Air gaps don't stop sound.
USAT (Ultrasonic Sub-Audible Trojan) — acoustic covert channel operating at 17–22kHz, inaudible, cross-device, no physical access required.
Full research: researchgate.net/publication/404012350
The last line of defence: why a tape library is the most reliable "cold wallet" for data. Well, or one of them…
In 2025, global losses from cybercrime, according to industry analysts' estimates, exceeded one trillion US dollars ("that's how many countries could have been fed with that?!"). In the overwhelming majority of cases these are ransomware attacks. And in every such incident, sooner or later, the same question comes up: does a copy of the data exist that the attacker cannot reach?
https://habr.com/ru/articles/1020432/
#tape_libraries #tapes #cold_wallet #ransomware #airgap #air_gap #data_storage_technologies #cartridges #hardware_architecture #data_storage

Your biological hardware cannot process information while it is receiving an injection of blue light. Insomnia is a system failure caused by the algorithm. Run the Data Blackout and recover your mental rendering capacity.
#analogsovereignty #proyectoagena #opsec #airgap #countersurveillance
The system detects your fatigue and uses it as an attack vector. Don't give up any more bandwidth.
http://anonimageek.com/2026/04/06/protocolo-desfragmentacion-ciclo-circadiano/
----------------
🎯 Threat Intelligence
===================
Opening:
Zscaler ThreatLabz published a technical analysis of a December 2025 campaign tracked as Ruby Jumper and attributed to APT37 (aliases: ScarCruft, Ruby Sleet, Velvet Chollima). The report documents a multi-stage intrusion that begins with malicious Windows shortcut (LNK) files and culminates in surveillance payloads delivered to both networked and air-gapped machines.
Technical Details:
• Initial vector: Malicious LNK files that launch PowerShell. The dropped artifacts include find.bat, search.dat (PowerShell), and viewer.dat (shellcode-based payload), which are carved from fixed offsets inside the LNK.
• Initial implant: RESTLEAF, observed using Zoho WorkDrive for command-and-control communications.
• Secondary loader: SNAKEDROPPER, which installs the Ruby runtime, establishes persistence, and drops additional components.
• Removable-media components: THUMBSBD (backdoor) and VIRUSTASK (propagation), where VIRUSTASK replaces files with malicious LNK shortcuts and THUMBSBD relays commands/data between internet-connected and air-gapped hosts.
• Final payloads: FOOTWINE (surveillance backdoor with keylogging and audio/video capture) and BLUELIGHT.
🔹 Attack Chain Analysis
• Initial Access / Execution: Victim opens malicious LNK → PowerShell executed.
• Staging: PowerShell scripts parse embedded payloads and load shellcode (viewer.dat) into memory.
• C2 & Commanding: RESTLEAF communicates via Zoho WorkDrive for payload fetch and C2 operations.
• Loader & Persistence: SNAKEDROPPER installs Ruby runtime and persists on the host.
• Propagation / Air-gap Bridging: VIRUSTASK infects removable media by creating malicious LNKs; THUMBSBD reads/writes commands and data to the media to bridge air-gapped systems.
• Post-exploitation: FOOTWINE and BLUELIGHT provide surveillance capabilities including keylogging and media capture.
Analysis:
The use of Zoho WorkDrive as a stealthy C2 channel and the deployment of a Ruby-based loader that executes shellcode are noteworthy technical choices. The removable-media relay technique enables cross-network persistence and data transfer to systems that lack direct network access, aligning with long-standing APT objectives to access isolated environments.
Detection:
ThreatLabz documents specific artifacts: the LNK carving behavior, the three-file drop sequence (find.bat, search.dat, viewer.dat), the presence of RESTLEAF communicating with Zoho WorkDrive, and the Ruby runtime installed by SNAKEDROPPER. These artifacts are primary indicators enumerated in the analysis.
Mitigation:
The Zscaler post focuses on behavioral artifacts and component-level findings; it enumerates file artifacts and high-level C2 mechanics rather than prescriptive remediation steps. Review of the original ThreatLabz report is required for any detection rules and prioritized defensive actions.
References:
Zscaler ThreatLabz analysis of the Ruby Jumper campaign (December 2025) contains full technical breakdown and component mappings.
🔹 APT37 #RubyJumper #malware #airgap #ThreatIntel
🔗 Source: https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks
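The Detection section above lists the first-stage artifacts (an LNK launching PowerShell, then the find.bat / search.dat / viewer.dat drop) as the primary indicators. As an added example, not code from the Zscaler report or from ThreatLabz, the following Python correlates Sysmon-style process-create and file-create records per (host, pid) and raises a finding when a PowerShell process spawned by explorer.exe (the shortcut double-click chain) writes those artifact names. The event schema, hosts, paths, PIDs and command lines are constructed for this example and are assumptions; the artifact names are the ones named in the post.

```python
from collections import defaultdict

# Artifact file names reported for the Ruby Jumper first stage (from the post above).
DROP_SEQUENCE = frozenset({"find.bat", "search.dat", "viewer.dat"})

# Constructed sample telemetry in a Sysmon-like shape (assumed field names).
# Hosts, PIDs, paths and command lines are invented for this example.
SAMPLE_EVENTS = [
    # ws-01: explorer.exe -> powershell.exe, which then writes all three artifacts.
    {"host": "ws-01", "type": "process_create", "pid": 4120,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile"},
    {"host": "ws-01", "type": "file_create", "pid": 4120,
     "path": r"C:\Users\alice\AppData\Local\Temp\find.bat"},
    {"host": "ws-01", "type": "file_create", "pid": 4120,
     "path": r"C:\Users\alice\AppData\Local\Temp\search.dat"},
    {"host": "ws-01", "type": "file_create", "pid": 4120,
     "path": r"C:\Users\alice\AppData\Local\Temp\viewer.dat"},
    # ws-02: an administrator running a script from cmd.exe; unrelated file write.
    {"host": "ws-02", "type": "process_create", "pid": 2210,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File deploy.ps1"},
    {"host": "ws-02", "type": "file_create", "pid": 2210,
     "path": r"C:\temp\report.csv"},
    # ws-03: a legitimate shortcut to PowerShell; no suspicious flags, no drop.
    {"host": "ws-03", "type": "process_create", "pid": 900,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]


def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_ruby_jumper_staging(events):
    """Correlate process-create and file-create records per (host, pid).

    A finding is raised for a powershell.exe process that either wrote any of the
    three LNK-carved artifact names, or was spawned by explorer.exe with
    hidden-window / execution-policy-bypass flags. The score weights the
    artifact overlap (2 per file) above the contextual signals (1 each).
    """
    procs = {}                   # (host, pid) -> process_create record
    writes = defaultdict(set)    # (host, pid) -> set of written file basenames
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process_create":
            procs[key] = ev
        elif ev["type"] == "file_create":
            writes[key].add(basename(ev["path"]))

    findings = []
    for key, proc in procs.items():
        if basename(proc["image"]) != "powershell.exe":
            continue
        reasons = []
        from_explorer = basename(proc["parent_image"]) == "explorer.exe"
        if from_explorer:
            reasons.append("powershell.exe spawned by explorer.exe (LNK launch chain)")
        cmdline = proc["cmdline"].lower()
        evasive_flags = "hidden" in cmdline or "bypass" in cmdline
        if evasive_flags:
            reasons.append("hidden-window / execution-policy-bypass flags")
        dropped = sorted(writes[key] & DROP_SEQUENCE)
        if dropped:
            reasons.append("wrote LNK-carved artifacts: " + ", ".join(dropped))
        if dropped or (from_explorer and evasive_flags):
            score = 2 * len(dropped) + int(from_explorer) + int(evasive_flags)
            findings.append({"host": key[0], "pid": key[1], "score": score,
                             "dropped": dropped, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_ruby_jumper_staging(SAMPLE_EVENTS):
        print(f"{finding['host']} pid={finding['pid']} score={finding['score']}")
        for reason in finding["reasons"]:
            print("  -", reason)
```

On the constructed sample only ws-01 is reported (score 8: three artifacts, explorer parent, evasive flags); ws-03 shows that an explorer-to-PowerShell chain alone is not enough to alert, which keeps the rule usable on hosts where users have legitimate PowerShell shortcuts. In a real deployment the file names would be joined with the other indicators the report enumerates (RESTLEAF traffic to Zoho WorkDrive, a Ruby runtime appearing on a host) rather than used as a standalone rule.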
Anyone running local AI or storing private data should stick to an air-gapped system. Why?
Corporations & governments harvest enormous amounts of data to predict your behavior.
For local updates, I still advise what I told companies 25+ years ago:
Use USB drives for one-way updates only. Never reuse them, destroy after a single use. Modern research shows even USBs can carry spyware, so treat each drive as potentially contaminated & enforce strict, one-time procedures.
Our BTC Airgap Bridge just got merged into awesome-bitcoin!
https://github.com/paranoid-qrypto/btc-airgap-bridge
A curated list of the best Bitcoin tools and resources.
Open source, client-side, air-gapped transaction broadcasting.

A secure, client-side tool to broadcast a signed Bitcoin (BTC) transaction from an air-gapped wallet. Fetch UTXOs, regenerate QR codes, and submit raw hex transactions safely. - paranoid-qrypto/btc...
Robots Talking to Robots
https://fed.brid.gy/r/https://hackaday.com/2026/02/07/robots-talking-to-robots/