The **air gap breach** is now being exploited by North Korean APT37 hackers who are deploying new malware to move data between internet-connected and air-gapped systems. This malicious campaign, dubbed Ruby Jumper, leverages removable drives to conduct covert surveillance and bypass typical security measures.
Air-gapped computers, critical for sensitive infrastructure, are designed to be isolated from external networks. This isolation is achieved through physical disconnection of all connectivity (Wi-Fi, Bluetooth, Ethernet) and logical segregation via software-defined controls like VLANs and firewalls.
In such environments, data transfer typically relies on removable storage drives, creating a potential vulnerability that APT37 is now actively exploiting.
APT37’s Ruby Jumper Campaign: A Detailed Look
Researchers at Zscaler analyzed the malware used in the Ruby Jumper campaign and identified a suite of five malicious tools: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE. The infection chain begins with a malicious Windows shortcut file (LNK), which deploys a PowerShell script to extract embedded payloads and launch a decoy document, an Arabic translation of a North Korean news article about the Palestine-Israel conflict. This distraction hides the malicious activity.
The PowerShell script loads RESTLEAF, an implant communicating with APT37’s command-and-control (C2) infrastructure via Zoho WorkDrive. RESTLEAF then fetches encrypted shellcode to download SNAKEDROPPER, a Ruby-based loader. This loader installs the Ruby 3.3.0 runtime environment, disguised as a USB-related utility, usbspeed.exe. The attack continues by replacing the RubyGems default file, operating_system.rb, with a malicious version that executes via a scheduled task every five minutes.
How the Air Gap Breach Works
THUMBSBD, a key component, collects system information, stages command files, and prepares data for exfiltration. Its most critical function is creating hidden directories on USB drives and copying files to them. According to researchers, this effectively turns removable storage devices “into a bidirectional covert C2 relay,” enabling command delivery and data extraction from air-gapped systems.
“By leveraging removable media as an intermediary transport layer, the malware bridges otherwise air-gapped network segments,”
VIRUSTASK spreads the infection to new air-gapped machines, weaponizing removable drives by hiding legitimate files and replacing them with malicious shortcuts that execute the embedded Ruby interpreter. The module only triggers if the removable media has at least 2GB of free space. THUMBSBD also delivers FOOTWINE, a Windows spyware backdoor disguised as an Android package file (APK) that supports keylogging, screenshot capture, audio and video recording, file manipulation, registry access, and remote shell commands. Another malware observed is BLUELIGHT, a full-fledged backdoor previously linked to APT37. related Fraudulents news
Attribution and Implications of Air Gap Breach
Zscaler attributes the Ruby Jumper campaign to APT37 with high confidence, citing the use of BLUELIGHT, LNK file initial vectors, two-stage shellcode delivery, and C2 infrastructure typical of this actor. The decoy document suggests a target interested in North Korean media narratives, aligning with APT37’s known victim profile.
The discovery of this new campaign highlights the evolving sophistication of state-sponsored cyberattacks. The ability to effectively breach air-gapped networks, traditionally considered highly secure, poses a significant threat to critical infrastructure and sensitive data. Financial institutions and other organizations with high-security needs must implement robust countermeasures, including enhanced USB drive security policies, regular system scanning, and employee training to mitigate the risk of such attacks. The **air gap breach** represents a serious escalation in cyber warfare, requiring constant vigilance and proactive defense strategies.




