BeaverTail
BeaverTail is a JavaScript infostealer and downloader malware associated with DPRK-linked activity, especially the Contagious Interview / DeceptiveDevelopment / Famous Chollima cluster, with reporting also linking related operations to Lazarus-aligned tradecraft. It has been used to target software developers, particularly those involved in cryptocurrency and Web3 projects, through fake job interviews, trojanized coding challenges, malicious npm packages, compromised repositories, phishing lures, malicious JavaScript projects, Git hooks, VS Code task abuse, and trojanized conferencing or chat applications such as MicroTalk, FreeConference, and FCCCall-related delivery chains. Samples have been disguised as files such as tailwind.config.js and embedded in otherwise legitimate-looking source code or package branches.
Its primary role is theft of already stored data on the victim system plus follow-on payload delivery. Reported collection includes saved browser logins and browser credentials, browser secrets, cryptocurrency wallet data, Solana keys from .config/solana/id.json, macOS login keychain data from /Library/Keychains/login.keychain, Linux keyring data from /.local/share/keyrings, keychains, private keys, seed phrases, and other wallet-related artifacts. Some reporting also states BeaverTail variants harvested clipboard content, keystrokes, and screenshots. BeaverTail stages collected data in the system temporary directory and exfiltrates it to command-and-control servers; one observed infrastructure pattern used an FTP exfiltration sink on 195.201.104.53, where victim folders contained browser-stored credentials, session cookies, saved form data, and adjacent secrets.
BeaverTail also functions as a downloader and staging component for additional malware. Multiple reports state it commonly downloads or deploys InvisibleFerret, a cross-platform Python backdoor/persistence implant. Other reporting links BeaverTail delivery chains to Tropidoor and places it alongside OtterCookie as part of broader DPRK developer-targeting operations. In newer campaigns, BeaverTail has been delivered through increasingly obfuscated loaders, including blockchain dead-drop retrieval and in-memory reconstruction. Related reporting describes Base64 fragmentation, lookup by hexadecimal keys, prepended junk bytes, and XOR protection of sensitive strings and paths. Updated variants were also reported to support installation of trojanized browser extensions targeting MetaMask, Coinbase Wallet, and Phantom, including downgrade routines to bypass Chrome Manifest V3 migration.
High-confidence infrastructure and campaign links in the provided content include the marker global['!']='9-0264-2', which researchers tied to Famous Chollima operations and malware families including DEV#POPPER RAT, OmniStealer, and BeaverTail; malicious Packagist branch dev-drewroberts/feature/test-case of roberts/leads with tailwind.js SHA-256 96afdba882046385242cbed46871e41147c8055c5d9eff7460847b2c01a77dc3 and archive SHA-256 522b28a2f78771715497ba53729d4ab9a50e982322c391379f3bddf7c8cb363f; TRON dead-drop wallets TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP and TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG used in one loader chain; and Git-hook delivery infrastructure at precommit[.]vercel[.]app with endpoints including /percival[.]macflag, /minimal[.]macflag, and /winds[.]cmd. Additional reporting cited BeaverTail-related C2 or download infrastructure including 103.35.190.170/Proxy.php, 86.104.72.247/Proxy.php, 45.8.146.93/proxy/Proxy.php, and IPs 135.181.242.24 and 191.96.31.38 in a chain where BeaverTail executed car.dll / img_layer_generate.dll and led to Tropidoor.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
8 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The campaign marker global['!']='9-0264-2' embedded in the code is a known identifier tied to prior Famous Chollima operations, linking this directly to malware families including DEV#POPPER RAT, OmniStealer, and BeaverTail payloads.
DeceptiveDevelopment's usual payloads include BeaverTail and InvisibleFerret, both of which are fairly simple but obfuscated scripts. BeaverTail is an infostealer and downloader that collects data from cryptocurrency wallets, keychains, and saved browser logins.
Once run locally on the machine, the package referenced in the supposed project acts as a stealer (i.e., BeaverTail) to harvest browser credentials, cryptocurrency wallet data, macOS Keychain, keystrokes, clipboard content, and screenshots. The malware is designed to download additional payloads, including a cross-platform Python backdoor codenamed InvisibleFerret.
The campaign targeted Web3 and decentralised finance (DeFi) developers globally via AI-generated fake job offers delivered through LinkedIn, using three interoperating malware families BeaverTail, OtterCookie, and InvisibleFerret in a phased infection chain that begins with a malicious coding assessment and culminates in full credential exfiltration and wallet drainage.
The campaign targeted Web3 and decentralised finance (DeFi) developers globally via AI-generated fake job offers delivered through LinkedIn, using three interoperating malware families BeaverTail, OtterCookie, and InvisibleFerret in a phased infection chain that begins with a malicious coding assessment and culminates in full credential exfiltration and wallet drainage.
The code in index.js implements the Node.js fetch API to send an HTTP request to that URL and retrieve BeaverTail malware.
"Tech Note - BeaverTail variant distributed via malicious repositories and ClickFix lure... DPRK’s BeaverTail malware"
"Beavertail Malware Returns: North Korean Hackers Use NPM Packages to Steal Crypto & Secrets"
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniquesClickFix, which tricks users into following bogus prompts such as fake CAPTCHAs, and then infects victims' computers with trojanized codebases during the fake interview process.
A well-known North Korean threat actor has been caught hiding malware inside a legitimate PHP package available through Packagist... The package itself belongs to a legitimate maintainer named Drew Roberts, suggesting either a branch-level compromise or a poisoned workflow injection rather than a wholly fabricated fake package.
On November 29, 2024, a case was disclosed in which threat actors impersonated a recruitment email from a developer community called Dev.to to distribute malware. In this case, the attacker provided a BitBucket link containing a project... BeaverTail is known to be distributed primarily in phishing attacks disguised as job offers, such as the ones targeting LinkedIn users.
Execution
5 techniquesIt can also quietly launch a second hidden process in the background using child_process.spawn() with the windowsHide flag set to true, keeping everything out of sight on Windows systems.
Once that obfuscated code runs, it quietly transforms into a full JavaScript malware loader operating inside Node.js... then runs the result directly inside Node.js using eval().
The malware sits quietly inside what looks like a standard Tailwind CSS configuration file... Once that obfuscated code runs, it quietly transforms into a full JavaScript malware loader operating inside Node.js.
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
They then tricked victims into cloning compromised repositories locally. As a result, the engineering workstations ran the malicious components seamlessly.
Persistence
1 techniquethe specialized mc.so module installs trojanized browser extensions directly into Chrome and Brave. To achieve this goal, the malware explicitly targets extensions like MetaMask, Coinbase Wallet, and Phantom.
Stealth
6 techniquesThe harmful code is tucked away far to the right of the screen, hidden behind a large block of blank space that keeps it invisible during casual code review.
This component shuffles an extensive array of Base64 fragments during system initialization. Next, a specialized lookup function extracts these pieces using unique hexadecimal keys.
The project contained BeaverTail, a malware disguised as “tailwind.config.js,” and a downloader malware called “car.dll”.
Several entries explicitly state files were deleted after exfiltration or upload, such as 'AppleSeed can delete files from a compromised host after they are exfiltrated,' 'Attor’s plugin deletes the collected files and log files after exfiltration,' and 'Ursnif has deleted data staged in tmp files after exfiltration.' | The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
The malware sits quietly inside what looks like a standard Tailwind CSS configuration file... Once that obfuscated code runs, it quietly transforms into a full JavaScript malware loader operating inside Node.js.
The loader uses hardcoded XOR keys to decrypt the material it retrieves and then runs the result directly inside Node.js using eval().
Credential Access
2 techniquesThe updated BeaverTail variants now harvest critical credentials, private master keys, and seed phrases.
the delivered malware can read environment variables holding cloud credentials and CI secrets, grab local files such as .env files and SSH keys, access stored tokens
Discovery
1 techniqueThe content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Collection
2 techniquesthe delivered malware can read environment variables holding cloud credentials and CI secrets, grab local files such as .env files and SSH keys
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
Command and Control
3 techniquesThe content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
This dead-drop method means there is no traditional command-and-control domain to block... it contacts public blockchain services, specifically TRON, Aptos, and BNB Smart Chain, to pull down encrypted payload data stored inside blockchain transaction records.
Instead, it contacts public blockchain services, specifically TRON, Aptos, and BNB Smart Chain, to pull down encrypted payload data stored inside blockchain transaction records.
Exfiltration
1 techniqueADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
240 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
146 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware payload family associated with Famous Chollima; in this campaign, the malicious code acts as a JavaScript/Node.js loader that retrieves encrypted payloads from blockchain transaction data.
A multi-stage payload delivery and data-harvesting component that obfuscates strings with Base64 fragments, junk bytes, and XOR encryption, and is used to steal credentials, private keys, and seed phrases while supporting browser extension tampering.
Post lazarusholic lazarusholic.bsky.social did:plc:iqisolaecmif2zmpfbmsq2te "Hunting Lazarus Part IX: The Google Mirror" published by RedAsgard. #BeaverTail, #OtterCookie, #DPRK, #CTI
Malware used earlier in the campaign to get code execution on the developer workstation and collect saved workstation data, files, credentials, and tokens.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.