Mallory
Malware, used by 2 actors

THUMBSBD

THUMBSBD is a backdoor used by the North Korean threat actor APT37 (also tracked as ScarCruft, Ricochet Chollima, Ruby Sleet, Velvet Chollima, and InkySquid) in the Ruby Jumper campaign identified in December 2025. It is built to reach and operate inside air-gapped Windows environments by turning removable media into a covert two-way relay between internet-connected and isolated systems. THUMBSBD was reported disguised as a Ruby file named ascii.rb and deployed after the earlier Ruby Jumper stages: malicious LNK files, PowerShell, RESTLEAF, and SNAKEDROPPER, the last of which installs a disguised Ruby 3.3.0 runtime and sets up persistence through a scheduled task named rubyupdatecheck.

Its core functions are to collect system information and other reconnaissance data, create hidden directories on any USB drive it detects, stage operator command files there, and copy collected data to the removable media for later retrieval. Multiple reports describe this as bidirectional: commands travel in to the isolated host and data travels out, across segmented or air-gapped systems. Reported capabilities include harvesting system information, exfiltrating files, executing arbitrary commands, and downloading secondary payloads from remote infrastructure. One report states that it stages hidden files in $RECYCLE.BIN on the removable media and that commands are decrypted with a 1-byte XOR key on the air-gapped host before execution; a single-byte XOR provides no real confidentiality, so staged command files can be recovered offline by trying all 256 keys.
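
As an added example (not code from the reporting or from the malware itself), the following Python walks a mounted USB volume, flags the directory names the reporting associates with THUMBSBD, and recovers the single-byte XOR key of anything staged there by scoring all 256 candidate decodings. It generalises the page's single observation to any staging directory name in the list. The command-file format, the scoring weights, the file names and the sample volume it builds are constructed for the demonstration and assume nothing about the real file layout beyond what the page states.

```python
"""Triage a removable-media volume for THUMBSBD-style staging.

Added example written for this page, not code from the reporting or the
malware. It assumes only what the page describes: hidden $RECYCLE.BIN or
$RECYCLE.BIN.USER directories on removable media and operator command files
encoded with a single-byte XOR key. Everything else is constructed here.
"""
from __future__ import annotations

import os
import stat
import string
import tempfile
from pathlib import Path

# Directory names from the reporting, compared case-insensitively. A real
# $RECYCLE.BIN also holds legitimate deleted files, so a hit is a place to
# look rather than a verdict; $RECYCLE.BIN.USER is not a Windows convention.
SUSPECT_DIRS = {"$recycle.bin", "$recycle.bin.user"}

# Constructed scoring weights: a text command file is mostly letters, digits
# and whitespace; other printable bytes are weak evidence; control bytes mean
# the key (or the single-byte XOR assumption itself) is wrong.
_CORE = set((string.ascii_letters + string.digits + " \t\r\n").encode())
_PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def _score(candidate: bytes) -> float:
    total = 0.0
    for b in candidate:
        total += 1.0 if b in _CORE else 0.5 if b in _PRINTABLE else -3.0
    return total / max(len(candidate), 1)


def recover_xor_key(blob: bytes) -> tuple[int, bytes, float]:
    """Try all 256 keys and return (key, plaintext, per-byte score).

    1.0 means every decoded byte is a letter, digit or common whitespace.
    Brute force is cheap precisely because the key space is 256 values.
    """
    best_key, best_plain, best_score = 0, blob, _score(blob)
    for key in range(1, 256):
        plain = xor_bytes(blob, key)
        score = _score(plain)
        if score > best_score:
            best_key, best_plain, best_score = key, plain, score
    return best_key, best_plain, best_score


def _is_hidden(path: Path) -> bool | None:
    """Windows hidden attribute, or None where the OS does not expose it."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    return None if attrs is None else bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_volume(root: Path, threshold: float = 0.9) -> list[dict]:
    """Walk a mounted volume, flag staging directories, decode their files."""
    findings: list[dict] = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if name.lower() not in SUSPECT_DIRS:
                continue
            staging = Path(dirpath) / name
            for entry in sorted(p for p in staging.iterdir() if p.is_file()):
                key, plain, score = recover_xor_key(entry.read_bytes())
                findings.append({
                    "dir": str(staging.relative_to(root)),
                    "file": entry.name,
                    "hidden": _is_hidden(staging),
                    "key": key,
                    "score": round(score, 3),
                    "decoded": plain,
                    "likely_command_file": score >= threshold,
                })
    return findings


# Constructed sample: a hypothetical command file (format and names invented
# here) encoded with key 0x5A, beside a binary decoy no key turns into text.
SAMPLE_KEY = 0x5A
SAMPLE_COMMANDS = (b"cmd whoami\ncmd tasklist\n"
                   b"get users victim documents plan 2026 txt\nzip staging\n")


def build_sample_volume() -> Path:
    """Lay out a fake removable volume in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "report.docx").write_bytes(b"legitimate user document")
    staging = root / "$RECYCLE.BIN.USER"
    staging.mkdir()
    (staging / "cmd.dat").write_bytes(xor_bytes(SAMPLE_COMMANDS, SAMPLE_KEY))
    (staging / "cache.bin").write_bytes(bytes(range(256)) * 2)
    return root


def demo() -> list[dict]:
    """Build the sample volume and scan it; returns the findings list."""
    return scan_volume(build_sample_volume())
```

On a real case, mount the stick read-only on an analysis host and call scan_volume on its mount point; the decoded bytes of anything scoring near 1.0 are the operator's queued commands or the collected output, and the "hidden" field is only meaningful when the scan runs on Windows. Files in a genuine $RECYCLE.BIN that are not single-byte XOR text will score low, which is the expected result for ordinary deleted documents.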

THUMBSBD also serves as a delivery mechanism for additional malware. It has been reported to deliver FOOTWINE, a Windows spyware backdoor disguised as an APK that supports keylogging, screenshot capture, audio and video recording, file manipulation, registry access, and remote shell commands, and to distribute BLUELIGHT, a backdoor previously associated with APT37 that uses legitimate cloud providers for command and control. In the same campaign, VIRUSTASK complements THUMBSBD by spreading the infection to further air-gapped machines over removable media, including by replacing legitimate files with malicious LNK shortcuts.

High-confidence indicators and artifacts directly mentioned in the reporting include the filename ascii.rb for THUMBSBD; hidden directories on USB media including $RECYCLE.BIN or $RECYCLE.BIN.USER; associated scheduled task rubyupdatecheck from the broader infection chain; working directory %PROGRAMDATA%\usbspeed; registry key HKCU\SOFTWARE\Microsoft\TnGtp; and reported payload download infrastructure including philion[.]store, homeatedke[.]store, and hightkdhe[.]store.
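
The artifacts above are only useful once they are matched against telemetry, and two of them need normalisation that naive string matching misses: %PROGRAMDATA% has to be expanded, and Sysmon records a user's HKCU hive as HKU\<SID>\..., so the registry IOC never appears in an event spelled as HKCU. The Python below is an added example, not code from Mallory or from the reporting: it refangs the listed domains, normalises paths and registry keys, and runs the indicators over a batch of Sysmon-style event dicts. The event format, the %PROGRAMDATA% value and the sample events (including the scheduled-task command line) are constructed here.

```python
"""Match the IOCs reported for THUMBSBD / Ruby Jumper against host telemetry.

Added example for this page, not code from Mallory or from the reporting.
The indicator values are the ones listed on the page; the Sysmon-style event
dicts, the normalisation rules and the sample events are constructed here.
"""
from __future__ import annotations

import re

# Indicators from the reporting. Domains stay defanged in this list and are
# refanged only inside the matcher, so this file never holds a live domain.
DOMAINS = {"philion[.]store", "homeatedke[.]store", "hightkdhe[.]store"}
FILENAMES = {"ascii.rb"}
DIRECTORIES = {"%PROGRAMDATA%\\usbspeed"}
REGISTRY_KEYS = {"HKCU\\SOFTWARE\\Microsoft\\TnGtp"}
TASK_NAMES = {"rubyupdatecheck"}
USB_DIRS = {"$RECYCLE.BIN.USER"}  # plain $RECYCLE.BIN would match every delete

ENV = {"%PROGRAMDATA%": "C:\\ProgramData"}  # assumed default; adjust per host
# Sysmon logs a user's HKCU hive as HKU\<SID>\..., so both the IOC and the
# event are rewritten to an HKCU\ prefix before comparison.
_HKU_USER = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.IGNORECASE)
_HKCU_LONG = re.compile(r"^HKEY_CURRENT_USER\\", re.IGNORECASE)
_TASK_NAME = re.compile(r"/tn\s+\"?([^\s\"]+)", re.IGNORECASE)  # schtasks /tn


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()


def norm_path(path: str) -> str:
    for var, value in ENV.items():
        path = re.sub(re.escape(var), lambda _: value, path, flags=re.IGNORECASE)
    return path.replace("/", "\\").lower()


def norm_registry(key: str) -> str:
    key = _HKU_USER.sub(lambda _: "HKCU\\", key)
    key = _HKCU_LONG.sub(lambda _: "HKCU\\", key)
    return key.lower()


_DOMAIN_IOCS = {refang(d) for d in DOMAINS}
_FILE_IOCS = {f.lower() for f in FILENAMES}
_DIR_IOCS = {norm_path(d) for d in DIRECTORIES}
_REG_IOCS = {norm_registry(k) for k in REGISTRY_KEYS}
_TASK_IOCS = {t.lower() for t in TASK_NAMES}
_USB_IOCS = {u.lower() for u in USB_DIRS}


def match_event(ev: dict) -> list[str]:
    """Return the IOC labels hit by one Sysmon-style event dict."""
    hits: list[str] = []
    eid = ev.get("EventID")
    if eid == 22:  # DNS query: exact match or any subdomain
        q = ev.get("QueryName", "").lower().rstrip(".")
        if q in _DOMAIN_IOCS or any(q.endswith("." + d) for d in _DOMAIN_IOCS):
            hits.append(f"domain:{q}")
    elif eid == 11:  # file create
        path = norm_path(ev.get("TargetFilename", ""))
        name = path.rsplit("\\", 1)[-1]
        if name in _FILE_IOCS:
            hits.append(f"file:{name}")
        hits += [f"dir:{d}" for d in _DIR_IOCS if path == d or path.startswith(d + "\\")]
        hits += [f"usbdir:{u}" for u in _USB_IOCS if "\\" + u + "\\" in path]
    elif eid in (12, 13):  # registry key create / value set
        key = norm_registry(ev.get("TargetObject", ""))
        hits += [f"registry:{k}" for k in _REG_IOCS if key == k or key.startswith(k + "\\")]
    elif eid == 1:  # process create: scheduled-task registration by name
        cmd = ev.get("CommandLine", "")
        m = _TASK_NAME.search(cmd) if "schtasks" in cmd.lower() else None
        if m and m.group(1).lower() in _TASK_IOCS:
            hits.append(f"task:{m.group(1).lower()}")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """(EventID, label) for every indicator hit across a batch of events."""
    return [(ev["EventID"], h) for ev in events for h in match_event(ev)]


# Constructed sample telemetry; the task action, SID and paths are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /tn rubyupdatecheck /tr "C:\\ProgramData\\usbspeed\\run.cmd" /sc hourly'},
    {"EventID": 11, "TargetFilename": "C:\\ProgramData\\usbspeed\\ascii.rb"},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111111111-222222222-3333333333-1001\\SOFTWARE\\Microsoft\\TnGtp\\cfg"},
    {"EventID": 22, "QueryName": "philion.store"},
    {"EventID": 11, "TargetFilename": "E:\\$RECYCLE.BIN.USER\\cmd.dat"},
    {"EventID": 22, "QueryName": "update.microsoft.com"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\victim\\Documents\\notes.txt"},
]
```

Feed scan() exported Sysmon events (EventID 1, 11, 12/13 and 22 are the ones it reads). The HKU-to-HKCU rewrite is the step most often missing from hand-written IOC searches; without it the registry indicator silently never fires.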


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

APT37

ScarCruft is notorious for using a broad range of custom malware, including THUMBSBD, which targets air-gapped Windows systems...

via bleepingcomputer.com
Kimsuky

THUMBSBD, a backdoor that turns ordinary removable media into a covert two-way communication channel between internet-connected systems and isolated, air-gapped ones.

via cybersecuritynews.com
MITRE ATT&CK

Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (evidence: 1)

“The attack begins… with a malicious Windows shortcut file (LNK) that, once opened by a victim, silently drops and executes a series of payloads…”

Execution

4 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

“…executes the operator’s commands — ranging from file exfiltration and system reconnaissance to arbitrary command execution.”

T1059.001 PowerShell (evidence: 1)

Initial infection vectors involve malicious LNK files that launch PowerShell commands to deploy embedded payloads.

T1059.003 Windows Command Shell (evidence: 1)

“execute various backdoor commands including… arbitrary command execution” / “FOOTWINE… sm Provides an interactive command shell…”

T1204.002 Malicious File (evidence: 4)

“APT37 has abused LNKs as an initial vector for years. In the Ruby Jumper campaign, when a victim opens a malicious LNK file, it launches a PowerShell command…”

Defense Evasion

3 techniques
T1027 Obfuscated Files or Information (evidence: 1)

“…decrypts them with a single-byte XOR key…” and “encrypted C2 channel using a custom XOR-based key exchange protocol.”

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

“…second-stage shellcode that is decrypted using a 1-byte XOR key… reflectively loads an embedded Windows executable payload that is also decoded using a 1-byte XOR key.”

T1564.001 Hidden Files and Directories (evidence: 4)

“Its most crucial function is to create hidden directories on detected USB drives and copy files to them.”

Discovery

3 techniques
T1057 Process Discovery (evidence: 1)

“THUMBSBD collects… running processes…” / “FOOTWINE supports… pm Enumerate running processes…”

T1082 System Information Discovery (evidence: 3)

“The role of THUMBSBD is to collect system information…”

T1083 File and Directory Discovery (evidence: 2)

“recursive file system enumeration (complete file tree)” / “Scans the removable media to enumerate the victim’s files…”

Collection

1 technique
T1074 Data Staged (evidence: 1)

“…stage command files, and prepare data for exfiltration… copy files to [hidden USB directories].”

Command and Control

2 techniques
T1092 Communication Through Removable Media (evidence: 7)

"...implant that uses removable media to relay commands and breach air-gapped networks."; "...weaponize removable media to bypass network isolation and infect air-gapped systems."

T1105 Ingress Tool Transfer (evidence: 3)

“RESTLEAF fetches encrypted shellcode from the C2 to download the next-stage payload…”

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

“...exfiltrating files...”; “...transfer data between internet-connected and air-gapped systems.”

Note on the mapping: the second quote describes data leaving the isolated network on the USB stick, which ATT&CK classifies under T1052.001 (Exfiltration Over Physical Medium: Exfiltration over USB) rather than T1041. T1041 fits only the internet-connected side, once relayed data reaches a host that has a C2 channel.
