InvisibleFerret Malware Evades Detection with .pyd
A North Korea-linked threat group has upgraded its InvisibleFerret malware, now deploying it as Python `.pyd` and `.so` files to evade script detection. InvisibleFerret, an information-stealing malware tied to the threat actor known as Void Dokkaebi (also tracked as Famous Chollima), has been repackaged into a format that slips past many traditional detection methods.
Instead of arriving as plain Python scripts, it now comes disguised as compiled binary files. Void Dokkaebi has long targeted software developers who hold cryptocurrency wallet credentials, signing keys, and access to build pipelines or production systems.
The group poses as recruiters from cryptocurrency or AI firms, convincing developers to clone and run code repositories as part of fake job interviews. Once executed, the malicious code begins a multi-stage infection designed to steal sensitive data and maintain persistent access.
Analysts at Trend Micro identified that InvisibleFerret has now been obfuscated using Cython, a tool that converts Python code into native binaries.
Trend Micro said in a report shared with Cyber Security News (CSN) that the malware is distributed as .pyd files on Windows and .so files on macOS, rather than readable Python scripts. This means existing detection rules for Python-based threats may no longer identify the malware.
The update preserves InvisibleFerret’s full range of capabilities. The malware can open backdoor access, steal browser credentials, monitor clipboard activity, log keystrokes, and target cryptocurrency wallets.
The companion loader known as BeaverTail has also evolved from a basic downloader into a broader threat with its own credential harvesting and wallet-targeting functions.
The campaign is especially relevant to software developers, crypto users, and organizations whose staff have access to signing keys or CI/CD pipelines. Security teams relying on script-based detections now have a gap in coverage.
The shift to compiled binaries represents a calculated attempt to stay ahead of defenders who haven’t updated their detection strategies.
InvisibleFerret Malware
The core change in this updated variant is the move from Python scripts to Cython-compiled binaries. On Windows, the malware arrives as .pyd files, Python extension modules in DLL format. On macOS, the format is .so, a shared library, and neither type runs independently without a Python interpreter.

To handle this, the infection chain writes a companion .mod script to disk and uses it to launch the compiled binary. Security tools scanning for Python script patterns will not flag anything in these binary files.
While IP addresses and port numbers can still be extracted through binary analysis, runtime scripts can override these values with different command-and-control destinations passed as arguments.
The malware has four core modules with distinct roles. The mod module handles the initial connection and downloads further payloads. The pad module provides backdoor access and gathers system information.
The brw module steals authentication data and credit card details from browsers, while the mc module for macOS installs trojanized wallet extensions and downgrades Chrome to bypass Google’s newer extension security framework.
BeaverTail Expands Its Role in the Infection Chain
Alongside InvisibleFerret’s repackaging, BeaverTail has grown into a more complex threat.
It now operates through four variants: gjs handles data theft and downloads further components, njs provides backdoor functions, zjs steals wallet seed phrases and private keys, and cjs installs trojanized extensions in Chrome and Brave Browser targeting MetaMask, Coinbase Wallet, and Phantom.

BeaverTail’s obfuscation has also become notably stronger. The updated code shuffles a large array of Base64 fragments at startup, strips junk characters from encoded strings to defeat simple detection, and uses XOR encryption with a 4-byte key for sensitive strings like file paths.
Command-and-control IP addresses are split into halves and swapped before Base64 encoding to further complicate analysis. Defenders are advised to move from script-only detection toward binary-aware approaches that account for extension modules, embedded artifacts, and runtime execution scripts.
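Added example (not code from the Trend Micro report or from BeaverTail itself): an analyst-side decoder for the three string-hiding steps just described. It assumes a concrete layout the article does not spell out: junk characters are anything outside the Base64 alphabet, the IP halves are split at `len // 2`, and paths are XOR'd with a repeating 4-byte key before Base64 encoding; the key and sample values are constructed.

```python
"""Reverse the BeaverTail string hiding described above (added example).
Assumed layout, not taken from the report: junk = any character outside
the Base64 alphabet; C2 IPs are split at len // 2 and the halves swapped
before Base64; file paths are XOR'd with a repeating 4-byte key, then Base64."""
import base64
import string

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")
XOR_KEY = b"\x13\x37\x5a\xa5"  # constructed 4-byte key for the test vectors

def strip_junk(encoded: str) -> str:
    """Drop the inserted junk characters, as the loader does before decoding."""
    return "".join(ch for ch in encoded if ch in B64_ALPHABET)

def swap_halves(value: str) -> str:
    """Obfuscation step: second half first, then first half (split at len // 2)."""
    mid = len(value) // 2
    return value[mid:] + value[:mid]

def unswap_halves(value: str) -> str:
    """Inverse of swap_halves; the leading part holds len - len // 2 characters."""
    cut = len(value) - len(value) // 2
    return value[cut:] + value[:cut]

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_c2(encoded: str) -> str:
    """Junk-stripped Base64 -> swapped IP -> original dotted quad."""
    return unswap_halves(base64.b64decode(strip_junk(encoded)).decode())

def decode_path(encoded: str, key: bytes = XOR_KEY) -> str:
    """Junk-stripped Base64 -> XOR ciphertext -> plaintext path."""
    return xor_bytes(base64.b64decode(strip_junk(encoded)), key).decode()

def make_sample_c2(ip: str) -> str:
    """Constructed test vector: swap, Base64, then insert '#' every 4 chars."""
    enc = base64.b64encode(swap_halves(ip).encode()).decode()
    return "#".join(enc[i:i + 4] for i in range(0, len(enc), 4))

def make_sample_path(path: str, key: bytes = XOR_KEY) -> str:
    """Constructed test vector: XOR, Base64, then insert '@' every 3 chars."""
    enc = base64.b64encode(xor_bytes(path.encode(), key)).decode()
    return "@".join(enc[i:i + 3] for i in range(0, len(enc), 3))
```

If a real sample splits the IP at a different offset or inserts junk from a fixed character set, only `unswap_halves` and `strip_junk` need adjusting; the XOR and Base64 layers are unaffected.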
Teams should watch for Chrome version downgrades on macOS, trojanized wallet extensions, and unusual Python activity in .vscode directory paths. Analysts familiar with earlier InvisibleFerret versions can apply the same deobfuscation methods, since the core logic inside the compiled binaries remains unchanged.
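Added example (not from the report or any vendor tool): a small hunt that walks a directory tree for the drop layout this article describes, Cython modules named `mod`/`pad`/`brw`/`mc` with `.pyd`/`.so` extensions plus the `.mod` and `pad0`/`brw0`/`mc0` runtime scripts inside a `.vscode` directory, and confirms that a hit is compiled code by its PE/ELF/Mach-O header rather than a text script. The file names come from the IoC table above; the scan logic and the sample tree it builds are constructed.

```python
"""Hunt for the InvisibleFerret drop layout (added example): Cython modules plus
runtime scripts under .vscode. File names from the IoC table; logic and tree constructed."""
import os
import tempfile

MODULE_STEMS = {"mod", "pad", "brw", "mc"}
NATIVE_EXT = {".pyd", ".so"}
RUNTIME_SCRIPTS = {".mod", "pad0", "brw0", "mc0"}
# Magic bytes of PE, ELF and Mach-O (32/64-bit, both byte orders, fat) images.
NATIVE_MAGIC = (b"MZ", b"\x7fELF", b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")

def looks_native(path: str) -> bool:
    """True when the file carries a PE/ELF/Mach-O header, i.e. is compiled code."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    return any(head.startswith(magic) for magic in NATIVE_MAGIC)

def scan_vscode_dirs(root: str) -> list:
    """One finding per suspicious file under any .vscode directory below root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != ".vscode":
            continue
        for name in files:
            full = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            if stem in MODULE_STEMS and ext in NATIVE_EXT:
                findings.append({"name": name, "path": full, "kind": "cython_module",
                                 "native": looks_native(full)})
            elif name in RUNTIME_SCRIPTS:
                findings.append({"name": name, "path": full, "kind": "runtime_script"})
    return findings

def build_sample_tree() -> str:
    """Constructed stand-in tree; the files hold stubs, no real code."""
    root = tempfile.mkdtemp(prefix="iferret_hunt_")
    vs = os.path.join(root, "project", ".vscode")
    os.makedirs(vs)
    stubs = {
        "mod.pyd": b"MZ" + b"\0" * 62,          # PE header stub -> flagged, native
        ".mod": b"import mod\n",                 # loader script -> flagged
        "pad0": b"# runtime script stand-in\n",  # runtime script -> flagged
        "settings.json": b"{}\n",                # benign editor file -> ignored
    }
    for name, body in stubs.items():
        with open(os.path.join(vs, name), "wb") as fh:
            fh.write(body)
    return root
```

Point `scan_vscode_dirs` at developer home directories or cloned-repository roots; a `cython_module` hit whose `native` flag is False is worth a second look too, since a plain-text file under that name is not what the report describes.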
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| File Name | mod.pyd | Cython-compiled InvisibleFerret module for Windows (main) |
| File Name | mod.so | Cython-compiled InvisibleFerret module for macOS (main) |
| File Name | pad.pyd | InvisibleFerret backdoor/payload module for Windows |
| File Name | pad.so | InvisibleFerret backdoor/payload module for macOS |
| File Name | brw.pyd | InvisibleFerret browser-stealing module for Windows |
| File Name | brw.so | InvisibleFerret browser-stealing module for macOS |
| File Name | mc.so | InvisibleFerret wallet trojanization module for macOS |
| File Name | .mod | Python execution script that loads and runs the Cython binaries |
| File Name | pad0 | Runtime execution script for pad module |
| File Name | brw0 | Runtime execution script for brw module |
| File Name | mc0 | Runtime execution script for mc module |
| File Path | .vscode\mod.pyd / .vscode/mod.so | Known drop path for InvisibleFerret main module |
| File Path | .vscode\pad.pyd / .vscode/pad.so | Known drop path for InvisibleFerret pad module |
| File Path | .vscode\brw.pyd / .vscode/brw.so | Known drop path for InvisibleFerret brw module |
| File Path | .vscode/mc.so | Known drop path for InvisibleFerret mc module |
| IP Address | 45[.]59[.]160[.]199 | C&C server IP address extracted from Cython binary via XOR decoding |
| URL | hxxp://ip-api[.]com/json | External geolocation lookup abused by BeaverTail (njs) and pad modules |
| URL Pattern | /clw/{sType} | Windows C&C download path for Cython-compiled InvisibleFerret |
| URL Pattern | /clw1/{sType} | macOS C&C download path for Cython-compiled InvisibleFerret |
| Build Path | /Users/administrator/Pictures/Work/py_module_work/ | macOS build environment path embedded in .so binaries |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.