RESTLEAF malware stack using Zoho WorkDrive C2 and removable media
Malware Activity
Summary
A ScarCruft malware stack built around RESTLEAF uses Zoho WorkDrive for C2 and removable media to reach air-gapped systems, expanding surveillance and exfiltration capability. The chain was discovered in December 2025 and includes SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT. The tooling can execute commands, exfiltrate files, keylog, and capture audio/video.
Related Happenings
LeakNet ransomware gang ClickFix and Deno in-memory loader activity
Malware Activity
First: 17.03.2026 14:09
Last: 17.03.2026 14:09
Sources: 1
About this happening:
The **LeakNet ransomware gang** has adopted **ClickFix** initial access and a **Deno-based loader** that executes malicious code in memory, making intrusions harder to detect and...
Hive0163 extortion and ransomware campaign using ClickFix and malvertising
Campaign
First: 12.03.2026 19:02
Last: 12.03.2026 19:02
Sources: 1
About this happening:
Hive0163 is running an **active extortion and ransomware campaign** that expands access and raises the risk of **large-scale data exfiltration**. The operation uses **ClickFix**,...
SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM multi-stage malware deployment
Malware Activity
First: 05.03.2026 14:01
Last: 05.03.2026 14:01
Sources: 1
About this happening:
A **Windows malware** set composed of **SPLITDROP**, **TWINTASK**, **TWINTALK**, and **GHOSTFORM** was deployed across **two infection chains**, expanding the operation’s command,...
ScarCruft Ruby Jumper campaign
Campaign
First: 27.02.2026 14:43
Last: 27.02.2026 14:43
Sources: 1
How related:
"The campaign, codenamed Ruby Jumper by Zscaler ThreatLabz, involves the deployment of malware families, such as RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT to facilitate surveillance on a victim's system."
About this happening:
The **ScarCruft**-linked **Ruby Jumper** operation is using a **malicious LNK** infection chain and multi-stage payload delivery to support **surveillance** and attempts to breach...
LummaStealer infection surge via CastleLoader
Malware Activity
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources: 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
Timeline
- 27.02.2026 21:21 · 1 article · 2mo ago
APT37 Ruby Jumper expands its USB-based malware chain
Technical Analysis Update: APT37's Ruby Jumper campaign uses a malicious Windows shortcut file (LNK) and PowerShell to load RESTLEAF, then adds a Ruby-based loader, SNAKEDROPPER, plus THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT to move data between internet-connected and air-gapped systems. The tooling relies on Zoho WorkDrive C2, installs a disguised Ruby 3.3.0 runtime as usbspeed.exe, modifies RubyGems operating_system.rb, and weaponizes removable drives to relay commands, stage files, exfiltrate data, and spread to new air-gapped machines.
- APT37 hackers use new malware to breach air-gapped networks — www.bleepingcomputer.com — 27.02.2026 21:21
- 27.02.2026 14:43 · 1 article · 2mo ago
RESTLEAF malware stack using Zoho WorkDrive C2 and removable media
Initial Disclosure: The operation starts when a victim opens a **malicious LNK file**, which launches **PowerShell** and extracts embedded payloads from fixed offsets in the shortcut. That foothold delivers the first stages needed to load **RESTLEAF** and progress the infection chain.
- ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks — thehackernews.com — 27.02.2026 14:43
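The initial-disclosure entry above describes a shortcut that launches PowerShell and carries its payloads at fixed offsets inside the LNK itself. A defender's first triage check for that pattern is to walk the documented shell-link structure and measure what is left over after the last legitimate field. The script below is an added example, not code from the page or from Zscaler ThreatLabz; it follows the MS-SHLLINK layout (header, IDList, LinkInfo, StringData, ExtraData terminal block), treats anything after the terminal block as an overlay, and flags shortcuts whose arguments request PowerShell or a hidden window. The 1024-byte overlay threshold and the hidden-window heuristic are assumptions, the sample shortcuts are constructed in the block, and the parser skips the contents of IDList and LinkInfo (so a PowerShell target path set there rather than in the arguments is not inspected).

```python
"""Heuristic LNK (Windows shortcut) triage: parse the MS-SHLLINK structure,
recover the StringData fields, and measure any bytes appended after the
ExtraData terminal block (the "overlay"). An LNK whose arguments hide the
window or invoke PowerShell, and that also carries a large overlay, matches
the pattern described for the RESTLEAF chain (payloads embedded in the LNK).
Added example; thresholds and samples are constructed, not from the campaign."""
import struct

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
OVERLAY_ALERT_BYTES = 1024  # assumed threshold; tune to your environment


def parse_lnk(data: bytes) -> dict:
    """Walk the shell-link structures; return decoded strings and any trailing overlay."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for flag, name in STRING_FIELDS:         # StringData: CountCharacters then the characters
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            strings[name] = data[off:off + 2 * count].decode("utf-16-le", "replace")
            off += 2 * count
        else:
            strings[name] = data[off:off + count].decode("latin-1")
            off += count
    # ExtraData: blocks prefixed by BlockSize, closed by a TerminalBlock with size < 4
    while off + 4 <= len(data):
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:
            off += 4
            break
        off += size
    return {"flags": flags, "strings": strings, "structured_end": off, "overlay": data[off:]}


def lnk_findings(data: bytes) -> list:
    """Return analyst-readable reasons this shortcut deserves a closer look."""
    parsed = parse_lnk(data)
    findings = []
    args = parsed["strings"].get("arguments", "").lower()
    if "powershell" in args or "-windowstyle hidden" in args or "-w hidden" in args:
        findings.append("arguments invoke PowerShell or request a hidden window")
    if len(parsed["overlay"]) >= OVERLAY_ALERT_BYTES:
        findings.append(f"{len(parsed['overlay'])} bytes appended after the LNK terminal block")
    return findings


def build_sample_lnk(arguments: str, overlay: bytes = b"") -> bytes:
    """Construct a minimal Unicode shortcut carrying only an Arguments string (test fixture)."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE)
    header += bytes(LNK_HEADER_SIZE - len(header))   # remaining header fields zeroed
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    terminal_block = struct.pack("<I", 0)
    return header + string_data + terminal_block + overlay


# Constructed samples, not artefacts from the campaign.
SUSPICIOUS_LNK = build_sample_lnk(
    "-NoProfile -WindowStyle Hidden -Command <constructed placeholder>",
    overlay=bytes(range(256)) * 16,   # 4096 bytes standing in for an embedded payload
)
BENIGN_LNK = build_sample_lnk("/c dir")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, lnk_findings(blob) or "no findings")
```

Run it against a directory of shortcuts by reading each file's bytes into `lnk_findings`; a non-empty overlay alone is worth a look, since legitimate shortcut writers end the file at the terminal block.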