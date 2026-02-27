A cyber espionage group linked to North Korea has been observed deploying a new malicious campaign using removable media infection tools to gain access to air-gapped systems.

The group, APT37, is well-known hacking team active since at least 2012 and known under many names, including ScarCruft, Ruby Sleet, InkySquid, Ricochet Chollima and Velvet Chollima.

Initially focused on the public and private sectors in South Korea, the group expanded its operations in 2017 to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities.

Read more: North Korean Hackers Weaponize Seoul Intelligence Files to Target South Koreans

In this new campaign, spotted by security researchers at Zscaler ThreatLabz and dubbed ‘Ruby Jumper,’ APT37 utilized a set of six malicious tools throughout the attack lifecycle, five of which had never been documented (Restleaf, SnakeDropper, ThumbSBD, VirusTask and FootWine).

It also leveraged removable media to infect and pass commands and information between air-gapped systems.

APT37’s Ruby Jumper Campaign Explained

The Ruby Jumper campaign was discovered by the ThreatLabz team in December 2025.

During this campaign, documented in a report published on February 26, APT37 gained access using the group’s traditional method: abusing Windows shortcut (LNK) files.

When a victim opens a malicious LNK file, it launches a PowerShell command and scans the current directory to locate itself based on file size. Then, the PowerShell script launched by the LNK file carves multiple embedded payloads from fixed offsets within that LNK, including a decoy document, an executable payload, an additional PowerShell script and a batch file.

This document displays an article about the Palestine-Israel conflict, translated from a North Korean newspaper into Arabic.