ScarCruft's 'Ruby Jumper': North Korea Is Using Zoho WorkDrive to Bridge Air-Gapped Networks
North Korean state hackers used a legitimate cloud platform as their covert command channel — and added a USB relay to reach systems that have no internet connection at all.
Who Is ScarCruft?
ScarCruft, also tracked as APT37, Reaper, Group123, and InkySquid, is a North Korean state-sponsored threat actor that has been operational since at least 2012. They operate under the Reconnaissance General Bureau (RGB), North Korea's primary foreign intelligence service, and are distinct from Lazarus Group (which focuses primarily on financial theft and cryptocurrency) and APT38 (financially motivated operations at scale).
ScarCruft's mission is primarily collection: espionage against individuals and organisations the North Korean government wants intelligence on. Their primary targets are:
- South Korean government officials, military personnel, and think tanks
- North Korean defectors and human rights organisations
- Journalists covering North Korean affairs
- South Korean defence industry and critical infrastructure
- Select targets in Japan, Vietnam, the Middle East, and Europe
They're not the loudest APT in the room. They're focused, patient, and operationally disciplined. They almost never deploy ransomware or cause destructive impact — the goal is quiet, sustained access and data exfiltration.
The Ruby Jumper Campaign (February 2026)
Threat intelligence reports from February 27, 2026 documented a ScarCruft campaign that researchers have named Ruby Jumper. The campaign has two notable characteristics that make it technically interesting beyond the standard spear-phishing → malware → exfil chain:
- Zoho WorkDrive as C2 — legitimate cloud storage used as the command-and-control channel
- USB relay for air-gap bridging — physical media used to deliver the implant to systems with no internet connection
This is a meaningful escalation in ScarCruft's tradecraft. It combines the Living Off Trusted Sites (LOTS) technique — using legitimate cloud platforms to hide C2 traffic — with a physical-media persistence mechanism for reaching the hardest targets in a network: the ones with no network connection at all.
Why Zoho WorkDrive?
ScarCruft has a long history of using legitimate cloud platforms for C2. Past campaigns have used pCloud, Google Drive, OneDrive, Dropbox, and Naver cloud services. The choice of cloud platform varies by campaign, but the strategic logic is always the same.
Blocking Zoho WorkDrive at the perimeter creates immediate operational problems for any organisation that legitimately uses Zoho for document collaboration — tens of thousands of businesses globally. Network defenders face a fundamental asymmetry:
- Blocking the domain stops the legitimate users in your organisation
- Not blocking the domain leaves the implant's C2 channel open
- The C2 traffic looks identical to legitimate WorkDrive sync activity — same HTTPS, same domain, same certificate
Traditional blocklist-based defences fail entirely against this technique. The only effective countermeasures are behavioural: what processes are making requests to Zoho WorkDrive, and is that expected behaviour for those processes?
How the Cloud C2 Works
ScarCruft's cloud C2 implementations typically follow a consistent pattern:
- The implant authenticates to a cloud storage account (credentials hardcoded or derived from the target)
- It polls a specific file or folder within the cloud account for new "tasks" — usually a small file with encoded commands
- It writes exfiltrated data as new files to a designated output folder in the same account
- The attacker reads collected data and writes new commands from their own machine, also authenticated to the same cloud account
All communication is HTTPS to a legitimate cloud storage API. No suspicious domains, no port knocking, no unusual protocols. From the network edge, it looks like a process syncing files to cloud storage.
The Air-Gap Bridging Component
The more technically significant aspect of Ruby Jumper is the USB relay capability. Air-gapped systems — machines with no network connection of any kind — are present in the most sensitive environments: nuclear facilities, military networks, critical industrial controls, isolated research systems. They're the last line of defence for organisations that have learned from high-profile breaches.
The challenge for an attacker is: if you can compromise an internet-connected machine on the periphery of an organisation, how do you reach the air-gapped system inside?
The answer ScarCruft implemented: infect USB drives that cross the air gap.
Physical media — USB sticks, update drives, removable storage — regularly cross the air gap in almost every organisation that uses air-gapped systems. Patch updates, data extraction, configuration backups: these all require physical media at some point. The air gap doesn't eliminate this attack surface; it just shifts it from the network to physical media.
Ruby Jumper's USB Mechanism
The original threat intelligence reports carry the full technical analysis of the Ruby Jumper USB component. The general technique ScarCruft uses, consistent with their prior campaigns and with what is known about Ruby Jumper, works as follows:
- Stage 1 — Infection: The internet-connected compromised machine (via the cloud C2 implant) monitors for USB drive insertion and writes a small, persistent dropper to the drive using a Windows-compatible autorun mechanism or an LNK file that mimics legitimate content
- Stage 2 — Air-gap crossing: When the infected USB is inserted into the air-gapped machine (by an operator performing a legitimate task), the dropper executes, deploys an implant in memory, and begins collecting target data
- Stage 3 — Data staging: Collected data is written to a hidden partition or file on the USB drive
- Stage 4 — Exfiltration: When the USB is next connected to the internet-connected machine, the outer implant reads the staged data from the USB and uploads it via the Zoho WorkDrive C2 channel
This creates a one-hop relay: air-gapped machine → USB → internet-connected machine → Zoho WorkDrive → attacker. The air gap is bridged physically, but the exfiltration channel uses legitimate cloud infrastructure.
Historical Context: ScarCruft and USB-Based Attacks
ScarCruft has previously used USB-based spread mechanisms. Their DOGCALL malware family and subsequent campaigns have included drive-based persistence components for years. Air-gap bridging via removable media is not a new concept — Stuxnet (widely attributed to US-Israel) used this technique against Iranian nuclear facilities over a decade ago. What Ruby Jumper adds is the combination with cloud-based C2 and a relatively small operational footprint that makes each component harder to detect in isolation.
The historical precedent matters for defenders: if you've been operating on the assumption that your air-gapped systems are unreachable because you control who physically accesses them, state-sponsored actors have been proving that assumption wrong for years. The USB threat to air-gapped networks is not theoretical — it's documented operational behaviour by multiple APT groups across multiple countries.
Detection: What to Look For
Cloud C2 Detection (Internet-Connected Systems)
- Process-to-cloud-storage mapping: A non-browser, non-productivity process making regular HTTPS requests to Zoho WorkDrive (or any cloud storage service) warrants immediate investigation. Map expected business software to expected cloud storage destinations. Unexplained processes polling cloud APIs are a significant anomaly.
- Volume and frequency patterns: Legitimate file sync is bursty (large uploads when you save a document). C2 polling is regular and small — frequent small HTTPS requests at fixed intervals. Beaconing detection looks for this pattern.
- Account context: Cloud storage access by a process running under a user account that has no legitimate use of that cloud service is suspicious. A user who uses Zoho via their browser will have the web traffic attributed to the browser process. A separate process polling Zoho WorkDrive from the same machine is not that user's browser session.
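The three checks above (which process, how regular, how large) can be combined into one beaconing test. The following is an added example, not code from the original post or from any threat report: it reads constructed proxy-style log lines of the form `<epoch_seconds> <process> <host> <bytes_sent>`, skips processes expected to use cloud storage, and flags flows whose request spacing is near-constant and whose payloads are uniformly small. Process names and hosts in the sample are invented, not campaign indicators.

```python
# Beaconing detector for cloud-storage destinations. Added example, not code
# from the original post or any threat report. Log lines use a constructed
# proxy-style format: <epoch_seconds> <process> <host> <bytes_sent>.
from collections import defaultdict
from statistics import mean, pstdev

# Processes expected to talk to cloud storage on this (hypothetical) host.
EXPECTED_CLOUD_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample: a browser, a bursty backup job, and an unknown process polling every ~60 s.
SAMPLE_LOG = """\
0 update_helper.exe workdrive.zoho.com 412
5 chrome.exe workdrive.zoho.com 184320
10 backup_agent.exe workdrive.zoho.com 5242880
12 backup_agent.exe workdrive.zoho.com 5242880
13 backup_agent.exe workdrive.zoho.com 5242880
60 update_helper.exe workdrive.zoho.com 398
121 update_helper.exe workdrive.zoho.com 402
180 update_helper.exe workdrive.zoho.com 415
200 backup_agent.exe workdrive.zoho.com 5242880
201 backup_agent.exe workdrive.zoho.com 5242880
241 update_helper.exe workdrive.zoho.com 399
300 update_helper.exe workdrive.zoho.com 401
360 update_helper.exe workdrive.zoho.com 410
450 backup_agent.exe workdrive.zoho.com 5242880
""".splitlines()

def parse_line(line):
    ts, proc, host, nbytes = line.split()
    return float(ts), proc.lower(), host.lower(), int(nbytes)

def find_beacons(lines, min_requests=6, max_jitter=0.2, max_bytes=2048):
    # Flag (process, host) flows with near-constant spacing (stdev/mean <= max_jitter) and small payloads.
    flows = defaultdict(list)
    for line in lines:
        ts, proc, host, nbytes = parse_line(line)
        flows[(proc, host)].append((ts, nbytes))
    alerts = []
    for (proc, host), events in flows.items():
        if proc in EXPECTED_CLOUD_CLIENTS or len(events) < min_requests:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0  # 0.0 means perfectly periodic
        if jitter <= max_jitter and all(n <= max_bytes for _, n in events):
            alerts.append({"process": proc, "host": host, "requests": len(events),
                           "interval_s": round(avg, 1), "jitter": round(jitter, 3)})
    return alerts
```

The backup job hits the same host with more requests than the poller but is not flagged: its spacing is bursty and its uploads are large, which is the distinction the text draws between sync and C2.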
USB Monitoring (Including Air-Gapped Systems)
- USB device logging: Log every USB insertion/removal event with device identifier on all machines — including air-gapped systems. This requires endpoint logging that writes to a local log file (or manual extraction) rather than a network log store.
- File system monitoring on USB insertion: Alert on executable files written to or executed from USB drives, particularly from processes other than Windows Explorer or the file manager.
- USB device whitelisting: On air-gapped systems specifically, enforce hardware-level USB whitelisting (approved device identifiers only). Group Policy or endpoint security tools can block unknown devices entirely.
- Bi-directional scan policy: Every USB drive that crosses the air gap in either direction should be scanned on a dedicated, non-networked scanning station before being inserted into the air-gapped environment. This is standard policy in high-security environments but inconsistently enforced in practice.
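The insertion-logging and file-system-monitoring items above only pay off when the two event streams are correlated. This added example (not code from the original post or any product) does that correlation over a constructed endpoint-log schema: it tracks which drive letters are currently removable media and flags executable-type files written to them by anything other than the file manager shortly after insertion. Device ids, paths and the `update_helper.exe` process name are invented samples.

```python
# USB write monitor. Added example, not code from the original post or any
# threat report. Events use a constructed endpoint-log schema (kind, time,
# drive, device_id, path, process); device ids and paths are samples.
import ntpath
from datetime import datetime

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".lnk", ".vbs", ".js", ".cmd", ".bat", ".ps1"}
TRUSTED_WRITERS = {"explorer.exe"}  # the file manager, which the text treats as expected

def find_suspicious_usb_writes(events, window_seconds=600):
    # Track currently mounted removable drives, then flag executable-type files
    # written to them by a non-file-manager process within window_seconds of insertion.
    mounted = {}  # drive letter -> (insert time, device id)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort correctly as text
        t = datetime.fromisoformat(ev["time"])
        if ev["kind"] == "usb_insert":
            mounted[ev["drive"].upper()] = (t, ev["device_id"])
        elif ev["kind"] == "usb_remove":
            mounted.pop(ev["drive"].upper(), None)
        elif ev["kind"] == "file_create":
            drive = ntpath.splitdrive(ev["path"])[0].upper()
            if drive not in mounted:
                continue  # write to a fixed disk, out of scope here
            inserted_at, device_id = mounted[drive]
            age = (t - inserted_at).total_seconds()
            ext = ntpath.splitext(ev["path"])[1].lower()
            writer = ntpath.basename(ev["process"]).lower()
            if ext in EXECUTABLE_EXT and writer not in TRUSTED_WRITERS and age <= window_seconds:
                alerts.append({"time": ev["time"], "device_id": device_id, "path": ev["path"],
                               "process": writer, "seconds_after_insert": int(age)})
    return alerts

# Constructed sample: a user copies a document, then an unknown process drops
# a shortcut onto the same stick about a minute later.
SAMPLE_EVENTS = [
    {"kind": "usb_insert", "time": "2026-02-27T09:00:00", "drive": "E:", "device_id": "USBSTOR\\SAMPLE-DEVICE-01"},
    {"kind": "file_create", "time": "2026-02-27T09:01:10", "path": r"E:\report.docx", "process": r"C:\Windows\explorer.exe"},
    {"kind": "file_create", "time": "2026-02-27T09:02:05", "path": r"E:\Quarterly Report.lnk",
     "process": r"C:\Users\sample\AppData\Local\update_helper.exe"},
    {"kind": "file_create", "time": "2026-02-27T09:03:00", "path": r"C:\Users\sample\Desktop\tool.exe",
     "process": r"C:\Users\sample\AppData\Local\update_helper.exe"},
    {"kind": "usb_remove", "time": "2026-02-27T09:05:00", "drive": "E:"},
]
```

On an air-gapped host the same logic runs against the locally written log file the text calls for; the schema is the only thing that changes.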
Indicators of Compromise (IoC Methodology)
For the specific Ruby Jumper campaign, check the original threat intelligence reports for specific IoC values (file hashes, registry keys, Zoho account patterns). As a general ScarCruft detection rule, look for:
- DLL sideloading from non-standard paths (ScarCruft frequently abuses legitimate signed binaries)
- PowerShell or WScript processes with base64-encoded command line arguments being spawned by document reader applications (initial access via HWP/Office malicious documents is a ScarCruft staple)
- Scheduled tasks or registry Run keys added by document application processes
- Network connections to cloud storage APIs from processes associated with document handling
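The second item in that list, a script host spawned by a document reader with a base64-encoded command line, is the most mechanical to detect. This added example (not code from the original post or any threat report) checks constructed Sysmon-like process-creation events for that parent/child pairing and, where PowerShell's encoded-command argument is present, decodes it (base64 of UTF-16LE text) so the analyst can read what was run without executing it. The reader and script-host name sets, and all sample paths and command lines, are assumptions for illustration.

```python
# Detection for script hosts spawned by document readers. Added example, not
# code from the original post or any threat report. Events are a constructed,
# Sysmon-like process-creation schema; paths and command lines are samples.
import base64
import ntpath
import re

DOCUMENT_READERS = {"hwp.exe", "winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; -e, -ec and -enc
# are the common short forms. The argument is base64 of UTF-16LE script text.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

def decode_encoded_command(command_line):
    # Return the decoded script text if an encoded-command argument is present.
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"

def check_process_event(event):
    parent = ntpath.basename(event["parent_image"]).lower()
    child = ntpath.basename(event["image"]).lower()
    if parent not in DOCUMENT_READERS or child not in SCRIPT_HOSTS:
        return None
    decoded = decode_encoded_command(event["command_line"])
    return {"parent": parent, "child": child, "encoded": decoded is not None, "decoded": decoded}

def scan_events(events):
    return [hit for hit in map(check_process_event, events) if hit]

# Constructed sample payload: a harmless command encoded the way -EncodedCommand expects.
SAMPLE_B64 = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "command_line": r'"C:\Program Files\Microsoft Office\WINWORD.EXE" report.docx'},
    {"parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 12288"},  # print spooler helper: child of Word, but not a script host
    {"parent_image": r"C:\Program Files\Hancom\HWP.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -NoProfile -enc {SAMPLE_B64}"},
]
```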
The Broader LOTS Trend in 2026
Ruby Jumper is the latest in a pattern of APT campaigns from early 2026 that use legitimate cloud infrastructure to make detection and disruption harder. Consider what we've seen in just the last few weeks:
- UNC2814 (China) — Used Google Sheets as a C2 channel (GRIDTIDE campaign). Google disrupted the infrastructure on February 25, 2026 — but the technique doesn't get "fixed" by that action.
- Aeternum Botnet — Used Polygon blockchain smart contracts as C2. Untakeable by design — there's no server to seize.
- ScarCruft (North Korea) — Used Zoho WorkDrive. Combines cloud C2 with USB air-gap bridging.
Three different threat actors, three different legitimate platforms, same fundamental problem: defenders can't block the destination without blocking legitimate business use. The answer — as with all LOTS campaigns — is behavioural detection, not static blocklists.
If your detection strategy is "block bad IPs and domains," every LOTS campaign will bypass it. Full stop.
Recommendations
For Organisations with Air-Gapped Systems
| Action | Priority | Owner |
|---|---|---|
| Enforce USB device whitelisting on all air-gapped systems (block unknown device IDs) | URGENT | Security / IT |
| Implement USB scanning station (offline AV scan before any media crosses the gap) | URGENT | Security |
| Enable USB insertion logging on all endpoints (including air-gapped, local log) | HIGH | Security / IT |
| Audit which employees have physical access to both internet-connected and air-gapped systems | HIGH | CISO |
| Review cross-gap data transfer procedures — consider a formal data diode or supervised transfer protocol | MEDIUM | Security Architecture |
For All Organisations (Internet-Connected Systems)
- Deploy beaconing detection: Network monitoring tools that flag processes making regular, small, fixed-interval connections to cloud storage APIs are your primary detection layer against LOTS-based C2.
- Process-to-destination correlation: Build and maintain a baseline of which processes should be making connections to which cloud services. Deviations from that baseline — especially non-browser processes connecting to cloud storage — warrant investigation.
- EDR tuning for ScarCruft TTPs: DLL sideloading from temp/AppData paths, PowerShell spawned from document readers, scheduled tasks created by non-system processes — these are the initial access indicators that precede cloud C2 deployment.
Threat Actor Summary
| Attribute | ScarCruft / APT37 |
|---|---|
| Also known as | Reaper, Group123, InkySquid, RedEyes, TA-RedAnt |
| Country of origin | North Korea (DPRK) — Reconnaissance General Bureau (RGB) |
| Active since | At least 2012 |
| Primary objective | Espionage — data exfiltration from high-value targets |
| Primary targets | South Korean government, military, journalism, human rights, NK defectors |
| Initial access TTPs | Spear-phishing, HWP exploits, browser/plugin exploits, watering hole |
| C2 history | pCloud, Dropbox, OneDrive, Google Drive, Naver, Zoho WorkDrive (Ruby Jumper) |
| Key malware families | RokRAT, DOGCALL, KONNI, BLUELIGHT, GOLDBACKDOOR |
| MITRE ATT&CK ID | G0067 |
Conclusion
The Ruby Jumper campaign doesn't require a zero-day, a supply chain compromise, or a particularly novel initial access technique. What it does require is patience, knowledge of the target's operational procedures, and a C2 infrastructure that blends perfectly with legitimate business traffic.
Zoho WorkDrive as a C2 channel is elegant precisely because it's unremarkable. In an organisation that uses Zoho for document collaboration, traffic to the Zoho API is expected and normal. The malware doesn't need to hide — it just needs to look like everything else.
The USB relay addresses the one scenario where cloud-based C2 isn't sufficient: an air-gapped system that physically cannot connect to the internet. For ScarCruft's target set — organisations with sensitive government, military, or research data — air-gapped systems are exactly where the most valuable data lives.
Defending against this requires a posture shift: away from perimeter blocklists and toward endpoint behavioural monitoring, process-to-destination baselines, and physical media controls that treat every USB drive as potentially hostile until scanned and approved.
🔍 Further reading: Ruby Jumper is one of three LOTS-based C2 campaigns from early 2026. See how China's UNC2814 used Google Sheets as a C2 channel and how the Aeternum botnet used Polygon blockchain smart contracts for truly untakeable C2 infrastructure.
📚 Recommended Reading
- Hacking: The Art of Exploitation, 2nd Ed. — Network persistence, privilege escalation, and understanding the technical foundation of APT implant tradecraft. Essential reading for anyone working in threat hunting or incident response.
- Social Engineering: The Science of Human Hacking, 2nd Ed. — ScarCruft's initial access almost always starts with social engineering. Understanding how spear-phishing and pretexting work at a technical and psychological level makes detection and training programs significantly more effective.
- Black Hat Python, 2nd Ed. — Writing USB monitoring tools, process-to-destination network correlation scripts, and custom detection logic for novel C2 patterns. The behavioural detection recommendations in this article all have Python implementation paths.