
ScarCruft Bridges Air-Gapped Networks via Zoho WorkDrive and USB Implants

  • Javier Conejo del Cerro
  • 23 hours ago
  • 3 min read

In December 2025, the North Korean threat actor ScarCruft launched a campaign codenamed Ruby Jumper, introducing new tooling that blends cloud abuse and removable media propagation to compromise both internet-connected and air-gapped systems. By leveraging phishing-delivered LNK files, Zoho WorkDrive as command-and-control (C2), and USB-based implants, the group demonstrated a deliberate strategy to bypass network isolation and maintain covert, long-term surveillance.


Phase 1: Initial Access – Phishing and LNK Weaponization


The infection chain begins with spear-phishing emails delivering malicious Windows shortcut (LNK) files. Some lures include Arabic-language decoy documents referencing the Palestine–Israel conflict, translated from North Korean sources to enhance credibility.

When opened, the LNK file launches a PowerShell command that scans its own structure and extracts multiple embedded payloads from fixed offsets. These include:

  • A decoy document

  • An executable payload

  • An additional PowerShell script

  • A batch file

The staged execution ensures the victim sees legitimate content while the infection silently progresses in memory.
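A defender-side triage check for the LNK stage just described, added as an example here rather than taken from the report: it validates the ShellLinkHeader, then looks for what a shortcut that carries payloads at fixed offsets cannot hide (an oversized file, an embedded PE image with a consistent e_lfanew, and stager strings in ASCII or UTF-16LE). The sample shortcut, its 64 KB size threshold and the marker list are constructed assumptions.

```python
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID, on-disk byte order
SIZE_THRESHOLD = 64 * 1024  # assumed cut-off: benign shortcuts are a few hundred bytes, payload carriers are not
# Strings a PowerShell/batch stager leaves in the shortcut's arguments or in appended payloads
SCRIPT_MARKERS = (b"powershell", b"-EncodedCommand", b"Invoke-Expression", b"FromBase64String", b"@echo off")

def is_lnk(data):
    """True if the file starts with a well-formed ShellLinkHeader (size 0x4C + fixed CLSID)."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)

def find_embedded_pe(data):
    """Offsets of MZ stubs whose e_lfanew points at a real 'PE\\0\\0' signature."""
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        if 0x40 <= e_lfanew < 0x1000 and data[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits

def triage_lnk(data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    if not is_lnk(data):
        return ["not a ShellLink header"]
    findings = []
    if len(data) > SIZE_THRESHOLD:
        findings.append(f"oversized LNK ({len(data)} bytes)")
    findings += [f"embedded PE at offset 0x{off:x}" for off in find_embedded_pe(data)]
    lowered = data.lower()
    for marker in SCRIPT_MARKERS:
        # LNK string data is normally UTF-16LE, appended scripts normally ASCII: check both encodings
        if any(enc.lower() in lowered for enc in (marker, marker.decode().encode("utf-16-le"))):
            findings.append(f"script marker {marker.decode()!r}")
    return findings

def build_sample():
    """Constructed shortcut shaped like the campaign's LNKs: header, UTF-16LE PowerShell
    arguments, an MZ/PE stub, a batch file, then a large blob standing in for the decoy document."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)
    args = "powershell -w hidden -EncodedCommand QQBB".encode("utf-16-le")
    pe_stub = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)
               + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x00" * 16)
    batch = b"@echo off\r\nstart decoy.docx\r\n"
    return header + args + pe_stub + batch + b"\x00" * SIZE_THRESHOLD
```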


Phase 2: RESTLEAF – Cloud-Based Command and Control


The primary executable payload, RESTLEAF, is launched in memory. This backdoor marks a notable shift: for the first time, ScarCruft abuses Zoho WorkDrive for C2 communications.

Using a valid access token, RESTLEAF authenticates to Zoho’s infrastructure and downloads encrypted shellcode. That shellcode is executed via process injection, minimizing on-disk artifacts and reducing detection surface.

This cloud-based C2 approach provides:

  • Legitimate traffic blending

  • Infrastructure resilience

  • Reduced reliance on attacker-controlled domains


Phase 3: SNAKEDROPPER and Persistence


The next stage deploys SNAKEDROPPER, which installs a self-contained Ruby runtime environment on the victim system. It establishes persistence through scheduled tasks and drops two critical components:

  • THUMBSBD

  • VIRUSTASK

This modular design allows ScarCruft to tailor functionality depending on whether the target environment is connected to the internet or physically isolated.
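A check for the persistence mechanism above and for the "unexpected Ruby runtime / scheduled-task" item under the mitigations, added here as an example and not part of the report: it reads Task Scheduler XML definitions and flags actions that run a script host such as ruby.exe, especially from a user-writable path. The task XML samples, the image list and the path pattern are constructed assumptions.

```python
import os
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Script hosts worth flagging as a task action: the campaign's self-contained Ruby runtime plus the usual ones
SUSPECT_IMAGES = {"ruby.exe", "rubyw.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Locations a legitimate scheduled task rarely launches from (assumed pattern, extend for your estate)
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)

def inspect_task_xml(name, xml_data):
    """Return reasons the task definition looks like script-host persistence (empty = clean)."""
    root = ET.fromstring(xml_data)
    reasons = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or ""
        image = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image in SUSPECT_IMAGES:
            reasons.append(f"{name}: runs script host {image}")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append(f"{name}: action references a user-writable path")
        if image in SUSPECT_IMAGES and re.search(r"\.rb\b", args, re.I):
            reasons.append(f"{name}: launches a Ruby script ({args.strip()})")
    return reasons

def scan_tasks_folder(folder=r"C:\Windows\System32\Tasks"):
    """Walk the on-disk task store (UTF-16 XML files) and collect findings; needs admin rights."""
    findings = []
    for dirpath, _dirs, files in os.walk(folder):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:  # raw bytes let expat honour the file's BOM/encoding
                    findings += inspect_task_xml(os.path.relpath(path, folder), fh.read())
            except (ET.ParseError, OSError):
                continue
    return findings

# Constructed task definitions: a benign one and one shaped like a dropped Ruby-runtime persistence task
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>%SystemRoot%\\System32\\sc.exe</Command><Arguments>start w32time task_started</Arguments>
  </Exec></Actions></Task>"""
SUSPECT_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\acc\\AppData\\Roaming\\Runtime\\bin\\rubyw.exe</Command>
    <Arguments>C:\\Users\\acc\\AppData\\Roaming\\Runtime\\update.rb</Arguments>
  </Exec></Actions></Task>"""
```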


Phase 4: USB-Based Lateral Movement into Air-Gapped Systems


THUMBSBD


Disguised as a Ruby file, THUMBSBD weaponizes removable media to relay commands and exfiltrate data between internet-connected and air-gapped machines.

When removable media is detected, the malware creates hidden directories to:

  • Stage operator-issued commands

  • Store execution output

  • Transfer data between segmented networks

Capabilities include:

  • System information harvesting

  • File download and upload

  • Keystroke logging

  • Screenshot capture

  • Audio and video surveillance

  • Registry modification

  • DLL loading

  • Batch execution

  • Proxy setup for bidirectional traffic relay

THUMBSBD can also deploy FOOTWINE, an encrypted surveillance implant communicating over a custom TCP binary protocol.


VIRUSTASK


While THUMBSBD handles command execution and exfiltration, VIRUSTASK focuses exclusively on propagation. It weaponizes removable media to infect previously untouched air-gapped systems, achieving initial compromise without direct internet connectivity.


Phase 5: BLUELIGHT and Multi-Cloud Abuse


ScarCruft further expands its cloud abuse by deploying BLUELIGHT, a backdoor attributed to the group since at least 2021.

BLUELIGHT leverages multiple legitimate cloud providers for C2, including:

  • Google Drive

  • Microsoft OneDrive

  • pCloud

  • BackBlaze

It supports:

  • Arbitrary command execution

  • File system enumeration

  • Payload download

  • File upload

  • Self-removal

This diversification of cloud infrastructure complicates detection and takedown efforts.
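Detection logic for the cloud C2 traffic that RESTLEAF (Phase 2) and BLUELIGHT (this section) generate, and for the "monitor cloud APIs" item under the mitigations, added here as an example and not code from the report: it sweeps a proxy or EDR export for cloud storage API calls made by processes that are neither browsers nor sync clients, and separately flags a host that spreads such calls across several providers. The log lines, the API host list, the delimiter and the allowed-process set are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# API hosts of the cloud storage services the report names as C2 carriers.
# The host names are an assumption here; use the ones your proxy actually records.
CLOUD_STORAGE_HOSTS = {
    "workdrive.zoho.com": "Zoho WorkDrive",
    "www.googleapis.com": "Google Drive",
    "graph.microsoft.com": "OneDrive",
    "api.pcloud.com": "pCloud",
    "api.backblazeb2.com": "Backblaze",
}
# Programs expected to talk to those services; anything else doing so deserves a look
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "onedrive.exe"}

# Constructed proxy/EDR export, pipe-delimited: timestamp|host|process image|method|url
SAMPLE_LOG = """\
2025-12-03T09:12:01Z|WS-ACC-07|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|GET|https://www.googleapis.com/drive/v3/files
2025-12-03T09:14:22Z|WS-ACC-07|C:\\Users\\acc\\AppData\\Local\\Temp\\svc.exe|GET|https://workdrive.zoho.com/api/v1/download/f1
2025-12-03T09:14:25Z|WS-ACC-07|C:\\Users\\acc\\AppData\\Local\\Temp\\svc.exe|POST|https://api.pcloud.com/uploadfile
2025-12-03T09:15:00Z|WS-FIN-02|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|GET|https://workdrive.zoho.com/api/v1/download/f2
2025-12-03T09:16:10Z|WS-FIN-02|C:\\Program Files\\Mozilla Firefox\\firefox.exe|GET|https://www.example.com/
not a log line
"""

def analyze(lines):
    """Return (host, message) alerts for cloud storage API use by unexpected processes
    and for hosts spreading such use across several providers (the BLUELIGHT pattern)."""
    alerts = []
    providers = defaultdict(set)
    for line in lines:
        fields = line.rstrip("\n").split("|")
        if len(fields) != 5:
            continue  # malformed export line: skip it rather than abort the sweep
        _ts, host, image, _method, url = fields
        provider = CLOUD_STORAGE_HOSTS.get((urlsplit(url).hostname or "").lower())
        if provider is None:
            continue
        proc = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if proc in EXPECTED_PROCESSES:
            continue
        providers[host].add(provider)
        alerts.append((host, f"{provider} API reached by unexpected process {proc}"))
    for host, used in providers.items():
        if len(used) > 1:
            alerts.append((host, "multiple cloud storage providers used: " + ", ".join(sorted(used))))
    return alerts
```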


Strategic Significance


Ruby Jumper illustrates three important trends:

  1. Legitimate cloud service abuse as primary C2

  2. Modular, memory-resident execution chains

  3. Deliberate bridging of air-gapped environments via USB propagation

ScarCruft is not merely compromising endpoints; it is systematically eroding the security assumption that physical network isolation guarantees protection.


Measures to Fend Off the Attack


  • Disable or restrict execution of LNK files from untrusted sources

  • Harden email filtering to detect shortcut-based phishing attachments

  • Restrict and monitor PowerShell execution and script-block logging

  • Enforce strict removable media policies and device control solutions

  • Monitor Zoho WorkDrive and other cloud APIs for anomalous token usage

  • Detect unexpected Ruby runtime installations and scheduled-task persistence

  • Flag abnormal keylogging, audio/video capture, DLL loading, and proxy behavior

  • Apply network segmentation with strict data diodes where possible

  • Deploy behavioral EDR capable of detecting in-memory shellcode execution


ScarCruft’s Ruby Jumper campaign demonstrates how modern threat actors combine traditional spear-phishing with cloud infrastructure abuse and removable media propagation to defeat network segmentation and air-gap defenses.

By integrating Zoho WorkDrive C2, modular Ruby-based implants, USB command relays, and multi-cloud backdoors, the group showcases operational maturity and long-term espionage intent. The campaign reinforces a critical reality: air-gapped systems are no longer isolated if human behavior and removable media remain uncontrolled.

Organizations relying on physical segmentation as a primary defense must reassess that assumption. In the current threat landscape, isolation without behavioral monitoring and strict device governance is no longer sufficient.



The Hacker News

