GBHackers

InvisibleFerret Malware Uses .pyd and .so Files to Evade Script Detection


A North Korea-linked threat group, Void Dokkaebi, also known as Famous Chollima, has significantly upgraded its malware delivery techniques by converting its Python-based InvisibleFerret malware into compiled binary modules.

InvisibleFerret was previously deployed as readable Python scripts, making it easier for defenders to detect through static analysis and signature-based tools.

The latest campaign leverages Cython, a compiler that translates Python code into C or C++ source, which a native toolchain then builds into binary extension modules. These binaries are harder to inspect than the original scripts and evade many defenses that rely on scanning plain-text Python.

Despite this transformation, the malware retains its core functionality. InvisibleFerret continues to provide attackers with backdoor access, browser credential theft, clipboard monitoring, keylogging, and cryptocurrency wallet targeting.

The campaign remains particularly dangerous for software developers and organizations where developers have access to sensitive assets such as wallet credentials, signing keys, and CI/CD pipelines.

The infection chain reflects a coordinated, cross-platform approach. Void Dokkaebi typically targets developers through fake job interview lures, encouraging victims to clone and execute malicious repositories.


Infection chain of the Void Dokkaebi intrusion set that abuses Cython to obfuscate its InvisibleFerret malware (Source : Trend Micro).

Once executed, a JavaScript-based loader known as BeaverTail initiates the attack. BeaverTail has evolved beyond its original role as a downloader and information stealer, now functioning as a multi-stage malware with overlapping capabilities similar to InvisibleFerret.

Trend Micro said in a report shared with GBHackers that the group now distributes the malware as .pyd files on Windows and .so files on macOS, a shift designed to bypass traditional script-based detection mechanisms.

BeaverTail downloads the Cython-compiled payloads and creates a Python execution script, typically with a .mod extension, to run them. Since .pyd and .so files are Python extension modules rather than standalone executables, they require a Python interpreter to execute.


This layered execution approach complicates detection, as security tools must analyze both the binary modules and the runtime scripts.
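One way to turn this two-stage execution pattern into a detection, added here as an example and not taken from the Trend Micro report: score process-creation events in which a Python interpreter is handed a script with a non-.py extension (such as the .mod runner described above), loads a .pyd or .so from a user-writable directory, or carries an IPv4 literal on its command line. The events, their field names and the "user-writable" path patterns are constructed assumptions for the example, not a real EDR schema.

```python
"""Score process-creation events for the 'runner script + compiled extension
module' pattern.  Example code, not the report's; event records are constructed."""
import re
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample events (not real telemetry); field names are an assumption.
EVENTS = [
    {"host": "dev-win-01", "image": r"C:\Python311\python.exe",
     "cmdline": r"python.exe C:\Users\dev\AppData\Local\Temp\build\run.mod 192.0.2.10 1224",
     "files_opened": [r"C:\Users\dev\AppData\Local\Temp\build\ferret.pyd"]},
    {"host": "dev-mac-02", "image": "/usr/local/bin/python3",
     "cmdline": "python3 /Users/dev/Library/Caches/npm/.x/run.mod",
     "files_opened": ["/Users/dev/Library/Caches/npm/.x/ferret.cpython-311-darwin.so"]},
    {"host": "ci-01", "image": "/usr/bin/python3",
     "cmdline": "python3 /opt/app/manage.py runserver",
     "files_opened": ["/usr/lib/python3/dist-packages/_cffi_backend.cpython-311-x86_64-linux-gnu.so"]},
    {"host": "dev-win-01", "image": r"C:\Python311\python.exe",
     "cmdline": r"python.exe C:\Users\dev\proj\test.py",
     "files_opened": []},
]

SCRIPT_EXT_ALLOWLIST = {".py", ".pyw", ".pyc"}
EXT_MODULE_SUFFIXES = (".pyd", ".so")
# Directories a developer can write to without elevation (assumed list).
USER_WRITABLE = re.compile(
    r"(?i)(\\Users\\[^\\]+\\|/Users/[^/]+/|/home/[^/]+/|/tmp/|\\Temp\\)")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _script_arg(cmdline):
    # First argument after the interpreter; assumes unquoted paths without spaces.
    parts = cmdline.split()
    return parts[1] if len(parts) > 1 else ""


def _suffix(path):
    p = PureWindowsPath(path) if "\\" in path else PurePosixPath(path)
    return p.suffix.lower()


def score_event(ev):
    """Return (score, reasons); each matching indicator adds one point."""
    reasons = []
    script = _script_arg(ev["cmdline"])
    if script and _suffix(script) not in SCRIPT_EXT_ALLOWLIST:
        reasons.append(f"interpreter given non-.py script {script}")
    ext_mods = [f for f in ev["files_opened"] if f.lower().endswith(EXT_MODULE_SUFFIXES)]
    user_mods = [f for f in ext_mods if USER_WRITABLE.search(f)]
    if user_mods:
        reasons.append(f"extension module loaded from user-writable path {user_mods[0]}")
    if IPV4.search(ev["cmdline"]):
        reasons.append("IPv4 literal passed on the command line")
    return len(reasons), reasons


def triage(events=EVENTS, threshold=2):
    """Hosts whose events reach the threshold; threshold 2 keeps lone .so loads
    from site-packages (very common, see ci-01) out of the alert queue."""
    return [(ev["host"], r) for ev in events for s, r in [score_event(ev)] if s >= threshold]


if __name__ == "__main__":
    for host, reasons in triage():
        print(host, "->", "; ".join(reasons))
```

The threshold matters: legitimate Python extension modules are loaded constantly, so a .so load on its own is noise; the combination with an odd script extension or a C2 literal on the command line is what distinguishes the chain described above.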

The updated BeaverTail variants employ multiple obfuscation techniques, including shuffled Base64 arrays, XOR encryption, and split-and-swap encoding of command-and-control (C2) infrastructure.

Code snippet showing the IIFE shuffle function (Source : Trend Micro).

These techniques make it difficult to extract indicators such as IP addresses and domains. In some cases, C2 details are not fully embedded in the binary but are passed dynamically via command-line arguments from the execution script, further complicating analysis.
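The three layers named above (a shuffled Base64 alphabet, XOR, and split-and-swap) can be reproduced in a few lines to show why a string or IP-regex sweep of the loader finds nothing. The block below is an added illustration, not BeaverTail's code: the page does not give the actual shuffle, key or pivot, so those constants are constructed, and the C2 address is a TEST-NET-1 placeholder. The reader-facing point is that the decoder needs all three parameters, which is exactly what an analyst has to pull out of the loader before indicators can be extracted.

```python
"""Illustrative layered string obfuscation (shuffled Base64 alphabet + XOR +
split-and-swap) and its decoder.  Example code with constructed parameters;
not the loader's real routine."""
import base64
import random
import re

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed parameters (assumptions for the example).
SEED = 0x5EED            # stands in for whatever the IIFE shuffle derives its order from
XOR_KEY = b"\x5a\x13\xc4\x7e"
PIVOT = 7                # split point for the swap
C2 = "192.0.2.10:1224"   # constructed TEST-NET-1 host:port, not a real indicator


def shuffled_alphabet(seed):
    """Deterministic permutation of the Base64 alphabet (the 'shuffled array')."""
    chars = list(STD_ALPHABET)
    random.Random(seed).shuffle(chars)
    return "".join(chars)


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def split_and_swap(s, pivot):
    """Cut at `pivot` and exchange the two halves."""
    return s[pivot:] + s[:pivot]


def obfuscate(plain, key, seed, pivot):
    alphabet = shuffled_alphabet(seed)
    std = base64.b64encode(xor_bytes(plain.encode(), key)).decode()
    custom = std.translate(str.maketrans(STD_ALPHABET, alphabet))  # '=' passes through
    return split_and_swap(custom, pivot)


def deobfuscate(blob, key, seed, pivot):
    """Reverse the layers: undo the swap, map back to standard Base64, XOR."""
    alphabet = shuffled_alphabet(seed)
    custom = split_and_swap(blob, len(blob) - pivot)   # swapping at n-pivot restores order
    std = custom.translate(str.maketrans(alphabet, STD_ALPHABET))
    return xor_bytes(base64.b64decode(std), key).decode()


if __name__ == "__main__":
    blob = obfuscate(C2, XOR_KEY, SEED, PIVOT)
    print("stored :", blob)                       # no dotted quad in here
    print("regex  :", IPV4.search(blob))          # None
    print("decoded:", deobfuscate(blob, XOR_KEY, SEED, PIVOT))
```

Because the stored blob consists only of Base64 alphabet characters, an IPv4 regex can never match it; the same holds when the value is XOR-encrypted bytes. When the C2 is instead supplied on the command line by the runner script, as the report notes, the parameter to capture is the script's argument list rather than anything inside the binary.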

InvisibleFerret itself also incorporates advanced obfuscation. Even though it is compiled, remnants of the original Python logic remain embedded within the binaries in compressed form.

Analysts can recover these payloads by extracting and decompressing Zlib-compressed data segments, revealing that the malware still relies on layered Base64 decoding and XOR routines similar to earlier versions.

PyMemoryView_FromMemory() Function and Zlib_Compressed_Data (Source : Trend Micro).

The malware’s modular design includes components for backdoor access, browser data theft, and trojanized cryptocurrency wallet extensions.

Notably, newer variants expand their targeting beyond MetaMask to include Coinbase Wallet and Phantom. On macOS systems, the malware may downgrade Chrome to bypass modern extension security restrictions, enabling malicious extensions to function.

Security researchers note that the shift to Cython-based binaries does not eliminate all forensic traces. Artifacts such as module initialization functions, embedded file paths, and references to source files remain visible within the binaries. However, these require more advanced analysis compared to traditional script-based investigations.
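The artifacts listed above (module initialization symbols, source-file references, the PyMemoryView_FromMemory reference and Zlib-compressed segments) can be pulled from a compiled extension module with a short triage script. The block below is an added example, not Trend Micro's tooling; it runs over a constructed byte blob that stands in for a .pyd/.so, because no real sample is on this page. The zlib carving works by attempting inflation at every plausible two-byte zlib header and keeping only streams that decompress to a clean end of stream, which is the check that separates real embedded payloads from coincidental 0x78 bytes.

```python
"""Triage of a Cython-built extension module: recover init symbols, source
references and embedded zlib payloads.  Example code; sample blob is constructed."""
import re
import zlib

# Constructed stand-in for a compiled module (not a real ELF/PE, not a real sample).
SAMPLE_MODULE = (
    b"\x7fELF" + bytes(range(64))                      # filler
    + b"\x00PyInit_ferret\x00"                          # module init symbol
    + b"\x00/home/build/src/ferret.pyx\x00"             # embedded source path
    + b"\x00PyMemoryView_FromMemory\x00Cython\x00"      # API + banner references
    + zlib.compress(b"import base64\nimport zlib\n# constructed stand-in for the embedded stage\n")
    + bytes(32)
)

CYTHON_MARKERS = {
    "init_symbol": re.compile(rb"PyInit_[A-Za-z0-9_]+"),
    "source_ref": re.compile(rb"[A-Za-z0-9_./\\:-]+\.pyx?\b"),
    "memoryview": re.compile(rb"PyMemoryView_FromMemory"),
    "cython_banner": re.compile(rb"Cython"),
}
# zlib stream headers: 0x78 followed by 0x01/0x5e/0x9c/0xda (levels 1/2-5/6/7-9)
ZLIB_HEADER = re.compile(rb"\x78[\x01\x5e\x9c\xda]")


def carve_zlib_streams(data, min_len=16):
    """Return [(offset, inflated_bytes)] for every complete zlib stream in data."""
    found = []
    for m in ZLIB_HEADER.finditer(data):
        d = zlib.decompressobj()
        try:
            out = d.decompress(data[m.start():])
        except zlib.error:
            continue                      # not a stream, just a 0x78 byte
        if d.eof and len(out) >= min_len: # reached end-of-stream and passed the adler32 check
            found.append((m.start(), out))
    return found


def triage_extension_module(data):
    report = {name: sorted({m.group().decode("latin-1") for m in rx.finditer(data)})
              for name, rx in CYTHON_MARKERS.items()}
    report["zlib_streams"] = carve_zlib_streams(data)
    return report


def looks_cython_built(report):
    """A PyInit_ export plus a .pyx reference or Cython banner is the usual signature."""
    return bool(report["init_symbol"]) and bool(report["source_ref"] or report["cython_banner"])


if __name__ == "__main__":
    rep = triage_extension_module(SAMPLE_MODULE)
    for key in ("init_symbol", "source_ref", "memoryview", "cython_banner"):
        print(f"{key:14}: {rep[key]}")
    for off, payload in rep["zlib_streams"]:
        print(f"zlib @ {off:#x}: {payload[:60]!r}")
    print("cython-built:", looks_cython_built(rep))
```

On a real module the inflated payload is the place to look for the layered Base64 and XOR routines the report describes; the carver stops at the end of each stream, so several embedded segments come back as separate entries with their file offsets, which is what you want to cite in an analysis write-up.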

This evolution highlights a critical gap in many security defenses. Organizations relying solely on script detection may fail to identify these threats. Experts recommend transitioning to binary-aware detection strategies that account for compiled extension modules, runtime execution scripts, and browser extension manipulation.

As Void Dokkaebi continues to refine its tooling, defenders should prioritize monitoring developer environments, restricting execution of untrusted code, and analyzing both binaries and scripts within the attack chain. The campaign underscores the growing sophistication of threat actors targeting the software supply chain and cryptocurrency ecosystems.
