Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks

The Hacker News by The Hacker News
February 27, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Ravie LakshmananFeb 27, 2026Malware / Surveillance

The North Korean threat actor known as ScarCruft has been attributed to a fresh set of tools, including a backdoor that uses Zoho WorkDrive for command-and-control (C2) communications to fetch more payloads and an implant that uses removable media to relay commands and breach air-gapped networks.

The campaign, codenamed Ruby Jumper by Zscaler ThreatLabz, involves the deployment of malware families, such as RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT to facilitate surveillance on a victim’s system. It was discovered by the cybersecurity company in December 2025.

“In the Ruby Jumper campaign, when a victim opens a malicious LNK file, it launches a PowerShell command and scans the current directory to locate itself based on file size,” security researcher Seongsu Park said. “Then, the PowerShell script launched by the LNK file carves multiple embedded payloads from fixed offsets within that LNK, including a decoy document, an executable payload, an additional PowerShell script, and a batch file.”

One of the lure documents used in the campaign displays an article about the Palestine-Israel conflict that’s translated from a North Korean newspaper into Arabic.

All three remaining payloads are used to progressively move the attack to the next stage, with the batch script launching PowerShell, which, in turn, is responsible for loading shellcode containing the payload after decrypting it. The Windows executable payload, named RESTLEAF, is spawned in memory, and uses Zoho WorkDrive for C2, marking the first time the threat actor has abused the cloud storage service in its attack campaigns.

Once it’s successfully authenticated with the Zoho WorkDrive infrastructure by means of a valid access token, RESTLEAF downloads shellcode, which is then executed via process injection, eventually leading to the deployment of SNAKEDROPPER, which installs the Ruby runtime, sets up persistence using a scheduled task, and drops THUMBSBD and VIRUSTASK.

THUMBSBD, which is disguised as a Ruby file and uses removable media to relay commands and transfer data between internet-connected and air-gapped systems. It’s capable of harvesting system information, downloading a secondary payload from a remote server, exfiltrating files, and executing arbitrary commands. If the presence of any removable media is detected, the malware creates a hidden folder and uses it to stage operator-issued commands or store execution output.

One of the payloads delivered by THUMBSBD is FOOTWINE, an encrypted payload with an integrated shellcode launcher that comes fitted with keylogging and audio and video capturing capabilities to conduct surveillance. It communicates with a C2 server using a custom binary protocol over TCP. The complete set of commands supported by the malware is as follows –

  • sm, for interactive command shell
  • fm, for file and directory manipulation
  • gm, for managing plugins and configuration
  • rm, for modifying the Windows Registry
  • pm, for enumerating running processes
  • dm, for taking screenshots and captures keystrokes
  • cm, for performing audio and video surveillance
  • s_d, for receiving batch script contents from C2 server, saving it to the file %TEMP%SSMMHH_DDMMYYYY.bat, and executing it
  • pxm, for setting up a proxy connection and relaying traffic bidirectionally.
  • [filepath], for loading a given DLL

THUMBSBD is also designed to distribute BLUELIGHT, a backdoor previously attributed to ScarCruft since at least 2021. The malware weaponizes legitimate cloud providers, including Google Drive, Microsoft OneDrive, pCloud, and BackBlaze, for C2 to run arbitrary commands, enumerate the file system, download additional payloads, upload files, and remove itself.

Also delivered as a Ruby file, VIRUSTASK functions similar to THUMBSBD in that it acts as a removable media propagation component to spread the malware to non-infected air-gapped systems. “Unlike THUMBSBD which handles command execution and exfiltration, VIRUSTASK focuses exclusively on weaponizing removable media to achieve initial access on air-gapped systems,” Park explained.

“The Ruby Jumper campaign involves a mult-stage infection chain that begins with a malicious LNK file and utilizes legitimate cloud services (like Zoho WorkDrive, Google Drive, Microsoft OneDrive, etc.) to deploy a novel, self-contained Ruby execution environment,” Park said. “Most critically, THUMBSBD and VIRUSTASK weaponize removable media to bypass network isolation and infect air-gapped systems.”



Source link

The Hacker News

The Hacker News

Next Post
Cisco to Participate in March 2026 Events with the Financial Community

Cisco to Participate in March 2026 Events with the Financial Community

Recommended.

Stocks making the biggest moves premarket: Honeywell, Strategy, Oracle & more

Stocks making the biggest moves premarket: Honeywell, Strategy, Oracle & more

December 22, 2025
From Interconnect to Power and Thermal Management: Luxshare-ICT Expands Its Role in AI Data Center Infrastructure

From Interconnect to Power and Thermal Management: Luxshare-ICT Expands Its Role in AI Data Center Infrastructure

April 24, 2026

Trending.

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

May 21, 2025
Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

April 23, 2025
MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

April 7, 2025
VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

September 11, 2025
Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

May 8, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio