APT37 Adds New Tools For Air-Gapped Networks

2026-02-26 Zscaler

https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks

Zscaler ThreatLabz links the Ruby Jumper campaign to APT37, also tracked as ScarCruft, Ruby Sleet, and Velvet Chollima, and describes new tooling for surveillance and air-gapped environments. The infection begins with malicious LNK files that launch PowerShell, carve embedded payloads, show a decoy document, and execute RESTLEAF, which abuses Zoho WorkDrive for command-and-control and shellcode retrieval. SNAKEDROPPER installs a disguised Ruby runtime under `ProgramData`, establishes a scheduled task, and drops THUMBSBD and VIRUSTASK, using Ruby files to load shellcode-based payloads. THUMBSBD uses removable media to move commands and data between internet-connected and air-gapped systems, while VIRUSTASK infects removable media by replacing files with malicious LNK shortcuts. Later payloads include FOOTWINE and BLUELIGHT, giving the campaign surveillance capabilities such as keylogging, screenshots, and audio or video capture.
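The summary above says VIRUSTASK spreads by replacing files on removable media with malicious LNK shortcuts. The following Python is an added example for defenders, not code from the Zscaler report or from the malware: it triages a file listing taken from a USB drive and flags .lnk files whose names still carry a document extension (a shortcut impersonating the file it replaced) and directories where shortcuts make up most of the contents. Both heuristics, the extension list, and the sample listing are assumptions constructed for this example; the report itself gives no naming details for the shortcuts.

```python
"""Heuristic triage of a removable-drive file listing for LNK lures.

Added example, not from the Zscaler report. The report states that
VIRUSTASK replaces files on removable media with malicious LNK shortcuts;
the two checks here (document-looking double extensions, LNK-dominated
directories) are defensive heuristics built on that statement and are
assumptions, not details taken from the report.
"""
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Extensions a user expects to find on a USB stick. A .lnk whose stem still
# ends in one of these looks like a shortcut impersonating the original file.
# (Assumed list for this example.)
DOCUMENT_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".pdf", ".hwp", ".txt", ".jpg", ".png",
}

# Constructed sample listing of a removable drive (not real data).
SAMPLE_LISTING = [
    "E:/report_2026.docx.lnk",
    "E:/budget.xlsx.lnk",
    "E:/notes.hwp.lnk",
    "E:/photos/trip.jpg.lnk",
    "E:/photos/trip2.jpg",
    "E:/photos/trip3.jpg",
    "E:/tools/readme.txt",
    "E:/tools/setup.exe.lnk",
    "E:/System Volume Information/IndexerVolumeGuid",
]


def impersonating_lnk(path: str) -> Optional[str]:
    """Return the document extension a .lnk file is impersonating, else None.

    'report.docx.lnk' -> '.docx'; 'setup.exe.lnk' and 'trip2.jpg' -> None.
    """
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".lnk":
        return None
    suffixes = [s.lower() for s in p.suffixes]
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS:
        return suffixes[-2]
    return None


def lnk_dominated_dirs(listing: List[str], min_files: int = 2,
                       ratio: float = 0.75) -> List[str]:
    """Directories in which at least `ratio` of the files are .lnk shortcuts.

    A drive whose user files have all turned into shortcuts is the pattern
    one would expect after wholesale replacement; single stray shortcuts
    are ignored via `min_files`.
    """
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])  # dir -> [lnk, total]
    for path in listing:
        p = PureWindowsPath(path)
        key = str(p.parent)
        counts[key][1] += 1
        if p.suffix.lower() == ".lnk":
            counts[key][0] += 1
    return sorted(
        d for d, (lnk, total) in counts.items()
        if total >= min_files and lnk / total >= ratio
    )


def triage(listing: List[str]) -> List[str]:
    """Run both heuristics over a listing and return human-readable findings."""
    findings = []
    for path in listing:
        ext = impersonating_lnk(path)
        if ext:
            findings.append(f"{path}: .lnk shortcut named like a {ext} file")
    for directory in lnk_dominated_dirs(listing):
        findings.append(f"{directory}: directory dominated by .lnk shortcuts")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LISTING):
        print(line)
```

Any hit should be followed by inspecting the shortcut's target and arguments (a LNK that launches PowerShell with an encoded command is the pattern the summary describes for the initial stage) rather than treated as a verdict on its own; legitimate shortcuts to documents do exist, which is why the directory-ratio check is kept separate from the per-file check.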

Indicators of Compromise

Type Value First Seen Last Seen
HASH ad556f4eb48e7dba6da14444dcce3170 2026-02-26 2026-02-26
HASH 57dac5f7d21da2454d0fbefdced80bf3 2026-02-26 2026-02-26
HASH 476bce9b9a387c5f39461d781e7e22b9 2026-02-26 2026-02-26
HASH 5c6ff601ccc75e76c2fc99808d8cc9a9 2026-02-26 2026-02-26
HASH 4214818d7cde26ebeb4f35bc2fc29ada 2026-02-26 2026-02-26
HASH ed54cf1ebffbfc1c8ae1ccdd2c681012 2026-02-26 2026-02-26
HASH 709d70239f1e9441e8e21fcacfdc5d08 2026-02-26 2026-02-26
HASH 098d697f29b94c11b52c51bfe8f9c47d 2026-02-26 2026-02-26
HASH 585322a931a49f4e1d78fb0b3f3c6212 2026-02-26 2026-02-26
URL https://www.philion.store/star/… 2026-02-26 2026-02-26
URL https://www.homeatedke.store/st… 2026-02-26 2026-02-26
URL https://www.hightkdhe.store/sta… 2026-02-26 2026-02-26
IPv4 144.172.106.66 2026-02-26 2026-02-26
