Mallory
Malware (used by 2 actors)

VIRUSTASK

VIRUSTASK is a Ruby-based removable media propagation component used in the North Korea-linked APT37 (aka ScarCruft/Ruby Sleet/Velvet Chollima/InkySquid) “Ruby Jumper” campaign (discovered by Zscaler ThreatLabz in Dec 2025) to spread infections into and across air-gapped Windows environments.

In the reported toolchain, VIRUSTASK is delivered as a Ruby file named bundler_index_client.rb (dropped by the SNAKEDROPPER stage alongside other disguised Ruby files). Its primary role is to weaponize removable drives to achieve initial access on isolated networks and to propagate to additional air-gapped machines. It does this by hiding victims’ legitimate files on the removable media and replacing them with malicious Windows LNK shortcuts using the same filenames; when a user clicks the apparent file, the LNK executes a renamed Ruby interpreter (masquerading as usbspeed.exe from a disguised Ruby 3.3.0 runtime installed under %PROGRAMDATA%\usbspeed) and loads additional malicious content (noted as loading shellcode from task.rb). Zscaler reported VIRUSTASK only triggers the infection process if the removable media has at least 2GB of free space.

VIRUSTASK is observed operating alongside THUMBSBD (a removable-media command relay/exfiltration component) and other Ruby Jumper malware families (RESTLEAF, SNAKEDROPPER, FOOTWINE, and BLUELIGHT) in operations that bridge internet-connected and air-gapped systems via USB tradecraft. No standalone network C2 behavior for VIRUSTASK is described in the provided content.

Known identifiers/IOCs explicitly mentioned for VIRUSTASK in the content:

  • Filename used for delivery: bundler_index_client.rb
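As an added hunting example, not from the page, Zscaler's reporting or the Mallory platform: a Python triage script that applies the propagation behaviour described above to a removable drive listing, flagging a .lnk whose name equals a hidden file in the same folder and the hidden $RECYCLE.BIN.USER folder at the root. The function names and the sample listing are constructed; walk_listing(root) builds a real listing from a mounted drive.

```python
import os
import stat

# Hidden root folder name reported for this family ($RECYCLE.BIN.USER).
# A plain hidden $RECYCLE.BIN is normal on NTFS volumes, so it is not flagged by itself.
SUSPECT_ROOT_DIRS = {"$recycle.bin.user"}


def walk_listing(root):
    """Yield (relative_path, is_dir, hidden) for every entry under a mounted drive.
    Hidden means FILE_ATTRIBUTE_HIDDEN on Windows; elsewhere only dotfiles count."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            attrs = getattr(os.stat(full), "st_file_attributes", 0)
            hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or name.startswith(".")
            yield os.path.relpath(full, root), os.path.isdir(full), hidden


def find_lnk_decoys(listing):
    """Return (finding_type, path) pairs for the two artefacts described on the page:
    a .lnk named like a hidden file in the same folder, and the hidden root folder."""
    entries = []
    for rel, is_dir, hidden in listing:
        key = rel.replace("\\", "/").lower()  # Windows paths are case-insensitive
        entries.append((rel, key, is_dir, hidden))
    hidden_files = {key for _, key, is_dir, hidden in entries if hidden and not is_dir}
    findings = []
    for rel, key, is_dir, hidden in entries:
        if is_dir and hidden and "/" not in key and key in SUSPECT_ROOT_DIRS:
            findings.append(("hidden_root_dir", rel))
        elif not is_dir and key.endswith(".lnk") and key[:-4] in hidden_files:
            # Explorer hides the .lnk suffix, so "report.docx.lnk" displays as "report.docx"
            findings.append(("lnk_decoy", rel))
    return findings


# Constructed sample listing of a removable drive, not taken from any real infection.
SAMPLE_LISTING = [
    ("report.docx", False, True),        # original file, now hidden
    ("report.docx.lnk", False, False),   # decoy shortcut carrying the same name
    ("photos/trip.jpg", False, True),
    ("photos/trip.jpg.lnk", False, False),
    ("photos/other.png", False, False),  # untouched file
    ("notes.txt.lnk", False, False),     # shortcut with no hidden twin: not flagged
    ("$RECYCLE.BIN.USER", True, True),   # hidden staging folder at the root
]

if __name__ == "__main__":
    for kind, path in find_lnk_decoys(SAMPLE_LISTING):
        print(f"{kind}: {path}")
```

On a real drive, call `find_lnk_decoys(walk_listing("E:\\"))`; any lnk_decoy hit should be followed by checking whether %PROGRAMDATA%\usbspeed and the rubyupdatecheck scheduled task exist on hosts that mounted the drive.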

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.
Kimsuky

Working alongside THUMBSBD is VIRUSTASK, which ensures the infection spreads further by replacing a victim’s legitimate files on the removable drive with malicious LNK shortcuts...

via cybersecuritynews.com
APT37

"Also delivered as a Ruby file, VIRUSTASK functions similar to THUMBSBD... as a removable media propagation component... focuses exclusively on weaponizing removable media to achieve initial access on air-gapped systems."

via thehackernews.com
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (evidence: 1)

“The attack begins… with a malicious Windows shortcut file (LNK) that, once opened by a victim, silently drops and executes a series of payloads…”

Execution

4 techniques
T1053.005 Scheduled Task (evidence: 1)

“Creates a scheduled task named rubyupdatecheck to execute… usbspeed.exe every 5 minutes.”

T1059.001 PowerShell (evidence: 1)

Initial infection vectors involve malicious LNK files that launch PowerShell commands to deploy embedded payloads.

T1204 User Execution (evidence: 1)

“…once opened by a victim… drops and executes a series of payloads…” and “When an unsuspecting user… clicks what appears to be their own file, they unknowingly launch the malware…”

T1204.002 Malicious File (evidence: 4)

“APT37 has abused LNKs as an initial vector for years. In the Ruby Jumper campaign, when a victim opens a malicious LNK file, it launches a PowerShell command…”

Persistence

1 technique
T1053.005 Scheduled Task (evidence: 1)

“Creates a scheduled task named rubyupdatecheck to execute… usbspeed.exe every 5 minutes.”

Privilege Escalation

1 technique
T1053.005 Scheduled Task (evidence: 1)

“Creates a scheduled task named rubyupdatecheck to execute… usbspeed.exe every 5 minutes.”

Stealth

2 techniques
T1036 Masquerading (evidence: 1)

“Renames… rubyw.exe to usbspeed.exe to masquerade as a legitimate USB speed monitoring utility.”

T1564.001 Hidden Files and Directories (evidence: 1)

“Creates a hidden $RECYCLE.BIN directory at the root of the removable media…” / “Creates a hidden folder named $RECYCLE.BIN.USER…”

Discovery

1 technique
T1083 File and Directory Discovery (evidence: 1)

“recursive file system enumeration (complete file tree)” / “Scans the removable media to enumerate the victim’s files…”

Command and Control

2 techniques
T1092 Communication Through Removable Media (evidence: 6)

"...implant that uses removable media to relay commands and breach air-gapped networks."; "...weaponize removable media to bypass network isolation and infect air-gapped systems."

T1105 Ingress Tool Transfer (evidence: 1)

“RESTLEAF fetches encrypted shellcode from the C2 to download the next-stage payload…”
