Lazarus Group Embeds New BeaverTail Variant in Developer Tools – Hackread – Cybersecurity News, Data Breaches, AI, and More


On Thursday, December 18, 2025, cybersecurity firm Darktrace released new research regarding a dangerous new variant of BeaverTail malware, a JavaScript-based information stealer.

Linked to North Korea’s notorious Lazarus Group, the software is part of an increasingly aggressive campaign targeting the financial and cryptocurrency sectors. The research, which was shared with Hackread.com, is part of Darktrace’s latest report, The State of Cybersecurity.

According to researchers, the malware often spreads through fake job offers. Hackers pose as recruiters and lure developers or crypto traders into “technical interviews” that require downloading what appear to be conferencing tools such as MiroTalk or FreeConference. In reality, these downloads are traps designed to compromise the victim’s system.

A History of Evolution

It is worth noting that BeaverTail isn’t new; it has been active since 2022, but it has undergone a massive transformation. Hackread.com previously noted in October 2025 that BeaverTail was beginning to merge with another malware strain called OtterCookie.

This evolution has been steady. Darktrace researchers noted that while 2024 versions were mostly interested in browser profiles, by early 2025, the hackers added tools to steal anything copied to a user’s clipboard.

The most recent version, V5, is even more invasive, recording every keystroke and snapping a screenshot of the victim’s desktop every four seconds. “Once installed, BeaverTail exfiltrated browser credentials, credit card data, and cryptocurrency wallet keys,” the report reads.

Modern Tactics and Blockchain Tricks

Researchers noted that catching this latest version is harder than ever because the hackers are now hiding the malware inside VS Code extensions and npm packages (the standard building blocks used to create apps). It has become a “modular, cross-platform” threat, meaning it can jump between Windows, Mac, and Linux without missing a beat.

Further investigation revealed that this new version uses “over 128 layers” of concealment to hide its code. This deep protection is far beyond anything seen in earlier versions. The campaigns, which target everyone from marketing professionals to retail employees, are attributed to North Korean clusters like Famous Chollima, Gwisin Gang, and Tenacious Pungsan, all linked to the larger Lazarus Group.

Interestingly, these groups are now using EtherHiding, a technique that stores commands inside blockchain smart contracts. Because data written to a public blockchain cannot be edited or taken offline, this makes the attackers’ command infrastructure almost impossible to shut down. To stay safe, experts recommend verifying any job offer through a company’s official HR department before running any “technical assessments.”

Expert Comment

“Darktrace’s identification of a hyper-obfuscated BeaverTail variant marks a significant escalation in tradecraft, transforming a lightweight stealer into a signature-evasive framework shielded by over 128 layers of concealment,” said Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM).

“By weaponising the software supply chain through trojanized npm packages and VS Code extensions, Lazarus Group is exploiting developer trust while ensuring infrastructure resilience via ‘EtherHiding,’ storing command-and-control payloads on blockchain smart contracts to effectively immunise operations against takedowns,” explained Soroko.

“This technical maturation culminates in the strategic convergence of BeaverTail with the OtterCookie strain, yielding a unified, cross-platform instrument designed for persistent financial theft and surveillance across Windows, macOS, and Linux environments,” he warned.
