APT37 Has Your Air-Gapped Network in its Crosshairs

North Korea’s state-aligned threat group widely tracked as APT37, also known as ScarCruft, Reaper, Red Eyes, and Ricochet Chollima, has spent more than a decade refining a disciplined cyber-espionage capability. Recent research into its tooling, however, shows a significant operational shift. The group has moved beyond conventional spear-phishing and browser exploitation campaigns into a domain long considered resistant to remote compromise: air-gapped networks. At the same time, it continues to enhance mature backdoors such as Dolphin, expanding their reach into mobile devices and cloud ecosystems.

For cybersecurity professionals, this evolution represents more than incremental malware development. It demonstrates a deliberate investment in persistence, lateral movement, covert command-and-control (C2) engineering, and removable-media tradecraft. Collectively, the research reveals a threat actor that adapts its tooling to the target environment's constraints rather than forcing targets to conform to predefined attack playbooks.

APT37’s Operational Trajectory

APT37 has historically focused on South Korean government, defense, and policy organizations, while also targeting NGOs, journalists, and entities aligned with regional geopolitical interests. Analysts have long assessed that the group operates in support of North Korean strategic intelligence objectives. Over time, it has demonstrated a pattern common to mature advanced persistent threats: iterative tool development, operational security discipline, and selective targeting rather than broad criminal monetization.

Earlier campaigns frequently relied on watering-hole attacks and vulnerability exploitation chains to deploy implants such as BLUELIGHT and Dolphin. These operations emphasized credential harvesting, document theft, and reconnaissance. However, the recent emergence of the Ruby Jumper campaign marks a departure. Rather than exploiting exposed systems directly, the group engineered a chain of malware components designed to bridge physically isolated environments.

This shift underscores an important point for defenders: air-gapped environments reduce exposure, but they do not eliminate risk. When users introduce removable media into isolated networks, they create a human-mediated bridge. APT37 has invested in weaponizing that bridge.

Ruby Jumper: Engineering a Path into Air-Gapped Networks

Security researchers recently identified a new campaign they attributed to APT37 with high confidence, naming it “Ruby Jumper.” The campaign stands out because it explicitly targets air-gapped systems, environments typically used in defense, industrial control systems, and high-sensitivity research settings.

The infection chain begins with a malicious Windows shortcut (LNK) file. When a user executes the LNK file on an internet-connected system, it launches a PowerShell script that extracts embedded components. The script displays a decoy document to distract the victim while it executes its payload chain in the background. This tradecraft mirrors long-standing APT37 techniques: blend legitimate-looking content with staged execution to reduce suspicion.

The initial PowerShell stage installs an implant called RESTLEAF, which communicates with C2 infrastructure via Zoho WorkDrive, a legitimate cloud storage service. By leveraging a reputable SaaS platform, APT37 obscures outbound traffic within normal enterprise activity. RESTLEAF retrieves encrypted shellcode and passes execution to the next stage, SNAKEDROPPER.

SNAKEDROPPER performs a particularly notable function. It installs a complete Ruby 3.3 runtime environment on the compromised system, disguising it as a benign executable named usbspeed.exe. The actor then uses this embedded Ruby interpreter to execute malicious Ruby scripts. This approach offers several advantages:

  • It avoids reliance on native Windows scripting engines that defenders commonly monitor.
  • It provides cross-platform scripting flexibility.
  • It allows attackers to obfuscate logic within less commonly scrutinized interpreter behavior.

From a detection standpoint, the installation of an unexpected scripting runtime on an enterprise endpoint should immediately trigger investigation. Yet in many environments, endpoint detection systems prioritize PowerShell, WMI, and .NET abuse, potentially overlooking Ruby-based execution chains.

Removable Media Weaponization

The most strategically significant aspect of Ruby Jumper lies in its use of removable media. Two components, THUMBSBD and VIRUSTASK, coordinate the infection and data exfiltration process via USB drives.

THUMBSBD operates as a backdoor with surveillance and staging functionality. It creates hidden directories on removable drives and stores harvested data there. It also reads command files placed on the drive, enabling bidirectional communication. When a USB device moves between an internet-connected system and an air-gapped system, it effectively becomes a covert C2 channel.

VIRUSTASK focuses on propagation. It hides legitimate files on the USB drive and replaces them with malicious shortcut files. When a user opens what appears to be a legitimate document, the malicious Ruby interpreter executes again, continuing the infection chain.

This design allows APT37 to infect an internet-connected machine first, stage malicious components on removable media, and then piggyback into a physically isolated environment. Once inside the air-gapped system, THUMBSBD collects data and stores it for eventual exfiltration when the USB device reconnects to a system with internet access.

The operational implications are profound. Air-gapped systems often lack real-time monitoring, centralized logging, or outbound network telemetry. If attackers can establish a foothold via removable media, defenders may struggle to reconstruct timelines or detect anomalies promptly.

FOOTWINE and Expanded Capability

Researchers also observed another implant, FOOTWINE, disguised as an Android package (APK). Although Ruby Jumper primarily targets Windows systems, FOOTWINE demonstrates APT37’s willingness to blend desktop and mobile tradecraft. FOOTWINE supports keylogging, screenshot capture, audio and video recording, and remote shell execution.

This capability reflects a broader pattern seen in APT37 operations: once a target environment is compromised, the actor aggressively expands collection vectors. It does not limit itself to a single platform.

For defenders, this reinforces the need for cross-platform telemetry. Endpoint, mobile device management (MDM), and identity monitoring systems must operate cohesively. Isolated detection silos allow actors like APT37 to move laterally across device categories without triggering unified alerts.

Dolphin Improves Espionage Tooling

While Ruby Jumper represents a forward-leaning offensive innovation, the Dolphin backdoor illustrates APT37’s refinement of espionage tooling over time. Dolphin establishes persistence via Windows registry modifications and uses Google Drive as C2 infrastructure. This cloud-based C2 strategy aligns with a broader industry trend: adversaries increasingly hide within sanctioned SaaS traffic to evade perimeter defenses.

Dolphin’s core functions include keylogging, screenshot capture, credential harvesting from web browsers, and file exfiltration. However, its more advanced capabilities differentiate it from commodity spyware.

One particularly notable feature involves its use of the Windows Portable Device (WPD) API. Dolphin enumerates connected mobile devices and harvests files from them. In practice, this means that when a user connects a smartphone to a compromised PC, Dolphin may copy images, documents, or other data directly from the mobile device.

This capability extends the blast radius of a desktop compromise. Sensitive data stored exclusively on mobile devices may inadvertently flow into attacker hands via a compromised workstation.

Researchers also observed that earlier Dolphin variants manipulated Google account settings to weaken security controls. By altering account configurations, the malware may have reduced the likelihood of detection or reauthentication prompts. This demonstrates an adversary that thinks beyond file theft and invests in identity persistence.

Detection and Defensive Considerations

Cybersecurity professionals should draw several lessons from APT37’s recent campaigns.

First, defenders must reassess assumptions about air-gapped security. Physical isolation reduces exposure but does not mitigate threats introduced through human behavior. Organizations operating sensitive environments should implement strict removable-media governance frameworks that include:

  • Hardware-based USB control solutions and device allow-listing.
  • Mandatory malware scanning stations for all media crossing security boundaries.
  • Behavioral monitoring for unexpected scripting interpreter installations or hidden directory creation on removable drives.

Second, cloud C2 abuse demands improved SaaS telemetry analysis. When adversaries use services such as Zoho WorkDrive or Google Drive for command and control, traffic blends into normal enterprise activity. Security teams should integrate CASB or SSE solutions capable of inspecting API-level interactions, not merely domain reputation.

Third, endpoint detection engineering must account for nontraditional interpreters. The appearance of a Ruby runtime in a corporate Windows environment should not pass unnoticed. Threat hunters should create detection rules that flag unexpected installations of scripting engines or anomalous parent-child process relationships involving LNK-triggered PowerShell execution.
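The two detection ideas above (an unexpected scripting runtime, and LNK-triggered PowerShell showing up as an anomalous parent-child pairing) can be expressed as simple rules over process-creation telemetry. The following is an added example written for this article, not code from the researchers or from any detection product. It assumes events shaped like Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine, ParentImage), assumes the Ruby PE files carry OriginalFileName `ruby.exe`/`rubyw.exe` so a renamed copy still reveals itself through that field, and uses an invented allow-list directory and constructed sample events; the `usbspeed.exe` name is the one the article reports.

```python
"""Detection logic for two of the Ruby Jumper signals discussed above.
Added example: the events below are constructed in the shape of Sysmon
Event ID 1 (process creation) fields; they are not real telemetry."""
from dataclasses import dataclass
import re


@dataclass
class ProcessEvent:
    image: str                # path of the new process
    original_file_name: str   # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str


# Switches an interactive user rarely types but LNK stagers almost always use
# (assumed pattern; tune to your environment).
STAGER_SWITCHES = re.compile(
    r"(?i)-(?:w(?:indowstyle)?\s+hidden"
    r"|e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"
    r"|(?:ep|executionpolicy)\s+bypass)"
)

# Assumption: the Ruby PE files carry OriginalFileName ruby.exe / rubyw.exe,
# so a renamed copy (e.g. usbspeed.exe) still reveals itself through this field.
RUBY_ORIGINAL_NAMES = {"ruby.exe", "rubyw.exe"}
# Assumed organisational allow-list of directories where Ruby may legitimately run.
RUBY_ALLOWED_DIRS = ("c:\\ruby33-x64\\bin\\",)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def lnk_powershell_reasons(ev: ProcessEvent) -> list[str]:
    """explorer.exe -> powershell.exe with stager-style switches.

    A shortcut double-clicked by the user runs its target as a child of
    explorer.exe. A person launching PowerShell that way gets a visible console,
    so hidden-window / encoded-command / bypass switches in this parent-child
    pairing are anomalous."""
    if _basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return []
    if _basename(ev.parent_image) != "explorer.exe":
        return []
    hits = [m.group(0) for m in STAGER_SWITCHES.finditer(ev.command_line)]
    return [f"explorer.exe spawned PowerShell with stager switch {h!r}" for h in hits]


def unexpected_interpreter_reasons(ev: ProcessEvent) -> list[str]:
    """A Ruby interpreter that was renamed or runs outside allow-listed directories."""
    ofn = ev.original_file_name.lower()
    if ofn not in RUBY_ORIGINAL_NAMES:
        return []
    reasons = []
    if _basename(ev.image) != ofn:
        reasons.append(f"renamed interpreter: {_basename(ev.image)} is really {ofn}")
    if not ev.image.lower().startswith(RUBY_ALLOWED_DIRS):
        reasons.append(f"interpreter outside allow-listed directories: {ev.image}")
    return reasons


def scan(events):
    """Return (event index, rule name, reason) triples for every hit."""
    findings = []
    for i, ev in enumerate(events):
        for rule, fn in (("lnk_powershell", lnk_powershell_reasons),
                         ("unexpected_interpreter", unexpected_interpreter_reasons)):
            for reason in fn(ev):
                findings.append((i, rule, reason))
    return findings


# Constructed sample events (not real telemetry); paths are illustrative only.
SAMPLE_EVENTS = [
    ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "PowerShell.EXE",
                 "powershell.exe -w hidden -ep bypass -c \"...\"",
                 "C:\\Windows\\explorer.exe"),
    ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "PowerShell.EXE",
                 "powershell.exe Get-Process",
                 "C:\\Windows\\System32\\cmd.exe"),
    ProcessEvent("C:\\Users\\user\\AppData\\Local\\Temp\\usbspeed.exe",
                 "ruby.exe",
                 "usbspeed.exe C:\\Users\\user\\AppData\\Local\\Temp\\main.rb",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    ProcessEvent("C:\\Ruby33-x64\\bin\\ruby.exe", "ruby.exe",
                 "ruby.exe build.rb", "C:\\Windows\\System32\\cmd.exe"),
]

if __name__ == "__main__":
    for idx, rule, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx} [{rule}]: {reason}")
```

Against the constructed events, the explorer-spawned hidden PowerShell and the renamed Ruby binary each produce two reasons, while the analyst's `cmd.exe`-launched PowerShell and the allow-listed `ruby.exe` produce none. The OriginalFileName check is the one worth keeping even if the rest is tuned away: a renamed interpreter is a masquerade signal regardless of which language it runs.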

Fourth, mobile device exposure through desktop compromise remains underappreciated. Security programs must treat workstation-to-mobile data flows as high-risk interactions. Logging WPD API usage, restricting unmanaged mobile connections, and enforcing strong MDM policies can reduce this risk.

Threat Modeling and Incident Response Implications

From a threat-modeling perspective, APT37’s approach illustrates a layered attack strategy:

  1. Compromise an internet-connected system.
  2. Stage modular payloads using legitimate cloud services.
  3. Infect removable media to bridge into isolated networks.
  4. Establish persistence and collect data.
  5. Exfiltrate staged data when media reconnects externally.

Each stage offers defenders a detection opportunity. However, detection requires visibility across network boundaries and device types. Many organizations still segment telemetry pipelines for classified or sensitive environments. Without careful log aggregation and cross-environment correlation, defenders may miss early warning indicators.

Incident responders should prepare playbooks specifically addressing removable-media-borne infection. Traditional Incident Response (IR) procedures often emphasize network-based lateral movement. In air-gapped scenarios, responders must analyze USB device artifacts, hidden directories, shortcut file metadata, and registry persistence mechanisms.
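The on-disk traces the article attributes to THUMBSBD (hidden staging directories on the drive) and VIRUSTASK (legitimate files hidden and replaced by shortcuts) are exactly what the behavioral-monitoring bullet earlier and the IR playbook here need to look for. The following triage script is an added example, not tooling from the research or from any vendor. It assumes a removable drive is mounted at a path you supply, reads the Windows hidden attribute where the platform exposes it (falling back to the POSIX dot-prefix convention elsewhere), and runs against a constructed directory listing so it can be exercised offline.

```python
"""Triage a removable drive for two traces described in the article:
hidden staging directories, and .lnk files that shadow a hidden file of the
same name in the same directory. Added example; the listing at the bottom is
constructed, not captured from an infected drive."""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    relpath: str   # path relative to the drive root, "/"-separated
    is_dir: bool
    hidden: bool


def _is_hidden(path: str) -> bool:
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:  # Windows: FAT/NTFS hidden attribute
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")  # POSIX convention


def collect_entries(root: str) -> list[Entry]:
    """Walk a mounted drive and record every entry with its hidden flag."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append(Entry(rel, os.path.isdir(full), _is_hidden(full)))
    return entries


def _split(relpath: str):
    parent, _, name = relpath.rpartition("/")
    return parent, name


def triage(entries: list[Entry]):
    """Return (finding kind, path, related path) triples.

    hidden_directory        -> a hidden folder, the staging pattern of THUMBSBD
    lnk_shadows_hidden_file -> Report.docx.lnk or Report.lnk beside a hidden
                               Report.docx, the replacement pattern of VIRUSTASK
    """
    findings = []
    hidden_files = {}  # (parent, lowercase name or stem) -> Entry
    for e in entries:
        parent, name = _split(e.relpath)
        if e.hidden and e.is_dir:
            findings.append(("hidden_directory", e.relpath, None))
        elif e.hidden:
            hidden_files.setdefault((parent, name.lower()), e)
            hidden_files.setdefault((parent, os.path.splitext(name)[0].lower()), e)
    for e in entries:
        parent, name = _split(e.relpath)
        if e.is_dir or e.hidden or not name.lower().endswith(".lnk"):
            continue
        shadowed = hidden_files.get((parent, name[:-4].lower()))
        if shadowed is not None:
            findings.append(("lnk_shadows_hidden_file", e.relpath, shadowed.relpath))
    return findings


def triage_drive(root: str):
    return triage(collect_entries(root))


# Constructed listing standing in for a drive that crossed the air gap.
CONSTRUCTED_LISTING = [
    Entry("Report.docx", False, True),
    Entry("Report.docx.lnk", False, False),
    Entry("Budget.xlsx", False, True),
    Entry("Budget.lnk", False, False),
    Entry("Readme.txt", False, False),
    Entry("photos", True, False),
    Entry("photos/holiday.jpg", False, False),
    Entry(".staging", True, True),
    Entry(".staging/collected.bin", False, True),
    Entry("Notes.lnk", False, False),  # an ordinary shortcut with nothing hidden behind it
]

if __name__ == "__main__":
    import sys
    results = triage_drive(sys.argv[1]) if len(sys.argv) > 1 else triage(CONSTRUCTED_LISTING)
    for kind, path, related in results:
        print(f"{kind}: {path}" + (f" (shadows {related})" if related else ""))
```

Run it with a mount point as the first argument to triage a real drive, or with no arguments to see the three findings from the constructed listing: the hidden `.staging` directory and the two shortcuts sitting in front of hidden `Report.docx` and `Budget.xlsx`. A lone shortcut with no hidden counterpart is deliberately not flagged, which keeps the rule quiet on drives that simply carry user-made shortcuts; the shortcut's own target metadata is the next thing a responder would pull.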

Adaptation as a Core Competency

APT37’s recent campaigns demonstrate that adaptation forms the core of its operational philosophy. The group does not rely on a single exploit or technique. Instead, it studies defensive architectures and identifies human-mediated weaknesses. Air-gapped environments represent a prestige target category; breaching them sends a signal about capability and persistence.

At the same time, the continued development of Dolphin reveals sustained investment in surveillance depth. The ability to harvest data from connected mobile devices, manipulate cloud accounts, and iterate across versions reflects a mature software development lifecycle within the threat actor ecosystem.

For cybersecurity professionals, this convergence of innovation and iteration demands a balanced response. Organizations must invest not only in perimeter hardening but also in behavioral analytics, device governance, and cross-domain visibility.

Conclusion

APT37’s evolution from targeted espionage campaigns to sophisticated air-gap bridging operations underscores the dynamic nature of state-aligned cyber threats. Through Ruby Jumper, the group demonstrated that physical isolation alone does not guarantee safety. Through Dolphin, it proved that mature implants can quietly expand collection into cloud accounts and mobile ecosystems.

Security leaders should treat these developments as a call to reassess assumptions about network segmentation and removable-media risk. Effective defense now requires integrated telemetry, disciplined USB governance, proactive threat hunting for unusual interpreter installations, and a holistic understanding of how desktop, cloud, and mobile environments intersect.

APT37’s trajectory shows that determined adversaries adapt to defensive innovation. Cybersecurity professionals must respond with equal adaptability, ensuring that even the most isolated systems remain under vigilant scrutiny.
