APT37 Adds New Tools For Air-Gapped Networks
APT37 Adds New Capabilities for Air-Gapped Networks
Introduction
In December 2025, Zscaler ThreatLabz discovered a campaign linked to APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima), which is a DPRK-backed threat group. In this campaign, tracked as Ruby Jumper by ThreatLabz, APT37 uses Windows shortcut (LNK) files to initiate an attack that utilizes a set of newly discovered tools. These tools, RESTLEAF, SNAKEDROPPER, THUMBSBD, and VIRUSTASK, download a payload that delivers FOOTWINE and BLUELIGHT, which enable surveillance on a victim’s system.
In this blog post, ThreatLabz examines how these tools function, including their notable use of Ruby to load shellcode-based payloads. We also explore how the Ruby Jumper campaign leverages removable media to infect and pass commands and information between air-gapped systems.
Key Takeaways
- In December 2025, ThreatLabz discovered Ruby Jumper, a campaign orchestrated by APT37, a DPRK-backed threat group.
- ThreatLabz discovered RESTLEAF, …
IoC
https://www.homeatedke.store/star/main.php
http://hightkdhe.store
https://www.hightkdhe.store/star/main.php
https://www.philion.store/star/main.php
144.172.106.66
57dac5f7d21da2454d0fbefdced80bf3
476bce9b9a387c5f39461d781e7e22b9
098d697f29b94c11b52c51bfe8f9c47d
585322a931a49f4e1d78fb0b3f3c6212
ad556f4eb48e7dba6da14444dcce3170
ed54cf1ebffbfc1c8ae1ccdd2c681012
5c6ff601ccc75e76c2fc99808d8cc9a9
4214818d7cde26ebeb4f35bc2fc29ada
709d70239f1e9441e8e21fcacfdc5d08
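The following script is an added example, not code from the Zscaler post: it loads the network and file-hash indicators listed above and sweeps them across proxy-log lines and file hashes. The log line format, the source IPs, the file paths, and every hostname other than the listed IoCs are constructed for illustration. Hosts are matched by exact name and by parent domain (so a new subdomain of a listed C2 domain still trips), and MD5 values are compared case-insensitively, which is where naive string matching usually fails.

```python
"""Sweep the Ruby Jumper IoCs across proxy logs and file hashes.

Added example, not code from the original post. Indicators are copied from
the IoC section; all log content below is constructed for illustration.
"""
from urllib.parse import urlsplit

# Network indicators as published in the IoC section.
IOC_URLS = [
    "https://www.homeatedke.store/star/main.php",
    "http://hightkdhe.store",
    "https://www.hightkdhe.store/star/main.php",
    "https://www.philion.store/star/main.php",
]
IOC_IPS = {"144.172.106.66"}

# File hashes (MD5) as published in the IoC section.
IOC_MD5 = {
    "57dac5f7d21da2454d0fbefdced80bf3",
    "476bce9b9a387c5f39461d781e7e22b9",
    "098d697f29b94c11b52c51bfe8f9c47d",
    "585322a931a49f4e1d78fb0b3f3c6212",
    "ad556f4eb48e7dba6da14444dcce3170",
    "ed54cf1ebffbfc1c8ae1ccdd2c681012",
    "5c6ff601ccc75e76c2fc99808d8cc9a9",
    "4214818d7cde26ebeb4f35bc2fc29ada",
    "709d70239f1e9441e8e21fcacfdc5d08",
}


def ioc_hosts(urls):
    """Extract hostnames from IoC URLs; also keep the bare domain when the
    indicator carries a 'www.' label, so other subdomains are caught too."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname  # lower-cased by urlsplit
        if host:
            hosts.add(host)
            if host.startswith("www."):
                hosts.add(host[4:])
    return hosts


IOC_HOSTS = ioc_hosts(IOC_URLS)


def match_host(host, hosts=IOC_HOSTS):
    """Return the matching indicator for an observed host, or None.
    Matches exact names and subdomains ('cdn.philion.store' matches
    'philion.store'); 'notphilion.store' does not, because the check
    requires a dot boundary."""
    host = host.lower().rstrip(".")
    if host in hosts:
        return host
    for h in hosts:
        if host.endswith("." + h):
            return h
    return None


def scan_proxy_log(text):
    """Scan constructed proxy log lines of the form
    '<timestamp> <src_ip> <method> <url> <status>' and return
    (line_number, matched_indicator) for every hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # assumption: malformed lines are skipped, not fatal
        host = urlsplit(parts[3]).hostname
        if host is None:
            continue
        if host in IOC_IPS:
            hits.append((n, host))
            continue
        matched = match_host(host)
        if matched:
            hits.append((n, matched))
    return hits


def scan_hashes(observed):
    """observed: iterable of (path, md5_hex) pairs from a triage tool.
    Returns the pairs whose MD5 is a listed indicator, normalised to lower
    case so that upper-case tool output still matches."""
    return [(path, h.lower()) for path, h in observed if h.lower() in IOC_MD5]


# Constructed sample data (hostnames other than the IoCs are fictitious).
SAMPLE_PROXY_LOG = """\
2025-12-03T09:14:02Z 10.20.1.15 GET https://www.hightkdhe.store/star/main.php 200
2025-12-03T09:14:05Z 10.20.1.15 POST https://cdn.philion.store/star/main.php 200
2025-12-03T09:15:11Z 10.20.1.22 GET https://example.com/index.html 200
2025-12-03T09:16:40Z 10.20.1.15 GET http://144.172.106.66/update 404
2025-12-03T09:17:00Z 10.20.1.30 GET https://notphilion.store/ 200
"""

SAMPLE_HASHES = [
    ("E:\\docs\\report.lnk", "57DAC5F7D21DA2454D0FBEFDCED80BF3"),  # hypothetical path
    ("E:\\docs\\notes.txt", "00000000000000000000000000000000"),
]

if __name__ == "__main__":
    for line_no, ioc in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy line {line_no}: matched {ioc}")
    for path, md5 in scan_hashes(SAMPLE_HASHES):
        print(f"file {path}: matched {md5}")
```

Expected hits on the constructed data are lines 1, 2 and 4 of the proxy log (exact host, subdomain of a listed domain, and the listed IP) and the first hash pair; line 5 is deliberately a look-alike domain that must not match. In a real sweep, feed the functions your proxy export and the hash list from your triage tool rather than the embedded samples.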