Threats Tagged 'beavertail'
View all threats tagged with 'beavertail'. Filter and sort to focus on specific types of threats.
Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories
Void Dokkaebi, also known as Famous Chollima, has evolved its operations into a self-propagating supply chain threat targeting software developers. The North Korea-aligned group uses fabricated job interviews to lure developers into cloning malicious repositories. Once compromised, the victim's machine becomes an infection vector through two mechanisms: malicious VS Code task configurations that execute automatically when a workspace is opened, and active injection of obfuscated JavaScript into source code files, with Git history tampering to conceal the modifications. This creates a worm-like propagation chain in which each compromised developer seeds new repositories with infection vectors. Analysis in March 2026 identified over 750 infected repositories, with contamination reaching organizations including DataStax and Neutralinojs. The campaign delivers payloads via blockchain infrastructure including Tron, Aptos, and Binance Smart Chain, deploying variants of the DEV#POPPER RAT and other tools to steal cryptocurre...
Source: AlienVault OTX General | 04/21/2026, 12:09:43 UTC | Added: 04/21/2026, 15:31:05 UTC

Tracking an OtterCookie Infostealer Campaign Across npm
Between April 6 and 9, 2026, multiple obfuscated malicious npm packages were identified as variants of the OtterCookie infostealer attributed to North Korean threat actors. The campaign employs a two-layer distribution strategy: benign-looking wrapper packages clone legitimate libraries such as big.js while pulling in malicious dependencies that contain the actual payload. Five malicious packages were identified, each containing obfuscated JavaScript files that execute via postinstall hooks. The toolchain steals credentials and files, including Solana wallets and environment configurations, and exfiltrates the data to Vercel-hosted C2 infrastructure. On Linux systems it establishes persistence by installing an SSH backdoor. The infrastructure overlaps with documented OtterCookie operations and connects to broader DPRK campaigns, including Contagious Interview and Contagious Trader, demonstrating the continued evolution of North Korean software supply chain attacks targeting developers.
Source: AlienVault OTX General | 04/13/2026, 15:03:02 UTC | Added: 04/13/2026, 15:31:50 UTC

Contagious Trader campaign - Coordinated weaponisation of cryptocurrency trading bots by suspected DPRK malware operators
The Contagious Trader campaign is a sophisticated malware operation targeting cryptocurrency users, attributed to North Korea with high confidence. It involves malicious cryptocurrency trading bot projects on GitHub that exfiltrate sensitive data and private keys using various techniques, including malicious npm dependencies. The campaign overlaps with known North Korean tactics, particularly those of FAMOUS CHOLLIMA, including the use of GitHub, npm, and Vercel infrastructure, Base64-encoded payload URLs, and anonymizing VPNs for publishing npm packages. The operation represents a shift in tactics, expanding beyond the earlier Contagious Interview campaign to target a broader range of cryptocurrency users.
Source: AlienVault OTX General | 03/18/2026, 10:49:56 UTC | Added: 03/18/2026, 11:12:34 UTC

Contagious Interview: Evolution of VS Code and Cursor Tasks Infection Chains - Part 1
This intelligence report details the evolution of malware delivery techniques targeting integrated development environments (IDEs) such as Visual Studio Code and Cursor. The threat actors, known as Contagious Interview, have expanded their payload staging methods to include GitHub Gists, URL shorteners, Google Drive, and custom domains. New infection chains involve complex loaders, including a custom stack-based bytecode VM and PyArmor-protected Python malware. The report highlights the actors' adaptability in response to takedowns and community reporting, showcasing their use of various obfuscation techniques and masquerading tactics. Detection opportunities and indicators of compromise are provided, including suspicious process behaviors, file paths, and network requests.
Source: AlienVault OTX General | 02/27/2026, 09:29:36 UTC | Added: 02/27/2026, 09:55:15 UTC

Tracking the VS Code Tasks Infection Vector
The Contagious Interview campaign, attributed to North Korea, continues to target software developers through fake recruitment schemes. A new technique in its arsenal leverages Microsoft Visual Studio Code task files to execute malicious code when a project is opened. The report documents observations of this vector, presents GitHub-based discovery methods, highlights findings including a new malicious npm package, and outlines detection opportunities. The campaign abuses VS Code's Task feature, using the runOptions property to automatically execute malicious shell commands when a workspace is opened. Various obfuscation techniques are employed, including hiding commands behind whitespace and masquerading payloads as image or font files.
Source: AlienVault OTX General | 01/23/2026, 10:13:28 UTC | Added: 01/23/2026, 10:50:56 UTC

PurpleBravo’s Targeting of the IT Software Supply Chain
PurpleBravo, a North Korean state-sponsored threat group, targets software developers through fake recruitment efforts, particularly in the cryptocurrency and software development sectors. Its toolkit includes BeaverTail, PyLangGhost, and GolangGhost, designed to steal browser credentials and cryptocurrency information. The group has affected 3,136 IP addresses, mainly in South Asia and North America, compromising 20 organizations across various industries. PurpleBravo's tactics include fictitious personas, malicious GitHub repositories, and sophisticated malware used to infiltrate IT services companies, posing a significant supply-chain risk. The group overlaps with PurpleDelta, another North Korean threat actor, sharing infrastructure and operational patterns. PurpleBravo's focus on the IT sector in South Asia presents an overlooked threat to organizations that outsource IT services.
Source: AlienVault OTX General | 01/21/2026, 22:26:37 UTC | Added: 01/21/2026, 23:05:55 UTC

Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure
North Korean malware was discovered in an Upwork cryptocurrency project, leading to a five-day investigation into active Lazarus Group infrastructure. The malware used three infection mechanisms: VS Code auto-execution, backend RCE via the Function constructor, and cookie-based payload delivery. The infrastructure included Vercel-hosted Stage 1 C2 servers and dedicated Stage 2 C2 servers. A timing oracle allowed token enumeration, revealing three active campaigns. The payload chain consisted of various modules for data extraction, RAT functionality, and cryptocurrency mining. The investigation uncovered sophisticated persistence mechanisms, masquerading techniques, and a custom binary protocol. Real-time defensive responses from the operators were observed during reconnaissance. The infrastructure blended legitimate-looking development projects with malicious activity for cover.
Source: AlienVault OTX General | 01/15/2026, 15:25:29 UTC | Added: 01/15/2026, 15:48:13 UTC

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery
The Contagious Interview campaign, linked to North Korean actors, has evolved to use JSON storage services for hosting and delivering malware. The campaign targets software developers, particularly those working on cryptocurrency and Web3 projects, across Windows, Linux, and macOS. The attackers use social engineering tactics, including fake recruiter profiles, to deliver trojanized code during staged job interviews. The malware payload includes the BeaverTail and OtterCookie infostealers along with the InvisibleFerret RAT. The attack chain involves multiple stages, from initial contact to malware delivery, and uses legitimate websites such as JSON Keeper and code repositories to operate stealthily. The campaign also incorporates additional components such as the Tsunami payload, which adds exclusions to Windows Defender and creates scheduled tasks.
Source: AlienVault OTX General | 11/14/2025, 12:25:53 UTC | Added: 11/14/2025, 12:31:21 UTC

From primitive crypto theft to sophisticated AI-based deception
The North Korea-aligned threat actor DeceptiveDevelopment employs social engineering tactics to target software developers, especially those working on cryptocurrency and Web3 projects. It uses fake job offers and trojanized coding challenges to deliver malware such as BeaverTail and InvisibleFerret. The group has evolved to include more sophisticated tools such as TsunamiKit and AkdoorTea. There are connections between DeceptiveDevelopment and North Korean IT worker fraud campaigns, with the two groups collaborating and sharing information. The IT workers use AI-generated fake identities and employ proxy interviewers to secure remote jobs, posing risks to employers. This hybrid threat combines traditional fraud with cybercrime, blurring the line between targeted APT activity and cybercrime.
Source: AlienVault OTX General | 11/09/2025, 04:31:57 UTC | Added: 11/10/2025, 11:35:31 UTC

OtterCandy, malware used by WaterPlum
WaterPlum, a North Korea-associated attack group, has been using new malware called OtterCandy in its ClickFake Interview campaign. OtterCandy, implemented in Node.js, combines features of RATatouille and OtterCookie. It targets Windows, macOS, and Linux systems, stealing browser credentials, cryptocurrency wallets, and confidential files. The malware communicates with C2 servers via Socket.IO and has persistence mechanisms. An August 2025 update (v2) enhanced user identification, expanded theft targets, and added trace deletion capabilities. OtterCandy's evolution and its use in ongoing campaigns highlight the need for continued vigilance against WaterPlum's activities.
Source: AlienVault OTX General | 10/20/2025, 08:40:01 UTC | Added: 10/20/2025, 08:43:38 UTC