Tag: invisibleferret

17 Attack Reports | 0 Vulnerabilities

Attack reports

Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories

Void Dokkaebi, also known as Famous Chollima, has evolved its operations into a self-propagating supply chain threat targeting software developers. The North Korea-aligned group uses fabricated job interviews to lure developers into cloning malicious repositories. Once compromised, the victim's mac…
north korea
beavertail
supply chain attack
invisibleferret
ottercookie
2026-04-21
blockchain infrastructure
dev#popper rat
developer targeting
fake job interview
git history tampering
omnistealer
repository poisoning
vs code exploitation
worm propagation
Published: April 21, 2026
Downloadable IOCs: 10

Tracking an OtterCookie Infostealer Campaign Across npm

Between April 6-9, 2026, multiple obfuscated malicious npm packages were identified as variants of the OtterCookie infostealer attributed to North Korean threat actors. The campaign employs a two-layer distribution strategy where benign wrapper packages clone legitimate libraries like big.js while …
supply-chain
north korea
infostealer
credential theft
npm
beavertail
contagious interview
invisibleferret
ssh backdoor
ottercookie
javascript obfuscation
2026-04-13
koalemos
vercel c2
Published: April 13, 2026
Downloadable IOCs: 9

Tracking the VS Code Tasks Infection Vector

The Contagious Interview campaign, attributed to North Korea, continues to target software developers through fake recruitment schemes. A new technique in their arsenal leverages Microsoft Visual Studio Code task files to execute malicious code when a project is opened. The report documents observa…
obfuscation
north korea
npm
github
beavertail
contagious interview
vs code
invisibleferret
software developers
2026-01-23
recruitment schemes
task files
Published: January 23, 2026
Downloadable IOCs: 13

PurpleBravo’s Targeting of the IT Software Supply Chain

PurpleBravo, a North Korean state-sponsored threat group, targets software developers through fake recruitment efforts, particularly in cryptocurrency and software development sectors. Their toolkit includes BeaverTail, PyLangGhost, and GolangGhost, designed for stealing browser credentials and cry…
social engineering
north korea
cryptocurrency
github
beavertail
remote access trojan
invisibleferret
software supply chain
astrill vpn
golangghost
pylangghost
2026-01-21
browser credential theft
it services
Published: January 21, 2026
Downloadable IOCs: 187

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

The Contagious Interview campaign, linked to North Korean actors, has evolved to use JSON storage services for hosting and delivering malware. This campaign targets software developers, particularly those in cryptocurrency and Web3 projects, across Windows, Linux, and macOS. The attackers use socia…
rat
social engineering
north korea
infostealer
cryptocurrency
beavertail
web3
invisibleferret
ottercookie
trojanized code
2025-11-14
json storage
tsunami payload
Published: November 14, 2025
Downloadable IOCs: 84

From primitive crypto theft to sophisticated AI-based deception

The North Korea-aligned threat actor DeceptiveDevelopment employs social engineering tactics to target software developers, especially those in cryptocurrency and Web3 projects. They use fake job offers and trojanized code challenges to deliver malware like BeaverTail and InvisibleFerret. The group…
malware
social engineering
north korea
cryptocurrency
remote access
information theft
beavertail
identity theft
invisibleferret
ottercookie
job scams
tropidoor
multiplatform
2025-09-25
weaselstore
postnaptea
tsunamikit
job offers
akdoortea
2025-11-09
it worker fraud
ai-based deception
Published: November 9, 2025
Downloadable IOCs: 1

DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception

This analysis delves into the operations of DeceptiveDevelopment, a North Korea-aligned threat actor, and its connections to North Korean IT worker campaigns. The group targets software developers across major systems, focusing on cryptocurrency and Web3 projects. They use social engineering techni…
social engineering
north korea
cryptocurrency
remote access
information theft
beavertail
invisibleferret
ottercookie
tropidoor
multiplatform
2025-09-25
weaselstore
postnaptea
tsunamikit
job offers
akdoortea
Published: September 25, 2025
Downloadable IOCs: 33

Traps Beneath Fault Repair: Analysis of Recent Attacks Using ClickFix Technique

Lazarus, an APT group with suspected East Asian origins, has recently employed the ClickFix social engineering technique in their phishing attacks. The group, known for targeting financial institutions and cryptocurrency exchanges, now uses fake job opportunities to lure victims to interview websit…
phishing
social engineering
windows
macos
node.js
clickfix
beavertail
invisibleferret
2025-09-01
apt-q-1
Published: September 1, 2025
Downloadable IOCs: 18

Additional Features of OtterCookie Malware Used by WaterPlum

The article discusses updates to the OtterCookie malware utilized by the North Korea-linked attack group WaterPlum. The malware has evolved through four versions, with v3 and v4 being the focus. OtterCookie v3 introduced Windows support and enhanced file collection capabilities. Version 4 added new…
north korea
windows
cryptocurrency
stealer
macos
credential theft
beavertail
invisibleferret
ottercookie
2025-05-11
financial institutions
Published: May 11, 2025
Downloadable IOCs: 0

Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads

North Korean threat actors have expanded their presence in the npm ecosystem, publishing additional malicious packages that deliver the BeaverTail malware and introduce new remote access trojan loader functionality. The campaign, known as Contagious Interview, aims to compromise developer systems, …
north korea
cryptocurrency
beavertail
invisibleferret
2025-04-08
Published: April 8, 2025
Downloadable IOCs: 6

BeaverTail and Tropidoor Malware Distributed via Recruitment Emails

A sophisticated malware campaign has been uncovered, involving the distribution of BeaverTail and Tropidoor malware through fake recruitment emails. The attackers, suspected to be of North Korean origin, impersonated a developer community to lure victims into downloading malicious code. The campaig…
backdoor
phishing
north korea
infostealer
cryptocurrency
downloader
beavertail
recruitment
invisibleferret
2025-04-03
lightlesscan
tropidoor
Published: April 3, 2025
Downloadable IOCs: 6

Targeting of freelance developers

North Korea-aligned cybercriminals are targeting freelance software developers through fake job offers and coding challenges containing malware. The campaign, dubbed DeceptiveDevelopment, uses two main malware families - BeaverTail and InvisibleFerret - to steal cryptocurrency wallets and login cre…
north korea
spearphishing
infostealer
cryptocurrency
beavertail
invisibleferret
2025-02-21
job scams
freelancers
Published: February 21, 2025
Downloadable IOCs: 0

Inside the Scam: North Korea's IT Worker Threat

North Korea has exploited remote work opportunities to infiltrate international companies with fraudulent IT workers, generating revenue and posing cybersecurity risks. The group PurpleBravo targets cryptocurrency firms using malware like BeaverTail and InvisibleFerret. At least seven suspected Nor…
malware
espionage
north korea
cryptocurrency
beavertail
invisibleferret
remote work
2025-02-13
ottercookie
front companies
it workers
Published: February 13, 2025
Downloadable IOCs: 43

InvisibleFerret Malware: Technical Analysis

A recent surge in North Korean activity involves fake job interviews to distribute malware, including InvisibleFerret. This Python-based malware targets the technology, finance, and cryptocurrency sectors, focusing on developers. It steals source code, wallets, and sensitive files. InvisibleFerret …
stealer
beavertail
rustdoor
invisibleferret
2025-01-21
qrlog
Published: January 21, 2025
Downloadable IOCs: 4

Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack

Unit 42 researchers identified a North Korean IT worker activity cluster, CL-STA-0237, involved in phishing attacks using malware-infected video conference apps. The cluster likely operates from Laos and exploited a U.S.-based SMB IT services company to apply for other jobs, securing a position at …
phishing
north korea
supply chain
beavertail
contagious interview
invisibleferret
wagemole
2024-11-15
insider threat
fake it workers
Published: November 15, 2024
Downloadable IOCs: 6

North Korean remote workers landing jobs in the West

North Korean threat actors are utilizing Contagious Interview and WageMole campaigns to secure remote employment in Western countries, evading financial sanctions. The Contagious Interview campaign has been updated with improved script obfuscation and multi-platform support, targeting over 100 devi…
social engineering
cryptocurrency
data theft
beavertail
contagious interview
invisibleferret
2024-11-06
wagemole
sanctions evasion
remote work
job fraud
Published: November 6, 2024
Downloadable IOCs: 56

Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview

Datadog Security Research discovered three malicious npm packages: passports-js, bcrypts-js, and blockscan-api, containing BeaverTail malware associated with North Korean threat actors. The packages, downloaded 323 times, targeted job-seekers in the US tech industry through a campaign named Contagi…
infostealer
cryptocurrency
npm
dprk
beavertail
contagious interview
2024-10-25
invisibleferret
software supply chain
namesquatting
Published: October 25, 2024
Downloadable IOCs: 1
Click here to see more Attack Reports