
APT37 Adds New Capabilities for Air-Gapped Networks

Severity: Medium
Published: Thu Feb 26 2026 (02/26/2026, 15:36:54 UTC)
Source: AlienVault OTX General

Description

APT37, a DPRK-backed threat group, has launched a new campaign called Ruby Jumper, utilizing Windows shortcut files to initiate attacks with newly discovered tools. These tools include RESTLEAF, SNAKEDROPPER, THUMBSBD, and VIRUSTASK, which work together to deliver surveillance payloads like FOOTWINE and BLUELIGHT. The campaign leverages removable media to infect and communicate with air-gapped systems. Key features include the use of Ruby for shellcode-based payloads, abuse of cloud storage services for command and control, and sophisticated techniques for bypassing network isolation. The malware demonstrates advanced capabilities in system reconnaissance, data exfiltration, and persistent surveillance.

AI-Powered Analysis

Last updated: 02/26/2026, 20:47:53 UTC

Technical Analysis

The Ruby Jumper campaign by APT37 is a notable evolution in attacks against air-gapped networks, which are kept isolated from external networks precisely so that remote intrusion is not possible. The initial infection vector is a Windows shortcut (.lnk) file that, once opened by the user, executes the first-stage tooling. The actor uses a modular toolset (RESTLEAF, SNAKEDROPPER, THUMBSBD and VIRUSTASK) that together handles system reconnaissance, staging and persistent backdoor access, with FOOTWINE and BLUELIGHT as the surveillance and data-exfiltration payloads. The use of Ruby as the runtime for shellcode-based payloads is unusual and gives the actor a flexible execution path that most detection content does not expect. Command and control for the internet-connected hosts is conducted through legitimate cloud storage services, so the traffic blends with ordinary SaaS usage and passes controls that only block known-bad infrastructure. The air-gapped side is reached differently: infected removable media carry the tooling onto the isolated system and carry collected data and tasking back, so the connected host acts as a relay between the cloud C2 channel and the disconnected machine. The analysis also attributes process injection, credential dumping and masquerading to the toolset for evasion and persistence. Because the bridge depends on human handling of USB devices and on physical access, it is difficult to defend against with network controls alone. The multi-stage design indicates a capable adversary intent on long-term espionage.

Potential Impact

Organizations with air-gapped networks, typical of critical infrastructure, government, defense and high-security research environments, are the population at risk. A successful compromise gives the actor surveillance of the isolated system and the ability to exfiltrate intellectual property or classified material that was placed on that network precisely because it was assumed unreachable. Cloud-storage C2 on the connected side and removable-media relaying on the isolated side together undermine the assumption that isolation alone is protective. Persistent access and the evasion techniques described above lengthen dwell time and complicate remediation: a clean-up that misses the media in circulation or the connected relay host is undone on the next USB transfer. Beyond confidentiality loss, the operational and regulatory consequences can be significant, and the use of legitimate cloud services as C2 pulls third-party providers into the response and makes blocking at the network edge harder without collateral impact. The medium severity rating reflects that infection requires user interaction with a shortcut file and, for the air-gapped hop, physical handling of removable media, which limits the attack surface even though the tradecraft is sophisticated.

Mitigation Recommendations

Removable media: enforce a device-control policy so that only approved, inventoried devices mount on air-gapped hosts; deny execute access on removable disks (the Removable Storage Access group policy or its registry equivalent); disable AutoRun/AutoPlay; and scan every device on a dedicated kiosk before it crosses the gap. Treat .lnk files arriving on USB as suspicious by default: block them from executing and alert on them.
Application control: use allow-listing (AppLocker or WDAC) so that unapproved binaries and interpreters cannot run. A Ruby interpreter has no business on an air-gapped workstation, and its presence is itself an indicator.
Network monitoring: on the connected side, restrict outbound access to cloud storage services to approved tenants, log it, and alert on uploads from hosts that do not normally use those services. Search DNS and proxy logs for the domains in the IOC list, including their subdomains.
EDR: deploy endpoint detection with coverage for process injection, credential dumping and masquerading, and make sure the air-gapped estate has an offline-capable sensor whose telemetry is collected periodically rather than never.
IOC hunting: the hashes on this page are 32-character MD5 values; use them to confirm known samples, not as the only detection, since recompilation changes them trivially. Sweep both the connected hosts and the isolated estate, and hash the contents of any removable media found in circulation.
Physical security and training: limit who may carry media into the isolated zone, and teach staff that a shortcut file on a USB stick is a lure, not a document.
Incident response: plans should cover tracing the chain of media transfers, imaging suspect USB devices, and working with the cloud providers to identify and block the abused storage accounts.
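The following is an added example, not code from the Zscaler report or the OTX pulse, showing how the hash and domain hunting recommended above can be done on a mounted USB volume and on DNS logs. The indicator values are taken from this page's IOC table; the DNS log line format, the sample log lines and the files placed on the temporary "USB stick" are constructed for the example. Domain matching is label-boundary aware, so the www. variants listed on the page are covered by the apex domains without also matching look-alikes such as notphilion.store.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# MD5 hashes and domains copied from this page's IOC table.
IOC_MD5 = {
    "098d697f29b94c11b52c51bfe8f9c47d",
    "4214818d7cde26ebeb4f35bc2fc29ada",
    "476bce9b9a387c5f39461d781e7e22b9",
    "57dac5f7d21da2454d0fbefdced80bf3",
    "585322a931a49f4e1d78fb0b3f3c6212",
    "5c6ff601ccc75e76c2fc99808d8cc9a9",
    "709d70239f1e9441e8e21fcacfdc5d08",
    "ad556f4eb48e7dba6da14444dcce3170",
}
# The www. entries on the page are covered by suffix matching on the apex domains.
IOC_DOMAINS = {"hightkdhe.store", "homeatedke.store", "philion.store"}


def normalize_domain(name: str) -> str:
    """Lower-case and drop the trailing dot that DNS logs often keep."""
    return name.strip().rstrip(".").lower()


def domain_matches(name: str, iocs=IOC_DOMAINS) -> bool:
    """True for an IOC domain or any subdomain of it. A label boundary is
    required, so 'notphilion.store' does not match 'philion.store'."""
    n = normalize_domain(name)
    return any(n == d or n.endswith("." + d) for d in iocs)


def file_md5(path) -> str:
    """MD5 of a file, streamed so large media images do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_tree(root, hashes=IOC_MD5):
    """Walk a mounted volume (e.g. a USB stick); report hash hits and every .lnk,
    since a shortcut file is the initial vector described on this page."""
    hits, lnks = [], []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            if fn.lower().endswith(".lnk"):
                lnks.append(str(p))
            try:
                if file_md5(p) in hashes:
                    hits.append(str(p))
            except OSError:
                continue  # unreadable entry; a real sweep would log it
    return {"hash_hits": sorted(hits), "lnk_files": sorted(lnks)}


# Assumed log line shape, constructed for this example:
# "<timestamp> <client_ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)")

SAMPLE_DNS_LOG = [  # constructed sample lines, not real telemetry
    "2026-02-26T15:36:54Z 10.0.0.7 query www.hightkdhe.store.",
    "2026-02-26T15:36:55Z 10.0.0.7 query update.microsoft.com.",
    "2026-02-26T15:36:56Z 10.0.0.9 query philion.store.lookalike.example.",
]


def scan_dns_log(lines, iocs=IOC_DOMAINS):
    """Return (client, qname) pairs whose query hits an IOC domain or subdomain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and domain_matches(m["qname"], iocs):
            hits.append((m["client"], normalize_domain(m["qname"])))
    return hits


def demo():
    """Build a constructed 'USB stick' in a temp dir and sweep it. The fake
    payload's own hash is added to the IOC set because no real sample is shipped."""
    with tempfile.TemporaryDirectory() as root:
        docs = Path(root) / "docs"
        docs.mkdir()
        payload = docs / "report.dat"
        payload.write_bytes(b"constructed sample file, not real malware")
        (docs / "Report.lnk").write_bytes(b"L\x00\x00\x00")  # stub, not a valid shortcut
        (docs / "notes.txt").write_text("benign content")
        return sweep_tree(root, IOC_MD5 | {file_md5(payload)})


if __name__ == "__main__":
    print(demo())
    print(scan_dns_log(SAMPLE_DNS_LOG))
```

On a real sweep, point sweep_tree at the mount point of the device and keep the hash hits as confirmation of known samples only; a .lnk on removable media that nobody can account for deserves analysis regardless of whether its hash is on this page.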


Technical Details

Author: AlienVault
TLP: white
References: https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks
Adversary: APT37
Pulse ID: 69a06896d797f45ad8da76b0
Threat Score: none

Indicators of Compromise

Hash (MD5)

098d697f29b94c11b52c51bfe8f9c47d
4214818d7cde26ebeb4f35bc2fc29ada
476bce9b9a387c5f39461d781e7e22b9
57dac5f7d21da2454d0fbefdced80bf3
585322a931a49f4e1d78fb0b3f3c6212
5c6ff601ccc75e76c2fc99808d8cc9a9
709d70239f1e9441e8e21fcacfdc5d08
ad556f4eb48e7dba6da14444dcce3170

Domain

hightkdhe.store
homeatedke.store
philion.store
www.hightkdhe.store
www.homeatedke.store
www.philion.store

Threat ID: 69a0ace185912abc71e473ab

Added to database: 2/26/2026, 8:28:17 PM

Last enriched: 2/26/2026, 8:47:53 PM

Last updated: 2/26/2026, 11:46:52 PM