This week, three campaigns arrived with the same underlying design principle: each one was built specifically to be invisible to a well-configured security stack. APT37 built a six-component toolkit to bridge air-gapped government and defense networks, routing its command traffic through a Zoho WorkDrive account using a hardcoded refresh token that it exchanges for a valid access token, producing telemetry that looks like a user syncing files. A different North Korean-linked cluster published 26 malicious npm packages whose C2 addresses were encoded character-by-character into Pastebin essays, invisible to signature-based scanning. And a freshly disclosed campaign called VOID#GEIST deployed three separate RATs simultaneously by injecting them into explorer.exe via Early Bird APC, ahead of the hook points most EDRs rely on at thread creation, with no decrypted executable ever touching disk.
The common thread is not sophistication for its own sake. It is precision targeting of the specific layer each defender is not watching: the cloud storage session your DLP tool sees as Zoho, the npm package your scanner passed because it pulled a legitimate dependency, the process injection that ran before your EDR’s thread-creation hooks initialized. This week: three campaigns showing what it looks like when threat actors design around your detection model rather than trying to outrun it.
ScarCruft / APT37 Ruby Jumper – Air-Gap Bypass via Zoho WorkDrive and USB
What happened: Zscaler ThreatLabz disclosed the Ruby Jumper campaign on February 27, 2026, attributing it with high confidence to APT37 (also known as ScarCruft, Reaper, and Ricochet Chollima), a DPRK-backed threat group with a long history of targeting government, defense, and media organizations in South Korea and beyond. The campaign was discovered in December 2025. APT37 used a malicious LNK file as the initial vector, delivering a six-component toolkit – RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT – designed to surveil victims on internet-connected systems and then propagate across the air gap into physically isolated networks via USB removable media. The decoy document in analyzed samples was an Arabic translation of a North Korean newspaper article about the Palestine-Israel conflict, consistent with APT37’s historical targeting of entities with an interest in North Korean political narratives.
Technical details that matter:
- Initial Access: Malicious LNK file carves multiple embedded payloads from fixed offsets within itself via PowerShell; drops find.bat, search.dat (PowerShell shellcode loader), and viewer.dat (shellcode + RESTLEAF payload)
- Shellcode Delivery: Two-stage shellcode loader using custom API hashing with ROR 11 (module name) and ROR 15 (function name); stage 1 injects 1-byte XOR-decrypted second-stage shellcode into a randomly chosen legitimate Windows executable from %WINDIR%\System32; stage 2 reflectively loads the final PE
- C2 via Legitimate SaaS (RESTLEAF): First-ever APT37 abuse of Zoho WorkDrive for C2; RESTLEAF authenticates using hardcoded refresh token credentials (client_id 1000.3GYW7TSOWPQUNLVY1SK3Y6TWIUNAFH), exchanges them for a valid access token, downloads shellcode named AAA.bin, and beacons by creating timestamped files named "lion [timestamp]" in a folder called "Second" on the WorkDrive
- Persistence (SNAKEDROPPER): Extracts a legitimate Ruby 3.3.0 runtime from an embedded ruby3.zip, installs it to %PROGRAMDATA%\usbspeed, renames rubyw.exe to usbspeed.exe to masquerade as a USB utility, and replaces the legitimate operating_system.rb RubyGems auto-load file with a malicious version; creates a scheduled task named rubyupdatecheck to execute the disguised interpreter every 5 minutes
- Air-Gap Bridge (THUMBSBD): Monitors for removable media; creates a hidden $RECYCLE.BIN directory at the root of the drive; stages operator-issued commands and collected output there; decrypts content using a 1-byte 0x83 XOR routine and dispatches by the command identifier at offset 0x0C; victim identified by a SHA-256 hash of the disk volume serial and UUID; C2 fallback endpoints at philion[.]store, homeatedke[.]store, hightkdhe[.]store
- Air-Gap Propagation (VIRUSTASK): On media with at least 2GB free space, creates a hidden $RECYCLE.BIN.USER directory, hides the victim’s original files, and replaces them with LNK files bearing identical names; when a new host opens a hijacked file, the shortcut executes the Ruby interpreter, which auto-loads the malicious operating_system.rb and infects the new system; checks Dir.exist?("c:\programdata\usbspeed") to avoid re-infection
- Surveillance (FOOTWINE): TCP-based backdoor with custom XOR key exchange; supports interactive shell (sm), keystroke logging (dm), audio and video capture (cm), file manipulation (fm), registry manipulation (rm), process enumeration (pm), screenshot capture, proxy relay (pxm), and DLL plugin loading; delivered with an .apk extension to evade file-type filtering
- BLUELIGHT: Previously documented APT37 backdoor abusing Google Drive, OneDrive, pCloud, and BackBlaze for C2; supports arbitrary command execution, file system enumeration, payload download, upload, and self-removal
- Attribution Confidence: High; LNK-based initial vector, two-stage shellcode with ROR 11/15 API hashing, and BLUELIGHT reuse are all consistent APT37 signatures confirmed across multiple prior campaigns
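The ROR 11 / ROR 15 API hashing in the shellcode loader is the kind of thing an analyst resolves with a small lookup table rather than by hand. The script below is an added example for this newsletter, not code from the Zscaler report or from the malware: the report gives only the rotation counts, so the per-character update (rotate the running 32-bit hash right, then add the next byte), the zero seed, upper-cased UTF-16LE module names and ASCII function names, and the candidate export lists are all assumptions to be checked against the disassembly before trusting a resolution. The resolver structure is what carries over.

```python
"""Resolve ROR-style API hashes of the kind the Ruby Jumper shellcode loader uses.

Added example, not code from the Zscaler report or from the malware. The
rotation counts (ROR 11 for modules, ROR 15 for functions) come from the
report; the update rule, seed, string encodings and candidate export lists
below are assumptions.
"""
from typing import Dict, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` positions."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror_hash(data: bytes, bits: int) -> int:
    """Rotate-right-and-add hash over a byte string (assumed update rule)."""
    h = 0
    for b in data:
        h = (ror32(h, bits) + b) & MASK32
    return h


def module_hash(name: str) -> int:
    # Assumption: hashed as the PEB loader list stores it, UTF-16LE and upper-cased.
    return ror_hash(name.upper().encode("utf-16le"), 11)


def function_hash(name: str) -> int:
    # Assumption: hashed as the raw ASCII export name.
    return ror_hash(name.encode("ascii"), 15)


# Constructed candidate lists. A real resolver fills these from the export
# tables of the DLLs on the analysis machine.
EXPORTS: Dict[str, Tuple[str, ...]] = {
    "kernel32.dll": ("LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW", "WriteFile"),
    "ntdll.dll": ("NtAllocateVirtualMemory", "NtProtectVirtualMemory", "RtlMoveMemory"),
    "advapi32.dll": ("RegOpenKeyExW", "RegQueryValueExW"),
    "ws2_32.dll": ("connect", "send", "recv"),
}


def build_table() -> Dict[Tuple[int, int], Tuple[str, str]]:
    """Map (module hash, function hash) -> (module, function) for every candidate."""
    table: Dict[Tuple[int, int], Tuple[str, str]] = {}
    for module, functions in EXPORTS.items():
        mh = module_hash(module)
        for fn in functions:
            table[(mh, function_hash(fn))] = (module, fn)
    return table


TABLE = build_table()


def resolve(mod_hash: int, fn_hash: int) -> Optional[Tuple[str, str]]:
    """Look up a hash pair read out of the shellcode; None if it is not in the table."""
    return TABLE.get((mod_hash, fn_hash))


if __name__ == "__main__":
    # Stand-in for the two constants an analyst would copy from the decoded stage.
    pair = (module_hash("kernel32.dll"), function_hash("VirtualAlloc"))
    print(f"{pair[0]:#010x} {pair[1]:#010x} -> {resolve(*pair)}")
```

If the hashes in the sample do not resolve, vary the assumptions one at a time (seed, rotate-before-add versus add-before-rotate, case folding, ASCII versus UTF-16LE, whether the terminating NUL is hashed) until a known pair such as kernel32.dll / LoadLibraryA matches; once one pair resolves, the rest of the import table falls out of the same table.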
Why you should care: Air-gapped networks are predicated on a physical trust assumption: if there is no network path, there is no lateral movement. Ruby Jumper dissolves that assumption using removable media your employees already use, replacing their documents with shortcuts they will recognize and click. Once VIRUSTASK’s payload executes on the air-gapped host, THUMBSBD creates a bidirectional covert channel using the USB drive as a relay – operators deliver commands into the isolated network and pull data out without a network connection ever being established. The Zoho WorkDrive C2 on the internet-connected side is equally difficult to detect: RESTLEAF’s traffic is an authenticated API session to a legitimate enterprise SaaS platform, producing telemetry that looks like normal file sync activity to your DLP and proxy tools. For government agencies, defense contractors, utilities with OT segmentation, and any organization treating physical network isolation as a security control, this campaign requires a fundamentally different defensive posture – monitoring physical access points for unauthorized removable media, auditing scheduled tasks for renamed interpreters, and treating cloud storage API traffic as a potential C2 category rather than a trusted application class.
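One concrete check that follows from the VIRUSTASK and THUMBSBD descriptions above is to audit removable media before it is plugged into an isolated host. The script below is an added example, not tooling from the Zscaler report: it walks a drive for the $RECYCLE.BIN.USER staging directory and for .lnk files that shadow a same-named file in the same directory (Explorer hides the .lnk extension, so "report.docx.lnk" displays as "report.docx" next to the hidden original). The drive layout built by demo_drive() is constructed for the demo; audit_drive() runs against any mounted path.

```python
"""Audit a removable drive for the VIRUSTASK propagation pattern.

Added example, not code from the Zscaler report. The staging directory name
and the shadow-LNK pattern come from the report; the demo drive layout is
constructed.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# THUMBSBD stages traffic in a hidden $RECYCLE.BIN at the drive root, VIRUSTASK in
# $RECYCLE.BIN.USER. A real NTFS volume carries a legitimate $RECYCLE.BIN, so only
# the .USER variant is treated as a finding on its own.
STAGING_DIRS = ("$RECYCLE.BIN.USER",)


def audit_drive(root: str) -> Dict[str, List[str]]:
    """Return suspicious staging directories and shadowing .lnk files under `root`."""
    root_path = Path(root)
    findings: Dict[str, List[str]] = {"staging_dirs": [], "shadow_lnks": []}

    for name in STAGING_DIRS:
        if (root_path / name).is_dir():
            findings["staging_dirs"].append(str(root_path / name))

    for dirpath, _dirnames, filenames in os.walk(root_path):
        present = set(filenames)
        for name in filenames:
            # "report.docx.lnk" sitting beside "report.docx" is the hijack signature.
            if name.lower().endswith(".lnk") and name[:-4] in present:
                findings["shadow_lnks"].append(os.path.join(dirpath, name))

    findings["shadow_lnks"].sort()
    return findings


def demo_drive() -> str:
    """Constructed drive layout: one hijacked document, one benign shortcut."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.mkdir(os.path.join(root, "$RECYCLE.BIN.USER"))
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("docs/report.docx", "docs/report.docx.lnk", "docs/notes.txt", "Games.lnk"):
        Path(root, rel).write_text("placeholder")
    return root


if __name__ == "__main__":
    for key, hits in audit_drive(demo_drive()).items():
        print(key, hits)
```

On a Windows host the shadowed original should additionally carry the hidden attribute, which Python exposes as the FILE_ATTRIBUTE_HIDDEN bit (0x2) of os.stat(path).st_file_attributes; checking it there turns a name-collision heuristic into a much stronger indicator. Pair the audit with a scheduled-task review for interpreters renamed to look like utilities (the usbspeed.exe / rubyupdatecheck pattern above), since a clean drive tells you nothing about a host that is already persisted.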
Key sources:
- https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks
- https://thehackernews.com/2026/02/scarcruft-uses-zoho-workdrive-and-usb.html
- https://securityaffairs.com/188767/apt/apt37-combines-cloud-storage-and-usb-implants-to-infiltrate-air-gapped-systems.html
- https://www.rescana.com/post/scarcruft-exploits-zoho-workdrive-and-usb-malware-to-compromise-air-gapped-government-and-defense-ne
StegaBin / Famous Chollima npm Supply Chain Campaign
What happened: Socket uncovered 26 malicious npm packages published to the registry over February 25-26, 2026, all sharing a single malicious file at vendor/scrypt-js/version.js, attributed to the North Korean-aligned actor FAMOUS CHOLLIMA – closely associated with the Lazarus Group and the ongoing Contagious Interview campaign. The packages were typosquatted versions of popular libraries like express, fastify, and lodash, often adding a -lint suffix to appear as legitimate developer tooling, and in some cases including the legitimate library as a dependency to boost credibility. Socket’s detection engine flagged the first package within two minutes of publication and all 26 in under six minutes each. The campaign is tracked as StegaBin and represents a meaningful technical evolution from earlier Contagious Interview waves.
Technical details that matter:
- C2 Concealment via Steganography: C2 URLs encoded character-by-character into three Pastebin essays at evenly-spaced positions; the decoder strips zero-width Unicode characters, reads a 5-digit length marker, calculates the character positions, and splits on a ||| separator to reconstruct the domain array; the infrastructure is invisible to signature-based scanning
- Infrastructure: 31 Vercel deployments used as C2 relay; the active deployment at time of analysis resolved to 103[.]106[.]67[.]63 on ports 1244 and 1247
- Malicious Install Script: Automatically executing install.js triggers the payload loader on npm install; no user interaction required beyond standard package installation
- Cross-Platform Payloads: Platform-specific shell payloads delivered for Windows, macOS, and Linux from the decoded Vercel relay
- RAT Modules (9 total): VSCode persistence, clipboard theft, browser credential harvesting, keylogging, TruffleHog secrets scanning, and a filesystem sweep targeting 17 glob patterns including seed phrases, private keys, .env files, KeePass databases, and Solidity contracts
- Persistence: .vscode/tasks.json used as a persistence trigger via the folder-open event; SSH directory artifacts for long-term access
- Evasion: Legitimate library included as a dependency to pass casual inspection; typosquatting with a -lint suffix mimics real developer tooling patterns
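The steganography scheme is easier to reason about with a working encoder and decoder in hand. The script below is an added example, not the StegaBin loader's code: Socket's write-up describes the decoder only in outline (strip zero-width characters, read a 5-digit length marker, compute evenly spaced positions, split on |||), so the concrete layout used here, with the marker in the first five visible characters and the payload spread over the rest at a fixed stride in a single carrier rather than across three pastes, is an assumption. The carrier text and the relay hostnames are placeholders.

```python
"""Encode and decode a StegaBin-style character-position stego channel.

Added example, not the StegaBin decoder. Layout (marker in the first five
visible characters, payload at a fixed stride over the remainder, a single
carrier) is assumed; the carrier text and hostnames are placeholders.
"""
import re
from typing import List

ZERO_WIDTH = re.compile("[\u200B-\u200D\u2060\uFEFF]")
SEP = "|||"
MARKER_LEN = 5

# Constructed carrier and placeholder relay names.
CARRIER = (
    "The quiet discipline of writing every morning is less about inspiration "
    "than about showing up, and the essays that follow were drafted that way. "
) * 4
DOMAINS = ["relay-one.example", "relay-two.example", "relay-three.example"]


def encode(carrier: str, domains: List[str]) -> str:
    """Overwrite evenly spaced carrier characters with the joined domain list."""
    payload = SEP.join(domains)
    n = len(payload)
    visible = list(carrier)
    if n < 1 or n > 99999 or n > len(visible) - MARKER_LEN:
        raise ValueError("payload does not fit the carrier or the 5-digit marker")
    visible[:MARKER_LEN] = list(f"{n:05d}")
    stride = (len(visible) - MARKER_LEN) // n
    for i, ch in enumerate(payload):
        visible[MARKER_LEN + i * stride] = ch
    # Sprinkle zero-width spaces through the text as noise; the decoder strips them.
    return "".join(ch + ("\u200b" if i % 7 == 3 else "") for i, ch in enumerate(visible))


def decode(paste: str) -> List[str]:
    """Recover the domain array from a paste produced by encode()."""
    visible = ZERO_WIDTH.sub("", paste)
    n = int(visible[:MARKER_LEN])
    stride = (len(visible) - MARKER_LEN) // n
    return "".join(visible[MARKER_LEN + i * stride] for i in range(n)).split(SEP)


if __name__ == "__main__":
    paste = encode(CARRIER, DOMAINS)
    print(decode(paste))
```

The defensive lesson is in what decode() needs: nothing in the paste itself looks like a URL, so a paste-site fetch from an install script is the observable event, not the paste content. A package whose install-time code fetches text from a paste service and post-processes it with a zero-width-character strip is worth blocking regardless of what the text says.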
Why you should care: The targeting is deliberate: developers are the highest-value soft target in your organization because they hold API keys, cloud credentials, SSH keys, signing certificates, and access to production pipelines. The TruffleHog module is particularly notable – the attacker is using your own secrets-scanning tooling against you, sweeping the developer’s filesystem for credentials they forgot to rotate. This iteration of the Contagious Interview campaign demonstrates a concerted effort to bypass both automated detection and human review, with character-level steganography on Pastebin making the C2 infrastructure essentially invisible to signature-based scanning. Any organization whose developers can install arbitrary npm packages with lifecycle scripts enabled, without lockfile integrity checks or a curated internal registry, is exposed to this exact vector; npm’s ignore-scripts setting blocks the install.js trigger outright, at the cost of breaking packages that legitimately build on install.
Key sources:
- https://socket.dev/blog/stegabin-26-malicious-npm-packages-use-pastebin-steganography
- https://thehackernews.com/2026/03/north-korean-hackers-publish-26-npm.html
- https://www.scworld.com/brief/updated-contagious-interview-campaign-harnesses-illicit-npm-packages-for-rat-delivery
- https://securityonline.info/north-korean-stegabin-campaign-targets-developers-with-steganographic-malware/
VOID#GEIST – Multi-Stage Batch Script RAT Delivery Campaign
What happened: Securonix Threat Research disclosed VOID#GEIST on March 6, 2026 – a multi-stage malware campaign that uses obfuscated batch scripts as a delivery pathway for three encrypted RAT payloads: XWorm, AsyncRAT, and Xeno RAT. The attack chain begins with a phishing-delivered batch script and progresses through multiple stages without ever dropping a decrypted executable to disk. The obfuscated batch script deploys a second batch script, stages a legitimate embedded Python runtime, and decrypts encrypted shellcode blobs that are executed directly in memory by injecting them into separate instances of explorer.exe using Early Bird Asynchronous Procedure Call (APC) injection. Attribution is not confirmed as of disclosure.
Technical details that matter:
- Payload Staging: Three encrypted shellcode blobs, new.bin (XWorm), xn.bin (Xeno RAT), and pul.bin (AsyncRAT), alongside a.json, n.json, and p.json key files containing the runtime decryption keys required for each payload
- Python Runtime Embedding: Legitimate Python runtime pulled from python.org and embedded directly into the staging directory; the malware operates even if Python is not installed on the target host, creating a fully self-contained execution environment
- Injection Technique: Early Bird APC injection into explorer.exe; code is queued to the thread’s APC list and executes before the thread’s main routine runs, ahead of most EDR hook points at thread creation
- Fileless Execution: Decrypted payloads never written to disk in recognizable form; all execution happens within the memory of a trusted Windows process
- Redundancy by Design: Three independent RATs with separate C2 channels deployed simultaneously – if one implant is detected and remediated, the other two continue operating independently
- Obfuscation: Multi-layer batch script obfuscation designed to mimic legitimate user activity; the script-based delivery chain breaks assumptions about executable-based detection at every stage
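Early Bird APC leaves little for file scanners, but the process tree it produces is unusual: explorer.exe is normally started once per session by userinit.exe, and here three fresh explorer.exe instances are spawned by a Python interpreter running from a user-writable staging directory and then talk to the internet. The correlator below is an added example, not Securonix’s detection content. It uses a simplified Sysmon-like event shape (EventID 1 process creation with Image, ParentImage and ProcessId; EventID 3 network connection with Image, ProcessId, DestinationIp and DestinationPort); the field names follow Sysmon, but the events, the staging path and the destination addresses are constructed for the demo.

```python
"""Flag explorer.exe instances with an unexpected parent that then go on the network.

Added example, not Securonix's detection logic. Event shape is a simplified
Sysmon layout; the sample events, staging path and addresses are constructed.
"""
from typing import Dict, List

# Parents that legitimately start explorer.exe. Anything else is worth a look.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "explorer.exe", "winlogon.exe"}
# Path fragments that mark a user-writable location (a staged runtime, not Program Files).
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")

STAGE = "C:\\Users\\alice\\AppData\\Local\\Temp\\stage\\python.exe"  # constructed
SAMPLE_EVENTS: List[Dict] = [  # constructed, not real telemetry
    {"EventID": 1, "Image": "C:\\Windows\\explorer.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe", "ProcessId": 4000},
    {"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "ParentImage": STAGE, "ProcessId": 5001},
    {"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "ParentImage": STAGE, "ProcessId": 5002},
    {"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "ParentImage": STAGE, "ProcessId": 5003},
    {"EventID": 3, "Image": "C:\\Windows\\explorer.exe", "ProcessId": 5001,
     "DestinationIp": "192.0.2.10", "DestinationPort": 4444},
    {"EventID": 3, "Image": "C:\\Windows\\explorer.exe", "ProcessId": 5002,
     "DestinationIp": "192.0.2.11", "DestinationPort": 7000},
    {"EventID": 3, "Image": "C:\\Windows\\explorer.exe", "ProcessId": 5003,
     "DestinationIp": "192.0.2.12", "DestinationPort": 1337},
    {"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "ProcessId": 6100, "DestinationIp": "198.51.100.5", "DestinationPort": 443},
]


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def find_suspicious_explorer(events: List[Dict]) -> List[Dict]:
    """Return explorer.exe processes with an unexpected parent, plus their connections."""
    suspects: Dict[int, Dict] = {}
    for ev in events:
        if ev["EventID"] != 1 or basename(ev["Image"]) != "explorer.exe":
            continue
        if basename(ev["ParentImage"]) in EXPECTED_EXPLORER_PARENTS:
            continue
        suspects[ev["ProcessId"]] = {
            "pid": ev["ProcessId"],
            "parent": ev["ParentImage"],
            "parent_in_user_path": any(m in ev["ParentImage"].lower() for m in USER_WRITABLE_MARKERS),
            "connections": [],
        }
    for ev in events:
        if ev["EventID"] == 3 and ev["ProcessId"] in suspects:
            suspects[ev["ProcessId"]]["connections"].append(
                f"{ev['DestinationIp']}:{ev['DestinationPort']}")
    for s in suspects.values():
        # An odd parent alone is medium; odd parent from a user-writable path plus
        # outbound traffic from the injected host process is the VOID#GEIST shape.
        s["severity"] = "high" if s["connections"] and s["parent_in_user_path"] else "medium"
    return sorted(suspects.values(), key=lambda s: s["pid"])


if __name__ == "__main__":
    for hit in find_suspicious_explorer(SAMPLE_EVENTS):
        print(hit)
```

The correlation is keyed on ProcessId for readability; real Sysmon telemetry should be joined on ProcessGuid, since PIDs are reused. The same shape applies to any trusted host process an injector prefers (svchost.exe, RuntimeBroker.exe): maintain the expected-parent set per image and let the network join do the work.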
Why you should care: The redundant multi-RAT deployment is operationally significant. Security teams responding to an XWorm detection may remediate that implant and close the ticket while AsyncRAT and Xeno RAT continue providing access. The script-based delivery chain – batch to Python to shellcode to memory injection – breaks the assumption that endpoint protection scanning for executable files will catch the threat at any stage. For institutions with large user populations and high phishing exposure (hospitals, universities, utilities), the combination of fileless execution, three independent C2 channels, and a delivery mechanism that looks like a user running a script represents a meaningful detection gap. Modern malware campaigns increasingly shift from standalone executables toward complex, script-based delivery frameworks that closely mimic legitimate user activity – and your SOC needs to be hunting at the process injection level, not the file level.
Key sources:
- https://thehackernews.com/2026/03/multi-stage-voidgeist-malware.html
- https://www.securonix.com/blog/voidgeist-stealthy-multi-stage-python-loader/
The Pattern This Week
Each of this week’s three campaigns was engineered around a specific defensive layer the attacker assumed you are not watching. Ruby Jumper routes C2 through an authenticated Zoho WorkDrive session – your proxy tool sees a legitimate SaaS API call, not a command channel – and delivers commands to isolated networks via USB drives your employees already trust. StegaBin hides its C2 infrastructure inside the character positions of a public Pastebin essay – your threat intel feed never catalogued it because there is nothing to catalogue until you know the decoding algorithm. VOID#GEIST injects three RATs into explorer.exe via Early Bird APC before thread-creation hooks initialize, and your file-based detection never fires because no decrypted executable ever reaches disk.
The structure is the same across all three: identify the detection layer and design the attack to run underneath it. VOID#GEIST adds a further bet: that defenders will close the ticket after they find one implant without realizing there are two more still running. Two of the three campaigns are North Korean-linked, which says something about how methodically DPRK-nexus clusters have mapped out and tested the gaps in Western enterprise security stacks over the past several years.
The defender’s problem is not a missing signature or an unpatched CVE. It is that your detection stack was built to catch the last generation of attacks. Cloud storage C2, steganographic Pastebin encoding, and pre-hook process injection are all techniques that require you to go one layer deeper than standard tooling looks. If you are not auditing cloud storage API traffic as a potential C2 category, enforcing npm lockfile integrity, monitoring scheduled tasks for renamed interpreters, and hunting for APC injection at the process level rather than the file level – this week’s campaigns were invisible to you.
See you next week.

