
ScarCruft Ruby Jumper campaign

Campaign · Happening score: 37 · 2 unique sources, 2 articles

Summary


The ScarCruft-linked Ruby Jumper operation is using a malicious LNK infection chain and multi-stage payload delivery to support surveillance and attempts to breach air-gapped networks. Identified in December 2025, the campaign matters because it combines shortcut-based execution, cloud C2, and removable-media propagation to widen access across isolated environments.

Related Happenings

ClickFix MacSync social-engineering campaign targeting macOS users

Campaign
First: 16.03.2026 13:41 · Last: 16.03.2026 13:41 · Sources: 1

About this happening: A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...

SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM multi-stage malware deployment

Malware Activity
First: 05.03.2026 14:01 · Last: 05.03.2026 14:01 · Sources: 1

About this happening: A **Windows malware** set composed of **SPLITDROP**, **TWINTASK**, **TWINTALK**, and **GHOSTFORM** was deployed across **two infection chains**, expanding the operation’s command,...

Silver Dragon assessed within the APT41 umbrella

Threat Actor Meta
First: 04.03.2026 10:14 · Last: 04.03.2026 10:14 · Sources: 1

About this happening: **Silver Dragon** is now assessed to operate within the **APT41 umbrella**, sharpening attribution for a cluster active against **Europe**, **Southeast Asia**, and **government en...

RESTLEAF malware stack using Zoho WorkDrive C2 and removable media

Malware Activity
First: 27.02.2026 14:43 · Last: 27.02.2026 14:43 · Sources: 1

How related: Researchers at cloud security company Zscaler analyzed the malware employed in APT37's Ruby Jumper campaign and identified a toolkit of five malicious tools: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE.

About this happening: A **ScarCruft** malware stack built around **RESTLEAF** uses **Zoho WorkDrive** for C2 and **removable media** to reach **air-gapped systems**, expanding surveillance and exfiltra...

Latest development: 27.02.2026 21:21

APT37's Ruby Jumper campaign uses a malicious Windows shortcut file (LNK) and PowerShell to load RESTLEAF, then adds a Ruby-based loader, SNAKEDROPPER, plus THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT to move data between internet-connected and air-gapped systems. The tooling relies on Zoho WorkDrive C2, installs a disguised Ruby 3.3.0 runtime as usbspeed.exe, modifies RubyGems operating_system.rb, and weaponizes removable drives to relay commands, stage files, exfiltrate data, and spread to new air-gapped machines.

WinRAR path-traversal exploitation wave (CVE-2025-8088)

Exploitation Wave
First: 27.01.2026 21:38 · Last: 27.01.2026 21:38 · Sources: 1

About this happening: **CVE-2025-8088** in **WinRAR** remains part of an **ongoing exploitation wave**, with **multiple threat groups** using the flaw for **initial access** and payload delivery. The a...

Timeline

  1. 27.02.2026 14:43 · 2 articles

    ScarCruft Ruby Jumper campaign disclosed

    Initial Disclosure

    Zscaler ThreatLabz identifies the ScarCruft-linked Ruby Jumper campaign as a multi-stage infection chain that starts with a malicious LNK file, launches PowerShell to carve embedded payloads, uses RESTLEAF with Zoho WorkDrive C2, and deploys SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT to support surveillance, removable-media propagation, and air-gapped-system access.
