Malware · Used by 2 actors

FOOTWINE

FOOTWINE is a Windows spyware/backdoor payload observed in Zscaler ThreatLabz reporting as part of the North Korea–linked APT37/ScarCruft campaign dubbed “Ruby Jumper” (discovered December 2025). It is delivered later in the intrusion chain by the removable-media backdoor THUMBSBD, in operations designed to bridge internet-connected and air-gapped Windows environments via weaponized USB drives.

Capabilities attributed to FOOTWINE in the cited reporting include surveillance and remote-access functionality: keystroke logging, screenshot capture, audio recording, video recording, file manipulation, registry access, remote shell/command execution, and “full shell access.” It is described as being disguised as an Android package (APK) and delivered as an encrypted payload (noted as “foot.apk”) with an integrated shellcode launcher.

Command-and-control is described as using a custom binary protocol over TCP, including a custom XOR-based key exchange followed by session-key encryption.

Associated tradecraft and related components reported in the same campaign include: initial access via malicious Windows LNK files that launch PowerShell to carve out embedded payloads and open a decoy document; RESTLEAF, which uses Zoho WorkDrive for C2; SNAKEDROPPER, which installs a disguised Ruby 3.3.0 runtime and establishes persistence via a scheduled task named rubyupdatecheck; and THUMBSBD/VIRUSTASK, which use hidden directories (including $RECYCLE.BIN) on removable media for bidirectional command relay and propagation to air-gapped systems.
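Three of the behaviours described above are directly huntable in endpoint telemetry: PowerShell launched from Explorer with an LNK path on its command line, creation of a scheduled task named rubyupdatecheck, and files written under $RECYCLE.BIN on a removable drive outside the usual per-SID layout. The script below is an added example, not Mallory's or Zscaler's code: it runs three such rules over a handful of constructed events. The flat dict schema (event, image, parent, cmdline, task_name, path, drive_type), the file paths, drive letters and the rubyw.exe task command are all assumptions standing in for Sysmon/EDR records; only the task name and the $RECYCLE.BIN staging pattern come from the reporting.

```python
import re

# Constructed telemetry. The dict schema is an assumption, loosely modelled on
# Sysmon/EDR process-create, scheduled-task-create and file-create events.
CONSTRUCTED_EVENTS = [
    {"id": 1, "event": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},              # benign
    {"id": 2, "event": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -NoProfile -Command "
                r"$b=[IO.File]::ReadAllBytes('C:\Users\victim\Downloads\report.lnk')"},
    {"id": 3, "event": "task_create", "task_name": "rubyupdatecheck",
     "command": r"C:\Users\victim\AppData\Local\Ruby33\bin\rubyw.exe"},     # assumed path
    {"id": 4, "event": "task_create", "task_name": "MicrosoftEdgeUpdateTaskMachineUA",
     "command": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    {"id": 5, "event": "file_create", "drive_type": "removable",
     "path": r"E:\$RECYCLE.BIN\.sys\cmd.dat"},                               # staging dir
    {"id": 6, "event": "file_create", "drive_type": "fixed",
     "path": r"C:\$RECYCLE.BIN\S-1-5-21-1111-2222-3333-1001\$IX7Q2K1.docx"},
    {"id": 7, "event": "file_create", "drive_type": "removable",
     "path": r"E:\$RECYCLE.BIN\S-1-5-21-1111-2222-3333-1001\$RX7Q2K1.docx"}, # normal layout
]

LNK_IN_CMDLINE = re.compile(r"\.lnk\b", re.IGNORECASE)
SID_DIR = re.compile(r"^S-1-5-\d+(-\d+)+$")


def is_lnk_launched_powershell(ev):
    """Explorer-spawned PowerShell whose command line reads an .lnk file,
    the pattern of a shortcut that carves its own embedded payloads."""
    if ev["event"] != "process":
        return False
    image = ev["image"].lower()
    parent = ev["parent"].lower()
    return (image.endswith(("powershell.exe", "pwsh.exe"))
            and parent.endswith("explorer.exe")
            and LNK_IN_CMDLINE.search(ev["cmdline"]) is not None)


def is_rubyupdatecheck_task(ev):
    """Exact, case-insensitive match on the persistence task name from the report."""
    return ev["event"] == "task_create" and ev["task_name"].lower() == "rubyupdatecheck"


def is_suspicious_removable_recycle_bin(ev):
    """Heuristic: a file written under $RECYCLE.BIN on removable media whose
    first-level subdirectory is not a Windows SID. A real recycle bin only
    holds per-user SID folders; anything else is a candidate staging directory."""
    if ev["event"] != "file_create" or ev["drive_type"] != "removable":
        return False
    parts = ev["path"].split("\\")          # ['E:', '$RECYCLE.BIN', '<subdir>', ...]
    if len(parts) < 4 or parts[1].upper() != "$RECYCLE.BIN":
        return False
    return SID_DIR.match(parts[2]) is None


RULES = {
    "lnk_launched_powershell": is_lnk_launched_powershell,
    "rubyupdatecheck_task": is_rubyupdatecheck_task,
    "removable_recycle_bin_staging": is_suspicious_removable_recycle_bin,
}


def evaluate(events):
    """Return sorted (rule name, event id) pairs for every event matching a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["id"]))
    return sorted(hits)


if __name__ == "__main__":
    for rule, eid in evaluate(CONSTRUCTED_EVENTS):
        print(f"{rule}: event {eid}")
```

The $RECYCLE.BIN rule deliberately does not alert on the removable drive merely having a recycle bin (event 7), since NTFS-formatted USB drives legitimately carry one; it keys on the non-SID subdirectory instead. The LNK rule will also fire on some administrative shortcuts, so in production it belongs in a hunt query rather than a paging alert unless combined with the hidden-window or payload-carving indicators.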

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Kimsuky

The final payload, FOOTWINE, delivers surveillance capabilities including keylogging, audio capture, video capture, and full shell access...

via Cyber Security News (cybersecuritynews.com)
APT37

The final payload, FOOTWINE, delivers surveillance capabilities including keylogging, audio capture, video capture, and full shell access...

via Cyber Security News (cybersecuritynews.com)
MITRE ATT&CK

Techniques & procedures

18 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (evidence: 1)

“The attack begins… with a malicious Windows shortcut file (LNK) that, once opened by a victim, silently drops and executes a series of payloads…”

Execution

4 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

“…executes the operator’s commands — ranging from file exfiltration and system reconnaissance to arbitrary command execution.”

T1059.001 PowerShell (evidence: 1)

Initial infection vectors involve malicious LNK files that launch PowerShell commands to deploy embedded payloads.

T1059.003 Windows Command Shell (evidence: 1)

“execute various backdoor commands including… arbitrary command execution” / “FOOTWINE… sm Provides an interactive command shell…”

T1204.002 Malicious File (evidence: 3)

“The infection chain begins when the victim opens a malicious Windows shortcut file (LNK), which deploys a PowerShell script…”

Persistence

1 technique
T1112 Modify Registry (evidence: 2)

“rm, for modifying the Windows Registry”

Stealth

2 techniques
T1027 Obfuscated Files or Information (evidence: 1)

“…decrypts them with a single-byte XOR key…” and “encrypted C2 channel using a custom XOR-based key exchange protocol.”

T1140 Deobfuscate/Decode Files or Information (evidence: 2)

“…responsible for loading shellcode containing the payload after decrypting it.”

Defense Impairment

1 technique
T1112 Modify Registry (evidence: 2)

“rm, for modifying the Windows Registry”

Credential Access

2 techniques
T1056 Input Capture (evidence: 1)

“FOOTWINE… supports keylogging…”

T1056.001 Keylogging (evidence: 4)

“FOOTWINE… includes surveillance features such as keystroke logging…”

Discovery

1 technique
T1057 Process Discovery (evidence: 2)

“pm, for enumerating running processes”

Collection

5 techniques
T1056 Input Capture (evidence: 1)

“FOOTWINE… supports keylogging…”

T1056.001 Keylogging (evidence: 4)

“FOOTWINE… includes surveillance features such as keystroke logging…”

T1113 Screen Capture (evidence: 3)

“FOOTWINE… supports… screenshot capture…”

T1123 Audio Capture (evidence: 4)

“FOOTWINE… supports… audio… recording…”

T1125 Video Capture (evidence: 4)

“FOOTWINE… delivers surveillance capabilities including… video capture…”

Command and Control

4 techniques
T1090 Proxy (evidence: 1)

“FOOTWINE… pxm Establishes a proxy connection and relays traffic bidirectionally.”

T1090.001 Internal Proxy (evidence: 1)

“pxm, for setting up a proxy connection and relaying traffic bidirectionally.”

T1095 Non-Application Layer Protocol (evidence: 1)

“It communicates with a C2 server using a custom binary protocol over TCP.”

T1102 Web Service (evidence: 2)

“Cloud services including Zoho WorkDrive, Microsoft OneDrive, Google Drive, and pCloud are abused as command-and-control (C2) infrastructure…”
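The T1027 and T1140 evidence above states that embedded payloads are decrypted with a single-byte XOR key before the shellcode loader runs them. Recovering such a key from a carved blob is routine triage work, and the script below is an added analyst example, not Mallory's, Zscaler's or the malware's own code: it XORs a constructed PE-like sample with a constructed key (0x5A), then brute-forces all 256 candidate keys and picks the one whose output carries PE markers (the MZ signature and the DOS-stub string) with a printable-byte ratio as the tiebreaker. The sample bytes and the key are assumptions; nothing here reflects FOOTWINE's real file layout or key.

```python
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (self-inverse, so it both encrypts and decrypts)."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> float:
    """Higher is more PE-like: strong weight on the MZ signature at offset 0 and on
    the DOS-stub string anywhere, plus the fraction of printable bytes (0..1) so
    that non-PE plaintext still ranks above random noise."""
    score = 0.0
    if candidate[:2] == b"MZ":
        score += 10.0
    if DOS_STUB in candidate:
        score += 10.0
    printable = sum(1 for b in candidate if 32 <= b < 127 or b in (9, 10, 13))
    score += printable / max(len(candidate), 1)
    return score


def recover_single_byte_xor_key(blob: bytes):
    """Try all 256 keys and return (best_key, best_score). Key 0 is included, so an
    unencrypted PE is reported as key 0 rather than missed."""
    best_key, best_score = 0, float("-inf")
    for key in range(256):
        s = score_plaintext(xor_bytes(blob, key))
        if s > best_score:
            best_key, best_score = key, s
    return best_key, best_score


# Constructed sample: a minimal PE-shaped prefix followed by arbitrary body bytes.
# Not a real executable; just enough structure for the scorer to recognise.
CONSTRUCTED_PAYLOAD = (
    b"MZ" + b"\x90" * 58 + b"\x80\x00\x00\x00"   # e_magic, padding, e_lfanew placeholder
    + DOS_STUB + b".\r\r\n$" + b"\x00" * 32
    + bytes(range(256))                           # non-text body so printable ratio < 1
)
CONSTRUCTED_KEY = 0x5A                            # assumption, not the malware's key
CONSTRUCTED_ENCRYPTED = xor_bytes(CONSTRUCTED_PAYLOAD, CONSTRUCTED_KEY)


if __name__ == "__main__":
    key, score = recover_single_byte_xor_key(CONSTRUCTED_ENCRYPTED)
    decrypted = xor_bytes(CONSTRUCTED_ENCRYPTED, key)
    print(f"recovered key 0x{key:02x} (score {score:.2f}), header={decrypted[:2]!r}")
```

This only covers the single-byte case the reporting describes for the dropped payloads. The C2 channel is described separately as a custom XOR-based key exchange followed by session-key encryption, which a 256-key brute force will not unwind; that traffic needs the protocol itself to be reversed, and is better caught on the wire by the T1095 indicator (a custom binary protocol over raw TCP) than by content inspection.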

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (18)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.