North Korea-linked APT37 has developed a method to infiltrate air-gapped systems that combines cloud storage and USB implants, in a campaign known as Ruby Jumper. The group, also referred to as ScarCruft, uses a backdoor that communicates with its command-and-control servers via Zoho WorkDrive, a cloud-based file-sharing platform. This approach lets APT37 conduct surveillance and deliver additional payloads while hiding its traffic behind a trusted, legitimate cloud service. The attacks typically begin with malicious LNK files, which deploy multiple malware families to breach the targeted network. Notably, USB-based implants allow APT37 to reach air-gapped systems, which are isolated from the internet and other networks precisely to prevent cyber attacks [1]. Zscaler ThreatLabz discovered the campaign in December 2025, and it highlights the evolving tactics employed by APT37. The combination of cloud storage and USB implants shows the group's ability to adapt, and it poses a significant threat to organizations holding sensitive information. For practitioners, the takeaway is that a breach attributed to North Korea signals a potential shift in attack methods, which may lead to downstream regulatory and supply-chain effects.
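As an added defender-side example (not code from the SecurityAffairs report or from Zscaler's analysis), the Python below scans constructed web-proxy log lines for Zoho WorkDrive traffic coming from hosts that are not on an allowlist, and labels each flagged host by the direction of that traffic, since a backdoor that both fetches tasking and pushes collected data tends to show both downloads and uploads. The log format, host names and allowlist are assumptions; the match is on the WorkDrive product domain, because the page does not give the backdoor's specific API endpoints.

```python
import re
from collections import defaultdict

# Constructed sample web-proxy log lines (not from the page): timestamp host user method url
PROXY_LOGS = """\
2025-12-03T08:01:12Z ws-eng-07 jdoe GET https://www.example.com/index.html
2025-12-03T08:02:40Z ws-eng-07 jdoe POST https://workdrive.zoho.com/api/v1/files
2025-12-03T08:03:05Z ws-fin-02 asmith GET https://workdrive.zoho.com/api/v1/download/abc
2025-12-03T08:04:00Z ws-fin-02 asmith POST https://workdrive.zoho.com/api/v1/files
2025-12-03T08:05:10Z ws-hr-01 blee GET https://workdrive.zoho.com/home
2025-12-03T08:06:00Z ws-eng-07 jdoe GET https://workdrive.zoho.com.attacker.example/x
"""

# Hosts where Zoho WorkDrive is a sanctioned business tool (assumption; source from asset inventory)
WORKDRIVE_ALLOWED_HOSTS = {"ws-hr-01"}

# Match the WorkDrive product domain (and subdomains) only. The page does not give the
# backdoor's API paths, so we match the domain and reject look-alikes that merely start with it.
WORKDRIVE_RE = re.compile(r"^https?://(?:[\w-]+\.)*workdrive\.zoho\.com(?:[/:?]|$)", re.I)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

def is_workdrive_url(url):
    return WORKDRIVE_RE.match(url) is not None

def find_unexpected_workdrive(log_text, allowed_hosts=WORKDRIVE_ALLOWED_HOSTS):
    """Map host -> [(timestamp, method, url)] for WorkDrive traffic from non-allowlisted hosts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, host, _user, method, url = m.groups()
        if is_workdrive_url(url) and host not in allowed_hosts:
            hits[host].append((ts, method.upper(), url))
    return dict(hits)

def classify_direction(hits):
    """Label each flagged host 'bidirectional' (downloads and uploads, consistent with tasking
    plus collection), or 'upload' / 'download' when only one direction was seen."""
    labels = {}
    for host, events in hits.items():
        methods = {method for _, method, _ in events}
        up, down = bool(methods & UPLOAD_METHODS), "GET" in methods
        labels[host] = "bidirectional" if up and down else ("upload" if up else "download")
    return labels

if __name__ == "__main__":
    flagged = find_unexpected_workdrive(PROXY_LOGS)
    for host, label in classify_direction(flagged).items():
        print(f"{host}: {label} ({len(flagged[host])} WorkDrive requests)")
```

In production the allowlist should come from the asset inventory and the flagged hosts should be correlated with endpoint telemetry, such as LNK launches from removable media, before escalation.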
APT37 combines cloud storage and USB implants to infiltrate air-gapped systems
Why This Matters
A breach involving North Korea signals evolving attack methods — watch for downstream regulatory and supply-chain effects.
References
- SecurityAffairs. (2026, March 2). APT37 combines cloud storage and USB implants to infiltrate air-gapped systems. *SecurityAffairs*. https://securityaffairs.com/188767/apt/apt37-combines-cloud-storage-and-usb-implants-to-infiltrate-air-gapped-systems.html