The North Korean threat actor known as ScarCruft has been attributed to a fresh set of tools, including a backdoor that uses Zoho WorkDrive for command-and-control (C2) communications to fetch more payloads and an implant that uses removable media to relay commands and breach air-gapped networks.
The campaign, codenamed Ruby Jumper by Zscaler ThreatLabz, involves the deployment of malware families, such as RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT to facilitate surveillance on a victim's system. It was discovered by the cybersecurity company in December 2025.
"In the Ruby Jumper campaign, when a victim opens a malicious LNK file, it launches a PowerShell command and scans the current directory to locate itself based on file size," security researcher Seongsu Park said. "Then, the PowerShell script launched by the LNK file carves multiple embedded payloads from fixed offsets within that LNK, including a decoy document, an executable payload, an additional PowerShell script, and a batch file."
One of the lure documents used in the campaign displays an article about the Palestine-Israel conflict that's translated from a North Korean newspaper into Arabic.
All three remaining payloads are used to progressively move the attack to the next stage, with the batch script launching PowerShell, which, in turn, is responsible for loading shellcode containing the payload after decrypting it. The Windows executable payload, named RESTLEAF, is spawned in memory, and uses Zoho WorkDrive for C2, marking the first time the threat actor has abused the cloud storage service in its attack campaigns.
Once it's successfully authenticated with the Zoho WorkDrive infrastructure by means of a valid access token, RESTLEAF downloads shellcode, which is then executed via process injection, eventually leading to the deployment of SNAKEDROPPER, which installs the Ruby runtime, sets up persistence using a scheduled task, and drops THUMBSBD and VIRUSTASK.
THUMBSBD, which is disguised as a Ruby file and uses removable media to relay commands and transfer data between internet-connected and air-gapped systems. It's capable of harvesting system information, downloading a secondary payload from a remote server, exfiltrating files, and executing arbitrary commands. If the presence of any removable media is detected, the malware creates a hidden folder and uses it to stage operator-issued commands or store execution output.
One of the payloads delivered by THUMBSBD is FOOTWINE, an encrypted payload with an integrated shellcode launcher that comes fitted with keylogging and audio and video capturing capabilities to conduct surveillance. It communicates with a C2 server using a custom binary protocol over TCP. The complete set of commands supported by the malware is as follows -
- sm, for interactive command shell
- fm, for file and directory manipulation
- gm, for managing plugins and configuration
- rm, for modifying the Windows Registry
- pm, for enumerating running processes
- dm, for taking screenshots and captures keystrokes
- cm, for performing audio and video surveillance
- s_d, for receiving batch script contents from C2 server, saving it to the file %TEMP%\SSMMHH_DDMMYYYY.bat, and executing it
- pxm, for setting up a proxy connection and relaying traffic bidirectionally.
- [filepath], for loading a given DLL
THUMBSBD is also designed to distribute BLUELIGHT, a backdoor previously attributed to ScarCruft since at least 2021. The malware weaponizes legitimate cloud providers, including Google Drive, Microsoft OneDrive, pCloud, and BackBlaze, for C2 to run arbitrary commands, enumerate the file system, download additional payloads, upload files, and remove itself.
Also delivered as a Ruby file, VIRUSTASK functions similar to THUMBSBD in that it acts as a removable media propagation component to spread the malware to non-infected air-gapped systems. "Unlike THUMBSBD which handles command execution and exfiltration, VIRUSTASK focuses exclusively on weaponizing removable media to achieve initial access on air-gapped systems," Park explained.
"The Ruby Jumper campaign involves a mult-stage infection chain that begins with a malicious LNK file and utilizes legitimate cloud services (like Zoho WorkDrive, Google Drive, Microsoft OneDrive, etc.) to deploy a novel, self-contained Ruby execution environment," Park said. "Most critically, THUMBSBD and VIRUSTASK weaponize removable media to bypass network isolation and infect air-gapped systems."
