----------------
🎯 Threat Intelligence
===================
Opening:
Zscaler ThreatLabz published a technical analysis of a December 2025 campaign tracked as Ruby Jumper and attributed to APT37 (aliases: ScarCruft, Ruby Sleet, Velvet Chollima). The report documents a multi-stage intrusion that begins with malicious Windows shortcut (LNK) files and culminates in surveillance payloads delivered to both networked and air-gapped machines.
Technical Details:
• Initial vector: Malicious LNK files that launch PowerShell. The shortcut carries its follow-on stages as embedded data: find.bat, search.dat (a PowerShell script) and viewer.dat (a shellcode-based payload) are carved from fixed offsets inside the LNK and dropped to disk.
• Initial implant: RESTLEAF, observed using Zoho WorkDrive for command-and-control communications.
• Secondary loader: SNAKEDROPPER, which installs the Ruby runtime, establishes persistence, and drops additional components.
• Removable-media components: VIRUSTASK (propagation) replaces files on removable media with malicious LNK shortcuts; THUMBSBD (backdoor) relays commands and data between internet-connected and air-gapped hosts over the same media.
• Final payloads: FOOTWINE (surveillance backdoor with keylogging and audio/video capture) and BLUELIGHT.
🔹 Attack Chain Analysis
• Initial Access / Execution: Victim opens the malicious LNK → PowerShell is executed.
• Staging: PowerShell scripts parse the embedded payloads out of the LNK and load shellcode (viewer.dat) into memory.
• C2 & Commanding: RESTLEAF communicates via Zoho WorkDrive for payload fetch and C2 operations.
• Loader & Persistence: SNAKEDROPPER installs the Ruby runtime and persists on the host.
• Propagation / Air-gap Bridging: VIRUSTASK infects removable media by creating malicious LNKs; THUMBSBD reads and writes commands and data on the media to bridge air-gapped systems.
• Post-exploitation: FOOTWINE and BLUELIGHT provide surveillance capabilities including keylogging and media capture.
Analysis:
Two technical choices stand out: Zoho WorkDrive as the C2 channel, which hides command traffic inside a legitimate cloud-storage service that many networks already allow, and a Ruby-based loader that executes shellcode. The removable-media relay enables persistence across networks and data transfer to systems that lack direct network access, consistent with long-standing APT objectives to reach isolated environments.
Detection:
ThreatLabz documents specific artifacts: the LNK carving behavior, the three-file drop sequence (find.bat, search.dat, viewer.dat), RESTLEAF communicating with Zoho WorkDrive, and the Ruby runtime installed by SNAKEDROPPER. These are the primary indicators enumerated in the analysis. Each maps to something a hunter can look for: LNK files that carry embedded payloads are far larger than an ordinary shortcut and spawn PowerShell when opened; a Ruby runtime appearing on hosts with no business need for it; and Zoho WorkDrive traffic from endpoints that do not otherwise use the service.
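A practical check for the first artifact above (LNK files carrying embedded stages beyond the shortcut structures), and for the LNK shortcuts VIRUSTASK plants on removable media, as an added example that is not from the ThreatLabz report or the campaign tooling: a Python parser that walks the MS-SHLLINK structures to find where a legitimate shortcut ends, reports any trailing bytes as a candidate embedded payload, and flags shortcuts whose string fields invoke PowerShell. The sample shortcut, its command line and the appended batch stub are constructed here; the real Ruby Jumper offsets and command lines are in the report, not in this code.

```python
import os
import struct

# MS-SHLLINK: fixed header size and the Shell Link CLSID that every .lnk starts with.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")

# LinkFlags bits selecting which optional structures follow the header, in file order.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data):
    """Walk the shortcut structures in order; return (string_data, end_offset).
    end_offset is where a well-formed .lnk ends, so bytes beyond it are not part of
    the shortcut and are candidates for an embedded payload."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for bit, name in STRING_FIELDS:  # CountCharacters (2 bytes) + characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += width * count
    # ExtraData: BlockSize-prefixed blocks, closed by a TerminalBlock whose size is < 4.
    while pos + 4 <= len(data):
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            pos += 4
            break
        if pos + size > len(data):  # block claims more than the file holds: stop here
            break
        pos += size
    return strings, pos


def analyze_lnk(data):
    """Parse one .lnk and report the observables a hunter cares about."""
    strings, end = parse_lnk(data)
    trailing = data[end:]
    findings = []
    if any(t in " ".join(strings.values()).lower() for t in ("powershell", "pwsh")):
        findings.append("shortcut launches PowerShell")
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after the shortcut structures at offset {end}")
    return {"strings": strings, "end_offset": end, "trailing": trailing, "findings": findings}


def scan_tree(root):
    """Run analyze_lnk over every .lnk under root, e.g. a mounted removable drive."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                try:
                    results[path] = analyze_lnk(fh.read())
                except (ValueError, struct.error) as exc:
                    results[path] = {"findings": [f"unparseable: {exc}"]}
    return results


def build_sample_lnk(arguments, appended):
    """Constructed sample, not a campaign artifact: header + Unicode arguments string
    + TerminalBlock, followed by whatever bytes the caller wants appended."""
    header = (struct.pack("<I", HEADER_SIZE) + LNK_CLSID
              + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)
              + b"\x00" * (HEADER_SIZE - 24))  # remaining fixed header fields zeroed
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + struct.pack("<I", 0) + appended


# Constructed inputs: a generic hidden PowerShell command line and a stand-in batch stub.
SAMPLE_ARGS = 'powershell -w hidden -c "echo constructed sample"'
SAMPLE_PAYLOAD = b"@echo off\r\nrem constructed stand-in for an embedded batch stage\r\n"

if __name__ == "__main__":
    for finding in analyze_lnk(build_sample_lnk(SAMPLE_ARGS, SAMPLE_PAYLOAD))["findings"]:
        print(finding)
```

Point scan_tree at a mounted removable drive to triage the shortcuts VIRUSTASK-style propagation leaves behind. Two caveats: the trailing-bytes heuristic is a structural check, so it will also surface the occasional benign tool that appends data to a shortcut, and the PowerShell check only reads the LNK's own string fields; a shortcut whose target is set through the IDList rather than the arguments string needs the IDList resolved as well.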
Mitigation:
The Zscaler post is organized around behavioral artifacts and component-level findings; it enumerates file artifacts and high-level C2 mechanics rather than prescriptive remediation steps. Consult the original ThreatLabz report before writing detection rules or prioritizing defensive actions.
References:
Zscaler ThreatLabz analysis of the Ruby Jumper campaign (December 2025) contains full technical breakdown and component mappings.
🔹 APT37 #RubyJumper #malware #airgap #ThreatIntel
🔗 Source: https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks




