ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks

Cybersecurity, Enterprise, Defense

The Hacker News • February 27, 2026

Why It Matters

The campaign shows how APT groups can bypass network isolation by combining legitimate SaaS C2 channels with removable‑media infection, raising the threat level for highly secured environments. Organizations must rethink defenses for both cloud traffic and air‑gap hygiene.

Key Takeaways

  • ScarCruft leverages Zoho WorkDrive for C2 communications
  • THUMBSBD uses removable media to bridge air‑gapped networks
  • Multiple payloads (RESTLEAF, SNAKEDROPPER, VIRUSTASK) deployed sequentially
  • Campaign disguises lures as an Arabic article on the Middle East conflict
  • Removable-media modules exfiltrate data and execute arbitrary commands

Pulse Analysis

The Ruby Jumper operation underscores a growing trend among nation‑state actors to exploit everyday cloud services for command‑and‑control. By hijacking Zoho WorkDrive, ScarCruft sidesteps traditional network monitoring, blending malicious traffic with legitimate business workflows. This approach mirrors earlier abuses of Google Drive and OneDrive, but marks the first documented use of Zoho’s platform, expanding the attack surface for enterprises that rely on diverse SaaS ecosystems. Security teams must therefore broaden their telemetry to include authentication anomalies and unexpected file transfers across all cloud storage providers.

Technically, the infection chain begins with a crafted LNK shortcut that triggers PowerShell, which then parses the shortcut to extract four embedded payloads. RESTLEAF, the initial downloader, authenticates to Zoho WorkDrive using a stolen token, pulls encrypted shellcode, and injects it into memory. That shellcode drops SNAKEDROPPER, which installs a Ruby runtime, creates a scheduled‑task persistence mechanism, and delivers THUMBSBD and VIRUSTASK. Both modules are designed to detect removable media, create hidden staging folders, and relay commands between isolated and internet‑connected machines, effectively turning a USB stick into a bidirectional bridge for data exfiltration, keylogging, and audio‑video surveillance.

The implications for organizations with air‑gapped networks are profound. Traditional perimeter defenses cannot stop malware that moves via physical media, especially when the same tools also communicate through trusted cloud channels. Mitigation strategies should include strict whitelisting of removable devices, real‑time monitoring of cloud storage API usage, and behavioral analytics that flag anomalous process injection or scheduled‑task creation. As APT groups continue to blend cloud abuse with offline propagation, a unified security posture that spans both digital and physical vectors will be essential to protect critical infrastructure.
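The mitigation list above (LNK-launched PowerShell, scheduled-task persistence, cloud storage API use from unexpected processes, and removable-device allowlisting) can be expressed as correlation rules over endpoint telemetry. The following is an added example, not code from the article or from The Hacker News; the event shapes, the browser allowlist, the USB serial allowlist and the Zoho WorkDrive hostname are assumptions, and all sample events are constructed.

```python
# Added example (not from the article): correlate constructed endpoint
# telemetry to flag the behaviours the mitigation list names. Event shapes,
# image names and the Zoho WorkDrive hostname are assumptions.
CLOUD_STORAGE_HOSTS = {"workdrive.zoho.com"}          # assumed hostname
ALLOWED_CLOUD_CLIENTS = {"chrome.exe", "msedge.exe"}  # assumed browser allowlist
APPROVED_USB_SERIALS = {"CORP-USB-0001"}              # constructed allowlist

# Constructed sample events in a simplified EDR-like shape.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c Get-Content C:\\Users\\u\\Downloads\\article.lnk"},
    {"pid": 300, "ppid": 200, "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /tn Updater /tr C:\\ProgramData\\r\\ruby.exe"},
    {"pid": 400, "ppid": 100, "image": "chrome.exe",     "cmdline": "chrome.exe"},
]
NETWORK_EVENTS = [
    {"pid": 200, "dest_host": "workdrive.zoho.com", "port": 443},
    {"pid": 400, "dest_host": "workdrive.zoho.com", "port": 443},
]
DEVICE_EVENTS = [{"serial": "CORP-USB-0001"}, {"serial": "UNKNOWN-7F3A"}]


def ancestors(pid, procs):
    """Yield image names of pid and its parents, following ppid links."""
    by_pid = {p["pid"]: p for p in procs}
    while pid in by_pid:
        yield by_pid[pid]["image"]
        pid = by_pid[pid]["ppid"]


def detect(procs, net, devices):
    """Return (rule, identifier) findings over the constructed telemetry."""
    findings = []
    images = {p["pid"]: p["image"] for p in procs}
    for p in procs:
        img, cmd = p["image"].lower(), p["cmdline"].lower()
        # LNK lure: PowerShell invoked with a shortcut file on its command line.
        if img == "powershell.exe" and ".lnk" in cmd:
            findings.append(("lnk_powershell", p["pid"]))
        # Persistence: scheduled-task creation with a script host in the ancestry.
        if img == "schtasks.exe" and "/create" in cmd and \
                "powershell.exe" in set(ancestors(p["ppid"], procs)):
            findings.append(("schtask_from_powershell", p["pid"]))
    for n in net:  # cloud storage reached by something other than an approved client
        if n["dest_host"] in CLOUD_STORAGE_HOSTS and images.get(n["pid"]) not in ALLOWED_CLOUD_CLIENTS:
            findings.append(("unexpected_cloud_client", n["pid"]))
    for d in devices:  # removable media outside the allowlist
        if d["serial"] not in APPROVED_USB_SERIALS:
            findings.append(("unapproved_removable_media", d["serial"]))
    return findings
```

Each rule alone is noisy on a real fleet; the value is in seeing several of them fire on the same host within a short window, which is the chain the article describes.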
