ScarCruft Ruby Jumper Campaign Targets Air-Gapped Networks
Overview
The North Korean state-sponsored threat group known as ScarCruft (also tracked as APT37, RedEyes, and Reaper) has been identified executing a sophisticated new campaign dubbed Ruby Jumper. According to reporting from The Hacker News, which cites research from Zscaler ThreatLabz, the threat actor is utilizing a dual-pronged approach to bypass modern security defenses and infiltrate isolated environments. This campaign is characterized by the abuse of the legitimate Zoho WorkDrive cloud storage service for command-and-control (C2) operations and the deployment of a specialized malware implant designed to bridge the air-gap via removable USB media.
The Ruby Jumper Infection Chain
The campaign typically begins with the delivery of malicious LNK files, often disguised as legitimate documents or lures related to North Korean affairs. Once executed, these LNK files initiate a multi-stage infection process that utilizes Microsoft Compiled HTML Help (CHM) files or HTA scripts to establish a foothold. This approach allows the attacker to leverage legitimate system utilities, such as mshta.exe, to execute arbitrary code while staying below the radar of traditional signature-based detection mechanisms.
Analysis indicates that the secondary stages of the infection involve the deployment of a persistent backdoor. This backdoor is specifically designed to communicate with the Zoho WorkDrive API, enabling the threat actor to upload exfiltrated data and download additional malicious modules. By utilizing a known and trusted cloud service provider for C2, ScarCruft effectively bypasses domain-based filtering and firewalls that may otherwise block connections to unknown or suspicious IP addresses.
Breaching Air-Gapped Isolation
One of the most concerning aspects of the Ruby Jumper campaign is its focus on air-gapped networks—highly secure environments that are physically isolated from the public internet. To overcome this isolation, ScarCruft employs a custom USB-based malware implant. This implant monitors the infected host for the insertion of removable media. When a USB drive is detected, the malware creates hidden directories on the device to store commands for the air-gapped system and act as a repository for stolen data.
When the infected USB drive is subsequently plugged into an air-gapped machine, the malware executes its payload, performs reconnaissance, and collects sensitive information. This data is then moved back to the USB drive in an encrypted format. Once the drive is reconnected to an internet-facing host, the primary backdoor retrieves the stolen information from the hidden folders and exfiltrates it to the Zoho WorkDrive C2 infrastructure.
Strategic Implications and TTPs
ScarCruft’s evolution toward using legitimate SaaS platforms for infrastructure reflects a broader trend among nation-state actors to minimize their unique footprint. The Ruby Jumper campaign demonstrates a high level of operational maturity, specifically in the group’s ability to maintain persistence across heterogeneous network environments. The use of USB media for lateral movement into isolated zones confirms that the actor continues to target high-value government, diplomatic, and research entities where air-gapping is a standard security practice.
Technical Tactics Observed:
- Cloud Service Abuse: Leveraging Zoho WorkDrive API for resilient and stealthy C2 communications.
- Living-off-the-Land (LotL): Heavy reliance on mshta.exe and cmd.exe to process scripts and LNK-based triggers.
- Removable Media Exfiltration: Automating the data relay process through hidden folders on USB storage devices to bridge network segments.
Mitigation and Recommendations
To defend against the tactics observed in the Ruby Jumper campaign, security teams should focus on the following defensive measures:
- Restrict Removable Media: Implement strict policies on the use of USB drives. Where possible, disable USB ports on critical systems or enforce the use of encrypted and authorized hardware only.
- Monitor Cloud API Traffic: Analyze network traffic for unusual or excessive connections to cloud storage APIs (like Zoho, Dropbox, or Mega) from administrative or sensitive hosts that have no legitimate business need for such services.
- LNK and CHM Inspection: Deploy security controls to inspect and block suspicious LNK files in email attachments or web downloads. Organizations should consider disabling the association of CHM files with the Help Viewer if not required for business operations.
- Endpoint Auditing: Enhance logging for process spawning, specifically focusing on instances where mshta.exe or wscript.exe are called by unconventional parent processes like explorer.exe or mail clients.
- Air-Gap Integrity: Ensure that air-gapped systems are strictly audited and that any data transfer between isolated and connected zones occurs via a verified, scanned, and controlled “sheep-dip” process.
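As an added example (not code from the article or from Zscaler ThreatLabz), the following Python hunt applies the endpoint-auditing recommendation above to constructed Sysmon-style process-creation lines: it flags mshta.exe, wscript.exe or cmd.exe when the parent is explorer.exe or a mail client, or when the command line references an HTA, CHM, LNK or script lure. The pipe-delimited log format, the mail-client names and the sample events are assumptions.

```python
"""Hunt for the LotL process chains described in the Ruby Jumper write-up."""
import re
from dataclasses import dataclass

# Script hosts the campaign abuses (named in the article).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cmd.exe"}
# Parents that suggest a user opening a lure rather than admin tooling (assumed list).
SUSPICIOUS_PARENTS = {"explorer.exe", "outlook.exe", "thunderbird.exe"}
# Command-line references to the lure/stage file types the campaign uses.
LURE_RE = re.compile(r"\.(hta|chm|lnk|vbs|js)\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse a constructed 'key=value|key=value' process-creation line."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ProcEvent(int(fields["pid"]), fields["image"],
                     fields["parent"], fields["cmd"])


def hunt(lines):
    """Return (pid, score, reasons) for each script-host launch that matches an indicator."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if basename(ev.image) not in SCRIPT_HOSTS:
            continue  # not a script host; out of scope for this rule
        reasons = []
        if basename(ev.parent_image) in SUSPICIOUS_PARENTS:
            reasons.append(f"parent={basename(ev.parent_image)}")
        if LURE_RE.search(ev.command_line):
            reasons.append("lure-file reference in command line")
        if reasons:
            hits.append((ev.pid, len(reasons), reasons))
    return hits


# Constructed sample events: two lure launches, one benign cmd.exe, one non-script host.
SAMPLE_EVENTS = [
    r"pid=4120|image=C:\Windows\System32\mshta.exe|parent=C:\Windows\explorer.exe|cmd=mshta.exe C:\Users\u\Downloads\report.hta",
    r"pid=4133|image=C:\Windows\System32\wscript.exe|parent=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|cmd=wscript.exe //B C:\Users\u\AppData\Local\Temp\invite.vbs",
    r"pid=4200|image=C:\Windows\System32\cmd.exe|parent=C:\Windows\System32\services.exe|cmd=cmd.exe /c schtasks /query",
    r"pid=4300|image=C:\Windows\System32\notepad.exe|parent=C:\Windows\explorer.exe|cmd=notepad.exe",
]

if __name__ == "__main__":
    for pid, score, reasons in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: score {score}: {', '.join(reasons)}")
```

Only the two lure launches are reported; the services.exe-spawned cmd.exe and the notepad.exe launch under explorer.exe produce no hit.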