APT37 Adds New Tools For Air-Gapped Networks
ID: 95c90c20-a6b0-5eb6-9bc5-382f77cbe22e
STIX ID: report--95c90c20-a6b0-5eb6-9bc5-382f77cbe22e
Feed Name: Zscaler Security Research Blog
ThreatLabz describes the APT37 "Ruby Jumper" campaign: a multi-stage, sophisticated toolkit that uses malicious LNKs and PowerShell to stage shellcode loaders and deploy multiple payloads — RESTLEAF (Zoho WorkDrive-based C2), SNAKEDROPPER (drops Ruby runtime and implants), THUMBSBD (removable-media air-gap bridging and exfiltration), VIRUSTASK (USB propagation), FOOTWINE (surveillance payload with custom crypto), and BLUELIGHT (cloud-backed backdoor). The report documents precise TTPs, persistence mechanisms, hardcoded Zoho tokens, registry keys, filenames, operational domains (including at least one active domain), and detection/evasion behaviors relevant for defenders.
