Particle.news

Zscaler Ties North Korea’s APT37 to ‘Ruby Jumper’ Using Zoho WorkDrive and USB Malware to Breach Air‑Gapped Networks

Researchers describe a coordinated toolkit that blends cloud command channels with removable‑media hops to move tasks and data through isolated systems.

Overview

  • Zscaler ThreatLabz says it uncovered the Ruby Jumper campaign in December 2025 and published its technical report on February 26, 2026.
  • Infection starts with malicious Windows LNK files that launch PowerShell to carve multiple payloads out of the shortcut itself, including a decoy Arabic document about the Palestine‑Israel conflict.
  • A newly observed implant called RESTLEAF uses Zoho WorkDrive for command‑and‑control to fetch follow‑on components, leading to the SNAKEDROPPER loader that installs a Ruby runtime disguised as usbspeed.exe and sets persistence.
  • THUMBSBD turns USB drives into covert two‑way relays for commands and exfiltration, while VIRUSTASK focuses on propagation to new air‑gapped hosts by weaponizing shortcuts and only triggers when sufficient free space is available.
  • The toolkit also includes FOOTWINE spyware, which provides keylogging and audio/video capture, and reuses the BLUELIGHT backdoor, which leverages cloud providers such as Google Drive and OneDrive. Zscaler attributes the activity to APT37 with high confidence and does not name specific victims.