TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Infosecurity Magazine

North Korea's APT37 Expands Toolkit to Breach Air-Gapped Networks

2026-02-27

ATT&CK techniques detected

5 predictions
T1091 Replication Through Removable Media · 93%
"north korea's apt37 expands toolkit to breach air-gapped networks. a cyber espionage group linked to north korea has been observed deploying a new malicious campaign using removable media infection tools to gain access to air-gapped systems. the group, apt37, is well-known…"

T1052.001 Exfiltration over USB · 84%
": stolen data is written back to the usb drive in hidden or obfuscated form. the operators also deploy footwine, a reconnaissance and collection utility focused on harvesting documents and monitoring removable drive activity, ensuring valuable data is queued for extraction. suppo…"

T1091 Replication Through Removable Media · 73%
"-and-control (c2) communications to fetch additional payloads. “to our knowledge, this is the first time apt37 has abused zoho workdrive,” the researchers noted. restleaf profiles the compromised system and establishes persistence before retrieving follow-on components f…"

T1052.001 Exfiltration over USB · 63%
"-and-control (c2) communications to fetch additional payloads. “to our knowledge, this is the first time apt37 has abused zoho workdrive,” the researchers noted. restleaf profiles the compromised system and establishes persistence before retrieving follow-on components f…"

T1204.002 Malicious File · 47%
"##d, virustask and footwine). it also leveraged removable media to infect and pass commands and information between air-gapped systems. apt37’s ruby jumper campaign explained. the ruby jumper campaign was discovered by the threatlabz team in december 2025. during this campaig…"

Summary

The security researchers from Zscaler ThreatLabz have also discovered five new tools deployed by the North Korean hacking group