North Korea's APT37 Seen Breaching Air-Gapped Networks

APT37 is again making headlines. The North Korean-linked, state-sponsored group was previously linked with deploying data wipers; now it is breaching air-gapped networks. Also tracked under aliases such as ScarCruft, Reaper, Red Eyes, and Ricochet Chollima, the actor has long been associated with targeted espionage campaigns against sensitive sectors in South Korea and beyond.

What was once predominantly a reconnaissance and credential-stealing threat has expanded into a sophisticated operator capable of circumventing some of the most stringent network defenses, including air-gapped systems: networks physically isolated from the internet for security reasons.

Security analysts credit this transformation to the development of complex malware families and modular campaign toolkits designed to bypass conventional controls and sustain covert access. Two threads of APT37's recent activity, the discovery of the Ruby Jumper toolkit for bridging air-gapped systems and the longstanding "Dolphin" backdoor family, illustrate an actor investing heavily in adaptability and stealth. Collectively, these tools demonstrate APT37's expanding operational sophistication and signal a persistent threat to critical infrastructure and targeted organizations.

In December 2025, researchers at Zscaler ThreatLabz uncovered a campaign they dubbed Ruby Jumper, attributed with high confidence to APT37. This operation stands out for its focus on air-gapped networks, environments traditionally considered safe because they are physically isolated from any network connectivity.

Air-gapped systems are common in defense, industrial, and high-value research environments. They are designed to prevent external access by eliminating Wi-Fi, Ethernet, and Bluetooth connections. However, Ruby Jumper exploits a classic weakness of such environments: the transfer of data via removable media.

Ruby Jumper begins with a malicious Windows shortcut file (LNK) delivered to a victim system that is connected to the internet. When this file is opened, a PowerShell script activates and extracts multiple embedded components, including a decoy document intended to distract users while the real payload executes. Once in motion, the PowerShell script initiates a chain of malware tools, each with distinct roles in persistence, data collection, and spreading across media that may later be attached to secure, air-gapped environments.

Privilege escalation and secondary payload delivery rely on a mix of scripting and binary execution. The LNK-triggered PowerShell script launches the RESTLEAF implant, which communicates with command-and-control (C2) servers via Zoho WorkDrive, a legitimate cloud storage service.

RESTLEAF's responsibility is to fetch encrypted shellcode and deliver it to the next stage: SNAKEDROPPER. This loader installs a complete Ruby 3.3 runtime, disguising it as a legitimate USB utility called usbspeed.exe. Once installed, SNAKEDROPPER autoloads malicious Ruby scripts that further the infection.

Crucially, the campaign leverages two additional tools, THUMBSBD and VIRUSTASK, to interact with removable storage. THUMBSBD acts as a backdoor with surveillance and data staging capabilities, creating hidden directories on USB drives and preparing sensitive files for exit from isolated systems.

THUMBSBD effectively transforms removable media into a bidirectional covert command-and-control relay, able to both receive instructions and deliver stolen information once the drive is reconnected to internet-connected infrastructure. VIRUSTASK, on the other hand, focuses on weaponizing removable media by hiding legitimate files and replacing them with shortcuts that execute the malicious Ruby interpreter when opened.

A final component observed in this campaign is FOOTWINE, a backdoor disguised as an Android package (APK) that supports key logging, screenshot capture, audio/video recording, and remote shell capabilities. Legacy APT37 tools, such as BLUELIGHT, also appear during the attack chain, reinforcing the actor's consistent use of reconnaissance and persistence operations.

Dolphin Backdoor

While Ruby Jumper represents a newer frontier in APT37's tool set oriented toward hard targets and air-gap bypassing, the Dolphin backdoor is an earlier example of ScarCruft's espionage capabilities. First identified by ESET researchers in 2021 and publicly documented in late 2022, Dolphin was deployed selectively against high-value targets and integrated into multistage compromises. It served as a powerful surveillance and data-exfiltration tool, with features that extended beyond standard reconnaissance.

The Dolphin backdoor was often delivered alongside or after other implants such as BLUELIGHT, using watering-hole attacks that exploited internet browser vulnerabilities. Once installed, Dolphin established persistence by modifying Windows registry entries and leveraging Google Drive as its C2 infrastructure. The malware's capabilities included key logging, screenshot capture, credential theft from web browsers, and recursive scanning of local and connected drives to exfiltrate documents, media files, emails, and certificates.

Among the most notable features of Dolphin was its ability to scan portable devices using the Windows Portable Device (WPD) API. Connected devices such as mobile phones were enumerated and harvested for files of interest, a capability that was refined across successive Dolphin versions as operators iterated on the malware's exfiltration logic and filtering controls.

Cybersecurity analysts observed evidence that earlier Dolphin versions could also alter settings in a victim's Google or Gmail accounts to reduce security barriers, possibly to maintain access or evade detection. This unconventional capability highlighted the lengths to which APT37 was willing to engineer its implants to ensure longevity and effectiveness.

Together, Ruby Jumper and Dolphin illustrate the breadth and depth of APT37's evolving operations. Ruby Jumper's air-gap bridging techniques exploit removable media, a longstanding vulnerability in network defense, using a combination of scripting, cloud C2 abuse, and clandestine relaying via USB drives that circumvent physical isolation barriers. Dolphin's rich feature set underscores APT37's capacity for targeted espionage, credential theft, and the extraction of mobile device data once a system is compromised.

Case studies of these tool families show that APT37 is not limited to scattershot attacks. Instead, the group adapts to the target's environment, developing tailored tool chains to match operational objectives, from stealing credentials to infiltrating sanitized environments. Its longstanding focus on South Korean entities and alignment with DPRK strategic interests further underscores the geopolitical dimension of these campaigns.

For defenders, the resurgence of air-gap compromise as a viable technique underscores the importance of physical controls, strict policies governing removable media use, and robust monitoring of endpoint behavior on both internet-connected and isolated systems.

Endpoint detection systems must flag abnormal use of scripting interpreters (such as Ruby) and unusual access patterns involving cloud services like WorkDrive or Google Drive, which may serve as covert C2 channels. Deep visibility into removable media interactions, backed by USB device control platforms, is also critical to detecting early signs of misuse.

Moreover, understanding how tools like Dolphin operate allows incident responders to craft detection and response strategies that account for both local system artifacts and broader network indicators of compromise. This includes tracking registry changes, monitoring API usage for phone scanning, and auditing attempts to exfiltrate files via cloud storage.
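As an added illustration of the removable-media visibility the preceding paragraphs call for (this is example code written for this page, not part of the article or of the research it cites), the following sweep of a drive listing looks for the two USB-side patterns the article attributes to Ruby Jumper: legitimate files hidden and replaced by same-named shortcuts, and hidden staging directories. The `Entry` type, the helper names and the sample listing are all constructed for the example.

```python
# Added example (not from the article or the cited research): sweep a removable
# drive's listing for originals hidden behind same-named .lnk decoys (the VIRUSTASK
# pattern) and for hidden staging directories (the THUMBSBD pattern). The listing is
# constructed; on a real drive build it from os.scandir() and FILE_ATTRIBUTE_HIDDEN.
from dataclasses import dataclass
from pathlib import PureWindowsPath

BENIGN_HIDDEN_DIRS = {"system volume information", "$recycle.bin"}  # Windows-created


@dataclass(frozen=True)
class Entry:
    path: str       # full path on the removable drive
    hidden: bool    # FILE_ATTRIBUTE_HIDDEN set
    is_dir: bool


def lnk_shadowing(entries):
    """Return (shortcut, hidden_original) pairs: a visible .lnk whose name minus
    '.lnk' equals the name or stem of a hidden sibling in the same directory."""
    by_dir = {}
    for e in entries:
        p = PureWindowsPath(e.path)
        by_dir.setdefault(str(p.parent).lower(), []).append((p, e))
    findings = []
    for items in by_dir.values():
        hidden = {}
        for p, e in items:
            if e.hidden:
                hidden[p.name.lower()] = e
                hidden.setdefault(p.stem.lower(), e)
        for p, e in items:
            if not e.hidden and not e.is_dir and p.suffix.lower() == ".lnk":
                original = hidden.get(p.stem.lower())
                if original is not None:
                    findings.append((e.path, original.path))
    return findings


def hidden_directories(entries):
    """Hidden directories other than the ones Windows itself creates on a volume."""
    return sorted(e.path for e in entries if e.is_dir and e.hidden
                  and PureWindowsPath(e.path).name.lower() not in BENIGN_HIDDEN_DIRS)


SAMPLE_LISTING = [  # constructed listing of a weaponised drive E:
    Entry(r"E:\Q3_budget.xlsx", True, False),
    Entry(r"E:\Q3_budget.xlsx.lnk", False, False),
    Entry(r"E:\photos", True, True),
    Entry(r"E:\photos.lnk", False, False),
    Entry(r"E:\System Volume Information", True, True),
    Entry(r"E:\.stage", True, True),
    Entry(r"E:\.stage\collected.dat", True, False),
]
```

Either finding on a drive that is about to cross into an isolated network is a reason to quarantine the media rather than mount it.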

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
