Security News

Cybersecurity news aggregator

HIGH | Attacks | Source: SecurityWeek

North Korean APT Targets Air-Gapped Systems in Recent Campaign

The North Korean APT group known as APT37 (ScarCruft) is using a multi-stage attack chain, initiated via malicious LNK files, to deploy a toolkit specifically designed for air-gapped networks. The malware, including the SnakeDropper loader and ThumbsBD backdoor, establishes persistence via a compromised Ruby interpreter and uses USB drives for bidirectional command-and-control and data exfiltration. A complementary propagation tool, VirusTask, spreads the infection by replacing files on removable media with malicious shortcuts to compromise additional air-gapped systems.

Malware & Threats

North Korean APT Targets Air-Gapped Systems in Recent Campaign

Using Windows shortcut files, the APT deployed a new implant, a loader, a propagation tool, and two backdoors.

By Ionut Arghire | March 2, 2026 (6:46 AM ET)

A North Korea-linked threat actor tracked as APT37 has been observed using five new malicious tools in a recent campaign targeting air-gapped systems, Zscaler reports.

Also tracked as ScarCruft, Ruby Sleet, and Velvet Chollima, APT37 has been active since 2012, focusing on data theft and surveillance and mainly targeting entities in South Korea.

As part of a campaign discovered in December 2025, named Ruby Jumper, APT37 was seen using LNK files to execute a PowerShell script and deploy multiple payloads, including a decoy document in Arabic about the Palestine-Israel conflict. The payloads work together to execute a further payload in memory.

That in-memory payload, dubbed RestLeaf, uses the Zoho WorkDrive cloud storage service for command-and-control (C&C) and attempts to fetch a file containing shellcode from it. The shellcode, which is executed in memory, acts as a launcher, fetching and decrypting second-stage shellcode that loads an embedded Windows executable, dubbed SnakeDropper.

SnakeDropper creates a working directory and installs the Ruby 3.3.0 runtime environment disguised as a USB speed monitoring utility, backdoors the Ruby interpreter, and creates a scheduled task to execute the interpreter every five minutes, establishing persistence.

Executed every time the Ruby interpreter starts, SnakeDropper drops ThumbsBD, a backdoor that uses removable drives as bidirectional relays to exfiltrate data from air-gapped systems. When it detects a USB drive, the malware creates a hidden directory in the drive's root folder, which is used to stage backdoor commands and data for exfiltration.

ThumbsBD also collects system information, downloads additional payloads, and executes shellcode from a specific directory.

SnakeDropper was also observed dropping VirusTask, a removable media propagation tool designed to infect air-gapped systems, which relies exclusively on USB drives for initial access. It copies the payload executables to a folder in the drive's root directory and enumerates files on the drive, replacing them with LNK files that lead to the execution of shellcode on the air-gapped system when the user attempts to open those files.

"VirusTask complements ThumbsBD to form a complete air-gap attack toolkit. While ThumbsBD handles C&C communication and data exfiltration, VirusTask ensures the malware spreads to new systems through social engineering by replacing legitimate files with malicious shortcuts that victims trust and execute," Zscaler explains.

The security firm also observed ThumbsBD deploying FootWine, an encrypted Android package file containing a shellcode launcher with surveillance capabilities, such as keystroke logging and audio and video capturing. FootWine supports various surveillance-related commands, including file manipulation, shell management, and registry and process manipulation.

"ThumbsBD and VirusTask weaponize removable media to bypass network isolation and infect air-gapped systems. To maintain a strong security posture, the security community should focus on monitoring endpoint activity and physical access points to counter this threat and other campaigns led by APT37," Zscaler notes.

Written by Ionut Arghire, international correspondent for SecurityWeek.
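As an added example (not code from the article, Zscaler or SecurityWeek), a small Python triage script that checks a removable drive for the two USB-side indicators the report describes: a hidden directory in the drive root used for staging, and document files replaced by .lnk shortcuts. The document-extension list, the hidden-directory heuristic and the fixture contents are assumptions constructed for the dry run.

```python
# Added example: triage a removable drive for the ThumbsBD/VirusTask-style
# artefacts described above. Heuristics and fixture are assumptions.
import stat
import tempfile
from pathlib import Path

# Assumed set of document types a user would trust and double-click.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".hwp", ".txt"}


def is_hidden(p: Path) -> bool:
    """Hidden by dot-prefix (any OS) or by FILE_ATTRIBUTE_HIDDEN (Windows only)."""
    if p.name.startswith("."):
        return True
    attrs = getattr(p.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_removable_root(root: str) -> dict:
    """Return the suspicious items found under the drive root, sorted for stable output."""
    root_p = Path(root)
    findings = {"hidden_root_dirs": [], "doc_masquerade_lnks": [], "other_lnks": []}
    # A hidden directory directly in the root is where the backdoor stages commands and loot.
    for entry in root_p.iterdir():
        if entry.is_dir() and is_hidden(entry):
            findings["hidden_root_dirs"].append(entry.name)
    # Any .lnk on removable media is unusual; one named like a document is the propagation pattern.
    for lnk in root_p.rglob("*.lnk"):
        inner = Path(lnk.stem)  # "budget.xlsx.lnk" -> "budget.xlsx"
        key = "doc_masquerade_lnks" if inner.suffix.lower() in DOC_EXTS else "other_lnks"
        findings[key].append(lnk.relative_to(root_p).as_posix())
    for key in findings:
        findings[key].sort()
    return findings


def build_fixture() -> str:
    """Constructed drive contents for a dry run; the shortcut bytes are not a real LNK
    and nothing here is a real malware artefact."""
    d = Path(tempfile.mkdtemp(prefix="usb_"))
    (d / ".staging").mkdir()                                         # hidden dir in the root
    (d / "docs").mkdir()
    (d / "docs" / "budget.xlsx.lnk").write_bytes(b"L\x00\x00\x00")   # shortcut where a workbook was
    (d / "docs" / "notes.txt").write_text("benign")
    (d / "tools.lnk").write_bytes(b"L\x00\x00\x00")
    return str(d)
```

On a real drive, pass the mount point (for example `E:\`) to `scan_removable_root`; a non-empty `hidden_root_dirs` or `doc_masquerade_lnks` list is the cue to image the drive and check the host's scheduled tasks rather than open anything on it.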
