March 11, 2026

APT37 hackers use new malware to breach air-gapped networks

The article says North Korea-linked APT37 is using a new malware campaign called “Ruby Jumper” to move data into and out of air-gapped networks—systems that are normally isolated from the internet. According to the report, the attack starts when a victim opens a malicious Windows shortcut (LNK) file, which secretly runs PowerShell, drops malware, and shows a decoy document to avoid suspicion. From there, the attackers install several tools, including a Ruby-based loader and backdoors that collect system data, prepare files for theft, and maintain control of infected machines.

What makes this campaign notable is how it crosses the “air gap.” The malware copies hidden data and commands onto USB drives, turning removable media into a covert bridge between connected systems and isolated ones. One component spreads the infection by replacing normal files on USB devices with malicious shortcuts, while another can even deploy spyware that supports keylogging, screenshots, audio/video recording, and remote shell access. In simple terms, the campaign shows that even systems not connected to the internet can still be compromised if attackers can abuse trusted removable media as a delivery and exfiltration path.
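The two techniques above, the LNK that quietly launches PowerShell behind a decoy and the USB files that get swapped for look-alike shortcuts, are both things a responder can check for on a suspect drive. The following is an added example (not code from the article, and not APT37's tooling): a minimal parser for the Windows Shell Link binary format (MS-SHLLINK) that recovers a .lnk file's target, arguments, icon and ShowCommand and scores the launcher indicators, plus a check that pairs each visible .lnk on a removable drive with a hidden file it impersonates. The sample LNK blobs, the directory listing, the Office/PowerShell paths and the 1 MiB "oversized" threshold are all constructed or assumed for the example, not values taken from the report.

```python
"""Triage .lnk files and removable-media listings for the LNK -> PowerShell -> decoy pattern.

Added example, not code from the article or from APT37 tooling. Parses MS-SHLLINK far
enough to recover target, arguments, icon and ShowCommand, then flags hunt indicators.
Sample LNKs are built in memory; paths and thresholds are assumptions, not report values.
"""
import base64
import re
import struct

# HeaderSize (0x4C) followed by LinkCLSID {00021401-0000-0000-C000-000000000046}, little-endian
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1), only the ones this parser needs
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
SW_SHOWMINNOACTIVE = 7           # window opens minimized without focus
OVERSIZED_LNK = 1024 * 1024      # assumed threshold: a shortcut this big usually carries a payload
DOCUMENT_ICON_HINTS = ("winword", "excel", "powerpnt", "acrord", ".docx", ".pdf")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a Shell Link."""
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 60)
    off = 76                                         # end of ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:              # IDListSize (2 bytes) + IDList
        size, = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                        # LinkInfoSize is the first DWORD
        size, = struct.unpack_from("<I", data, off)
        off += size
    info = {"flags": flags, "show_command": show_command}
    for bit, key in STRING_FIELDS:                   # StringData blocks appear in this fixed order
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, off)
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        off += count * width
        info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return info


def lnk_indicators(data: bytes) -> list:
    """Heuristics for a PowerShell launcher hiding behind a document icon; returns readable hits."""
    info = parse_lnk(data)
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    args = info.get("arguments", "").lower()
    icon = info.get("icon_location", "").lower()
    hits = []
    if "powershell" in target or "pwsh" in target:
        hits.append("launches PowerShell")
    if re.search(r"-w(?:indowstyle)?\s+hidden", args):
        hits.append("hidden window (-w hidden)")
    if re.search(r"-e(?:nc(?:odedcommand)?)?\s+[a-z0-9+/=]{20,}", args):
        hits.append("encoded command (-enc)")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("ShowCommand=SW_SHOWMINNOACTIVE")
    if any(h in icon for h in DOCUMENT_ICON_HINTS) and "powershell" in target:
        hits.append("document icon on non-document target")
    if len(data) > OVERSIZED_LNK:
        hits.append("oversized (embedded payload likely)")
    return hits


def find_masquerading_lnks(listing: dict) -> list:
    """Pair each visible .lnk with a hidden file it impersonates (listing maps name -> is_hidden).

    Models the USB replacement trick: the original is set hidden and a same-named shortcut
    takes its place; Explorer hides the .lnk extension, so the user sees no change.
    """
    pairs = []
    for name, hidden in listing.items():
        if hidden or not name.lower().endswith(".lnk"):
            continue
        stem = name[:-4]
        for other, other_hidden in listing.items():
            if other_hidden and (other == stem or other.lower().startswith(stem.lower() + ".")):
                pairs.append((name, other))
    return sorted(pairs)


def _string_data(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_sample_lnk(relative_path, arguments, icon_location, show_command) -> bytes:
    """Constructed minimal LNK (no IDList, no LinkInfo) so the example runs offline."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = (LNK_MAGIC + struct.pack("<II", flags, 0x20) + b"\x00" * 24   # attrs, 3 zero FILETIMEs
              + struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0))   # size, icon idx, show, rest
    assert len(header) == 76
    return header + _string_data(relative_path) + _string_data(arguments) + _string_data(icon_location)


# Constructed samples: paths and payload are illustrative, not taken from the report
SAMPLE_MALICIOUS_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -nop -ep bypass -enc "
    + base64.b64encode("Write-Host decoy".encode("utf-16-le")).decode(),
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    SW_SHOWMINNOACTIVE)
SAMPLE_BENIGN_LNK = build_sample_lnk(r"..\..\..\Windows\notepad.exe", "", r"%SystemRoot%\notepad.exe", 1)
SAMPLE_USB_LISTING = {                # name -> hidden attribute, as a USB root might look after infection
    "Q3_budget.xlsx": True, "Q3_budget.xlsx.lnk": False,
    "notes.docx": True, "notes.lnk": False,
    "holiday.jpg": False, "readme.txt.lnk": False,
}

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS_LNK), ("benign", SAMPLE_BENIGN_LNK)):
        print(label, lnk_indicators(blob))
    print(find_masquerading_lnks(SAMPLE_USB_LISTING))
```

On a real drive, feed `lnk_indicators` the bytes of each .lnk and build the listing for `find_masquerading_lnks` from the hidden attribute of every entry in the same directory; a visible shortcut sitting next to a hidden file of the same name is the signature of the replacement trick, whatever the shortcut's target says.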

Source: https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/
