Full Report
The North Korean threat actor known as ScarCruft has been attributed to a fresh set of tools, including a backdoor that uses Zoho WorkDrive for command-and-control (C2) communications to fetch more payloads and an implant that uses removable media to relay commands and breach air-gapped networks. The campaign, codenamed Ruby Jumper by Zscaler ThreatLabz, involves the deployment of malware
Analysis Summary
# Threat Actor: ScarCruft
## Attribution & Identity
North Korean threat actor.
**Known Aliases/Associations:** Previously linked to the BLUELIGHT malware family (since at least 2021).
## Activity Summary
The actor is linked to a fresh campaign, codenamed **Ruby Jumper** by Zscaler ThreatLabz (discovered in December 2025). This campaign involves deploying a suite of new and existing malware families initially launched via a malicious LNK file that executes a PowerShell command to carve embedded payloads from the file itself. The primary objective appears to be surveillance, including the ability to breach air-gapped networks.
## Tactics, Techniques & Procedures
- **Initial Execution:** Launching a PowerShell command upon opening a malicious LNK file.
- **Payload Staging:** Carving multiple embedded payloads (decoy document, executable, scripts, batch file) from the LNK file itself.
- **C2 on Connected Systems (RESTLEAF):** Using a legitimate cloud storage service, Zoho WorkDrive, for Command-and-Control (C2) communications to download further payloads after authenticating with a valid access token.
- **In-Memory Execution:** The executable payload (RESTLEAF) spawns shellcode in memory via process injection.
- **Persistence:** Establishing persistence using a scheduled task.
- **Air-Gapped Network Bridging (THUMBSBD/VIRUSTASK):** Utilizing removable media (USB drives) to relay commands and transfer data between connected and air-gapped systems.
- **Data Staging on Removable Media:** Creating hidden folders on detected removable media to stage operator commands or store execution output.
- **Surveillance Capabilities (FOOTWINE):** Keylogging, audio capture, and video capture capabilities.
- **Payload Delivery:** Sequential use of multiple malware families to complete the infection chain.
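The first two steps of the chain above (a malicious LNK launching PowerShell, which then reads embedded payloads out of the .lnk file itself) leave a recognisable footprint in process-creation telemetry. The following detector is an added example, not code from Zscaler ThreatLabz or the report: it scores constructed Sysmon-style events against a small set of assumed indicators (a `.lnk` path in the command line, raw byte reads and writes, hidden or non-interactive PowerShell switches, a shell parent process) and alerts when the combined score reaches a threshold. The event schema, the indicator strings and the weights are all assumptions chosen to approximate the behaviour the summary describes.

```python
"""Heuristic detector for the LNK-to-PowerShell payload-carving pattern described
in the TTP list above, run over constructed process-creation events.

Added example, not code from Zscaler ThreatLabz or the report. The event schema
(pid, image, parent_image, command_line) and the indicator strings are assumptions
chosen to approximate the behaviour the summary describes: PowerShell launched from
the shell and reading raw bytes out of a .lnk file so it can write embedded
payloads to disk."""
import re

# Constructed sample events (not real telemetry). Only the first one models the
# summary's initial-execution step; the other two are benign controls.
SAMPLE_EVENTS = [
    {
        "pid": 4120,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": (
            'powershell.exe -nop -w hidden -c "$b=[IO.File]::ReadAllBytes('
            "'C:\\Users\\a\\Desktop\\Report.pdf.lnk'); "
            "[IO.File]::WriteAllBytes('C:\\Users\\a\\AppData\\Local\\Temp\\Report.pdf',"
            ' $b[2048..40000])"'
        ),
    },
    {
        "pid": 4188,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Program Files\Build\msbuild.exe",
        "command_line": r"powershell.exe -File C:\build\scripts\package.ps1",
    },
    {
        "pid": 4201,
        "image": r"C:\Windows\System32\notepad.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r"notepad.exe C:\Users\a\notes.txt",
    },
]

# (pattern, explanation, weight). Weights are an assumption: the two indicators
# that tie the command to a .lnk file and to raw byte reads carry the most signal.
INDICATORS = [
    (re.compile(r"\.lnk\b", re.I), "command line references a .lnk path", 2),
    (re.compile(r"ReadAllBytes|System\.IO\.FileStream|-Encoding\s+Byte", re.I),
     "reads raw bytes from a file", 2),
    (re.compile(r"WriteAllBytes|FromBase64String|Set-Content", re.I),
     "writes or decodes an extracted blob", 1),
    (re.compile(r"-w(?:indowstyle)?\s+hidden|\s-nop\b|\s-noni\b", re.I),
     "hidden / non-interactive PowerShell switches", 1),
]
SHELL_PARENTS = {"explorer.exe"}   # assumption: a double-clicked LNK is spawned by the shell
THRESHOLD = 4


def is_powershell(evt):
    return evt["image"].lower().endswith(("powershell.exe", "pwsh.exe"))


def score_event(evt):
    """Return (score, reasons) for one event; non-PowerShell events score 0."""
    if not is_powershell(evt):
        return 0, []
    score, reasons = 0, []
    for pattern, why, weight in INDICATORS:
        if pattern.search(evt["command_line"]):
            score += weight
            reasons.append(why)
    parent = evt["parent_image"].rsplit("\\", 1)[-1].lower()
    if parent in SHELL_PARENTS:
        score += 1
        reasons.append(f"spawned by {parent}")
    return score, reasons


def scan(events, threshold=THRESHOLD):
    """PIDs of events whose score reaches the threshold, in input order."""
    return [evt["pid"] for evt in events if score_event(evt)[0] >= threshold]


if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        s, why = score_event(evt)
        print(f"pid={evt['pid']} score={s} {'ALERT' if s >= THRESHOLD else 'ok'} {why}")
```

Scoring rather than matching a single string keeps the benign `-File package.ps1` build job below the threshold while the self-carving command, which hits every indicator, scores well above it; in production the indicator list and weights would be tuned against the environment's own PowerShell baseline.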
## Targeting
- **Sectors:** Not explicitly detailed, but the nature of the targets (air-gapped networks, focus on surveillance) suggests critical infrastructure, governmental, or strategic entities.
- **Geography:** Not explicitly detailed, but the lure document mentions an article about the Palestine-Israel conflict translated from a North Korean newspaper into Arabic, suggesting potential interest in regions related to Middle Eastern conflicts or Arabic-speaking entities.
- **Victims:** No specific victim organizations mentioned in the summary context.
## Tools & Infrastructure
- **Malware families used:** RESTLEAF (backdoor using Zoho WorkDrive for C2), SNAKEDROPPER, THUMBSBD (USB relay implant), VIRUSTASK (USB propagation component), FOOTWINE (surveillance component with keylogging/media capture), BLUELIGHT (previously attributed backdoor).
- **Infrastructure (C2, domains, IPs):**
  - **Zoho WorkDrive:** Used by RESTLEAF as the C2 channel for downloading shellcode.
  - **Removable Media:** Used by THUMBSBD/VIRUSTASK for command relay and data exfiltration between segmented environments.
  - **Remote Server:** Used by THUMBSBD to download secondary payloads (via a custom binary protocol over TCP).
  - **Previously Used Cloud C2:** Google Drive, Microsoft OneDrive, pCloud, and BackBlaze (used by BLUELIGHT).
## Implications
ScarCruft demonstrates mature and evolving tactics, specifically adapting legitimate cloud services (Zoho WorkDrive) for C2 communications on internet-connected systems. Crucially, the introduction of sophisticated removable media implants (THUMBSBD/VIRUSTASK) highlights a focused effort to compromise highly secure, air-gapped environments, posing a significant threat to organizations maintaining strict network segmentation.
## Mitigations
- **Monitor for Unauthorized Cloud Service Usage:** Investigate anomalous access or authentication patterns involving valid organizational access tokens within legitimate cloud services like Zoho WorkDrive.
- **Strict Removable Media Controls:** Implement policies restricting the use of unauthorized removable media, scanning all trusted media thoroughly before introduction to sensitive networks.
- **Behavioral Monitoring:** Monitor for PowerShell execution patterns attempting to carve data from LNK files or load shellcode directly into memory (reflectively).
- **Network Segmentation Verification:** Regularly audit the security controls that maintain air-gapped environments, since this actor has demonstrated that bridging such gaps via physical media works in practice.
- **Process Injection Detection:** Enhance endpoint detection capabilities to spot process injection techniques used to execute downloaded shellcode.
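The removable-media controls above can be backed by a simple audit of any USB volume before it is carried into a segmented network, looking for the hidden staging folders the summary attributes to THUMBSBD/VIRUSTASK. The script below is an added example, not code from the report or Zscaler: it walks a mounted volume, reports every hidden directory that is not on a small allowlist of folders Windows itself creates, and counts the files staged inside. The mount path, the allowlist and the definition of "hidden" (the Windows hidden attribute, or a dot-prefixed name elsewhere) are assumptions; the fixture it builds in a temporary directory stands in for a USB stick and contains only placeholder text.

```python
"""Audit a mounted removable-media volume for hidden directories, the staging
technique the summary attributes to THUMBSBD/VIRUSTASK (hidden folders holding
operator commands or execution output).

Added example, not code from the report or Zscaler. Assumptions: the media is
already mounted at `root`; a directory counts as hidden if it carries the Windows
FILE_ATTRIBUTE_HIDDEN bit (st_file_attributes, Windows only) or has a dot-prefixed
name on other platforms; a small allowlist covers hidden folders that Windows
itself creates on removable media. The audit only reports; it never deletes or
opens the staged files."""
import os
import stat
import tempfile
from pathlib import Path

# Assumption: these hidden folders are created by Windows and are expected.
EXPECTED_HIDDEN = {"System Volume Information", "$RECYCLE.BIN"}


def is_hidden(path: Path) -> bool:
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)   # only present on Windows
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_hidden_dirs(root, expected=EXPECTED_HIDDEN):
    """Return [{'path': relative path, 'files': count}] for every unexpected hidden
    directory under root, sorted by path; a hidden tree is reported once at its top."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            p = Path(dirpath) / name
            if name in expected or not is_hidden(p):
                continue
            n_files = sum(1 for f in p.rglob("*") if f.is_file())
            findings.append({"path": p.relative_to(root).as_posix(), "files": n_files})
            dirnames.remove(name)       # don't descend: its contents are already counted
    return sorted(findings, key=lambda f: f["path"])


def build_fixture(root):
    """Constructed on-disk layout standing in for a USB stick; not real malware."""
    root = Path(root)
    (root / "Documents").mkdir()
    (root / "Documents" / "budget.xlsx").write_bytes(b"benign placeholder")
    (root / "$RECYCLE.BIN").mkdir()                     # expected, allowlisted
    (root / ".cmds").mkdir()                            # unexpected hidden staging dir
    (root / ".cmds" / "task.txt").write_text("constructed placeholder")
    (root / ".cmds" / "out.txt").write_text("constructed placeholder")


def demo():
    """Build the fixture in a temp dir, run the audit and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return find_hidden_dirs(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"hidden directory {f['path']!r} with {f['files']} file(s)")
```

On a Windows host `st_file_attributes` is populated and the attribute check catches folders hidden the way Explorer hides them; on Linux or macOS that field is absent, so only dot-prefixed names are flagged, which is why the fixture uses `.cmds`. Run it against the real mount point (for example `find_hidden_dirs("E:\\")`) as part of the media check-in procedure, and treat any unexpected hidden directory as a reason to quarantine the device rather than connect it.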