DPRK Hackers Use ClickFix to Deliver BeaverTail Malware in Crypto Job Scams
Briefly

"First exposed by Palo Alto Networks in late 2023, BeaverTail and InvisibleFerret have been deployed by North Korean operatives as part of a long-running campaign dubbed Contagious Interview (aka Gwisin Gang), wherein the malware is distributed to software developers under the pretext of a job assessment. Assessed to be a subset of the umbrella group Lazarus, the cluster has been active since at least December 2022."
"An important evolution of the campaign involves the use of the ClickFix social engineering tactic to deliver malware such as GolangGhost, PylangGhost, and FlexibleFerret - a sub-cluster of activity tracked as ClickFake Interview. The latest attack wave, observed in late May 2025, is worth highlighting for two reasons: Employing ClickFix to deliver BeaverTail (rather than GolangGhost or FlexibleFerret) and delivering the stealer in the form of a compiled binary produced using tools like pkg and PyInstaller for Windows, macOS, and Linux systems."
Threat actors tied to the Democratic People's Republic of Korea used ClickFix-style lures to deliver BeaverTail and InvisibleFerret, this time targeting marketing and trader positions in cryptocurrency and retail organizations rather than software development roles. BeaverTail and InvisibleFerret previously targeted software developers under the pretext of job assessments in the Contagious Interview (aka Gwisin Gang) campaign, which is linked to the Lazarus umbrella group. BeaverTail is JavaScript-based and acts as an information stealer and as a downloader for the Python backdoor InvisibleFerret; it has spread via malicious npm packages and fake videoconferencing apps. The campaign has since evolved to deliver multiple malware families, and in May 2025 it distributed BeaverTail as compiled binaries for Windows, macOS, and Linux.
Read at The Hacker News