki**, **npoint.io**, **Render**, and **Railway.app**, with Vercel remaining the most prevalent. A **private GitLab project** controlled by the group was also discovered, containing **financial and personnel records** for a North Korean IT worker cell. The records showed **earnings exceeding $1.64 million** between Q1 2022 and Q3 2025, with **detailed spreadsheets tracking quarterly income performance** for individual team members. The project highlighted the operation’s **structured enterprise model**, including **hierarchical oversight**, **defined revenue targets**, and **global facilitator networks** for money laundering and operational resiliency. GitLab’s findings corroborate broader trends in the campaign, including the use of **VS Code tasks**, **obfuscated payloads in fake font files**, and **multi-stage droppers** to evade detection. The platform’s takedown underscores the campaign’s **sustained infrastructure** and **adaptive hosting strategies**, as actors rotate between services to maintain persistence.

  3. 10.11.2025 22:29 4 articles · 3mo ago

    Konni Exploits Google's Find Hub for Remote Data Wiping

    North Korean threat actors, including Konni APT (APT37/Kimsuky), have weaponized Google’s Find Hub service to remotely reset Android devices in South Korea, marking the first confirmed instance of a nation-state APT abusing this feature for destructive operations. The campaign, discovered in November 2025, involves a two-stage attack: initial spear-phishing (since July 2024) targeting Android devices via spoofed entities (e.g., National Tax Service), followed by secondary malware distribution through compromised KakaoTalk PC sessions. Attackers compromised the account of a psychological counselor for North Korean defectors on September 5, 2025, using it to distribute a digitally signed MSI installer ('Stress Clear.msi') disguised as a stress-relief program. The installer deployed AutoIt loaders that established persistence via scheduled tasks and C2 communication, fetching RATs like RemcosRAT, QuasarRAT, and RftRAT. Using stolen Google credentials, attackers tracked victim locations via Find Hub and triggered remote wipes when targets were away, delaying discovery and severing communication channels. The attack chain also involved prolonged internal reconnaissance, exfiltration of PII and webcam captures, and exploitation of Find Hub’s location tracking to execute remote resets. This tactic combines device sabotage, credential theft, and social engineering to erase forensic evidence and amplify the campaign’s reach through trusted contacts. The MSI installer’s setup routine deleted traces to hinder analysis, while AutoIt scripts maintained continuous C2 communication.

  4. 25.09.2025 16:14 12 articles · 5mo ago

    North Korean Threat Actors Launch Contagious Interview Campaign

    The **Contagious Interview campaign**, attributed to North Korean actors including **Lazarus/BlueNoroff**, has expanded with **new tactics observed in February 2026**, where **malicious Next.js repositories** are used as lures to deliver **in-memory JavaScript malware** via **three distinct execution paths**:

    1. **VS Code workspace execution**: Projects with workspace automation configuration (`runOn: "folderOpen"` in `tasks.json`) auto-execute malicious code from Vercel or GitHub gists when the developer opens and trusts the project.
    2. **Build-time execution**: Modified JavaScript libraries (e.g., `jquery.min.js`) embedded in repositories activate during `npm run dev`, fetching and executing a JavaScript loader hosted on attacker-controlled infrastructure.
    3. **Server startup execution**: Backend modules or route files exfiltrate process environment variables to an external server and execute JavaScript responses in memory within the Node.js server process.

    The payloads **profile the host**, register with a C2 server for a unique `instanceId`, and deploy a **second-stage controller** that maintains persistence, supports operator-driven discovery/exfiltration, and minimizes disk traces. Microsoft Defender flagged the activity via suspicious outbound Node.js connections, linking it to a broader cluster of threats using **job-themed lures** to blend into developer workflows. This evolution follows the **January 2026 deployment of malicious VS Code projects** and the **December 2025 EtherRAT campaign**, which exploited **React2Shell (CVE-2025-55182)**. The group continues to refine its **multi-stage infection chains**, now leveraging **alternative staging infrastructure** (GitHub gists, URL shorteners, blockchain-based NFT contracts) and **collaborating with North Korea's fraudulent IT workers (WageMole)**. The campaign remains focused on **cryptocurrency/Web3 developers**, **global tech sectors**, and **espionage-driven financial theft**.

    **Additional developments** include:

    - A **malicious npm package (`eslint-validator`)** fetching obfuscated BeaverTail payloads from Google Drive.
    - A **Windows-specific infection chain** using batch scripts to download Node.js and deploy PyArmor-protected Python malware via `certutil`.
    - **GitLab's ban of 131 accounts** tied to the campaign, with threat actors primarily using consumer VPNs, Gmail addresses, and legitimate services (Vercel, JSON Keeper, Mocki) to host payloads.
    - Discovery of a **private GitLab project** tracking a North Korean IT worker cell's earnings ($1.64M between Q1 2022–Q3 2025), revealing structured financial oversight and hierarchical operations.
    - **Okta's observation** that actors are refining interview tactics, with some scheduling hundreds of interviews to improve success rates in bypassing screening.
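The first execution path above relies on a `tasks.json` setting that VS Code honours once a workspace is trusted. The added Python example below (not code from the campaign or from Microsoft) lists such tasks from a cloned repository's `.vscode/tasks.json` before the folder is opened in the editor; it handles the JSONC comments and trailing commas VS Code allows, and the sample file is constructed.

```python
"""Pre-open check for the VS Code auto-run lure described above: list tasks in a cloned
repository's .vscode/tasks.json that fire on folderOpen, before trusting the workspace."""
import json

def strip_jsonc(text):
    """Drop // and /* */ comments and trailing commas, but only outside string literals;
    VS Code accepts this JSONC dialect and json.loads does not."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:            # keep the escaped character verbatim
                out.append(text[i + 1]); i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True; out.append(c)
        elif text.startswith("//", i):             # line comment: skip to end of line
            j = text.find("\n", i); i = n if j < 0 else j; continue
        elif text.startswith("/*", i):             # block comment
            j = text.find("*/", i + 2); i = n if j < 0 else j + 2; continue
        elif c == ",":                             # trailing if only space/comments precede } or ]
            j = i + 1
            while j < n:
                if text[j].isspace(): j += 1
                elif text.startswith("//", j): k = text.find("\n", j); j = n if k < 0 else k
                elif text.startswith("/*", j): k = text.find("*/", j + 2); j = n if k < 0 else k + 2
                else: break
            if j < n and text[j] in "}]": i += 1; continue
            out.append(c)
        else:
            out.append(c)
        i += 1
    return "".join(out)

def auto_run_tasks(tasks_json_text):
    """Return (label, command line) for every task with runOptions.runOn == "folderOpen",
    which VS Code runs as soon as the folder is opened in a trusted workspace."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    hits = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
            hits.append((task.get("label", "<unnamed>"), " ".join(p for p in parts if p)))
    return hits

# Constructed sample in the JSONC dialect VS Code writes (comments, trailing commas);
# the command is a neutral placeholder, not the campaign's loader.
SAMPLE_TASKS_JSON = r'''{
  // A harmless-looking project config with one auto-run task hidden among normal ones.
  "version": "2.0.0",
  "tasks": [
    { "label": "lint", "type": "npm", "script": "lint", },
    {
      "label": "prepare",
      "type": "shell", /* shell/process tasks run the command directly */
      "command": "node",
      "args": ["./scripts/bootstrap.js"],
      "runOptions": { "runOn": "folderOpen" },
    },
  ]
}'''
```

An empty result does not clear the repository: the other two execution paths live in vendored libraries and server modules, which this check does not look at.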

  5. 10.09.2025 16:04 1 article · 5mo ago

    ZynorRAT Targets Windows, Linux, and macOS Systems

    A new malware family, ZynorRAT, has been discovered, targeting Windows, Linux, and macOS systems. ZynorRAT is a Go-based remote access trojan that uses a Telegram bot for command and control. The malware supports a wide range of functions, including file exfiltration, system enumeration, screenshot capture, and arbitrary command execution. The Windows version of ZynorRAT is near-identical to its Linux counterpart, indicating ongoing development. ZynorRAT is believed to be the work of a lone actor possibly of Turkish origin.

  6. 10.09.2025 14:59 2 articles · 5mo ago

    ChillyHell macOS Backdoor Resurfaces with New Version

    ChillyHell is written in C++ and developed for Intel architectures. The malware is attributed to an uncategorized threat cluster dubbed UNC4487, active since at least October 2022. UNC4487 is a suspected espionage actor that has compromised Ukrainian government websites to deploy ChillyHell. The malware establishes persistence through LaunchAgents, LaunchDaemons, and modifications to the user's shell profile. It uses timestomping to alter file timestamps and evade detection. ChillyHell supports commands to launch a reverse shell, download new versions, fetch additional payloads, enumerate user accounts, and conduct brute-force attacks. The malware was notarized by Apple, highlighting that not all malicious code comes unsigned.

  7. 01.09.2025 11:26 1 article · 6mo ago

    ScarCruft (APT37) Launches Operation HanKook Phantom Targeting South Korean Academics

    In September 2025, a new phishing campaign, Operation HanKook Phantom, was discovered. This campaign targets individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers. The campaign uses spear-phishing emails with a lure for a "National Intelligence Research Society Newsletter" containing a ZIP archive attachment with a Windows shortcut (LNK) masquerading as a PDF document. The LNK file drops RokRAT malware, which is capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads. RokRAT exfiltrates data via Dropbox, Google Cloud, pCloud, and Yandex Cloud. The campaign also involves a PowerShell script that deploys a dropper, which then runs a next-stage payload to steal sensitive data while concealing network traffic as a Chrome file upload. The lure document used in this instance is a statement issued by Kim Yo Jong, the Deputy Director of the Publicity and Information Department of the Workers' Party of Korea, rejecting Seoul's efforts at reconciliation.

  8. 14.08.2025 03:00 2 articles · 6mo ago

    ScarCruft (APT37) Launches Ransomware Campaign Targeting South Korea

    In July 2025, the North Korean threat group ScarCruft (APT37) initiated a new campaign targeting South Korea with a combination of infostealers, backdoors, and ransomware. The campaign, dubbed ChinopuNK, includes multiple malware tools designed for espionage and financial gain. The attacks start with phishing emails containing decoy documents about postal code updates. Once opened, these documents download NubSpy, a backdoor that uses the PubNub cloud service for command-and-control (C2) communication. The group also deploys ChillyChino, a PowerShell backdoor rewritten in Rust, and VCD ransomware, which encrypts specific file paths tailored to individual targets. The campaign is notable for its use of ransomware by a nation-state actor, combining espionage with financial and psychological pressure tactics.

Similar Happenings

Lazarus Group Linked to Medusa Ransomware Attacks on U.S. Healthcare

North Korean state-backed hackers from the Lazarus group are targeting U.S. healthcare organizations and entities in the Middle East with Medusa ransomware in financially motivated extortion attacks. The Medusa ransomware-as-a-service (RaaS) operation has impacted over 366 organizations since its launch in 2023, with at least four additional healthcare and non-profit organizations in the U.S. targeted since November 2025. This is the first time Lazarus has been linked to Medusa ransomware, though they have been associated with other ransomware strains. The attacks use a toolset that includes both custom and commodity tools, some of which are linked to another North Korean group, Diamond Sleet. The average ransom recorded in these attacks is $260,000, which is reportedly used to fund espionage operations against defense, technology, and government sectors in the U.S., Taiwan, and South Korea. Symantec has provided indicators of compromise (IoCs) to help defenders prevent these attacks. The Stonefly sub-group of Lazarus, also known as Andariel, has been involved in ransomware operations for the past five years. Rim Jong Hyok, an alleged Stonefly member, was indicted by the US Justice Department for ransomware campaigns targeting US hospitals and healthcare providers. The US Justice Department announced a $10m reward for information related to Rim Jong Hyok.

Shift Left Security Strategy Fails to Deliver Expected Benefits

The 'shift left' security strategy, which aims to integrate security earlier in the software development lifecycle (SDLC), has failed to deliver its promised benefits. Developers are overwhelmed with cognitive load, and businesses prioritize speed over security, leading to increased risks. A study by Qualys found that 7.3% of container images from public repositories were malicious, with 70% containing cryptomining software. The strategy has shifted the burden onto developers without adequate support, resulting in security being bypassed or ignored. To address these issues, experts recommend a 'shift down' approach, where security is embedded into the infrastructure layer, managed by specialized teams. This approach automates security checks and fixes, reducing the cognitive load on developers and making secure deployment the path of least resistance.

Infostealer Malware Targets OpenClaw Configuration Files

Infostealer malware has been observed stealing OpenClaw configuration files containing API keys, authentication tokens, and other sensitive secrets. This marks the first known instance of such attacks targeting the popular AI assistant framework. The stolen data includes configuration details, authentication tokens, and persistent memory files, which could enable full compromise of the victim's digital identity. The malware, identified as a variant of the Vidar infostealer, executed a broad file-stealing routine that scanned for sensitive keywords. Researchers predict increased targeting of OpenClaw as it becomes more integrated into professional workflows. Additionally, security issues with OpenClaw have prompted the maintainers to partner with VirusTotal to scan for malicious skills uploaded to ClawHub, establish a threat model, and add the ability to audit for potential misconfigurations.

454,000+ Malicious Open Source Packages Discovered in 2026

Researchers reported a surge in malicious open source packages, with 454,648 new malicious packages discovered in 2026. These packages are increasingly used in sustained, industrialized campaigns, often state-sponsored, targeting developer machines and CI/CD pipelines. The threat landscape includes repository abuse, potentially unwanted apps, and multi-stage attacks involving host information exfiltration, droppers, and backdoors. Additionally, AI-assisted development is exacerbating the risk by recommending non-existent versions and failing to check for malicious indicators.

EU Investigates X Over Grok-Generated Sexual Content

The European Commission, along with authorities in the UK, France, California, and now Ireland, is investigating X (formerly Twitter) over the use of its Grok AI tool to generate non-consensual sexual images, including child sexual abuse material (CSAM). The investigations are examining whether X has complied with data protection laws and adequately safeguarded against the generation of harmful content. The Irish Data Protection Commission (DPC) has opened a formal inquiry into X's compliance with GDPR obligations, joining the UK's Information Commissioner's Office (ICO), the European Commission, and French prosecutors in their respective investigations. French authorities have also raided X's offices in Paris and summoned Elon Musk and X CEO Linda Yaccarino for interviews. X has restricted Grok's image generation capabilities to paid subscribers, a move criticized by UK officials.