Threats Tagged 'invisibleferret'

Void Dokkaebi, also known as Famous Chollima, has evolved its operations into a self-propagating supply chain threat targeting software developers. The North Korea-aligned group uses fabricated job interviews to lure developers into cloning malicious repositories. Once compromised, the victim's machine becomes an infection vector through two mechanisms: malicious VS Code task configurations that execute automatically when workspaces are opened, and active injection of obfuscated JavaScript into source code files with Git history tampering to conceal modifications. This creates a worm-like propagation chain where each compromised developer seeds new repositories with infection vectors. Analysis in March 2026 identified over 750 infected repositories, with contamination reaching organizations including DataStax and Neutralinojs. The campaign delivers payloads via blockchain infrastructure including Tron, Aptos, and Binance Smart Chain, deploying variants of DEV#POPPER RAT and other tools to steal cryptocurre...

Between April 6-9, 2026, multiple obfuscated malicious npm packages were identified as variants of the OtterCookie infostealer attributed to North Korean threat actors. The campaign employs a two-layer distribution strategy where benign wrapper packages clone legitimate libraries like big.js while pulling malicious dependencies containing the actual payload. Five malicious packages were identified, each containing obfuscated JavaScript files that execute via postinstall hooks. The toolchain steals credentials, files including Solana wallets and environment configurations, and exfiltrates data to Vercel-hosted C2 infrastructure. On Linux systems, it establishes persistence through SSH backdoor installation. The infrastructure overlaps with documented OtterCookie operations and connects to broader DPRK campaigns including Contagious Interview and Contagious Trader, demonstrating continued evolution in North Korean software supply chain attacks targeting developers.

The Contagious Interview campaign, attributed to North Korea, continues to target software developers through fake recruitment schemes. A new technique in their arsenal leverages Microsoft Visual Studio Code task files to execute malicious code when a project is opened. The report documents observations of this vector, presents GitHub-based discovery methods, highlights findings including a new malicious NPM package, and outlines detection opportunities. The campaign exploits VS Code's Task feature, using the runOptions property to automatically execute malicious shell commands when a workspace is opened. Various obfuscation techniques are employed, including hiding commands with whitespace and masquerading payloads as image or font files.

MediumMalwareUnited KingdomGermanyFrance+4#github#north korea#software developers

PurpleBravo, a North Korean state-sponsored threat group, targets software developers through fake recruitment efforts, particularly in cryptocurrency and software development sectors. Their toolkit includes BeaverTail, PyLangGhost, and GolangGhost, designed for stealing browser credentials and cryptocurrency information. The group has affected 3,136 IP addresses, mainly in South Asia and North America, compromising 20 organizations across various industries. PurpleBravo's tactics include using fictitious personas, malicious GitHub repositories, and sophisticated malware to infiltrate IT services companies, posing a significant supply-chain risk. The group shows overlap with PurpleDelta, another North Korean threat actor, sharing infrastructure and operational patterns. PurpleBravo's focus on the IT sector in South Asia presents an overlooked threat to organizations outsourcing IT services.

MediumCampaignUnited KingdomGermanyFrance+5#cryptocurrency#it services#social engineering

The Contagious Interview campaign, linked to North Korean actors, has evolved to use JSON storage services for hosting and delivering malware. This campaign targets software developers, particularly those in cryptocurrency and Web3 projects, across Windows, Linux, and macOS. The attackers use social engineering tactics, including fake recruiter profiles, to deliver trojanized code during staged job interviews. The malware payload includes BeaverTail and OtterCookie infostealers, along with the InvisibleFerret RAT. The attack chain involves multiple stages, from initial contact to malware delivery, utilizing legitimate websites like JSON Keeper and code repositories to operate stealthily. The campaign also incorporates additional components such as the Tsunami Payload, which adds exceptions to Windows Defender and creates scheduled tasks.

MediumMalwareGermanyNetherlandsUnited Kingdom+2#ottercookie#json storage#tsunami payload

The North Korea-aligned threat actor DeceptiveDevelopment employs social engineering tactics to target software developers, especially those in cryptocurrency and Web3 projects. They use fake job offers and trojanized code challenges to deliver malware like BeaverTail and InvisibleFerret. The group has evolved to include more sophisticated tools like TsunamiKit and AkdoorTea. There are connections between DeceptiveDevelopment and North Korean IT worker fraud campaigns, with both groups collaborating and sharing information. The IT workers use AI-generated fake identities and employ proxy interviewers to secure remote jobs, posing risks to employers. This hybrid threat combines traditional fraud with cybercrime, blurring the lines between targeted APT activity and cybercrime.

MediumMalwareFrancePoland#ottercookie#weaselstore#akdoortea

North Korean threat actor UNC5342 employs a novel malware delivery technique called 'EtherHiding,' embedding malicious code within smart contracts on public blockchains to create resilient command-and-control infrastructure. The attack chain begins with social engineering, targeting cryptocurrency and technology sector developers via fake recruitment schemes. Loader scripts are injected to fetch payloads from multiple blockchains and API services, complicating detection and mitigation. The malware suite includes JADESNOW, BEAVERTAIL, and INVISIBLEFERRET, which enable data theft and remote control of infected systems. This approach leverages the decentralized and immutable nature of blockchains to evade takedown efforts. The campaign primarily facilitates cryptocurrency theft and espionage. Exploitation does not require prior authentication but relies on user interaction through social engineering. The threat is medium severity but poses significant challenges due to its innovative use of blockchain technology for malware command and control.

MediumMalwareGermanyFranceNetherlands+3#invisibleferret#smart contracts#blockchain

Famous Chollima, a North Korean threat group, has deployed a new malware campaign targeting job seekers by impersonating hiring organizations. The attack involves a trojanized Node. js application named 'Chessfi' and uses evolving malware tools BeaverTail and OtterCookie, which now include keylogging and screenshot capabilities. A malicious Visual Studio Code extension embedding these tools was also discovered, indicating new infection vectors. The malware steals cryptocurrency credentials by targeting multiple browsers and wallet extensions, and it can upload files from compromised systems. This campaign leverages social engineering and developer tools to infiltrate victims, focusing on cryptocurrency theft and credential harvesting. The threat is medium severity due to its broad capabilities and stealth but requires user interaction for infection. European organizations involved in software development, cryptocurrency, and job recruitment are at particular risk.

MediumMalwareGermanyFranceNetherlands+4#vs code extension#beavertail#north korea

This analysis delves into the operations of DeceptiveDevelopment, a North Korea-aligned threat actor, and its connections to North Korean IT worker campaigns. The group targets software developers across major systems, focusing on cryptocurrency and Web3 projects. They use social engineering techniques like fake job offers and the ClickFix method to deliver malware. Their toolset includes multiplatform malware such as BeaverTail, InvisibleFerret, WeaselStore, and TsunamiKit. The group shows links to other North Korean cyber operations through shared malware like Tropidoor and AkdoorTea. The analysis also explores the activities of North Korean IT workers, who use stolen identities and AI-generated content to secure remote jobs, highlighting the interconnected nature of these cyber threats.

MediumCampaignUnited KingdomGermanyFrance+4#north korea#weaselstore#cryptocurrency

Lazarus, an APT group with suspected East Asian origins, has recently employed the ClickFix social engineering technique in their phishing attacks. The group, known for targeting financial institutions and cryptocurrency exchanges, now uses fake job opportunities to lure victims to interview websites. These sites prompt users to 'fix' non-existent camera issues, tricking them into downloading malware disguised as Nvidia software updates. The malware deploys a Node.js environment and executes BeaverTail, a common Lazarus tool. On Windows 11 systems, an additional backdoor (drvUpdate.exe) is installed. The attack also affects macOS users. The malware establishes persistence and connects to command and control servers for further instructions and data exfiltration.

MediumMalwareUnited KingdomGermanyFrance+6#clickfix#node.js#beavertail