North Korea-Linked APT37 Expands into Air-Gapped Networks with “Ruby Jumper”
Air-gapped networks exist for one reason: to keep the most sensitive systems physically separated from the internet. In practice, however, air gaps rarely mean “no connection ever.” Organizations still move files, patches, reports, and logs using removable media and controlled transfer stations. Threat actors who can reliably weaponize that transfer path can turn an air gap into a slow, but functional, two-way bridge.
New reporting indicates that North Korea-linked APT37 has expanded its operational capability with a campaign dubbed Ruby Jumper, featuring removable media infection tooling intended to breach or interact with air-gapped systems. This development matters because it shifts the threat model: the attack surface becomes not just endpoints and email, but every controlled transfer workflow and every USB-handling policy across high-security environments.
Who is APT37 and why does this shift matter?
APT37 is a long-running North Korean cyber espionage group tracked by multiple vendors under names including ScarCruft and Ruby Sleet. Its historical targeting is consistent with DPRK strategic interests, and it is associated with sustained intelligence collection rather than quick-hit crimeware.
What makes “air-gapped” targeting strategically valuable:
- Isolated systems often store high-value plans, intelligence, engineering data, and sensitive communications.
- Security controls are stronger, but operational constraints often create predictable transfer workflows.
- Detection can be delayed because offline systems have limited telemetry and fewer automated defenses.
- Even low-bandwidth exfiltration (over days/weeks) can be mission-impacting if the data is strategic.
Ruby Jumper at a glance
Ruby Jumper is described as a campaign using new malicious tools and a removable-media infection chain to reach or interact with air-gapped systems. The high-level idea is simple: compromise an internet-connected host first, then use that host to “seed” removable drives with malicious components. When the drive is inserted into an offline machine, the toolset can execute, collect information, and stage data for return via the same removable-media path.
The operational theme is not high-speed data theft. It is reliable, covert, and repeatable transfer across a boundary defenders assume is safe.
How air-gap bridging works in practice
While implementations vary, removable-media “bridging” campaigns typically follow a pattern:
1) Stage One: Initial compromise of a connected environment
- Entry points commonly include spear-phishing, malicious shortcuts or documents, and exploitation of endpoint weaknesses.
- The objective is to gain a foothold on a workstation that participates in “file transfer” workflows.
2) Stage Two: Removable media infection
- The attacker installs a component that watches for inserted removable media.
- When a USB drive is mounted, the tool writes hidden payloads and/or modifies files likely to be opened by the next user.
- The USB becomes a courier, carrying both malware and tasking between security zones.
3) Stage Three: Offline execution and collection
- On the air-gapped host, the malicious component attempts to execute via user interaction, autorun-like abuse (where feasible), or deceptive execution paths such as a shortcut file that looks like a document.
- It performs discovery (system info, user info, directory listing), and may capture documents or targeted file types.
- It stages results onto the USB for the next “return trip” to a connected host.
4) Stage Four: Return trip and exfiltration
- Once the USB is re-inserted into a connected system, the malware harvests the staged data.
- It then exfiltrates the data to attacker infrastructure using available channels from the connected host.
Why this tactic is hard to defend against
Many organizations treat air-gapped environments as “mostly safe” because the internet is absent. Ruby Jumper-style operations exploit the reality that humans and operational processes are the connective tissue. This introduces a set of challenges:
- Security vs. operations tension: transfer stations exist because work must continue.
- Limited telemetry: offline hosts may have constrained logging and delayed alerting.
- Policy drift: removable media rules are often inconsistently enforced across teams and contractors.
- Trust assumptions: a “known USB” is often treated as benign, even when it has traversed multiple machines.
- Low-and-slow exfiltration: small staged bundles can evade attention while still leaking critical information over time.
Likely targeting: why government and military air gaps are attractive
Campaigns aiming at air-gapped systems are typically intelligence-driven. Sectors with isolated enclaves often include:
- Defense planning and logistics networks
- Intelligence and security operations centers with offline repositories
- Critical infrastructure engineering environments
- Secure research labs and classified program workstations
Even if only a subset of files can be moved out, the strategic value can be immense: plans, procurement documents, internal assessments, technical schematics, and communications records.
Detection opportunities and defensive controls
Defending against removable-media bridging requires a layered approach that treats “USB workflows” as a first-class security perimeter. The most effective strategy is to reduce trust in removable media and to instrument every step where media crosses boundaries.
1) Reduce or eliminate removable media where possible
- Replace ad-hoc USB transfers with managed, audited transfer mechanisms.
- Use controlled “data diodes” or one-way gateways for specific workflows, where feasible.
- Centralize secure file transfer operations into hardened transfer stations.
2) Enforce device control and hardware policies
- Implement USB device control policies: allow-list approved devices, block unknown VID/PID, and restrict write access.
- Disable execution from removable media where possible, and restrict script interpreters on transfer stations.
- Use dedicated, serialized media with chain-of-custody controls for sensitive enclaves.
3) Harden the “transfer station” as a critical security asset
- Lock down to least privilege; remove unnecessary tools and components.
- Apply application allow-listing and aggressive macro/script restrictions.
- Instrument high-fidelity logging (process creation, script block logs, device mount events).
4) Scan and detonate, not just “AV scan”
- Use multi-engine scanning on all inbound files.
- Detonate suspicious files in sandbox environments before permitting transfer.
- Validate file types; block “polyglot” or masqueraded files (e.g., shortcut files posing as documents).
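The file-type validation step above is easy to state and easy to get wrong if it trusts the file name. The following is an added example for this article (not code from the reporting or from any product) showing how a transfer station can decide by content: it compares leading bytes against well-known format signatures, refuses shortcut and PE content regardless of the name, flags double extensions, and looks inside ZIP-based Office documents for an embedded VBA project. The signatures are public format constants; the allow-list, severities, sample file names and sample contents are constructed assumptions for the demonstration.

```python
"""Content-based validation of inbound files at a transfer station.

Added example for this article, not code from the reporting or any product.
Signatures are public file-format constants; the policy lists, sample file
names and sample contents are constructed for the demonstration.
"""
import io
import zipfile

# Windows Shell Link (.lnk) header: HeaderSize 0x0000004C followed by the ShellLink CLSID.
LNK_HEADER = bytes.fromhex("4c000000 01140200 00000000 c0000000 00000046")

SIGNATURES = [  # checked in order; first match wins
    ("lnk", LNK_HEADER),
    ("pe", b"MZ"),
    ("pdf", b"%PDF-"),
    ("zip", b"PK\x03\x04"),  # docx/xlsx/pptx are ZIP (OOXML) containers
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("jpeg", b"\xff\xd8\xff"),
]
# Assumed allow-list: what each permitted extension must actually contain.
EXPECTED = {".pdf": "pdf", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".zip": "zip",
            ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".exe": "pe", ".dll": "pe", ".lnk": "lnk"}
# Types that must never cross the transfer path, whatever the file is called.
BLOCKED_EXTS = {".exe", ".dll", ".scr", ".lnk", ".hta", ".js", ".vbs", ".ps1", ".cmd", ".bat"}
BLOCKED_CONTENT = {"lnk", "pe"}

def identify(data):
    """Classify a file by its leading bytes; 'unknown' if no signature matches."""
    for kind, sig in SIGNATURES:
        if data.startswith(sig):
            return kind
    return "unknown"

def inspect_ooxml(data):
    """Look inside a ZIP-based Office document for a VBA project or a malformed package."""
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return [("block", "corrupt ZIP container")]
    out = []
    if "[Content_Types].xml" not in names:
        out.append(("review", "ZIP is not an OOXML package"))
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        out.append(("review", "embedded VBA project"))
    return out

def assess(filename, data):
    """Return (verdict, reasons); verdict is 'allow', 'review' or 'block'."""
    reasons = []
    exts = ["." + p for p in filename.lower().split(".")[1:]]
    final_ext = exts[-1] if exts else ""
    content = identify(data)
    if final_ext in BLOCKED_EXTS:
        reasons.append(("block", f"disallowed extension {final_ext}"))
    if content in BLOCKED_CONTENT:
        reasons.append(("block", f"content is {content} whatever the name says"))
    if len(exts) > 1:
        reasons.append(("review", "double extension " + "".join(exts)))
    expected = EXPECTED.get(final_ext)
    if expected is None:
        reasons.append(("review", "extension not on the allow-list"))
    elif expected != content:
        reasons.append(("block", f"{final_ext} should contain {expected}, found {content}"))
    if content == "zip" and expected == "zip":
        reasons += inspect_ooxml(data)
    verdict = "block" if any(s == "block" for s, _ in reasons) else "review" if reasons else "allow"
    return verdict, [r for _, r in reasons]

def make_zip(entries):
    """Build a small in-memory ZIP for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()

OOXML_MIN = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}
SAMPLES = {  # constructed inbound files, not real artefacts
    "Budget_2025.pdf.lnk": LNK_HEADER + b"\x00" * 56,                         # shortcut posing as a PDF
    "Readme.pdf": b"MZ\x90\x00" + b"\x00" * 60,                                # PE content under a .pdf name
    "Meeting_Notes.docx": make_zip(OOXML_MIN),                                # clean document
    "Invoice.docx": make_zip({**OOXML_MIN, "word/vbaProject.bin": b"\x00"}),  # carries a VBA project
    "Report_Q4.pdf": b"%PDF-1.7\n%%EOF\n",
    "scan001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}

def run_all(samples=SAMPLES):
    """Verdict per sample file name."""
    return {name: assess(name, data)[0] for name, data in samples.items()}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, assess(name, data))
```

The two files the name alone would wave through (a `.pdf.lnk` and a `.pdf` whose bytes are a PE image) are blocked on content, the macro-bearing document is routed to review for detonation, and the clean document, PDF and image are allowed. In a real deployment the signature table would be broader and the verdicts would feed the sandbox step rather than end the decision.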
5) Monitor for behavioral indicators
- Unusual file creation patterns on removable drives (hidden directories, odd extensions, repeated small writes).
- Processes interacting with many files immediately after USB insertion.
- Unexpected scheduled tasks, registry persistence entries, or WMI event subscriptions on transfer systems.
- Repeatable “USB in → process burst → USB out” timing patterns tied to specific hosts or users.
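The behavioral indicators listed above (and the device-mount and process logging recommended for transfer stations) can be turned into a hunt over existing telemetry. The following is an added example for this article, not tooling from the reporting or any vendor: it groups endpoint events into mount-to-remove sessions and applies three of the indicators, hidden directories or script extensions written to the drive, a single process touching many files on the drive shortly after insertion, and the same host and user repeating the mount, burst, remove cycle. The pipe-delimited log format, hostnames, user names, process names, thresholds and every event line are constructed assumptions for the demonstration.

```python
"""Hunt for removable-media bridging behaviour in endpoint telemetry.

Added example for this article, not tooling from the reporting or any vendor.
Log format, hostnames, users, process names and thresholds are all assumptions.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts host user kind proc path")

# Constructed telemetry from two hypothetical transfer stations.
# Fields: timestamp|host|user|event|process|path, one event per line.
SAMPLE_LOG = r"""
2025-01-06T09:00:00Z|TX-STATION-01|alice|DEVICE_MOUNT|-|E:
2025-01-06T09:00:02Z|TX-STATION-01|alice|PROCESS_START|updater.exe|C:\Users\alice\AppData\Local\Temp\updater.exe
2025-01-06T09:00:03Z|TX-STATION-01|alice|FILE_CREATE|updater.exe|E:\.sys_cache\idx.dat
2025-01-06T09:00:03Z|TX-STATION-01|alice|FILE_CREATE|updater.exe|E:\.sys_cache\a.bin
2025-01-06T09:00:04Z|TX-STATION-01|alice|FILE_CREATE|updater.exe|E:\.sys_cache\b.bin
2025-01-06T09:00:05Z|TX-STATION-01|alice|FILE_CREATE|updater.exe|E:\Quarterly_Report.pdf.lnk
2025-01-06T09:00:06Z|TX-STATION-01|alice|FILE_MODIFY|updater.exe|E:\Quarterly_Report.pdf
2025-01-06T09:00:40Z|TX-STATION-01|alice|DEVICE_REMOVE|-|E:
2025-01-06T10:15:00Z|TX-STATION-02|bob|DEVICE_MOUNT|-|F:
2025-01-06T10:15:20Z|TX-STATION-02|bob|FILE_CREATE|WINWORD.EXE|F:\Meeting_Notes.docx
2025-01-06T10:16:30Z|TX-STATION-02|bob|DEVICE_REMOVE|-|F:
2025-01-06T13:30:00Z|TX-STATION-01|alice|DEVICE_MOUNT|-|E:
2025-01-06T13:30:02Z|TX-STATION-01|alice|FILE_CREATE|updater.exe|E:\.sys_cache\idx.dat
2025-01-06T13:30:02Z|TX-STATION-01|alice|FILE_CREATE|updater.exe|E:\.sys_cache\d.bin
2025-01-06T13:30:03Z|TX-STATION-01|alice|FILE_CREATE|updater.exe|E:\.sys_cache\e.bin
2025-01-06T13:30:03Z|TX-STATION-01|alice|FILE_CREATE|updater.exe|E:\.sys_cache\f.bin
2025-01-06T13:30:04Z|TX-STATION-01|alice|FILE_CREATE|updater.exe|E:\.sys_cache\g.bin
2025-01-06T13:30:31Z|TX-STATION-01|alice|DEVICE_REMOVE|-|E:
"""

# Extensions that should not appear on a drive meant to carry documents (assumed policy).
RISKY_EXTS = {".lnk", ".exe", ".scr", ".vbs", ".js", ".hta", ".cmd", ".bat", ".ps1"}

def parse_log(text):
    """Parse pipe-delimited lines into Event tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, kind, proc, path = line.split("|", 5)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, kind, proc, path))
    return sorted(events, key=lambda e: e.ts)

def build_sessions(events):
    """Group events into DEVICE_MOUNT..DEVICE_REMOVE sessions (one open volume per host)."""
    open_by_host, sessions = {}, []
    for e in events:
        if e.kind == "DEVICE_MOUNT":
            open_by_host[e.host] = {"host": e.host, "user": e.user, "volume": e.path,
                                    "start": e.ts, "end": None, "events": []}
        elif e.host in open_by_host:
            s = open_by_host[e.host]
            if e.kind == "DEVICE_REMOVE" and e.path == s["volume"]:
                s["end"] = e.ts
                sessions.append(open_by_host.pop(e.host))
            elif e.path.upper().startswith(s["volume"].upper()):
                s["events"].append(e)  # only activity on the mounted volume
    sessions.extend(open_by_host.values())  # sessions never closed by a remove event
    return sessions

def suspicious_paths(session):
    """Indicator: hidden directories or script/shortcut extensions written to the drive."""
    findings = []
    for e in session["events"]:
        if not e.kind.startswith("FILE_"):
            continue
        parts = e.path.split("\\")
        name = parts[-1]
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if any(p.startswith(".") for p in parts[1:-1]):
            findings.append(("hidden_dir", e.path))
        if ext in RISKY_EXTS:
            findings.append(("risky_ext", e.path))
    return findings

def process_burst(session, threshold=5, window=timedelta(seconds=10)):
    """Indicator: one process touching >= threshold files on the drive inside the window."""
    by_proc = defaultdict(list)
    for e in session["events"]:
        if e.kind.startswith("FILE_"):
            by_proc[e.proc].append(e.ts)
    bursts = []
    for proc, times in by_proc.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            bursts.append(proc)
    return bursts

def repeat_pattern(sessions, min_sessions=2):
    """Indicator: the same host/user shows the mount -> burst -> remove cycle repeatedly."""
    counts = defaultdict(int)
    for s in sessions:
        if s["end"] is not None and process_burst(s):
            counts[f"{s['host']}/{s['user']}"] += 1
    return {k: v for k, v in counts.items() if v >= min_sessions}

def hunt(log_text):
    """Run all three indicators and return a JSON-friendly report."""
    sessions = build_sessions(parse_log(log_text))
    report = {"sessions": len(sessions), "alerts": [], "repeat_pattern": repeat_pattern(sessions)}
    for s in sessions:
        paths, bursts = suspicious_paths(s), process_burst(s)
        if paths or bursts:
            report["alerts"].append({"host": s["host"], "user": s["user"], "volume": s["volume"],
                                     "start": s["start"].isoformat(), "path_findings": paths,
                                     "burst_processes": bursts})
    return report

if __name__ == "__main__":
    import json
    print(json.dumps(hunt(SAMPLE_LOG), indent=2))
```

On the constructed log, both of alice's sessions on TX-STATION-01 alert (hidden-directory writes, a `.pdf.lnk` drop, and a five-plus file burst by one process within seconds of the mount), bob's single document save does not, and the repeat-pattern check ties the two alerting sessions to the same host and user. The thresholds are starting points; baseline them against your own transfer stations before alerting on them.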
Strategic takeaways
Ruby Jumper reinforces a recurring lesson in high-security environments: air gaps reduce risk, but they do not remove it. Attackers who can compromise the workflows around the gap can still create a covert communications path. As more intelligence actors prioritize stealth and persistence, defenders should assume that “trusted” transfer processes are being profiled and targeted.
For security leaders, the immediate priority is to treat removable media as a high-risk interface and to invest in controls that create auditability and friction at the boundary. For incident responders, the priority is to expand hunting beyond network indicators and into device-mount telemetry, transfer-station baselines, and offline enclave integrity monitoring.
APT37’s reported expansion into removable-media bridging is a meaningful escalation in capability because it targets the assumptions behind isolated networks. Whether the goal is political intelligence, military insight, or surveillance of high-interest individuals, the ability to interact with air-gapped systems provides disproportionate strategic value.
For more insights and updates on cybersecurity, AI advancements, and cyberespionage, visit NorthernTribe Insider. Stay secure, NorthernTribe.