Void Dokkaebi (aka Famous Chollima), a North Korea-aligned threat group, has evolved its InvisibleFerret malware by migrating from plain Python scripts to Cython-compiled binaries distributed as .pyd files on Windows and .so files on macOS. This shift bypasses script-based detections while preserving core capabilities: backdoor access, browser credential theft, clipboard monitoring, keylogging, and cryptocurrency wallet targeting. The companion downloader BeaverTail has also expanded into a multi-module toolkit with overlapping functionality. Despite the obfuscation, forensic artifacts such as build paths, export table symbols, and Zlib-compressed string tables remain recoverable from the binaries, allowing analysts to extract C&C infrastructure. The mc module now targets MetaMask, Coinbase, and Phantom wallets, and downgrades Chrome on macOS to bypass Manifest V3 restrictions. The campaign primarily targets software developers with access to wallet credentials, signing keys, and CI/CD pipelines. Hunting queries and IoCs are provided.
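The string-table recovery the summary mentions can be reproduced without a disassembler: because a zlib stream carries a recognisable two-byte header and a terminating checksum, an analyst can carve every complete stream out of a .pyd or .so and pull printable strings from the result. The Python below is an added example (not code from the Trend Micro report), and the build path, C&C URL and wallet names it embeds are a constructed stand-in for a compiled module, not real indicators.

```python
import re
import zlib

# CMF/FLG header pairs emitted by zlib at the usual compression levels.
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")
# Runs of six or more printable ASCII bytes, the classic "strings" heuristic.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")


def carve_zlib_streams(blob, min_len=16):
    """Return a sorted list of (offset, decompressed_bytes) for every complete
    zlib stream in blob. Candidates that fail to inflate, or that never reach
    the end-of-stream marker, are discarded as false positives."""
    found = []
    for header in ZLIB_HEADERS:
        start = 0
        while (idx := blob.find(header, start)) != -1:
            d = zlib.decompressobj()
            try:
                out = d.decompress(blob[idx:])
            except zlib.error:
                out = b""
            # d.eof is only set when the trailing Adler-32 checksum validated.
            if d.eof and len(out) >= min_len:
                found.append((idx, out))
            start = idx + 1
    found.sort()
    return found


def extract_strings(blob):
    """Printable strings recovered from every carved stream, in file order."""
    strings = []
    for _, data in carve_zlib_streams(blob):
        strings.extend(m.group().decode("ascii") for m in PRINTABLE.finditer(data))
    return strings


# Constructed sample: a fake PE-like blob whose only zlib stream is a
# NUL-separated string table of the kind the report describes recovering.
FAKE_STRING_TABLE = b"\x00".join([
    b"C:\\Users\\builder\\proj\\build\\mc.pyd",   # constructed build path
    b"http://c2.invalid/api/clip",               # constructed placeholder C&C URL
    b"MetaMask", b"Coinbase", b"Phantom",        # wallet names from the summary
])
FAKE_BINARY = b"MZ" + b"\x90" * 64 + zlib.compress(FAKE_STRING_TABLE) + b"\x00" * 32

if __name__ == "__main__":
    for offset, data in carve_zlib_streams(FAKE_BINARY):
        print(f"zlib stream at 0x{offset:x}, {len(data)} bytes inflated")
    for s in extract_strings(FAKE_BINARY):
        print("  ", s)
```

On a real sample, run `extract_strings(open(path, "rb").read())` and grep the output for URLs, IPs and build paths; the same routine works on the macOS .so builds because it keys on the zlib header rather than on the executable format.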

From trendmicro.com