Aeternum Botnet & APT37 Ruby Jumper: 2026 Cybersecurity Incidents and NIS2/DORA Compliance Lessons

By AIGovHub Editorial | March 2, 2026 | Updated: March 5, 2026

Introduction: The Evolving Threat Landscape of 2026

As cybersecurity threats grow more sophisticated, 2026 has witnessed two significant incidents that underscore the need for robust regulatory compliance: the Aeternum botnet loader and the APT37 Ruby Jumper campaign. The Aeternum botnet, discovered in December 2025, leverages the Polygon blockchain for resilient command-and-control (C&C) infrastructure, while APT37, a North Korean state-backed group, breaches air-gapped networks via removable drives. These attacks highlight critical vulnerabilities in current security frameworks and have profound implications for compliance under the NIS2 Directive and DORA. This article analyzes these incidents, connects them to regulatory gaps, and provides actionable steps for organizations to enhance their cybersecurity posture.

Incident Analysis: Aeternum Botnet Loader and APT37 Ruby Jumper

Aeternum Botnet Loader: Blockchain-Based Resilience

The Aeternum botnet loader, marketed on underground forums for $200-$4,000, represents a shift in malware infrastructure. It uses the Polygon blockchain for C&C via smart contracts, eliminating the need for central servers. Commands are delivered encrypted through multiple RPC networks and validated before execution, and the loader includes anti-VM checks and AV scanning. This blockchain-based approach reduces operational costs (as little as $1 worth of MATIC covers 100-150 transactions) and increases persistence, making takedowns challenging. Like the Glupteba botnet before it, Aeternum shows that decentralized C&C poses new risks for cybersecurity frameworks, as traditional detection methods may struggle with it.

APT37 Ruby Jumper Campaign: Breaching Air-Gapped Networks

APT37's Ruby Jumper campaign targets air-gapped networks using a toolkit of five malicious tools: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE. The infection chain begins with a malicious LNK file deploying PowerShell scripts, leveraging decoy documents and disguised utilities like usbspeed.exe. Techniques include using USB drives as covert C2 relays, spreading via weaponized removable media, and deploying spyware for surveillance. Zscaler attributes this campaign to APT37 based on indicators like BLUELIGHT malware usage and C2 infrastructure patterns. This attack exploits physical security gaps, emphasizing vulnerabilities in sectors like critical infrastructure and military, where isolated networks are common.

Compliance Gaps Under NIS2 and DORA

NIS2 Directive: Risk Management and Incident Reporting

Directive (EU) 2022/2555 (NIS2) requires "essential" and "important" entities across 18 sectors, including energy, transport, and digital infrastructure, to implement risk management measures and incident reporting within 24 hours for early warnings and 72 hours for notifications. The Aeternum botnet's blockchain-based C&C challenges traditional network monitoring, potentially delaying detection and reporting. Similarly, APT37's air-gapped breaches may evade digital safeguards, highlighting gaps in physical security controls. NIS2 also mandates supply chain security, which is critical as these attacks often exploit third-party vulnerabilities. Organizations must verify their compliance with NIS2, as member states had a transposition deadline of 17 October 2024.

DORA: Digital Operational Resilience for Financial Entities

Regulation (EU) 2022/2554 (DORA) applies from 17 January 2025 to financial entities like banks, insurers, and crypto-asset service providers. It requires an ICT risk management framework, incident reporting, and digital operational resilience testing, including threat-led penetration testing. The Aeternum botnet's low-cost, persistent nature could disrupt financial services, while APT37's data exfiltration poses risks to sensitive financial data. DORA's third-party ICT risk management provisions are essential, as these attacks may originate from compromised vendors. Compliance teams should assess their incident response plans against DORA's requirements to mitigate similar risks.

Exploiting Vulnerabilities in Current Security Frameworks

Both incidents exploit weaknesses in existing cybersecurity frameworks. The Aeternum botnet's use of public blockchain networks circumvents traditional C&C takedowns, challenging frameworks like the NIST Cybersecurity Framework (CSF) 2.0, which emphasizes detection and response. APT37's focus on air-gapped networks highlights gaps in physical security controls, often overlooked in standards like ISO/IEC 27001:2022, which includes 93 controls but may not fully address removable media risks. These attacks demonstrate that compliance with standards like SOC 2—an attestation report based on Trust Services Criteria—is insufficient without adaptive threat intelligence. Organizations should integrate these lessons into their risk assessments, as highlighted in our AI security alerts analysis.

Actionable Steps for Compliance Teams

  1. Enhance Threat Detection: Implement advanced monitoring for blockchain-based C&C and removable media activities. Use tools that align with NIS2's risk management requirements and DORA's resilience testing.
  2. Update Incident Response Plans: Ensure plans include procedures for decentralized attacks and physical breaches. Test response capabilities regularly, as required by DORA.
  3. Strengthen Supply Chain Security: Conduct third-party risk assessments, referencing NIS2's supply chain provisions. Verify vendor compliance with frameworks like ISO 27001.
  4. Leverage Compliance Tools: Utilize platforms like AIGovHub's cybersecurity compliance monitoring tools to track NIS2 and DORA requirements, automate reporting, and compare vendors for readiness.
  5. Conduct Regular Audits: Perform bias audits for AI systems, as mandated by regulations like NYC Local Law 144, and integrate findings into overall security posture.
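As an added defensive example (not code from the original article, from Zscaler's report or from AIGovHub's tools), the Python routine below turns the Ruby Jumper observables described in the incident analysis (explorer.exe launching PowerShell with silencing switches, executables and scripts loaded from removable drives) into the kind of removable-media monitoring that step 1 calls for. The sample process-creation events, the removable-drive set and the rule names are constructed assumptions; in production the events would come from EDR or Sysmon telemetry.

```python
import re

# Constructed sample process-creation telemetry (not real data): parent image, child image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File E:\Report\update.ps1"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"E:\usbspeed.exe", "cmdline": r"E:\usbspeed.exe"},
    {"parent": r"C:\Program Files\Git\git-bash.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\alice\scripts\backup.ps1"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" D:\docs\budget.docx'},
]

# Assumed input: drive letters the endpoint reports as removable (from USB device telemetry).
REMOVABLE_DRIVES = frozenset({"E:"})

# PowerShell switches typical of a script launched silently from a shortcut. PowerShell accepts
# abbreviations such as -w, -ep and -enc, so those are matched as well.
SUSPICIOUS_SWITCHES = re.compile(
    r"(?i)-(?:w(?:indowstyle)?\s+hidden|e(?:xecutionpolicy|p)\s+bypass|e(?:nc|ncodedcommand)?(?=\s))")


def drives_in(text: str) -> set[str]:
    """All drive-letter prefixes ('E:') referenced anywhere in a path or command line."""
    return {d.upper() for d in re.findall(r"\b([A-Za-z]:)\\", text)}


def classify(event: dict, removable: frozenset = REMOVABLE_DRIVES) -> list[str]:
    """Return the detection rules an event matches; an empty list means no rule fired."""
    parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    hits = []
    # Rule 1: explorer.exe spawning PowerShell with silencing switches. A double-clicked LNK creates
    # no process of its own, so the explorer -> powershell edge plus these flags is the observable.
    if parent.endswith(r"\explorer.exe") and image.endswith(r"\powershell.exe") and SUSPICIOUS_SWITCHES.search(cmd):
        hits.append("lnk_style_powershell_launch")
    # Rule 2: the executable image itself resides on removable media (the disguised-utility case).
    if drives_in(event["image"]) & removable:
        hits.append("exec_from_removable_media")
    # Rule 3: a script interpreter reading its script or arguments from removable media.
    if image.endswith(r"\powershell.exe") and drives_in(cmd) & removable:
        hits.append("script_from_removable_media")
    return hits


def triage(events: list[dict], removable: frozenset = REMOVABLE_DRIVES) -> dict[int, list[str]]:
    """Event index -> matched rules, for every event that fired at least one rule."""
    findings = {}
    for idx, event in enumerate(events):
        hits = classify(event, removable)
        if hits:
            findings[idx] = hits
    return findings
```

Running `triage(SAMPLE_EVENTS)` flags the first two constructed events and leaves the ordinary PowerShell backup job and the Word document untouched; the removable-drive set is the piece that must be fed from real device telemetry rather than hard-coded.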

Real-World Implications for Financial and Critical Infrastructure Sectors

Financial entities under DORA face direct risks from the Aeternum botnet's potential to disrupt transactions and APT37's data theft. Critical infrastructure sectors covered by NIS2, such as energy and health, are vulnerable to operational downtime from similar attacks. The low cost of the Aeternum botnet—starting from $200—makes it accessible to threat actors, increasing attack frequency. APT37's state-backed nature suggests targeted espionage, with implications for national security. Organizations in these sectors must prioritize compliance to avoid penalties: up to EUR 10 million or 2% of global turnover under NIS2, and operational disruptions under DORA. For insights into related governance gaps, see our analysis of AI talent departures.

Conclusion: Proactive Governance for Emerging Threats

The Aeternum botnet and APT37 Ruby Jumper campaign underscore the need for proactive cybersecurity governance in 2026. By addressing compliance gaps under NIS2 and DORA, organizations can enhance their resilience against evolving threats. Key takeaways include the importance of adaptive threat detection, robust incident response, and supply chain security. As regulations evolve, tools like AIGovHub's vendor comparisons for NIS2/DORA readiness can help organizations stay compliant. In a landscape where threats like blockchain-based malware and air-gapped breaches are rising, proactive measures are essential for safeguarding critical assets.

Key Takeaways

  • The Aeternum botnet uses Polygon blockchain for resilient C&C, challenging traditional detection methods.
  • APT37 breaches air-gapped networks via removable drives, highlighting physical security gaps.
  • NIS2 and DORA compliance requires enhanced risk management, incident reporting, and resilience testing.
  • Actionable steps include updating incident response plans and strengthening supply chain security.
  • Financial and critical infrastructure sectors must prioritize compliance to mitigate real-world risks.

This content is for informational purposes only and does not constitute legal advice. Organizations should verify current regulatory timelines and consult with experts for compliance guidance. To assess your cybersecurity posture, explore AIGovHub's compliance monitoring tools and vendor comparisons for NIS2 and DORA readiness.