
ScarCruft Exploits Zoho WorkDrive to Bridge Air-Gapped Networks via USB Malware

Security Arsenal Team
February 27, 2026

The Illusion of Isolation: Breaking the Air Gap

In the cybersecurity world, the "air gap" has long been considered the ultimate fortress. By physically isolating critical systems from the internet, organizations assume they are safe from remote adversaries. However, the North Korean state-sponsored group known as ScarCruft (also tracked as APT37 or Reaper) has once again proven that physical isolation is not a silver bullet.

Security Arsenal analysts have been tracking the recent "Ruby Jumper" campaign uncovered by Zscaler ThreatLabz. This operation highlights a sophisticated evolution in tradecraft: ScarCruft has developed mechanisms to abuse legitimate cloud services like Zoho WorkDrive for command-and-control (C2), while simultaneously utilizing custom USB malware to jump the air gap.

Analysis: The Mechanics of Ruby Jumper

ScarCruft’s objective in this campaign appears to be espionage targeting highly sensitive, often isolated environments. The attack chain is a masterclass in "Living off Trusted Sites" and physical bridging.

1. Cloud-Based C2 via Zoho WorkDrive

Traditional malware relies on hardcoded IP addresses or suspicious domains for C2, making detection relatively straightforward. ScarCruft has adapted by weaponizing Zoho WorkDrive, a legitimate cloud storage service.

  • The Tactic: The malware uses Zoho WorkDrive as its C2 channel, downloading additional payloads or uploading stolen data while blending in with normal corporate traffic.
  • The Evasion: Since Zoho is a reputable service, security devices often whitelist its traffic. This allows the attacker to bypass network egress filters and hide the malicious data exfiltration within the noise of legitimate cloud usage.

2. Bridging the Divide with USB Malware

The most alarming aspect of this campaign is the "jumper" component. To reach the air-gapped network (the target), ScarCruft employs malware that propagates via removable media (USB drives).

  • Infection Logic: An internet-connected machine within the organization is initially compromised (perhaps via phishing). It becomes the "patient zero."
  • The Bridge: When a USB drive is inserted into the infected machine, the malware automatically copies a malicious payload onto it.
  • The Breach: When that same USB drive is later plugged into an air-gapped system, the payload executes. It then writes collected data (and can pick up queued commands) on the USB drive, which carries it back to the internet-connected system for upload to the Zoho C2 channel.

Detection and Threat Hunting

Detecting this type of activity requires monitoring for suspicious process interactions with removable media and analyzing network traffic patterns for anomalies within trusted cloud services.

Hunting for Suspicious USB Activity (PowerShell)

Use the following PowerShell script to audit recent events where processes interacted with removable storage volumes, which could indicate USB-borne malware staging.

# Prerequisite: "Audit Removable Storage" (Object Access) must be enabled; those
# accesses are logged as Security event 4663 with task category "Removable Storage".
# Note: 4663 records file access on the volume, not process execution.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} -MaxEvents 1000 |
Where-Object {
    ($_.TaskDisplayName -match 'Removable' -or $_.Message -match 'Removable') -and
    $_.Message -match 'ReadData|WriteData'   # reads (payload pickup) and writes (staging)
} |
Select-Object TimeCreated, Id, TaskDisplayName, Message |
Format-Table -Wrap

Detecting Zoho WorkDrive Anomalies (KQL)

This KQL query for Microsoft Sentinel helps identify devices communicating with Zoho WorkDrive while exhibiting suspicious process behavior (e.g., PowerShell or CMD making the network connection, rather than a browser).

// Successful outbound connections to Zoho initiated by script hosts rather than a browser
DeviceNetworkEvents
| where RemoteUrl contains "zoho"
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| summarize count(), dcount(DeviceName), FirstSeen=min(Timestamp), LastSeen=max(Timestamp)
    by InitiatingProcessFileName, RemoteUrl, InitiatingProcessParentFileName
| order by count_ desc

Mitigation Strategies

To defend against the "Ruby Jumper" techniques employed by ScarCruft, organizations must adopt a defense-in-depth strategy that addresses both the cloud vector and the physical vector.

  1. Restrict USB Usage: Implement strict Group Policy Object (GPO) settings to disable write access to removable media on endpoints where it is not operationally necessary. Consider physically blocking USB ports on air-gapped critical systems.

  2. Implement Data Loss Prevention (DLP): Deploy DLP solutions that inspect traffic to legitimate cloud storage providers. Look for data types (e.g., source code, classified documents) that should never be uploaded to personal or unauthorized cloud drives.

  3. Sanitization Kiosks: If USB data transfer is necessary, use dedicated "sheep dip" or data sanitization kiosks that scan USB drives before they are allowed to interact with air-gapped networks.

  4. Behavioral Analytics: Utilize EDR solutions that can detect "Sneakernet" bridging behavior—flagging instances where the same file hash appears on both an internet-connected host and an isolated host shortly thereafter.
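Item 4 describes correlating file hashes across the two zones. The Python snippet below, added here as an illustration and not part of Zscaler's or Security Arsenal's tooling, runs that correlation over constructed file-creation events; the pipe-delimited log format, host names, zone labels and the 48-hour window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): timestamp|host|zone|sha256|path
SAMPLE_LOG = """\
2026-02-20T09:15:00|WS-CORP-17|connected|{a}|E:\\svc\\updater.exe
2026-02-20T09:16:30|WS-CORP-17|connected|{b}|C:\\Users\\jdoe\\report.docx
2026-02-21T14:02:10|ENG-ISO-03|isolated|{a}|E:\\svc\\updater.exe
2026-02-25T10:00:00|ENG-ISO-03|isolated|{b}|D:\\share\\report.docx
""".format(a="a" * 64, b="b" * 64)  # placeholder hashes, not real IoCs


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    zone: str       # "connected" (internet-facing) or "isolated" (air-gapped)
    sha256: str
    path: str


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, zone, sha, path = line.split("|", 4)
        events.append(FileEvent(datetime.fromisoformat(ts), host, zone, sha, path))
    return events


def find_bridged_hashes(events, window=timedelta(hours=48)) -> list:
    """Flag hashes first seen on a connected host and then on an isolated
    host within `window`: the Sneakernet bridging pattern from item 4."""
    first_connected = {}   # sha256 -> earliest connected-zone sighting
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.zone == "connected":
            first_connected.setdefault(ev.sha256, ev)
        elif ev.zone == "isolated":
            src = first_connected.get(ev.sha256)
            if src is not None and ev.ts - src.ts <= window:
                hits.append({
                    "sha256": ev.sha256,
                    "connected_host": src.host,
                    "isolated_host": ev.host,
                    "gap_hours": round((ev.ts - src.ts).total_seconds() / 3600, 1),
                    "isolated_path": ev.path,   # a removable-drive path strengthens the alert
                })
    return hits


if __name__ == "__main__":
    for hit in find_bridged_hashes(parse_events(SAMPLE_LOG)):
        print(hit)
```

The second hash is deliberately outside the window and is not flagged, which keeps routine document transfers from drowning the alert.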
