
ScarCruft's Audacious Breach: Zoho WorkDrive and USB Malware Compromise Air-Gapped Networks

  • Feb 28

Key Findings


  • A new set of tools has been attributed to ScarCruft, a North Korean threat actor, including a backdoor that uses Zoho WorkDrive for command-and-control (C2) communications.

  • The campaign, codenamed "Ruby Jumper" by Zscaler ThreatLabz, involves the deployment of various malware families to facilitate surveillance on victim systems.

  • One of the malware components, THUMBSBD, uses removable media to relay commands and transfer data between internet-connected and air-gapped systems.

  • Another malware, VIRUSTASK, focuses solely on weaponizing removable media to achieve initial access on air-gapped systems.

  • The campaign leverages a multi-stage infection chain starting with a malicious LNK file, followed by the deployment of payloads that abuse legitimate cloud storage services for C2.


Background


ScarCruft, also known as APT37, is a North Korean advanced persistent threat (APT) group that has been active since at least 2012. The group is known for targeting various sectors, including government, military, defense, technology, and media organizations, primarily in South Korea, Japan, and the Middle East.


Zoho WorkDrive Abuse


In the Ruby Jumper campaign, the threat actor has been observed using a backdoor named RESTLEAF that communicates with the Zoho WorkDrive cloud storage service for command-and-control (C2) purposes. This marks the first time ScarCruft has been seen abusing Zoho WorkDrive in its attack campaigns.


USB Malware for Air-Gapped Networks


The campaign also involves the deployment of two malware families, THUMBSBD and VIRUSTASK, that are designed to target air-gapped networks by leveraging removable media.


  • THUMBSBD is capable of harvesting system information, downloading secondary payloads, exfiltrating files, and executing arbitrary commands. It uses removable media to relay commands and transfer data between infected and air-gapped systems.

  • VIRUSTASK, on the other hand, focuses exclusively on weaponizing removable media to achieve initial access on air-gapped systems.


Multi-Stage Infection Chain


The Ruby Jumper campaign employs a multi-stage infection chain that begins with a malicious LNK file. When opened, the LNK launches a PowerShell command that carves out and executes several payloads: a decoy document, an executable, a PowerShell script, and a batch file. Each payload advances the chain to the next stage, ultimately leading to the deployment of the RESTLEAF backdoor and the USB-based malware components.
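A chain that starts with a shortcut whose embedded PowerShell carves further stages leaves traits that can be checked statically, before anything runs: the shortcut's target is a script interpreter, its command line contains hidden-window or self-reading tokens, it is set to start minimized, and the file is far larger than the documented shell link structure because the stages are appended to it. The following triage script is an added example, written for this page and not code from Zscaler ThreatLabz or from the campaign; it parses the MS-SHLLINK layout (header, optional IDList and LinkInfo, StringData, ExtraData) and reports those indicators. The lure and benign inputs are constructed in the block itself, the heuristic token list and the 64 KiB overlay threshold are the author's assumptions, and targets supplied only through the IDList or LinkInfo are not resolved here.

```python
"""Static triage of Windows shell link (.lnk) files: extract the target and command
line a shortcut launches and flag the traits of a payload-carrying lure (script
interpreter target, hidden-window PowerShell, self-reading of the .lnk, start
minimized, large overlay appended after the documented structure). Layout per MS-SHLLINK."""
import re
import struct
from dataclasses import dataclass

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
STRING_DATA_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                     (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # ShowCommand that starts the target minimized; common in lure shortcuts

# Assumed heuristic list: command-line tokens that usually mean "loader, not document link"
SUSPICIOUS_ARG_PATTERNS = (
    r"powershell", r"\bpwsh\b", r"-e(nc|ncodedcommand)?\b", r"-w(indowstyle)?\s+hidden", r"-nop\b",
    r"-ep\s+bypass", r"\biex\b", r"invoke-expression", r"frombase64string", r"readallbytes",
    r"\.lnk\b", r"\bmshta\b", r"\brundll32\b", r"\bregsvr32\b", r"\bcmd(\.exe)?\s*/c",
)
INTERPRETER_TARGETS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")


@dataclass
class LnkInfo:
    flags: int
    show_command: int
    relative_path: str
    arguments: str
    structure_end: int  # offset just past the ExtraData TerminalBlock
    file_size: int

    @property
    def overlay_size(self) -> int:
        return self.file_size - self.structure_end


def _read_string_data(data: bytes, off: int, unicode: bool):
    """StringData item: uint16 CountCharacters followed by UTF-16LE or ANSI chars (no terminator)."""
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    if unicode:
        raw, off = data[off:off + 2 * count], off + 2 * count
        return raw.decode("utf-16-le", errors="replace"), off
    raw, off = data[off:off + count], off + count
    return raw.decode("cp1252", errors="replace"), off


def parse_lnk(data: bytes) -> LnkInfo:
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # uint16 IDListSize + IDList (item IDs not decoded here)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # uint32 LinkInfoSize covers the whole LinkInfo structure
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for bit, name in STRING_DATA_ORDER:
        if flags & bit:
            strings[name], off = _read_string_data(data, off, bool(flags & IS_UNICODE))
    while off + 4 <= len(data):  # ExtraData: uint32 BlockSize per block; BlockSize < 4 is the TerminalBlock
        block_size = struct.unpack_from("<I", data, off)[0]
        off += 4
        if block_size < 4:
            break
        off += block_size - 4
    off = min(off, len(data))
    return LnkInfo(flags, show_command, strings.get("relative_path", ""), strings.get("arguments", ""), off, len(data))


def assess_lnk(data: bytes, overlay_threshold: int = 64 * 1024) -> dict:
    """Parse a shortcut and return its fields plus human-readable indicators (assumed heuristics)."""
    info = parse_lnk(data)
    findings = []
    if info.relative_path.lower().endswith(INTERPRETER_TARGETS):
        findings.append(f"target is a script interpreter: {info.relative_path}")
    args = info.arguments.lower()
    for pat in SUSPICIOUS_ARG_PATTERNS:
        if re.search(pat, args):
            findings.append(f"suspicious argument token /{pat}/")
    if info.show_command == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (target window starts minimized)")
    if info.overlay_size > overlay_threshold:
        findings.append(f"{info.overlay_size} bytes appended after the shell link structure (possible embedded stages)")
    return {"info": info, "findings": findings, "verdict": "suspicious" if findings else "no indicators"}


def build_lnk(target: str, arguments: str = "", show_command: int = 1, overlay: bytes = b"") -> bytes:
    """Constructed test input: a minimal Unicode shell link with RELATIVE_PATH, optional
    COMMAND_LINE_ARGUMENTS, a TerminalBlock, and an optional appended overlay."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    parts = [target] + ([arguments] if arguments else [])
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in parts)
    return header + body + struct.pack("<I", 0) + overlay


# Constructed lure shaped like the chain described above (not a real sample): a shortcut that
# runs hidden PowerShell, which re-reads the .lnk itself to carve the stages appended to it.
LURE_LNK = build_lnk(
    target="..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    arguments='-windowstyle hidden -ep bypass -c "$l=(gci *.lnk|? Length -gt 100000);'
              '$b=[IO.File]::ReadAllBytes($l.FullName)"',
    show_command=SW_SHOWMINNOACTIVE,
    overlay=b"\x00" * 200_000,  # stands in for decoy document + EXE + PS1 + BAT appended to the LNK
)
BENIGN_LNK = build_lnk(target="..\\Documents\\Q1 report.docx")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        result = assess_lnk(blob)
        print(f"{label}: {result['verdict']}, overlay={result['info'].overlay_size} bytes")
        for finding in result["findings"]:
            print("  -", finding)
```

Run over a directory of shortcuts pulled from mail attachments or a suspect USB stick, the overlay size alone separates genuine shortcuts (a few hundred bytes to a few KiB) from carriers of appended stages; the argument tokens then tell you which ones to detonate in a sandbox first. The parser skips the IDList and LinkInfo rather than decoding them, so a shortcut whose only target reference lives in those structures will show an empty relative path and must be judged on the other indicators.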


Sources


  • https://thehackernews.com/2026/02/scarcruft-uses-zoho-workdrive-and-usb.html

  • https://x.com/TheCyberSecHub/status/2027370477333995753

  • https://www.reddit.com/r/pwnhub/comments/1rgkjjq/scarcruft_breaches_airgapped_networks_using_zoho/

  • https://www.reddit.com/r/SecOpsDaily/comments/1rg7imo/scarcruft_uses_zoho_workdrive_and_usb_malware_to/

© 2025 by Explain IT Again. Powered and secured by Wix
