#APT37 #RESTLEAF #SNAKEDROPPER #THUMBSBD #VIRUSTASK #BLUELIGHT
https://threatlabz.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks
APT37 Hackers Deploy New Malware to Breach Air-Gapped Networks
A new campaign named Ruby Jumper has been identified. This is linked to
APT37, a North Korean-sponsored threat actor group.
Pulse ID: 69a45b7f626a0d30ee10d8dc
Pulse Link: https://otx.alienvault.com/pulse/69a45b7f626a0d30ee10d8dc
Pulse Author: cryptocti
Created: 2026-03-01 15:30:07
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#APT37 #CyberSecurity #InfoSec #Korea #Malware #NorthKorea #OTX #OpenThreatExchange #bot #cryptocti
APT37 Adds New Capabilities for Air-Gapped Networks
Pulse ID: 69a416526b6cc12014753344
Pulse Link: https://otx.alienvault.com/pulse/69a416526b6cc12014753344
Pulse Author: Tr1sa111
Created: 2026-03-01 10:34:58
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#APT37 #CyberSecurity #InfoSec #OTX #OpenThreatExchange #bot #Tr1sa111
APT37’s Ruby Jumper campaign demonstrates a mature approach to air-gap traversal.
Observed tradecraft includes:
• LNK-based initial execution
• Embedded PowerShell payload extraction
• Ruby interpreter abuse (v3.3.0)
• Scheduled task persistence (5-minute interval)
• USB-based covert bidirectional C2
• Multi-stage backdoor deployment
Toolset: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, BLUELIGHT.
The removable media relay model enables:
– Command staging offline
– Data exfiltration without internet access
– Lateral spread across isolated systems
– Surveillance via Windows spyware
This reinforces a critical point:
Air-gap controls must extend beyond physical disconnection — including USB governance, device auditing, behavioral monitoring, and strict runtime execution policies.
Are critical infrastructure operators prepared for USB-mediated C2 relays?
Engage below.
Follow TechNadu for high-signal threat intelligence insights.
Repost to elevate awareness.
#Infosec #APT37 #AirGapSecurity #ThreatModeling #MalwareAnalysis #NationStateThreats #USBExfiltration #SOC #DetectionEngineering #CyberDefense #OperationalSecurity #ThreatHunting #ZeroTrustArchitecture
APT37 Adds New Capabilities for Air-Gapped Networks
APT37, a DPRK-backed threat group, has launched a new campaign called Ruby Jumper, utilizing Windows shortcut files to initiate attacks with newly discovered tools. These tools include RESTLEAF, SNAKEDROPPER, THUMBSBD, and VIRUSTASK, which work together to deliver surveillance payloads like FOOTWINE and BLUELIGHT. The campaign leverages removable media to infect and communicate with air-gapped systems. Key features include the use of Ruby for shellcode-based payloads, abuse of cloud storage services for command and control, and sophisticated techniques for bypassing network isolation. The malware demonstrates advanced capabilities in system reconnaissance, data exfiltration, and persistent surveillance.
Pulse ID: 69a06896d797f45ad8da76b0
Pulse Link: https://otx.alienvault.com/pulse/69a06896d797f45ad8da76b0
Pulse Author: AlienVault
Created: 2026-02-26 15:36:54
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#APT37 #Cloud #CyberSecurity #DPRK #EDR #InfoSec #Malware #OTX #OpenThreatExchange #RAT #Rust #ShellCode #Windows #bot #AlienVault
South Korean researchers (Genians) report that APT37 is abusing Google Find Hub to track victims and remotely wipe Android devices.
The attackers use phished Google credentials to access legitimate Find Hub functions - no exploit involved.
Google has confirmed this and advises enabling 2-Step Verification or passkeys.
Credential security remains the weakest link in most modern attacks.
#CyberSecurity #APT37 #GoogleFindHub #ThreatIntel #AndroidSecurity #InfoSec #MalwareAnalysis #Kimsuky #TechNadu
North Korean hackers are using Google’s own tools to remotely wipe Android devices and hijack messaging apps. Think your account is safe? Dive into how a single breach can trigger a digital meltdown.
#konni
#apt37
#cyberespionage
#androidsecurity
#googlefindhub
#malware
#northkorea
#spearphishing
#infosec
ScarCruft (APT37) is running Operation HanKook Phantom → phishing South Korean academics w/ RokRAT malware.
🔹 LNK loaders + fileless PowerShell
🔹 Exfil via Dropbox & GDrive
🔹 Goal: espionage & persistence
💬 Should academia ramp up defenses to enterprise SOC levels, or is that unrealistic?
Follow @technadu for more threat intel.
#CyberSecurity #APT37 #ScarCruft #RokRAT #Phishing #ThreatIntel