
ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks

Ravie Lakshmanan | February 27, 2026 | Malware / Monitoring

The North Korean threat actor known as ScarCruft is said to have created a new set of tools, including a backdoor that uses Zoho WorkDrive for command-and-control (C2) to download additional payloads and a component that uses removable media to transmit commands and breach air-gapped networks.

The campaign, codenamed Ruby Jumper by Zscaler ThreatLabz, involves the deployment of malware families such as RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT to facilitate monitoring of the victim's system. The cybersecurity company discovered it in December 2025.

“In the Ruby Jumper campaign, when a victim opens a malicious LNK file, it executes a PowerShell command and scans the current directory to automatically determine the size of the file,” said security researcher Seongsu Park. “Then, the PowerShell script launched by the LNK file records multiple embedded payloads from a fixed offset in that LNK, including the decoy document, the payload, the additional PowerShell script, and the batch file.”

One of the decoy documents used in the campaign is an article about the Palestinian-Israeli conflict, translated from a North Korean newspaper into Arabic.

The other three payloads advance the attack to the next stage: the batch file launches PowerShell, which in turn is responsible for loading the shellcode containing the payload. The Windows payload, called RESTLEAF, runs in memory and uses Zoho WorkDrive for C2, marking the first time the threat actor has been observed abusing this cloud storage service in its attack campaigns.
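The infection chain above relies on a shortcut file that carries its decoy document, payload, PowerShell script and batch file as trailing data past the normal shell-link structure. The script below is an added example (not code from the article, Zscaler, or the campaign) of how a defender can triage .lnk files for that pattern: it checks the MS-SHLLINK header signature, flags shortcuts that are far larger than a legitimate one, and records the offsets of embedded file-format magics (PE, PDF, ZIP, OLE2) and of a PowerShell launcher string. The 64 KB size threshold, the magic list and the sample shortcut are all constructed assumptions for illustration; the sample is not a real Ruby Jumper artifact.

```python
import struct

# MS-SHLLINK fixed header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk (mixed-endian) byte layout.
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000" "000000000046")

# File-format magics that have no business inside a shortcut file.
EMBEDDED_MAGICS = {
    b"MZ": "PE executable",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP/OOXML container",
    b"\xd0\xcf\x11\xe0": "OLE2 document",
}

# Assumed heuristic threshold: real shortcuts are a few KB at most.
SIZE_THRESHOLD = 64 * 1024


def _is_pe_at(data: bytes, off: int) -> bool:
    """Confirm an 'MZ' hit is a real DOS/PE header by following e_lfanew to 'PE\\0\\0'."""
    if off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    return data[off + e_lfanew : off + e_lfanew + 4] == b"PE\x00\x00"


def triage_lnk(data: bytes, size_threshold: int = SIZE_THRESHOLD) -> dict:
    """Return triage indicators for one .lnk file's bytes."""
    result = {
        "is_lnk": data.startswith(LNK_HEADER),
        "size": len(data),
        "oversized": len(data) > size_threshold,
        "embedded": [],      # list of (offset, label) for embedded file magics
        "powershell": False,
        "suspicious": False,
    }
    if not result["is_lnk"]:
        return result

    # Scan everything after the 76-byte fixed header for embedded file magics.
    for magic, label in EMBEDDED_MAGICS.items():
        off = data.find(magic, 0x4C)
        while off != -1:
            if magic != b"MZ" or _is_pe_at(data, off):
                result["embedded"].append((off, label))
            off = data.find(magic, off + 1)

    # Shortcut arguments are stored as UTF-16LE, but scripts appended as raw
    # trailing data may be plain ASCII, so check both encodings.
    lowered = data.lower()
    result["powershell"] = (
        b"powershell" in lowered or "powershell".encode("utf-16-le") in lowered
    )
    result["suspicious"] = result["oversized"] or bool(result["embedded"])
    return result


def build_sample() -> bytes:
    """Constructed sample: a shortcut header with a PowerShell argument, a decoy PDF
    and a minimal PE stub appended, padded past the size threshold."""
    shell_link = LNK_HEADER + bytes(0x4C - len(LNK_HEADER))  # rest of header zeroed
    args = "powershell".encode("utf-16-le")
    decoy = b"%PDF-1.7\n%constructed decoy document\n" + bytes(1024)
    pe = bytearray(b"MZ" + bytes(0x3E))          # 64-byte DOS header
    struct.pack_into("<I", pe, 0x3C, 0x40)       # e_lfanew -> PE signature at 0x40
    pe += b"PE\x00\x00" + bytes(256)
    blob = shell_link + args + decoy + bytes(pe)
    return blob + bytes(max(0, SIZE_THRESHOLD + 1 - len(blob)))


if __name__ == "__main__":
    for name, blob in (("constructed sample", build_sample()),
                       ("benign-looking shortcut", LNK_HEADER + bytes(200))):
        r = triage_lnk(blob)
        print(f"{name}: size={r['size']} oversized={r['oversized']} "
              f"powershell={r['powershell']} embedded={r['embedded']} "
              f"suspicious={r['suspicious']}")
```

Run against a directory of shortcuts by reading each file's bytes into `triage_lnk`; a hit on `oversized` together with an embedded document or executable magic is the combination worth pulling for analysis, while a small shortcut that merely mentions PowerShell is common in legitimate administration and should be treated as lower confidence.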

Once successfully authenticated to the Zoho WorkDrive infrastructure using a valid access token, RESTLEAF downloads shellcode that is executed via process injection, ultimately leading to the execution of SNAKEDROPPER, which installs the Ruby runtime, sets up persistence using a scheduled task, and drops THUMBSBD and VIRUSTASK.

THUMBSBD is disguised as a Ruby file and uses removable media to transfer commands and data between Internet-connected and air-gapped systems. It can harvest system information, download secondary payloads from a remote server, exfiltrate files, and execute arbitrary commands. If any removable media is detected, the malware creates a hidden folder on it and uses that folder to stage commands issued by the operator or to store their output.

One of the payloads delivered by THUMBSBD is FOOTWINE, an encrypted payload with an integrated shellcode launcher that comes with keylogging and audio and video capture capabilities for surveillance. It communicates with the C2 server using a custom binary protocol over TCP. The complete set of commands supported by the malware is as follows:

  • sm: run a command shell
  • fm: file and directory manipulation
  • gm: manage plugins and configuration
  • rm: modify the Windows Registry
  • pm: enumerate running processes
  • dm: take screenshots and capture keystrokes
  • cm: conduct audio and video surveillance
  • s_d: fetch batch script content from the C2 server and save it to %TEMP%\SSMMHH_DDMMYYYY.bat
  • pxm: set up a proxy connection with two-way traffic forwarding
  • [filepath]: load the specified DLL

THUMBSBD is also used to distribute BLUELIGHT, a backdoor that ScarCruft has used since at least 2021. The malware leverages legitimate cloud providers, including Google Drive, Microsoft OneDrive, pCloud, and Backblaze, for C2 in order to execute arbitrary commands, enumerate and exfiltrate files, and upload additional payloads.

Also delivered as a Ruby file, VIRUSTASK functions similarly to THUMBSBD in that it acts as a removable media propagation component to spread the malware to uninfected air-gapped systems. "Unlike THUMBSBD, which is in charge of command extraction and submersion, VIRUSTASK is specifically focused on using detachable media weapons to gain initial access to air-gapped systems," explained Park.

"The Ruby Jumper campaign involves a multi-stage infection chain that starts with a malicious LNK file and uses legitimate cloud services (such as Zoho WorkDrive, Google Drive, Microsoft OneDrive, etc.) to exploit a novel Ruby execution environment," Park said. "Most importantly, THUMBSBD and VIRUSTASK equip removable media to bypass network fragmentation and infect systems with air gaps."
