The North Korea-linked threat actor known as Void Dokkaebi (also tracked as Famous Chollima) has quietly deployed a major evasion upgrade to its tactical arsenal. The group’s primary information-stealer, the InvisibleFerret malware, has been re-engineered into a compiled format specifically designed to slip past traditional endpoint detection and response (EDR) solutions.
By pivoting away from human-readable Python scripts to native extension binaries, the operators are targeting a common blind spot: detection logic that relies on static analysis of script text to flag malicious automation has nothing to match once the same logic ships as compiled code.
Key Details
According to a technical intelligence report published by Trend Micro, Void Dokkaebi is systematically targeting software developers, devops engineers, and cryptocurrency personnel. The group typically leverages highly targeted social engineering campaigns on platforms like LinkedIn, masquerading as technical recruiters from prominent cryptocurrency or artificial intelligence firms.
Targeted developers are lured into cloning and executing malicious code repositories under the guise of a technical interview or coding assessment. Once executed, the underlying codebase kicks off a highly sophisticated, multi-stage infection chain built to harvest cryptocurrency credentials, digital signing keys, and access tokens for continuous integration and continuous delivery (CI/CD) pipelines.
The newest variants identified by security analysts indicate that the core components of the InvisibleFerret malware framework are no longer being dropped onto target filesystems as raw Python (.py) files. Instead, the malware arrives as compiled, platform-specific binaries—utilizing .pyd files on Windows and .so shared libraries on macOS systems.
Technical Analysis
To achieve this, the developers of InvisibleFerret used Cython, a compiler that translates Python source into C/C++ code, which is then built into a native extension module for the target platform.
A .pyd file (a Windows DLL that exports a Python module initialiser) or a .so shared object has no entry point of its own and can only be imported by a Python interpreter. The malware therefore drops a small companion script named .mod that loads the compiled modules into the process and bootstraps execution.
Fake Repository Execution (Job Interview Phishing)
                      │
                      ▼
Drops Hidden Runtime Scripts (.mod, pad0, brw0)
                      │
                      ▼
Loads Cython-Compiled Binaries (.pyd / .so)
          ┌───────────┼───────────┬───────────┐
          ▼           ▼           ▼           ▼
       mod.pyd     pad.pyd     brw.pyd      mc.so
      (Loader)   (Backdoor)   (Browser) (macOS Wallet)
The modular toolkit is split into four primary functional components:
- mod module: formulates the initial outbound handshake to the command-and-control (C&C) infrastructure and orchestrates downstream module downloads.
- pad module: functions as an active backdoor, executing remote commands and collecting baseline system intelligence.
- brw module: extracts browser authentication stores, session cookies, and stored credit card numbers.
- mc module (macOS only): forces a downgrade of the local Google Chrome installation to get around newer extension restrictions, allowing trojanized cryptocurrency wallet extensions to be installed.
BeaverTail Extends Its Reach
Operating concurrently within this chain is the BeaverTail loader, which has evolved into a highly dangerous credential harvester. BeaverTail now deploys across four distinct variants (gjs, njs, zjs, and cjs), targeting private keys and seed phrases from browser extensions including MetaMask, Coinbase Wallet, and Phantom.
Trend Micro highlights that BeaverTail’s internal string obfuscation has been heavily upgraded. The routine shuffles large, fragmented Base64 arrays at runtime, strips randomized junk characters from strings to defeat signature scanning, and protects internal asset strings with XOR encryption under a static 4-byte key. Crucially, C&C IP addresses are split in half and the halves inverted before encoding, so a plain string or regex sweep of the sample never sees a complete address, which frustrates automated extraction in sandboxes.
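As an added illustration (not code from the Trend Micro report or from the malware), the following Python decoder walks back the layers just described in reverse: strip the junk characters, Base64-decode, XOR with a 4-byte key, undo the array shuffle, and rejoin the two IP halves. The key value, the junk character set, the interleaving pattern, the use of a separate index list to undo the shuffle, and the reading of "inverted" as "halves stored in reverse order" are all assumptions made for this example; the encoded sample below was constructed under those assumptions and is not taken from a real BeaverTail script.

```python
"""Added example: decoder for a BeaverTail-style layered string obfuscation.

Layers (modelled on the description above; the exact layout is an assumption):
  1. junk characters interleaved into Base64 text
  2. Base64
  3. repeating 4-byte XOR key
  4. the C&C IP split into two halves, stored second-half-first, with the
     fragment array shuffled and a separate index list restoring the order
"""
import base64
import re
import string

B64_ALPHABET = frozenset(string.ascii_letters + string.digits + "+/=")
XOR_KEY = bytes.fromhex("5a3c7e11")  # assumed 4-byte key for this example
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

# Constructed sample: fragments as they would sit in the script, in shuffled
# storage order, plus the index list that restores the encoded order.
SAMPLE_FRAGMENTS = ["b!glQ~JG#MS", "aw#pO!P2~sF#Rw=!="]
SAMPLE_ORDER = [1, 0]


def strip_junk(text: str) -> str:
    """Drop every character outside the Base64 alphabet (the injected junk)."""
    return "".join(c for c in text if c in B64_ALPHABET)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_fragment(fragment: str, key: bytes = XOR_KEY) -> str:
    """junk-strip -> Base64-decode -> XOR, returning the plaintext fragment."""
    raw = base64.b64decode(strip_junk(fragment), validate=True)
    return xor_bytes(raw, key).decode("ascii")


def unshuffle(fragments, order):
    """Apply the index list that puts the fragments back in encoded order."""
    return [fragments[i] for i in order]


def recover_ip(fragments, order, key: bytes = XOR_KEY) -> str:
    """Decode both halves and rejoin them; the IPv4 check picks the join order."""
    halves = [decode_fragment(f, key) for f in unshuffle(fragments, order)]
    if len(halves) != 2:
        raise ValueError("expected exactly two IP fragments")
    # Stored second-half-first, so the normal case is halves[1] + halves[0];
    # try both orders and accept only a syntactically valid IPv4 address.
    for candidate in (halves[1] + halves[0], halves[0] + halves[1]):
        if IPV4_RE.fullmatch(candidate):
            return candidate
    raise ValueError(f"no valid IPv4 in fragments: {halves!r}")


def obfuscate_ip(ip: str, key: bytes = XOR_KEY, junk: str = "!#~"):
    """Inverse transform, used only to build test data with the assumed layout.

    Returns (fragments, order): fragments are stored first-half-first and the
    order list [1, 0] tells the decoder to read the second half first.
    """
    mid = len(ip) // 2
    fragments = []
    for half in (ip[:mid], ip[mid:]):
        b64 = base64.b64encode(xor_bytes(half.encode("ascii"), key)).decode()
        out = []
        for i, c in enumerate(b64):
            out.append(c)
            if i % 2 == 1:  # deterministic junk after every second character
                out.append(junk[i % len(junk)])
        fragments.append("".join(out))
    return fragments, [1, 0]


if __name__ == "__main__":
    print(recover_ip(SAMPLE_FRAGMENTS, SAMPLE_ORDER))  # 45.59.160.199
```

The IPv4 validation is what makes the half-swap cheap to undo: of the two possible joins only one is a well-formed address, so the decoder does not need to know in advance which half was stored first. Against a real sample the key, the junk alphabet and the array layout must first be recovered from the JavaScript; the helpers above are the part that stays the same.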
Impact and Risks
The pivot toward compiled Cython modules creates an immediate detection gap for security operations teams. Signature scanners and file integrity tools that look for Python syntax and known script patterns find no script text to match inside the compiled module; the same logic is still there, but only as native code.
Furthermore, while the hardcoded network infrastructure (such as the C&C hub at 45.59.160.199) can be found via deeper binary analysis or XOR decoding, the runtime scripts can seamlessly override these configurations by passing dynamic, secondary IP addresses as inline execution arguments. This gives the adversary fluid network agility during an active breach.
Expert Recommendations
Defenders must shift their inspection focus from pure script-level monitoring toward binary-aware analysis and runtime behavioral defense.
- Monitor Local Development Artifacts: Implement file-system alerting for unexpected .pyd or .so binary drops inside hidden directories, particularly within local workspace metadata paths such as .vscode\.
- Enforce Binary Execution Guardrails: Restrict unauthorized Python runtimes from pulling and loading arbitrary external modules or extensions outside verified enterprise package registries.
- Track Application Tampering: Configure endpoint detection systems to immediately flag application degradation patterns, such as unexpected version downgrades of Google Chrome on macOS endpoints.
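The following Python scan is an added example of the first recommendation (not tooling from the report or from Trend Micro): it walks a workspace, flags .pyd and .so files that sit under a hidden directory such as .vscode, confirms from the leading bytes whether each one is really a PE, ELF or Mach-O image, and looks for two byte strings that Cython-generated modules commonly leave behind. The sample tree it builds in a temporary directory is constructed for the demo, and the marker strings are a heuristic assumption rather than a signature.

```python
"""Added example: hunt for native Python extension modules dropped into hidden
workspace directories (the .pyd/.so-in-.vscode pattern recommended above).

The sample tree is constructed in a temporary directory for the demo; the
Cython marker strings are a heuristic assumption, not a signature.
"""
import tempfile
from pathlib import Path

EXTENSION_SUFFIXES = {".pyd", ".so"}

# Leading bytes of the native image formats a .pyd/.so should really contain.
NATIVE_MAGIC = (
    (b"MZ", "PE"),
    (b"\x7fELF", "ELF"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit"),
    (b"\xca\xfe\xba\xbe", "Mach-O fat"),
)

# Byte strings commonly present in Cython-generated modules (heuristic).
CYTHON_MARKERS = (b"cython_runtime", b"__pyx_")


def native_format(data: bytes):
    """Return the image format name for the file header, or None."""
    for magic, name in NATIVE_MAGIC:
        if data.startswith(magic):
            return name
    return None


def in_hidden_dir(rel: Path) -> bool:
    """True when any directory component of the relative path is dot-prefixed."""
    return any(part.startswith(".") for part in rel.parts[:-1])


def scan_tree(root) -> list:
    """Flag .pyd/.so files under hidden directories and describe what they are."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXTENSION_SUFFIXES:
            continue
        rel = path.relative_to(root)
        if not in_hidden_dir(rel):
            continue  # extensions in site-packages, venvs etc. are expected
        data = path.read_bytes()
        findings.append({
            "path": rel.as_posix(),
            "format": native_format(data) or "not a native image",
            "cython_marker": any(m in data for m in CYTHON_MARKERS),
        })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(base) -> None:
    """Constructed fixture: two fake compiled modules in .vscode, one file with
    a .so name but text content in another hidden directory, and a
    legitimate-looking .so outside any hidden directory."""
    files = {
        ".vscode/mod.pyd": b"MZ\x90\x00" + b"\x00" * 60 + b"__pyx_module_is_main",
        ".vscode/mc.so": b"\xcf\xfa\xed\xfe" + b"\x00" * 60 + b"cython_runtime",
        ".hidden/notes.so": b"just text, not a shared object",
        "lib/legit.so": b"\x7fELF" + b"\x00" * 60,
        "src/main.py": b"print('hello')\n",
    }
    for rel, content in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def run_demo() -> list:
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Reporting the real image format matters for triage: a .pyd that is actually a PE image under a workspace metadata folder is the pattern described in this report, while a .so that is not a native image at all is a different oddity worth a look. In production this logic belongs in the EDR's file-creation telemetry rather than in a periodic walk, but the classification is the same.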
Industry Context
The modernization of the InvisibleFerret ecosystem reflects a broader pattern observed among North Korean state-sponsored threat groups. Threat actors are highly aware that security software has grown adept at identifying raw script-based attacks.
By incorporating compilation utilities like Cython, state-backed groups can turn quickly written scripting tools into native binaries that look like ordinary compiled extension modules, extending how long the tooling survives inside a target environment.
Conclusion
The evolution of InvisibleFerret into compiled binary modules marks an aggressive escalation in Void Dokkaebi’s corporate espionage tactics. By engineering their tools to slide under script detection layers, they present a prolonged risk to software supply chains and decentralized finance organizations. Neutralizing this threat requires a modern defensive approach that correlates initial social engineering delivery vectors with runtime behavioral anomalies rather than relying solely on static file signatures.
FAQ SECTION
Why did the InvisibleFerret malware switch to .pyd and .so extensions?
The switch allows the malware to bypass traditional security software that scans for readable text patterns in Python scripts. Compiling the code via Cython converts the scripts into binary files, hiding the malicious logic from basic file scanners.
Who is the primary target of this campaign?
The threat group Void Dokkaebi specifically targets individual software developers and engineers working within cryptocurrency, Web3, and artificial intelligence sectors, frequently using fraudulent job recruitment profiles as a delivery hook.
Does the malware run completely without python installed?
No. .pyd and .so files are compiled extension modules that still require a Python interpreter environment to run. The malware handles this by executing a small runtime script (such as .mod) that initializes and calls the compiled binaries.
What is the purpose of the Chrome downgrade tactic used by the malware?
On macOS systems, the malware’s mc module intentionally downgrades Google Chrome to an older version. This allows it to bypass newer extension manifest protections implemented by Google, making it easier to install trojanized crypto wallet extensions.
How can security analysts reverse-engineer these new variants?
Because Cython compilation preserves the program's control flow, and because Python-level identifiers and string constants are emitted into the generated C and usually survive in the binary, analysts familiar with the earlier Python versions of InvisibleFerret can recognise the same modules and apply standard binary analysis and XOR decoding routines to recover the underlying command-and-control logic.