SNAKEDROPPER
SNAKEDROPPER is a Ruby-based next-stage loader used in the North Korea–linked APT37/ScarCruft campaign dubbed “Ruby Jumper” (discovered by Zscaler ThreatLabz in December 2025). It is delivered after the initial RESTLEAF implant (which uses Zoho WorkDrive for C2) fetches encrypted shellcode and downloads the SNAKEDROPPER payload; SNAKEDROPPER is then executed inside a randomly chosen legitimate Windows executable as part of a two-stage chain of XOR-decrypted shellcode and reflective loading.
On execution, SNAKEDROPPER installs a full Ruby 3.3.0 runtime on Windows and disguises it: it writes an embedded archive (ruby3.zip) to %PROGRAMDATA%\ruby3.zip, unpacks it under %PROGRAMDATA%\usbspeed, and renames rubyw.exe to usbspeed.exe. It then modifies the Ruby environment by replacing RubyGems’ operating_system.rb with a malicious version, which is auto-loaded whenever the Ruby interpreter starts. Persistence is established via a scheduled task named rubyupdatecheck that runs every five minutes.
SNAKEDROPPER then drops additional campaign components (notably THUMBSBD and VIRUSTASK) disguised as Ruby scripts (e.g., ascii.rb and bundler_index_client.rb; also referenced alongside win32\task.rb). THUMBSBD weaponizes removable media to relay commands and exfiltrate data between internet-connected and air-gapped systems, and VIRUSTASK propagates to additional isolated hosts by replacing files on removable drives with malicious LNK shortcuts. ThreatLabz also reported THUMBSBD downloading additional payloads from domains including philion[.]store, homeatedke[.]store, and hightkdhe[.]store.
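A hunt a defender could run over endpoint telemetry for the host artifacts just described (added example, not code from the page or from Zscaler ThreatLabz; the event field names are an assumed Sysmon-like schema, the %PROGRAMDATA% expansion is assumed, and every sample event is constructed):

```python
"""Host-artifact hunt for the SNAKEDROPPER behaviour described above. Added example, not
the page's or Zscaler's code: assumed Sysmon-like event schema, constructed sample events."""

PROGRAMDATA = r"c:\programdata"        # assumed expansion of %PROGRAMDATA%
STAGE_DIR = PROGRAMDATA + r"\usbspeed"  # where the page says ruby3.zip is unpacked

def norm(path: str) -> str:
    """Lower-case, unify slashes and expand %PROGRAMDATA% so suffix checks are reliable."""
    return path.replace("/", "\\").lower().replace("%programdata%", PROGRAMDATA)

def staged(path: str, suffix: str) -> bool:
    # True when path sits under the usbspeed staging directory and ends with suffix.
    p = norm(path)
    return p.startswith(STAGE_DIR + "\\") and p.endswith(suffix)

def match_event(ev: dict) -> list[str]:
    """Return the SNAKEDROPPER indicators (from the write-up) that one event satisfies."""
    hits = []
    kind, target = ev.get("type"), ev.get("target", "")
    if kind == "file_create":
        if norm(target) == PROGRAMDATA + r"\ruby3.zip":
            hits.append("ruby_archive_staged_in_programdata")
        if staged(target, r"\usbspeed.exe"):
            hits.append("rubyw_renamed_to_usbspeed")
        # The page does not give the RubyGems subdirectory, so match the file name only.
        if staged(target, r"\operating_system.rb"):
            hits.append("rubygems_operating_system_rb_replaced")
    elif kind == "task_create" and ev.get("task_name", "").strip("\\").lower() == "rubyupdatecheck":
        hits.append("scheduled_task_rubyupdatecheck")
    elif kind == "process_create" and staged(ev.get("image", ""), r"\usbspeed.exe"):
        hits.append("usbspeed_exe_executed_from_programdata")
    return hits

def hunt(events) -> list[str]:
    """Distinct indicators seen across an event stream, in first-seen order."""
    found: list[str] = []
    for ev in events:
        found.extend(h for h in match_event(ev) if h not in found)
    return found

# Constructed sample telemetry: the artifacts the page describes plus benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "file_create", "target": r"%PROGRAMDATA%\ruby3.zip"},
    {"type": "file_create", "target": r"C:\ProgramData\usbspeed\bin\usbspeed.exe"},
    {"type": "file_create", "target": r"C:\ProgramData\usbspeed\lib\ruby\3.3.0\rubygems\defaults\operating_system.rb"},
    {"type": "task_create", "task_name": r"\rubyupdatecheck"},
    {"type": "process_create", "image": r"C:\ProgramData\usbspeed\bin\usbspeed.exe"},
    {"type": "process_create", "image": r"C:\Ruby33\bin\rubyw.exe"},         # benign developer install
    {"type": "file_create", "target": r"C:\Users\dev\Downloads\ruby3.zip"},  # benign download
]
```

Calling hunt(SAMPLE_EVENTS) returns the five indicator names and ignores the two benign events; a real deployment would feed it parsed file-create, task-create and process-create events instead of the constructed list.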
Groups observed using it
2 distinct threat actors attributed by public researchers.
"...onto SNAKEDROPPER for second-stage payload delivery..."
"ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks" ... "malware families, such as RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT"
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 4 techniques
“Creates a scheduled task named rubyupdatecheck to execute… usbspeed.exe every 5 minutes.”
"...it launches a PowerShell command..."; "...the batch script launching PowerShell..."
Persistence: 1 technique
Privilege Escalation: 2 techniques
Stealth: 4 techniques
“Renames… rubyw.exe to usbspeed.exe to masquerade as a legitimate USB speed monitoring utility.”
"...downloads shellcode, which is then executed via process injection..."
Command and Control: 2 techniques
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Next-stage loader that installs Ruby runtime, establishes persistence, and drops additional components (THUMBSBD, VIRUSTASK).
"The Ruby Jumper campaign... deploys multiple malware families such as RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT."
Dropper/installer that deploys a self-contained Ruby runtime, establishes persistence via scheduled task, and drops additional implants (THUMBSBD, VIRUSTASK).
Second-stage payload delivery component; disguises a Ruby 3.3.0 runtime as 'usbspeed.exe' and establishes persistence via a scheduled task ('rubyupdatecheck').