Mallory
Malware · Used by 2 actors

RESTLEAF

RESTLEAF is a Windows implant/backdoor used in the North Korea–linked APT37 (aka ScarCruft/Ricochet Chollima/InkySquid) “Ruby Jumper” campaign (reported by Zscaler ThreatLabz; first identified December 2025). In the described intrusion chain, a malicious Windows LNK file launches PowerShell that carves embedded components (including a decoy document and scripts) and ultimately spawns the RESTLEAF Windows executable payload in-memory as the first-stage downloader/implant.

RESTLEAF’s distinguishing behavior is command-and-control over Zoho WorkDrive cloud storage. It authenticates to Zoho WorkDrive with embedded credentials (a hardcoded client_id, client_secret and refresh_token) and exchanges them for a valid access token that it uses for subsequent API operations. Once authenticated, RESTLEAF attempts to download shellcode (noted as “AAA.bin”) from Zoho WorkDrive and executes it via process injection: it allocates executable memory, copies the payload into that region, and transfers execution to the shellcode entry point. RESTLEAF also beacons by creating timestamped files in a Zoho WorkDrive folder named “Second,” with filenames matching the pattern “lion [timestamp].”

RESTLEAF is part of a multi-component toolkit used to breach segmented/air-gapped environments: it fetches further payloads after authentication, including the next-stage Ruby-based loader SNAKEDROPPER, which installs a disguised Ruby 3.3.0 runtime and persistence (scheduled task “rubyupdatecheck”), and later stages that weaponize removable media (THUMBSBD/VIRUSTASK) and deliver surveillance tooling (e.g., FOOTWINE for keylogging and audio/video capture).
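The beaconing convention above (a file named “lion [timestamp]” created in a WorkDrive folder called “Second”) is something a defender with access to a Zoho WorkDrive file listing or audit export can hunt for directly. The following is an added example written for this page, not code from Mallory or from the Zscaler report: it flags records that match the convention and then checks whether the creation times are evenly spaced, which is what a scheduled beacon looks like and what an ordinary user dropping files does not. The report does not state the timestamp format, so the regular expression assumes a digit-only timestamp (epoch seconds or YYYYMMDDHHMMSS); the listing records are constructed sample data, not telemetry from a real intrusion.

```python
import re
from datetime import datetime
from statistics import median

# Folder and filename convention reported for RESTLEAF beacons.
# ASSUMPTION: the timestamp is digit-only (epoch seconds or YYYYMMDDHHMMSS);
# the report only says "lion [timestamp]", so adjust this if your data differs.
BEACON_FOLDER = "Second"
BEACON_NAME = re.compile(r"^lion\s+\d{10,14}$")


def is_beacon_name(name: str) -> bool:
    """True when a filename follows the 'lion <timestamp>' convention."""
    return BEACON_NAME.match(name.strip()) is not None


def find_beacons(records):
    """Return the listing records (dicts with folder/name/created) that sit in the
    beacon folder and carry a beacon-style filename."""
    return [r for r in records
            if r["folder"] == BEACON_FOLDER and is_beacon_name(r["name"])]


def beacon_intervals(beacons):
    """Seconds between consecutive beacon-file creations, in chronological order.
    'created' is an ISO-8601 string such as 2025-12-01T00:10:00+00:00."""
    times = sorted(datetime.fromisoformat(r["created"]) for r in beacons)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def looks_periodic(intervals, jitter=0.2):
    """True when there are at least three intervals and every one of them lies
    within +/- jitter (fraction) of the median interval, i.e. a fixed sleep."""
    if len(intervals) < 3:
        return False
    m = median(intervals)
    return all(abs(i - m) <= jitter * m for i in intervals)


# Constructed sample listing (not real WorkDrive data): four beacon files ten
# minutes apart, one unrelated file in the same folder, and one look-alike name
# in a different folder that must not be counted.
SAMPLE_LISTING = [
    {"folder": "Second",  "name": "lion 1733011200", "created": "2025-12-01T00:00:00+00:00"},
    {"folder": "Second",  "name": "lion 1733011800", "created": "2025-12-01T00:10:00+00:00"},
    {"folder": "Second",  "name": "lion 1733012400", "created": "2025-12-01T00:20:00+00:00"},
    {"folder": "Second",  "name": "lion 1733013000", "created": "2025-12-01T00:30:00+00:00"},
    {"folder": "Second",  "name": "notes.txt",       "created": "2025-12-01T00:05:00+00:00"},
    {"folder": "Reports", "name": "lion 1733013600", "created": "2025-12-01T00:40:00+00:00"},
]

if __name__ == "__main__":
    hits = find_beacons(SAMPLE_LISTING)
    gaps = beacon_intervals(hits)
    print(f"{len(hits)} beacon-style files, intervals {gaps}, periodic={looks_periodic(gaps)}")
```

The periodicity check is the part worth keeping even if the naming convention changes in a later sample: a cloud-storage folder that receives a new small file at a fixed cadence is a C2 signal regardless of what the files are called.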


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Kimsuky: “The full attack chain flows from the initial LNK file through RESTLEAF as the first-stage downloader...” (via cybersecuritynews.com)

APT37: “The full attack chain flows from the initial LNK file through RESTLEAF as the first-stage downloader...” (via cybersecuritynews.com)
MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (evidence: 1)

“The attack begins… with a malicious Windows shortcut file (LNK) that, once opened by a victim, silently drops and executes a series of payloads…”

Execution

3 techniques
T1059.001 PowerShell (evidence: 4)

“…opens a malicious Windows shortcut file (LNK), which deploys a PowerShell script that extracts payloads embedded in the LNK file.”

T1059.003 Windows Command Shell (evidence: 1)

"...including ... a batch file."; "...the batch script launching PowerShell..."

T1204.002 Malicious File (evidence: 4)

“APT37 has abused LNKs as an initial vector for years. In the Ruby Jumper campaign, when a victim opens a malicious LNK file, it launches a PowerShell command…”

Privilege Escalation

1 technique
T1055 Process Injection (evidence: 2)

“…shellcode is executed through a classic process injection technique. RESTLEAF allocates executable memory, copies the downloaded payload into this region, and transfers execution…”

Stealth

3 techniques
T1055 Process Injection (evidence: 2)

“…shellcode is executed through a classic process injection technique. RESTLEAF allocates executable memory, copies the downloaded payload into this region, and transfers execution…”

T1140 Deobfuscate/Decode Files or Information (evidence: 2)

“…second-stage shellcode that is decrypted using a 1-byte XOR key… reflectively loads an embedded Windows executable payload that is also decoded using a 1-byte XOR key.”
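A payload protected only by a 1-byte XOR key, as described for both the second-stage shellcode and the embedded RESTLEAF executable, is trivial to recover during triage because a PE file has fixed bytes at known offsets (“MZ” at offset 0 and “PE\0\0” at the offset stored in the DOS header’s e_lfanew field) that survive as a test for every candidate key. The block below is an added example for this page, not tooling from Zscaler or Mallory: it tries all 256 keys against a blob and reports the one that yields a well-formed PE header. The sample blob is a constructed, non-executable header encoded with an arbitrary key, not an artifact from the campaign.

```python
import struct


def xor_1byte(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key (its own inverse)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Structural PE check: 'MZ' at 0, e_lfanew at 0x3C, and 'PE\\0\\0' where it points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes):
    """Brute-force the single-byte key. Returns (key, decoded_bytes) for the first
    key that produces a PE header, or None when no key does (e.g. the blob is not
    a 1-byte-XOR-encoded PE). Because XOR is a bijection per byte, at most one key
    can turn the first byte into 'M', so a hit is unambiguous."""
    for key in range(256):
        candidate = xor_1byte(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped header for demonstration only: a DOS header
    whose e_lfanew points at a 'PE\\0\\0' signature. It is not a runnable binary."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)           # e_lfanew -> 0x80
    hdr += b"\x00" * (0x80 - len(hdr))                # DOS stub padding
    hdr += b"PE\0\0" + b"\x64\x86" + b"\x00" * 26     # signature + (fake) file header
    return bytes(hdr)


# Constructed sample: the fake header encoded with an arbitrary key (0x5A is a
# placeholder chosen for the example, not the key used by the malware).
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_1byte(build_fake_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    result = recover_xor_key(SAMPLE_BLOB)
    if result is None:
        print("no single-byte XOR key yields a PE header")
    else:
        key, decoded = result
        print(f"key=0x{key:02x}, decoded {len(decoded)} bytes, header ok")
```

Run this over a suspicious blob carved from a sample before spending time on a debugger; when it returns None the encoding is something other than a constant single-byte XOR and a different approach is needed.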

T1620 Reflective Code Loading (evidence: 1)

"The Windows executable payload, named RESTLEAF, is spawned in memory..."

Command and Control

4 techniques
T1071.001 Web Protocols (evidence: 2)

“RESTLEAF uses Zoho WorkDrive cloud storage for C2 communications… enabling subsequent API operations with the Zoho WorkDrive infrastructure.”

T1102 Web Service (evidence: 2)

“RESTLEAF… uses Zoho WorkDrive for C2 communications to fetch additional payloads…”

T1102.002 Bidirectional Communication (evidence: 2)

"...backdoor that uses Zoho WorkDrive for command-and-control (C2)..."; "...weaponizes legitimate cloud providers, including Google Drive, Microsoft OneDrive, pCloud, and BackBlaze, for C2..."

T1105 Ingress Tool Transfer (evidence: 5)

"...uses Zoho WorkDrive for command-and-control (C2) communications to fetch more payloads..."; "...downloads shellcode..."; "...downloading a secondary payload..."
