
North Korea-aligned threat actors, tracked as Void Dokkaebi or Famous Chollima, are evolving their tactics to compromise software developers.
As discovered by TrendAI Research, the group uses fake job interviews at artificial intelligence and cryptocurrency firms to trick developers into downloading malicious code repositories.
These repositories deliver a highly capable infection chain featuring the InvisibleFerret and BeaverTail malware families. To evade detection, the attackers are now compiling their Python-based InvisibleFerret payload into native binaries using Cython.
InvisibleFerret Uses Compiled Extensions
Cython translates Python code into C/C++ and compiles it into native binaries. Instead of deploying readable Python scripts, Void Dokkaebi now distributes InvisibleFerret as .pyd files on Windows and .so shared libraries on macOS.
This significant shift renders existing security rules designed to detect plain-text Python malware largely ineffective.
Because Cython-generated binaries are extension modules rather than standalone executables, they cannot run independently.
The infection chain relies on a companion Python execution script, typically named .mod, to load the payload. This modular approach allows the malware to hide its command-and-control (C&C) infrastructure.
The runtime script passes encoded IP addresses and port numbers to the binary as command-line arguments, making it difficult for defenders to extract the final C&C destination solely through static binary analysis.
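A triage script can still tell a Cython-built extension apart from an ordinary native module even when plain-text Python rules no longer fire. The following is an added example, not code from the Trend research or from the malware: it identifies the container format (PE for a Windows .pyd, Mach-O or ELF for a .so), lists the PyInit_ entry points every extension module must export, and looks for string artifacts that Cython-generated C code typically leaves in the binary. The marker list (`__pyx_`, `cython_runtime`, `Cython`) is a heuristic assumption, not a published signature, and the sample blobs are constructed, not real binaries.

```python
"""Triage heuristics for native Python extension modules (.pyd / .so).

Added example, not from the report or the malware.  The marker strings are
a heuristic assumption about what Cython-generated modules usually contain.
"""
from __future__ import annotations

import sys

# File-format magic bytes: PE (.pyd on Windows), ELF (.so on Linux),
# Mach-O and universal binaries (.so on macOS).
MAGIC = {
    b"MZ": "PE",
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
}

# Strings commonly present in Cython-generated modules (heuristic assumption).
CYTHON_MARKERS = [b"__pyx_", b"cython_runtime", b"Cython"]


def file_format(data: bytes) -> str:
    """Classify the blob by its leading magic bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def python_entry_points(data: bytes) -> list[str]:
    """Return every PyInit_<name> string found in the blob (ASCII only)."""
    names = set()
    start = 0
    while True:
        i = data.find(b"PyInit_", start)
        if i < 0:
            break
        j = i + len(b"PyInit_")
        # bytes.isalnum() is ASCII-only, which is what a C symbol needs.
        while j < len(data) and (data[j:j + 1].isalnum() or data[j:j + 1] == b"_"):
            j += 1
        names.add(data[i:j].decode("ascii"))
        start = j
    return sorted(names)


def cython_indicators(data: bytes) -> dict:
    """Summarise format, entry points and Cython markers for an analyst."""
    found = [m.decode() for m in CYTHON_MARKERS if m in data]
    entry_points = python_entry_points(data)
    return {
        "format": file_format(data),
        "entry_points": entry_points,
        "cython_markers": found,
        # Two independent markers plus a module entry point is a strong hint.
        "likely_cython": len(found) >= 2 and bool(entry_points),
    }


# Constructed samples (not real binaries): a fake Mach-O header followed by
# strings a Cython module would carry, and a fake ELF hand-written C module.
SAMPLE_CYTHON = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 28
    + b"PyInit_payload\x00__pyx_capi__\x00cython_runtime\x00Cython\x00"
)
SAMPLE_PLAIN_C = b"\x7fELF" + b"\x00" * 28 + b"PyInit_fastjson\x00parse\x00"


if __name__ == "__main__":
    # Usage: python triage.py suspicious_module.so
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_CYTHON
    print(cython_indicators(blob))
```

Because the loader script and the compiled module are distributed together, a hit here should prompt a look at the accompanying launcher and at any encoded values it passes on the command line, rather than treating the binary in isolation.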
Alongside InvisibleFerret, the threat actors deploy BeaverTail, a JavaScript-based initial access and data theft module.
BeaverTail has grown into a multistage threat with capabilities that mirror those of InvisibleFerret. It relies on multiple layers of complex obfuscation to hide its core functions:
- Shuffles massive arrays of Base64 fragments using immediately invoked function expressions
- Strips randomly inserted junk bytes from encoded strings to bypass simple Base64 detection
- Encrypts sensitive file paths and execution commands using a 4-byte XOR key
- Splits and swaps C&C IP addresses before decoding them
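Two of the layers in that list, junk characters inserted into Base64 strings and a repeating 4-byte XOR key, are generic enough to show how an analyst reverses them once the key has been pulled from the script. The following is an added example, not BeaverTail's code: the key, the path and the junk characters are constructed here to exercise the recovery steps, and the Base64-regex and b64decode() behaviour it relies on is standard Python.

```python
"""Analyst helpers for junk-padded Base64 and 4-byte XOR string hiding.

Added example, not from the malware: key, sample string and junk positions
are constructed for illustration.
"""
import base64
import binascii
import re

# Anything outside the Base64 alphabet is treated as junk ('=' is re-derived).
_NOT_B64 = re.compile(rb"[^A-Za-z0-9+/]")


def strip_junk_b64(blob: bytes) -> bytes:
    """Drop junk bytes, repair padding and decode.

    The junk breaks a naive base64.b64decode() and defeats regex rules that
    look for long unbroken Base64 runs; removing it restores a decodable string.
    """
    clean = _NOT_B64.sub(b"", blob)
    clean += b"=" * (-len(clean) % 4)
    return base64.b64decode(clean, validate=True)


def naive_base64_decodes(blob: bytes) -> bool:
    """True if a strict decoder accepts the string as-is (i.e. no junk)."""
    try:
        base64.b64decode(blob, validate=True)
        return True
    except binascii.Error:
        return False


def xor4(data: bytes, key: bytes) -> bytes:
    """Apply a repeating 4-byte XOR key; XOR is its own inverse."""
    if len(key) != 4:
        raise ValueError("expected a 4-byte key")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def recover_string(blob: bytes, key: bytes) -> str:
    """Junk-padded Base64 wrapping a 4-byte-XOR'd string -> plaintext."""
    return xor4(strip_junk_b64(blob), key).decode("utf-8")


# Constructed sample (not taken from any real sample): a wallet-looking
# path protected with both layers, with junk characters interleaved.
KEY = b"\x13\x37\xc0\xde"
PLAINTEXT = "/Users/dev/Library/Application Support/Example Wallet/keys.json"


def _build_sample() -> bytes:
    encoded = base64.b64encode(xor4(PLAINTEXT.encode(), KEY))
    junk = b"!#$"
    out = bytearray()
    for i, c in enumerate(encoded):
        # Insert one junk byte every seven characters.
        if i and i % 7 == 0:
            out.append(junk[i % 3])
        out.append(c)
    return bytes(out)


SAMPLE = _build_sample()

if __name__ == "__main__":
    print("strict decode works on sample:", naive_base64_decodes(SAMPLE))
    print("recovered:", recover_string(SAMPLE, KEY))
```

The practical detection lesson is that a rule keyed on clean Base64 runs or on a known Base64 prefix will miss these strings; matching on the decoder routine itself (the junk-stripping loop and the four-byte XOR) is more stable than matching on the encoded payload, which changes with every key and junk layout.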
The ultimate goal of this campaign is to steal cryptocurrency wallet credentials, signing keys, and access to a continuous integration pipeline.
The updated malware suite includes specialized modules designed to hijack browser extensions and drain developer assets.
According to Trend Micro research, Void Dokkaebi employs a clever workaround to bypass modern browser security features.
Google recently enforced Manifest V3 for Chrome extensions, which restricts the exact functionalities attackers need to tamper with crypto wallets.
To bypass this, a specific InvisibleFerret module downgrades Chrome on macOS to an older version that still supports Manifest V2. The threat actors also target the Brave browser due to its continued limited support for Manifest V2.
The post Hackers Deploy InvisibleFerret Malware As Compiled Python Extensions appeared first on Cyber Security News.
