Malware, Threat Intelligence

North Korea’s ScarCruft group leverages Zoho WorkDrive and removable media in new cyber campaign

North Korean threat actor ScarCruft has been linked to a new cyber campaign, codenamed Ruby Jumper, employing novel tools including a backdoor that utilizes Zoho WorkDrive for command-and-control communications. This campaign introduces sophisticated methods for infecting air-gapped networks, according to a recent report by The Hacker News.

The Ruby Jumper campaign, first identified by Zscaler ThreatLabz in December 2025, deploys multiple malware families such as RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT. The initial infection vector is a malicious LNK file that launches PowerShell commands to deploy embedded payloads. The RESTLEAF backdoor is notable for using Zoho WorkDrive as its command-and-control channel, fetching further payloads after authenticating to the service.
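The LNK-to-PowerShell chain described above is one of the few stages of this campaign that a defender can reasonably hunt for in endpoint telemetry. The following is an added detection example, not code from the original report or from Zscaler; it runs over a handful of constructed process-creation records in a simplified key=value form loosely modelled on Sysmon Event ID 1 fields. The heuristic it applies (PowerShell whose parent is explorer.exe, which is what a user double-clicking a shortcut produces, combined with loader-style switches such as hidden window, encoded command or execution-policy bypass) is a general assumption about LNK-launched loaders, not a claim about the specific command lines used by Ruby Jumper.

```python
import re

# Constructed, illustrative process-creation records in a simplified
# key=value form (loosely modelled on Sysmon Event ID 1 fields). They are
# not telemetry from the Ruby Jumper campaign. Fields are '|'-separated, so
# a real command line containing '|' would need a proper event parser.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=\"WINWORD.EXE\" C:\\Users\\alice\\Downloads\\report.docx",
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -File C:\\scripts\\nightly-backup.ps1",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File E:\\docs\\readme.ps1",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe",
]

# Switches that are common in shortcut-launched loaders and rare in
# interactive or scheduled administrative use (assumed heuristic).
SUSPICIOUS_SWITCHES = [
    re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)(\s|$)", re.I),
    re.compile(r"(^|\s)-w(indowstyle)?\s+hidden", re.I),
    re.compile(r"(^|\s)-(ep|executionpolicy)\s+bypass", re.I),
    re.compile(r"(^|\s)-nop(rofile)?(\s|$)", re.I),
]


def parse_event(line):
    """Split a 'k=v|k=v' record into a dict; only the first '=' separates key from value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields


def score_event(event):
    """Return (score, reasons) for one parsed event.

    One point for PowerShell spawned directly by explorer.exe (the usual
    parent when a user opens a .lnk), plus one point per loader-style switch.
    Non-PowerShell images score zero.
    """
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    if not (image.endswith("\\powershell.exe") or image.endswith("\\pwsh.exe")):
        return 0, reasons
    if parent.endswith("\\explorer.exe"):
        reasons.append("powershell spawned directly by explorer.exe")
    for rx in SUSPICIOUS_SWITCHES:
        m = rx.search(cmd)
        if m:
            reasons.append("switch " + m.group(0).strip())
    return len(reasons), reasons


def find_suspicious(lines, threshold=2):
    """Return the indexes of records whose score reaches the threshold.

    A threshold of 2 requires explorer.exe parentage plus at least one
    loader-style switch, or two such switches, which keeps a bare
    interactive 'powershell.exe' launch from explorer.exe out of the results.
    """
    hits = []
    for i, line in enumerate(lines):
        score, _ = score_event(parse_event(line))
        if score >= threshold:
            hits.append(i)
    return hits


if __name__ == "__main__":
    for i in find_suspicious(SAMPLE_EVENTS):
        score, reasons = score_event(parse_event(SAMPLE_EVENTS[i]))
        print(f"event {i}: score {score}: {', '.join(reasons)}")
```

Run against the constructed records, the script flags the encoded hidden-window launch and the execution-policy-bypass launch, while the backup script started from cmd.exe and the plain interactive PowerShell session fall below the threshold. In a real deployment the same scoring would sit on top of an EDR or SIEM query rather than a list of strings, and the switch list would be tuned against the environment's baseline of legitimate PowerShell use.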

A critical component, THUMBSBD, disguised as a Ruby file, weaponizes removable media to relay commands and exfiltrate data, enabling the breach of air-gapped systems. VIRUSTASK, another removable-media component, focuses on gaining initial access to these isolated networks. FOOTWINE, delivered by THUMBSBD, offers keylogging and audio/video capture capabilities and communicates over a custom TCP protocol. BLUELIGHT, a backdoor previously attributed to the group, also leverages legitimate cloud services such as Google Drive and OneDrive for its operations.

Source: The Hacker News
