Malware

The Ruby Jumper campaign, first identified by Zscaler ThreatLabz in December 2025, deploys multiple malware families such as RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT.

The compromised Go module injects malicious code into the "ssh/terminal/terminal.go" file, specifically within the "ReadPassword()" function.

Threat actors use a fake Ivanti certificate for authentication, which, although unencrypted, can serve as a network signature for detection.

The compromises are attributed to the exploitation of CVE-2025-64328, a vulnerability with a CVSS score of 8.6, which allows for post-authentication command injection.

Once the threat actor establishes persistence, it can return and expand access.

Aeternum C2, developed in C++, operates by writing commands into smart contracts on the Polygon blockchain.

Steaelite allows cybercriminals to control victims’ machines through a single browser panel.