
🎯 Threat Intelligence
===================

Opening:
Zscaler ThreatLabz published a technical analysis of a December 2025 campaign tracked as Ruby Jumper and attributed to APT37 (aliases: ScarCruft, Ruby Sleet, Velvet Chollima). The report documents a multi-stage intrusion that begins with malicious Windows shortcut (LNK) files and culminates in surveillance payloads delivered to both networked and air-gapped machines.

Technical Details:
• Initial vector: Malicious LNK files that launch PowerShell. The dropped artifacts include find.bat, search.dat (PowerShell), and viewer.dat (shellcode-based payload) which are carved from fixed offsets inside the LNK.
• Initial implant: RESTLEAF, observed using Zoho WorkDrive for command-and-control communications.
• Secondary loader: SNAKEDROPPER, which installs the Ruby runtime, establishes persistence, and drops additional components.
• Removable-media components: THUMBSBD (backdoor) and VIRUSTASK (propagation), where VIRUSTASK replaces files with malicious LNK shortcuts and THUMBSBD relays commands/data between internet-connected and air-gapped hosts.
• Final payloads: FOOTWINE (surveillance backdoor with keylogging and audio/video capture) and BLUELIGHT.

🔹 Attack Chain Analysis
• Initial Access / Execution: Victim opens malicious LNK → PowerShell executed.
• Staging: PowerShell scripts parse embedded payloads and load shellcode (viewer.dat) into memory.
• C2 & Commanding: RESTLEAF communicates via Zoho WorkDrive for payload fetch and C2 operations.
• Loader & Persistence: SNAKEDROPPER installs Ruby runtime and persists on the host.
• Propagation / Air‑gap Bridging: VIRUSTASK infects removable media by creating malicious LNKs; THUMBSBD reads/writes commands and data to the media to bridge air-gapped systems.
• Post‑exploitation: FOOTWINE and BLUELIGHT provide surveillance capabilities including keylogging and media capture.

Analysis:
The use of Zoho WorkDrive as a stealthy C2 channel and the deployment of a Ruby-based loader that executes shellcode are noteworthy technical choices. The removable-media relay technique enables cross-network persistence and data transfer to systems that lack direct network access, aligning with long-standing APT objectives to access isolated environments.

Detection:
ThreatLabz documents specific artifacts: the LNK carving behavior, the three-file drop sequence (find.bat, search.dat, viewer.dat), the presence of RESTLEAF communicating with Zoho WorkDrive, and the Ruby runtime installed by SNAKEDROPPER. These artifacts are primary indicators enumerated in the analysis.

Mitigation:
The Zscaler post focuses on behavioral artifacts and component-level findings; it enumerates file artifacts and high-level C2 mechanics rather than prescriptive remediation steps. Review of the original ThreatLabz report is required for any detection rules and prioritized defensive actions.

References:
Zscaler ThreatLabz analysis of the Ruby Jumper campaign (December 2025) contains full technical breakdown and component mappings.

🔹 APT37 #RubyJumper #malware #airgap #ThreatIntel

🔗 Source: https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks

APT37 Adds New Tools For Air-Gapped Networks | ThreatLabz

The APT37 Ruby Jumper campaign leverages newly discovered tools that can infect systems to communicate across air-gapped networks using removable media devices.
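A worked example added here, not code from the ThreatLabz report or from the post above: a parser that walks the MS-SHLLINK structure of a Windows shortcut (header, LinkTargetIDList, LinkInfo, StringData, ExtraData) to find where the legitimate shortcut ends. A clean .lnk has nothing after its ExtraData TerminalBlock, so payloads "carved from fixed offsets inside the LNK" sit in an overlay (or in oversized extra-data blocks) that this walk exposes without knowing the campaign's offsets, which the post does not give and which are not assumed here. The marker list is my own triage heuristic, the sample shortcut is constructed, and the shortcut's target path (which lives in the IDList/LinkInfo) is deliberately not decoded.

```python
"""Walk a Windows shortcut and report bytes appended past its structure."""
import struct

HEADER_SIZE = 0x4C                      # ShellLinkHeader is always 76 bytes
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

HAS_LINK_TARGET_ID_LIST = 0x01          # LinkFlags bits, MS-SHLLINK 2.1.1
HAS_LINK_INFO = 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR,
                HAS_ARGUMENTS, HAS_ICON_LOCATION)   # StringData order per spec

# Heuristic (assumed) lower-case markers a shortcut should never carry past its structure.
OVERLAY_MARKERS = (b"powershell", b"frombase64string", b"-encodedcommand",
                   b"@echo off", b"invoke-expression", b".bat", b".dat")


def parse_lnk(data: bytes) -> dict:
    """Return the structure end offset, the Arguments string and the overlay."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("bad HeaderSize: not a shell link")
    if data[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID: not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:             # IDListSize (2) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                       # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    strings = {}
    for flag in STRING_ORDER:                       # CountCharacters (2) + chars
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            raw = data[off:off + count * width]
            off += count * width
            strings[flag] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    while off + 4 <= len(data):                     # ExtraData: BlockSize leads each block
        block_size = struct.unpack_from("<I", data, off)[0]
        if block_size < 4:                          # TerminalBlock closes the structure
            off += 4
            break
        off += block_size
    return {"end": off, "arguments": strings.get(HAS_ARGUMENTS, ""), "overlay": data[off:]}


def triage_lnk(data: bytes) -> dict:
    """Flag shortcuts that carry an overlay and look like a script launcher."""
    info = parse_lnk(data)
    overlay_lc = info["overlay"].lower()
    hits = [m.decode() for m in OVERLAY_MARKERS if m in overlay_lc]
    launches_ps = "powershell" in info["arguments"].lower()
    return {
        "overlay_bytes": len(info["overlay"]),
        "launches_powershell": launches_ps,
        "overlay_markers": hits,
        "suspicious": len(info["overlay"]) > 0 and (launches_ps or bool(hits)),
    }


# Constructed sample: header + Arguments string + TerminalBlock, plus an optional overlay.
SAMPLE_ARGS = '/c powershell -w hidden -ep bypass -f "%TEMP%\\search.dat"'
SAMPLE_OVERLAY = (b"@echo off\r\n"
                  b"copy /y \"%~dp0viewer.dat\" \"%TEMP%\\viewer.dat\"\r\n"
                  + bytes(range(32)))               # stand-in for a binary blob


def build_sample_lnk(overlay: bytes = b"") -> bytes:
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID,
                         HAS_ARGUMENTS | IS_UNICODE, 0x20,   # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)       # times, size, icon, SW_SHOWNORMAL
    args = struct.pack("<H", len(SAMPLE_ARGS)) + SAMPLE_ARGS.encode("utf-16-le")
    return header + args + struct.pack("<I", 0) + overlay


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_lnk()),
                        ("armed", build_sample_lnk(SAMPLE_OVERLAY))):
        print(label, triage_lnk(blob))
```

Run it over every .lnk found on a removable drive or in a mail attachment quarantine; an overlay of tens of kilobytes behind a shortcut whose arguments invoke PowerShell is worth a look regardless of which marker strings happen to match. Shortcuts with an unusual but legitimate ExtraData block still end at a TerminalBlock, so they produce no overlay and no alert.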

Anyone running local AI or storing private data should stick to an air-gapped system. Why?

Corporations & governments harvest enormous amounts of data to predict your behavior.

For local updates, I still advise what I told companies 25+ years ago:
Use USB drives for one-way updates only. Never reuse them; destroy them after a single use. Modern research shows even USBs can carry spyware, so treat each drive as potentially contaminated and enforce strict, one-time procedures.

#airgap #cybersecurity

Our BTC Airgap Bridge just got merged into awesome-bitcoin!
https://github.com/paranoid-qrypto/btc-airgap-bridge

A curated list of the best Bitcoin tools and resources.

Open source, client-side, air-gapped transaction broadcasting.

https://github.com/igorbarinov/awesome-bitcoin

#bitcoin #opensource #airgap #security

GitHub - paranoid-qrypto/btc-airgap-bridge: A secure, client-side tool to broadcast a signed Bitcoin (BTC) transaction from an air-gapped wallet. Fetch UTXOs, regenerate QR codes, and submit raw hex transactions safely.

APT37 hackers use new malware to breach air-gapped networks

North Korean hackers are deploying newly uncovered tools to move data between internet-connected and air-gapped systems, spread via removable drives, and conduct covert surveillance.

BleepingComputer
Robots Talking To Robots

Although there are a few robots on the market that can make life a bit easier, plenty of them have closed-source software or smartphone apps required for control that may phone home and send any am…

Hackaday

Helm chart maintainers should provide a list of container images for each version of a Helm chart to make mirroring for air-gapped deployments easier.

#helm #airgap #containers
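A worked example added here, not code from the post above or from any Helm project, showing what such a per-version image list looks like when generated rather than hand-maintained. It takes the text of `helm template <release> <chart> -f values.yaml` (rendered manifests, so every `image:` is concrete), pulls out the references and normalizes each one to the canonical form a mirror copy and an offline pull must agree on: explicit registry, `library/` for Docker Hub official images, an explicit tag or a digest. The rendered manifest below is constructed.

```python
"""Build a normalized, de-duplicated image list from rendered Helm manifests."""
import re

# Matches `image: ref`, `- image: ref`, quoted or not, at any indentation.
IMAGE_RE = re.compile(r'^\s*(?:-\s+)?image:\s*["\']?([^"\'\s#]+)', re.MULTILINE)


def normalize_ref(ref: str) -> str:
    """Expand an OCI image reference into registry/name:tag (or registry/name@digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    # The first path component is a registry only if it looks like a host
    # (has a dot or a port, or is localhost); otherwise it is a Docker Hub namespace.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path                  # official images live under library/
    name, tag = path, None
    if ":" in path.rsplit("/", 1)[-1]:            # a tag sits after the last ':' of the last segment
        name, tag = path.rsplit(":", 1)
    if digest:
        return f"{registry}/{name}@{digest}"      # a digest pins content; the tag is redundant
    return f"{registry}/{name}:{tag or 'latest'}"


def extract_images(rendered: str) -> list:
    """Unique, normalized image references from rendered manifests, sorted."""
    return sorted({normalize_ref(m) for m in IMAGE_RE.findall(rendered)})


# Constructed stand-in for `helm template` output.
SAMPLE_RENDERED = """\
# Source: demo/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      initContainers:
        - name: init
          image: busybox:1.36
      containers:
        - name: web
          image: "registry.local:5000/app/web:1.2.3"
          imagePullPolicy: IfNotPresent
        - name: proxy
          image: nginx
        - name: metrics
          image: quay.io/prometheus/prometheus:v2.47.0
---
# Source: demo/templates/job.yaml
kind: Job
spec:
  template:
    spec:
      containers:
        - name: tool
          image: ghcr.io/example/tool@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
        - name: proxy-again
          image: nginx
"""

if __name__ == "__main__":
    for ref in extract_images(SAMPLE_RENDERED):
        print(ref)
```

Commit the output next to the chart version it was generated from; the mirroring side can then feed it straight to `skopeo copy` or `crane copy`, and a diff between two versions' lists is exactly the set of images that has to cross the air gap. Render with every values file you actually deploy, since a chart's images change with values such as `.Values.image.tag` or optional sub-charts.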

Take back cost control with an on-premises cloud solution for data archiving and online backup:
IBM Deep Archive Multi-library on Diamondback - makes it possible! ... and it's cool.
➡️ https://www.ibm.com/products/deep-archive
Store up to 123PB in a single namespace, while improving bandwidth and threading for faster operations.

👁🐝Ⓜ️
#IBM
#IBMStorage #IBMTape #AirGap
#THINK about the #LastLineOfDefence #CostControl
#IBMStorageRocks🚀

Run BadUSB Script on a $3 Digispark (& how to change the keyboard layout)

YouTube
$1 BadUSB - DigiSpark Drive By HID Tutorial

YouTube