A North Korea-linked hacking group, tracked as Void Dokkaebi and Famous Chollima, has migrated its InvisibleFerret malware from readable Python scripts to Cython-compiled binaries.
The updated InvisibleFerret malware is now distributed as .pyd files on Windows and .so files on macOS. The malware still has its main features, including backdoor access, browser credential theft, clipboard monitoring, keylogging, and cryptocurrency wallet targeting, but it is now more difficult to trace.
“From a detection evasion perspective, these changes mean that existing detection rules targeting Python scripts might fail to identify the malware,” Trend Micro explains in its report. “Although IP addresses and port numbers can be extracted from the Cython binaries through binary analysis, the runtime Python execution scripts could override these values with different C&C destinations passed as command-line arguments. Consequently, for some modules, the actual C&C destination cannot be determined from the binary alone without the accompanying execution script.”
Researchers also found that BeaverTail, previously known mainly as a downloader and information stealer, has expanded into a more advanced malware platform. The new versions now include backdoor capabilities, browser credential theft, and trojanized cryptocurrency wallet installation features.
The campaign mainly targets software developers, cryptocurrency users, and organizations whose employees have access to wallet credentials, signing keys, CI/CD pipelines, or production systems. The group is known for posing as recruiters from cryptocurrency and AI companies, tricking developers into cloning and running malicious code repositories during fake job interviews.
Because the Cython-generated files are not standalone programs, the infection chain creates Python execution scripts to load the malware. Researchers said BeaverTail now acts as a multistage component capable of downloading platform-specific InvisibleFerret payloads for both Windows and macOS systems.
BeaverTail’s obfuscation methods have also become more advanced, using multiple layers of string protection and decoding logic to make analysis harder.
Based on technical evidence, attack methods, and overlaps in code and infrastructure, researchers attributed the campaign to Void Dokkaebi with high confidence.