APT37 Deploys Ruby Jumper to Bridge Air-Gapped Networks
🛡️ Zscaler researchers uncovered a toolkit named Ruby Jumper used by North Korea–linked APT37 to bridge internet-connected and air-gapped systems via removable drives. The campaign begins with a malicious LNK that launches a PowerShell script, a decoy document, and the RESTLEAF implant, which fetches encrypted shellcode via Zoho WorkDrive and loads the Ruby-based loader SNAKEDROPPER. The threat persists by installing a Ruby runtime masked as usbspeed.exe and weaponizes USB media to relay commands and exfiltrate data.
