The Human Connection Blog

New CTI Labs: Ruby Jumper Campaign: Analysis and Threat Actors: APT37

benhopkins
11 hours ago

Today, Immersive's Container 7 Research Team has released two labs on APT37 and its latest campaign.

In February 2026, Zscaler ThreatLabz uncovered a sophisticated cyber espionage campaign orchestrated by APT37, assessed to be a North Korean state-sponsored threat actor. Dubbed "Ruby Jumper", this campaign represents a significant escalation in APT37's technical capabilities, specifically targeting air-gapped networks through weaponized removable media and abuse of legitimate cloud services.

What is this about?

Air-gapped networks are considered the final line of defense against threats to critical infrastructure, classified government systems, nuclear facilities, and high-value intellectual property. Ruby Jumper demonstrates that physical network isolation is no longer sufficient; sophisticated adversaries have developed reliable methods to bridge the air gap using removable media as bidirectional command channels.

Why is this critical for you and your team?

This campaign introduces novel techniques, including portable Ruby runtime environments for cross-platform malware execution, OAuth-based cloud C2 through legitimate services (Zoho WorkDrive, Google Drive, OneDrive), and self-propagating USB infection mechanisms. Understanding these TTPs is essential for organizations operating in air-gapped environments or defending against advanced persistent threats that leverage social engineering and trusted infrastructure to bypass traditional security controls.
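As an added illustration of how a threat hunter might look for the TTP pairing named above (a portable Ruby runtime on removable media that then reaches a cloud-storage API), here is a small hunt over constructed process and network telemetry. This is example code written for this post, not material from the labs or from Zscaler's report; the log format, drive letters, process names and cloud-drive hostnames are assumptions, not campaign indicators.

```python
"""Hunt: Ruby interpreter launched from removable media that later connects to
a cloud-drive API host. Log lines below are constructed for this example."""
import re

# Assumed hostnames for the services the post names (Zoho WorkDrive, Google Drive,
# OneDrive via Microsoft Graph); replace with what your proxy/DNS telemetry shows.
CLOUD_DRIVE_HOSTS = {"workdrive.zoho.com", "www.googleapis.com", "graph.microsoft.com"}
# Assumed removable mount points; feed these from your device-control data instead.
REMOVABLE_MOUNTS = ("D:\\", "E:\\", "F:\\", "/media/", "/Volumes/")
RUBY_BINARIES = ("ruby.exe", "rubyw.exe", "ruby")

PROC_RE = re.compile(r'^(?P<ts>\S+) PROCESS host=(?P<host>\S+) pid=(?P<pid>\d+) '
                     r'image="(?P<image>[^"]+)" cmd="(?P<cmd>[^"]*)"$')
NET_RE = re.compile(r'^(?P<ts>\S+) NETCONN host=(?P<host>\S+) pid=(?P<pid>\d+) '
                    r'dst=(?P<dst>\S+):(?P<port>\d+)$')

def is_ruby_from_removable(image: str) -> bool:
    """True when the image is a Ruby interpreter located on an assumed removable mount."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in RUBY_BINARIES and image.startswith(REMOVABLE_MOUNTS)

def hunt(lines):
    """Return one record per (host, pid) whose Ruby-from-removable process
    connected to a cloud-drive API host. Order of events matters: the process
    event must precede the connection."""
    suspects = {}  # (host, pid) -> image path
    hits = []
    for line in lines:
        m = PROC_RE.match(line)
        if m and is_ruby_from_removable(m["image"]):
            suspects[(m["host"], m["pid"])] = m["image"]
            continue
        m = NET_RE.match(line)
        key = (m["host"], m["pid"]) if m else None
        if m and key in suspects and m["dst"].lower() in CLOUD_DRIVE_HOSTS:
            hits.append({"host": m["host"], "pid": m["pid"],
                         "image": suspects[key], "dst": m["dst"]})
    return hits

SAMPLE_LOGS = [  # constructed telemetry, not real campaign data
    '2026-02-10T09:00:01Z PROCESS host=WS01 pid=4120 image="C:\\Ruby33\\bin\\ruby.exe" cmd="ruby build.rb"',
    '2026-02-10T09:00:05Z NETCONN host=WS01 pid=4120 dst=rubygems.org:443',
    '2026-02-10T09:02:11Z PROCESS host=WS02 pid=5532 image="E:\\tools\\ruby\\bin\\ruby.exe" cmd="ruby run.rb"',
    '2026-02-10T09:02:14Z NETCONN host=WS02 pid=5532 dst=workdrive.zoho.com:443',
    '2026-02-10T09:03:00Z PROCESS host=WS03 pid=7001 image="E:\\docs\\viewer.exe" cmd="viewer.exe"',
    '2026-02-10T09:03:02Z NETCONN host=WS03 pid=7001 dst=graph.microsoft.com:443',
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOGS):
        print(f"ALERT {h['host']} pid={h['pid']} {h['image']} -> {h['dst']}")
```

Only the WS02 process trips the rule: a developer's Ruby on a fixed disk (WS01) and a non-Ruby binary on removable media (WS03) are left alone, which is the kind of pairing that keeps a hunt like this from drowning in benign cloud-sync traffic.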

Who is the content for?

  • Cyber Threat Intelligence Analysts
  • Malware Reverse Engineers
  • Threat Researchers
  • Threat Hunters

Link to the Labs:

Version 1.0