InvisibleFerret Malware Shifts to Binary Form to Avoid Script-Based Detection

The malware associated with the Void Dokkaebi threat actor now uses Cython to compile Python code into binary .pyd and .so files, bypassing traditional script detection rules.

CSBadmin

Technical Evolution

The InvisibleFerret information-stealing malware, associated with the North Korean threat actor Void Dokkaebi (also known as Famous Chollima), has undergone a significant technical transformation. Instead of being distributed as plain Python scripts, the malware is now compiled into binary form using Cython. On Windows systems it arrives as .pyd files (Python extension modules packaged as DLLs), and on macOS it comes as .so shared libraries. Neither format runs on its own; both must be loaded and executed by a Python interpreter.

This shift makes the malware harder to detect because many existing security rules are designed to flag malicious Python scripts rather than compiled binaries. The change represents a deliberate attempt by the attackers to stay ahead of defenders who have not updated their detection strategies.
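To show what a rule set built around plain .py scripts is missing, here is a small triage helper written for this post (example code, not from the article or from any vendor tool) that flags native Python extension modules carrying Cython runtime markers. The sample byte strings are constructed, and the raw string scan is a heuristic stand-in for a proper export-table parse.

```python
import re

# Every CPython extension module, Cython-built or hand-written, must export
# PyInit_<modulename>. On Mach-O the symbol carries a leading underscore,
# which this regex tolerates because it anchors only on "PyInit_".
PYINIT_RE = re.compile(rb"PyInit_([A-Za-z_][A-Za-z0-9_]*)")
# Strings the Cython code generator leaves in every module it compiles.
CYTHON_MARKERS = (b"__pyx_", b"cython_runtime", b"Cython")

def container_format(blob: bytes) -> str:
    """Identify the binary container from its magic bytes."""
    if blob.startswith(b"MZ"):
        return "PE"          # Windows .pyd is a DLL
    if blob.startswith(b"\x7fELF"):
        return "ELF"         # Linux .so
    if blob[:4] in (b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xca\xfe\xba\xbe"):
        return "Mach-O"      # macOS .so or fat binary
    return "unknown"

def triage(blob: bytes) -> dict:
    """Return indicators that a script-centric rule set would never see.

    Heuristic: scans raw bytes for the entry point and Cython markers instead
    of walking the PE/ELF/Mach-O export table (assumption/simplification)."""
    fmt = container_format(blob)
    m = PYINIT_RE.search(blob)
    cython = any(marker in blob for marker in CYTHON_MARKERS)
    return {
        "format": fmt,
        "extension_module": m is not None,
        "module_name": m.group(1).decode() if m else None,
        "cython_compiled": cython,
        # Hunt-worthy: a native Python extension module built with Cython.
        "suspect": fmt != "unknown" and m is not None and cython,
    }

# Constructed samples (not real malware): minimal headers plus the strings a
# compiled module would carry, padded so they resemble opaque binary data.
SAMPLE_PYD = b"MZ" + b"\x00" * 60 + b"PyInit_helper\x00__pyx_pymod_exec_helper\x00cython_runtime\x00"
SAMPLE_SO = b"\x7fELF" + b"\x00" * 60 + b"_PyInit_util\x00__pyx_k_\x00"
SAMPLE_PLAIN_DLL = b"MZ" + b"\x00" * 60 + b"DllMain\x00kernel32.dll\x00"
SAMPLE_SCRIPT = b"import os\nos.system('echo hi')\n"

if __name__ == "__main__":
    for name, blob in [("helper.pyd", SAMPLE_PYD), ("util.so", SAMPLE_SO),
                       ("plain.dll", SAMPLE_PLAIN_DLL), ("script.py", SAMPLE_SCRIPT)]:
        print(name, triage(blob))
```

Only the two constructed extension modules come back as suspect; the ordinary DLL and the plain script do not, which is the gap a script-only detection leaves open.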

Impact and Targeting

The updated InvisibleFerret retains all of its previous capabilities, including backdoor access, browser credential theft, clipboard monitoring, keystroke logging, and cryptocurrency wallet targeting. The companion loader, BeaverTail, has also evolved from a simple downloader into a more comprehensive threat with its own credential harvesting and wallet targeting functions.

Void Dokkaebi continues to target software developers, particularly those holding cryptocurrency wallet credentials, signing keys, or access to CI/CD pipelines and production systems. The group poses as recruiters from cryptocurrency or AI firms, convincing targets to clone and run code repositories as part of fake job interviews. Once executed, the malicious code initiates a multi-stage infection designed to steal sensitive data and maintain persistent access.

Source: Cyber Security News
