← Back to Security Blog
Security Briefing 8 min read

APT37 Breaches Air-Gapped Networks, CISA Warns of Dormant RESURGE Malware on Ivanti

North Korea's APT37 deploys a sophisticated new toolkit to infiltrate air-gapped networks via USB malware. CISA issues an urgent updated advisory on RESURGE implants hiding dormant on Ivanti Connect Secure devices. Europol's "Project Compass" dismantles The Com cybercrime collective with 30 arrests across 28 countries. Plus: a malicious Go crypto module delivers the Rekoobe backdoor to Linux systems.


APT37 "Ruby Jumper" — Air-Gapped Network Breaches

North Korean APT37 Deploys New Toolkit to Bridge Air Gaps

Zscaler ThreatLabz has uncovered "Ruby Jumper", a campaign by North Korean state-backed group APT37 (ScarCruft) that uses five previously unseen malware families to breach air-gapped networks through removable drives.

Attack Chain

The infection begins with a malicious LNK shortcut file that triggers PowerShell to extract embedded payloads. A decoy document (an Arabic translation of a North Korean newspaper article) diverts the victim's attention while the malware deploys silently.

Malware Role
RESTLEAF Initial implant using Zoho WorkDrive for C2 communications
SNAKEDROPPER Ruby-based loader disguised as usbspeed.exe
THUMBSBD USB-propagating implant for air-gapped network relay
VIRUSTASK Surveillance module for data exfiltration
FOOTWINE Advanced backdoor with full system access

Key concern: APT37 installs the entire Ruby 3.3.0 runtime environment on victim systems, disguised as a legitimate USB utility. This gives them a flexible platform for delivering additional payloads while evading signature-based detection.


CISA Updates RESURGE Advisory for Ivanti Devices

RESURGE Malware Can Lie Dormant on Ivanti Connect Secure — CHECK NOW

CISA has released updated technical details on RESURGE (libdsupgrade.so), a sophisticated implant exploiting CVE-2025-0282 that can survive reboots, evade network monitoring, and wait indefinitely for attacker connections.

Why This Is Dangerous

Attribution: Linked to China-nexus threat actor UNC5221, who has been exploiting CVE-2025-0282 as a zero-day since December 2024.


Europol Dismantles "The Com" — 30 Arrests

Europol's yearlong "Project Compass" operation has resulted in 30 arrests across 28 countries, targeting "The Com" — a decentralized English-speaking cybercrime collective notorious for targeting minors.

The Com Subgroups

Subgroup Activity
Offline Com Property damage, violence, terrorism promotion
Cyber Com Network intrusions, ransomware attacks
(S)extortion Com Coercing minors, encouraging self-harm
764 Grooming, exploitation ring (leaders arrested April 2025)

Investigators identified 179 suspects and 62 victims, directly safeguarding four individuals from ongoing attacks.


Malicious Go Module Delivers Rekoobe Backdoor

Socket security researchers have uncovered a malicious Go module (github[.]com/xinfeisoft/crypto) that impersonates the legitimate golang.org/x/crypto package to:

This attack exploits namespace confusion — the legitimate project uses go.googlesource.com/crypto as canonical with GitHub as a mirror, making the malicious package appear routine in dependency graphs.


More Headlines


How Kensai Protects You

Real-time CVE Monitoring — CVE-2025-0282 and Ivanti vulnerabilities tracked and prioritized

Supply Chain Scanning — Detect namespace-confused packages like the malicious Go crypto module

APT Threat Intelligence — APT37, UNC5221, and state-sponsored threat actor tracking

Continuous Exposure Management — Identify dormant implants before they activate


Recommended Actions

  1. Immediate: Audit all Ivanti Connect Secure devices for RESURGE indicators — factory reset if compromised
  2. Today: Review Go module dependencies for namespace confusion attacks
  3. This Week: Assess air-gap security controls — verify USB device policies and monitoring
  4. Ongoing: Monitor for APT37 IOCs published by Zscaler ThreatLabz

Protect Your Organization with Kensai

AI-powered vulnerability management with 331,910+ CVEs indexed.

Start Free Trial

Stay secure. Stay vigilant.

🗡️ KENSAI Security Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →

📚 Related Articles