So you air-gapped your network. You physically disconnected it from the internet. You bought the rack, paid for the isolated environment, told management “nothing can get in here.” You were proud of yourself, maybe even a little smug about it.
Yeah. About that.
Zscaler ThreatLabz published research this week on a campaign they’re calling Ruby Jumper — attributed with high confidence to APT37, also known as ScarCruft, Ruby Sleet, and Velvet Chollima — a DPRK-backed espionage group that’s been running operations since at least 2012. They discovered this campaign back in December 2025, and the research dropped on February 25-26th, 2026. And what they found is a beautifully nasty piece of tradecraft that uses cloud services you almost certainly haven’t blocked, USB drives that employees plug in without thinking, and a modular malware chain that would make any nation-state operator quietly impressed.
The whole thing uses Zoho WorkDrive as command-and-control infrastructure. Zoho. The perfectly legitimate cloud productivity platform your legal department might literally be paying for right now. APT37 is using it to quietly run an air-gap-jumping operation against what are almost certainly high-value targets in government, defense, and critical infrastructure.
What Actually Happened — The Technical Picture
According to the Zscaler ThreatLabz deep-dive, the Ruby Jumper campaign works in stages that are worth understanding because each one is clever in a specific way.
It starts with a Windows shortcut (LNK) file — a classic initial access vehicle that Windows still, in 2026, executes with distressing enthusiasm. The LNK file spawns a Windows executable payload in memory that ThreatLabz calls RESTLEAF. Here’s where it gets interesting: RESTLEAF uses Zoho WorkDrive cloud storage for its C2 communications. It retrieves a valid access token by exchanging embedded refresh token credentials, enabling subsequent API operations with Zoho WorkDrive infrastructure. This is, as ThreatLabz notes, the first documented case of APT37 abusing Zoho WorkDrive. Because RESTLEAF is communicating with Zoho — a legitimate cloud service with valid TLS certificates and a good reputation — it sails right past most network-level controls. Good luck blocking Zoho without breaking half your organization’s legitimate workflows.
RESTLEAF fetches SNAKEDROPPER, a next-stage loader that installs the Ruby runtime on the system (hence the campaign name — APT37 is literally embedding Ruby to load shellcode-based payloads, because why use something detectable when you can run shellcode through a scripting language runtime?), establishes persistence, and drops two more tools: THUMBSBD and VIRUSTASK.
VIRUSTASK is the air-gap jumper. It infects removable media — USB drives — by replacing files with malicious LNK shortcuts. So when your employee plugs their USB stick into an air-gapped machine to transfer a file, they’re carrying VIRUSTASK with them, and the malicious LNK files on the drive execute on the isolated machine.
THUMBSBD is the backdoor that operates across the air gap. It uses removable media to relay commands and transfer data between internet-connected systems (where C2 via Zoho WorkDrive is available) and air-gapped systems (where it isn’t). The USB drive becomes a data mule — commands go in, exfiltrated data comes out, physically shuttled by employees who have no idea they’re acting as carriers.
The final payload — FOOTWINE — is a surveillance tool with keylogging and audio/video capture capabilities. And BLUELIGHT, a previously documented APT37 backdoor, is also delivered in the chain. Once FOOTWINE is on an air-gapped system, it can capture keystrokes, record audio and video, and that data gets exfiltrated via the USB mule channel back to Zoho WorkDrive. Elegant, nasty, and deeply patient.
Why It Matters
Air gaps are supposed to be the nuclear option in network security — the thing you do when the data is so sensitive that no network connection is worth the risk. Government classified systems. Defense contractor R&D environments. Critical infrastructure control systems. Industrial control networks. These are the targets that get air-gapped, and they’re air-gapped because the consequences of compromise are catastrophic.
APT37 targeting air-gapped networks tells you something important about the threat landscape for 2026: nation-state actors are systematically working through every physical security assumption we make. Air gaps were always theoretically defeatable via removable media — Stuxnet demonstrated this in 2010 against Iranian nuclear centrifuges — but the sophistication of the Ruby Jumper campaign shows how far this tradecraft has evolved in the intervening sixteen years. RESTLEAF using legitimate cloud service APIs for C2 is specifically designed to defeat network monitoring controls. VIRUSTASK automatically propagating via USB is designed to defeat the “we control USB access” assumption. THUMBSBD using USB as a data relay is designed to defeat the “there’s no network path out” assumption.
The targeting profile for APT37 based on their MITRE ATT&CK group profile includes victims in South Korea, Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other Middle Eastern nations, with a focus on government, defense, military, media, and human rights organizations. This isn’t a financially motivated operation. This is strategic intelligence collection. Whoever APT37 has gotten into via this campaign probably doesn’t know it yet — because FOOTWINE is a surveillance tool, not a ransomware payload. There’s no ransom note. There’s no obvious disruption. There’s just quiet, persistent collection.
What Went Wrong
The honest answer is: the threat model was wrong.
Organizations that air-gap sensitive networks often treat the air gap as a final solution rather than one layer in a defense-in-depth strategy. “It’s air-gapped” becomes the answer that ends the security conversation, rather than a foundation that needs additional controls layered on top. Ruby Jumper is specifically designed to exploit that mentality.
The USB vector is particularly interesting because it’s not a failure of technology — it’s a failure of human factors. The USB drive gets plugged in by a person. That person might be following documented procedures to transfer legitimate files. The LNK file infection is designed to be transparent; there’s nothing obviously wrong happening when the employee plugs in their drive. This is exactly the kind of attack I’ve written about in my research on how human behavior intersects with technical security controls — the attack succeeds not because the human did something obviously stupid but because the technical and procedural controls weren’t designed to catch this specific vector.
The Zoho WorkDrive C2 channel is a separate problem: it’s a living-off-the-land technique applied to cloud services. APT37 isn’t running a sketchy IP as a C2 server. They’re using Zoho’s API. Your DNS doesn’t flag it. Your web proxy might not block it. Your TLS inspection sees a valid Zoho certificate. This is exactly why “block known malicious IPs” as a defense strategy is increasingly useless against sophisticated actors.
The Fixer’s Playbook
For organizations running air-gapped environments — and you know who you are — here’s what you need to be thinking about:
USB control is not optional. Air-gapped environments need strict removable media policies with technical enforcement, not just policy documents. That means application whitelisting that controls what can execute from removable media, USB device management that restricts which specific approved devices can be used, and a quarantine/scanning station where USB devices are scanned on an internet-connected system before they go anywhere near the air-gapped environment. The quarantine station should be running detection for malicious LNK files specifically.
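A concrete version of the quarantine-station check, covering both the file-replacement trick described under VIRUSTASK above and the scanning station this step calls for. This is an added example, not code from Zscaler ThreatLabz or from this post; it parses enough of the Windows Shell Link binary format (the LinkFlags, the skipped IDList/LinkInfo sections, and the StringData fields) to recover each shortcut's target and arguments, then flags shortcuts that look like documents but launch an interpreter. The interpreter list, document extensions, and the fixture-building helper are my assumptions for the example; the `.lnk` fixtures it builds are constructed test data, not samples from the campaign.

```python
"""Quarantine-station scan of a mounted removable drive for suspicious .lnk files.

Added example; not code from Zscaler ThreatLabz or from the post's author.
It reads the Shell Link format (MS-SHLLINK) far enough to recover the relative
target path and command-line arguments, then applies heuristics aimed at the
"real file replaced by a shortcut" pattern described above.
"""
import struct
from pathlib import Path

# LinkFlags bits from the Shell Link header (MS-SHLLINK section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# HeaderSize (0x4C) followed by the fixed LinkCLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Assumed lists: interpreters a document-looking shortcut should never launch,
# and extensions a shortcut name can use to impersonate a document.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "ruby.exe"}
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".jpg"}


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file (relative path, arguments, ...)."""
    if len(data) < 0x4C or data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            raw, pos = data[pos:pos + 2 * count], pos + 2 * count
            return raw.decode("utf-16-le")
        raw, pos = data[pos:pos + count], pos + count
        return raw.decode("latin-1")

    fields = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            fields[key] = read_string()
    return fields


def assess_lnk(filename: str, data: bytes) -> dict:
    """Apply the heuristics to one shortcut and return the reasons it looks suspicious."""
    info = parse_lnk(data)
    target = info.get("relative_path", "")
    args = info.get("arguments", "")
    reasons = []
    target_base = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if target_base in INTERPRETERS:
        reasons.append(f"target is an interpreter: {target_base}")
    inner = Path(Path(filename).stem)        # 'report.docx.lnk' -> 'report.docx'
    if inner.suffix.lower() in DOC_EXTS:
        reasons.append(f"shortcut impersonates a document: {filename}")
    if "ruby" in target.lower() or "ruby" in args.lower():
        reasons.append("references a Ruby runtime")
    if len(args) > 200:
        reasons.append(f"unusually long argument string ({len(args)} chars)")
    return {"target": target, "arguments": args, "reasons": reasons,
            "suspicious": bool(reasons)}


def scan_removable_media(mount_point: str) -> list:
    """Walk a mounted drive and return [(path, assessment)] for suspicious shortcuts."""
    findings = []
    for p in Path(mount_point).rglob("*.lnk"):
        try:
            result = assess_lnk(p.name, p.read_bytes())
        except (OSError, ValueError):
            continue
        if result["suspicious"]:
            findings.append((str(p), result))
    return findings


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal .lnk fixture so the scanner can be exercised offline.
    Constructed test data only; the target paths used with it are hypothetical."""
    header = bytearray(0x4C)
    header[:20] = LNK_MAGIC
    struct.pack_into("<I", header, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return bytes(header) + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    suspect = build_sample_lnk(r"..\..\Windows\System32\cmd.exe", "/c echo constructed-sample")
    print(assess_lnk("quarterly_report.docx.lnk", suspect))
    print(assess_lnk("notes.lnk", build_sample_lnk(r"..\Documents\notes.txt", "")))
```

Two caveats for anyone adapting this: the parser only reads the relative-path string, so a shortcut whose target is carried solely in the IDList (no RelativePath) yields an empty target, and on a quarantine station that case deserves to be treated as suspicious rather than silently passed. Running `scan_removable_media("E:\\")` (or a mount point on the scanning host) returns the findings list for whatever drive is plugged in.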
Block Zoho WorkDrive and audit your allowed cloud services — everywhere. If you’re running air-gapped networks for sensitive operations, the internet-connected workstations that interact with those environments via USB should have strict egress filtering. “Allow only required services” is the rule. Any cloud storage or productivity platform that isn’t explicitly required for operations should be blocked. Regularly audit what cloud services are actually reaching out from your network — RESTLEAF’s Zoho C2 channel would appear as legitimate Zoho API traffic, but anomalous for an environment that doesn’t need Zoho.
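The egress audit this step describes can be automated against proxy logs. The following is an added example, not ThreatLabz's or this post's code: it groups cloud-service requests per source host, compares them with a per-host entitlement list, and separately flags the token-exchange-then-API-calls sequence that RESTLEAF is reported to use. The log lines and host names are constructed, the entitlement table is a hypothetical inventory, and the Zoho hostnames and OAuth token path are assumptions drawn from Zoho's public OAuth and WorkDrive API endpoints; substitute whatever your own proxy actually records.

```python
"""Egress audit of proxy logs for cloud-storage use that no business workflow explains.

Added example; not code from Zscaler ThreatLabz or the post's author.
Log lines are constructed; hostnames and entitlements are assumptions.
"""
from collections import defaultdict

# Cloud storage / productivity endpoints tracked per source host (assumed names).
CLOUD_SERVICES = {
    "accounts.zoho.com": "zoho",
    "www.zohoapis.com": "zoho",
    "workdrive.zoho.com": "zoho",
    "api.dropboxapi.com": "dropbox",
    "graph.microsoft.com": "m365",
}
OAUTH_HOST = "accounts.zoho.com"
OAUTH_TOKEN_PATH = "/oauth/v2/token"     # Zoho OAuth token endpoint path (assumed)

# Hypothetical inventory: which hosts are entitled to which services.
ENTITLEMENTS = {
    "LEGAL-WS-07": {"zoho", "m365"},
    "ENG-WS-12": {"m365"},
    "USB-TRANSFER-01": set(),            # feeds the air-gapped enclave; needs no cloud storage
}

# Constructed sample: <timestamp> <source host> <method> <dest host> <path> <status>
SAMPLE_LOG = """\
2026-02-26T09:12:01Z LEGAL-WS-07 GET www.zohoapis.com /workdrive/api/v1/files/abc 200
2026-02-26T09:15:44Z ENG-WS-12 GET graph.microsoft.com /v1.0/me/drive/root 200
2026-02-26T09:20:03Z USB-TRANSFER-01 POST accounts.zoho.com /oauth/v2/token 200
2026-02-26T09:20:05Z USB-TRANSFER-01 GET www.zohoapis.com /workdrive/api/v1/files/x1 200
2026-02-26T09:20:09Z USB-TRANSFER-01 GET www.zohoapis.com /workdrive/api/v1/files/x2/content 200
2026-02-26T09:31:50Z ENG-WS-12 POST api.dropboxapi.com /2/files/upload 200
"""


def parse_line(line: str) -> dict:
    """Split one constructed-format proxy line into its fields."""
    ts, src, method, dest, path, status = line.split()
    return {"ts": ts, "src": src, "method": method, "dest": dest,
            "path": path, "status": int(status)}


def audit_egress(lines) -> list:
    """Return alerts for hosts using cloud services they are not entitled to."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        service = CLOUD_SERVICES.get(rec["dest"].lower())
        if service:                       # ignore everything that is not a tracked cloud service
            rec["service"] = service
            by_host[rec["src"]].append(rec)

    alerts = []
    for src, recs in by_host.items():
        allowed = ENTITLEMENTS.get(src, set())
        # Rule 1: any tracked service outside the host's entitlement.
        for service in sorted({r["service"] for r in recs} - allowed):
            alerts.append({"host": src, "service": service,
                           "reason": "cloud service outside this host's entitlement",
                           "requests": sum(r["service"] == service for r in recs)})
        # Rule 2: a successful OAuth token exchange followed by WorkDrive API calls,
        # the refresh-token-to-API sequence described for RESTLEAF.
        token_ok = [r for r in recs if r["dest"] == OAUTH_HOST and r["method"] == "POST"
                    and r["path"].startswith(OAUTH_TOKEN_PATH) and r["status"] == 200]
        api_calls = [r for r in recs if r["service"] == "zoho" and r["dest"] != OAUTH_HOST]
        if token_ok and api_calls and "zoho" not in allowed:
            alerts.append({"host": src, "service": "zoho",
                           "reason": "token exchange followed by WorkDrive API calls "
                                     "on a host with no Zoho entitlement",
                           "requests": len(api_calls)})
    return alerts


if __name__ == "__main__":
    for alert in audit_egress(SAMPLE_LOG.strip().splitlines()):
        print(alert)
```

On the sample, the legal workstation's Zoho traffic is silent because it is entitled to it, while the USB transfer workstation trips both rules. That is the point of a per-host entitlement table rather than a global block list: the same Zoho request is legitimate on one host and an indicator on another.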
Hunt for LNK-based execution. Malicious LNK files are a recurring APT37 technique that’s been in their playbook for years. Your endpoint detection should be configured to alert on LNK files executing from removable media, especially those that spawn child processes, make network connections, or install runtimes. Ruby runtime installation in a corporate environment that doesn’t use Ruby should generate a very loud alert.
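The dynamic side of that hunt, as an added example rather than ThreatLabz's or this post's code: a rule run over process-creation telemetry that fires when explorer.exe (the parent you get when a user double-clicks a shortcut) launches a script or command interpreter in the context of a removable drive, and separately when `ruby.exe` runs on any host that is not known to have a sanctioned Ruby install. The events are constructed in the shape of Sysmon Event ID 1 fields; the removable drive letters, the list of Ruby-approved hosts and the file paths in the events are assumptions for the example.

```python
"""Hunt over process-creation events for shortcut-launched interpreters and unexpected Ruby.

Added example; not code from Zscaler ThreatLabz or the post's author. Events are
constructed with Sysmon Event ID 1 field names; drive letters, approved hosts and
paths are assumptions.
"""
import ntpath

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "ruby.exe"}
REMOVABLE_DRIVES = {"D:", "E:"}          # assumed: from the USB device-management inventory
RUBY_EXPECTED_ON = {"BUILD-SRV-02"}      # assumed: the only host with a sanctioned Ruby install

# Constructed sample events (paths are hypothetical).
SAMPLE_EVENTS = [
    {"Computer": "USB-TRANSFER-01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c start E:\quarterly_report.docx',
     "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": "E:\\"},
    {"Computer": "USB-TRANSFER-01", "Image": r"C:\Program Files\Office\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Office\WINWORD.EXE" E:\minutes.docx',
     "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": "E:\\"},
    {"Computer": "USB-TRANSFER-01", "Image": r"C:\Users\Public\rb\bin\ruby.exe",
     "CommandLine": r"ruby.exe C:\Users\Public\rb\run.rb",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CurrentDirectory": r"C:\Users\Public"},
    {"Computer": "BUILD-SRV-02", "Image": r"C:\Ruby33\bin\ruby.exe",
     "CommandLine": "ruby.exe rake test",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CurrentDirectory": r"C:\build"},
]


def on_removable(path: str) -> bool:
    """True if a Windows path sits on a drive letter the inventory marks removable."""
    return bool(path) and path[:2].upper() in REMOVABLE_DRIVES


def evaluate_event(event: dict) -> list:
    """Return the reasons one process-creation event deserves an alert (empty if none)."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmdline = event.get("CommandLine", "")
    reasons = []

    # Rule 1: explorer.exe spawning an interpreter with a removable-drive working
    # directory or removable-drive path on the command line (shortcut double-click).
    media_context = on_removable(event.get("CurrentDirectory", "")) or any(
        on_removable(tok.strip('"')) for tok in cmdline.split())
    if image in INTERPRETERS and parent == "explorer.exe" and media_context:
        reasons.append(f"{image} launched by explorer.exe from removable media")

    # Rule 2: a Ruby runtime running on a host that has no reason to have one.
    if image == "ruby.exe" and event.get("Computer") not in RUBY_EXPECTED_ON:
        reasons.append(f"ruby.exe executed on {event.get('Computer')} where Ruby is not expected")
    return reasons


def hunt(events) -> list:
    """Return (host, image, reasons) for every event that trips a rule."""
    hits = []
    for event in events:
        reasons = evaluate_event(event)
        if reasons:
            hits.append((event["Computer"], event["Image"], reasons))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Note what the second rule deliberately does not do: it does not try to distinguish a developer's Ruby from a dropped one by path, because the path is the attacker's choice. Host identity is the stable fact, which is why the approved-host set is the thing to maintain.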
Treat air-gapped systems as breach-assumed. Regular forensic sweeps of air-gapped systems for indicators of compromise — specifically USB-borne malware artifacts — should be part of your operational security routine. FOOTWINE’s keylogging and audio/video capture will eventually generate anomalous file activity that forensic examination can catch.
As I’ve written about in my post on why device visibility and exposure matter even in supposedly secure environments, the assumption of security based on architecture alone is dangerous. Defense-in-depth means monitoring inside the perimeter, not just at the edge.
The Final Call-Out
North Korea is running sophisticated, patient, multi-stage operations against air-gapped networks using legitimate cloud services as C2 infrastructure and USB drives as the physical bridge. The Ruby Jumper campaign was running since at least December 2025 before it was publicly disclosed. How long before that was APT37 quietly developing and testing these tools?
If your sensitive environment uses USB drives for data transfer — even occasionally, even with documented procedures — and you haven’t reviewed your controls against this specific attack pattern, you have work to do. Stuxnet taught us in 2010 that air gaps can be jumped. In 2026, the technique has been refined, modularized, and deployed against targets across multiple continents by a nation-state with effectively unlimited patience.
They’re not in a hurry. Are you?
