MalwareUsed by 1 actor

InvisibleFerrett

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Contagious Interview

The repository it links to has long been taken down, but it would have triggered a multi-stage infection chain leading to infostealing malware like OtterCookie or InvisibleFerrett.

via kmseckmsec.uk

MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques

T1189Drive-by CompromiseEvidence1

The repository it links to has long been taken down, but it would have triggered a multi-stage infection chain leading to infostealing malware like OtterCookie or InvisibleFerrett.

T1566.003Spearphishing via ServiceEvidence1

FAMOUS CHOLLIMA uses Google Docs to advertise fake jobs to steal data from developers... There are multiple tabs but they all lead to the same link: A Google Doc titled "Test Requirement", which details a coding test an interviewee must complete.

Execution

1 technique

T1204.001Malicious LinkEvidence1

The repository it links to has long been taken down, but it would have triggered a multi-stage infection chain leading to infostealing malware like OtterCookie or InvisibleFerrett.

INDICATORS OF COMPROMISE

IOCs tracked for this family

8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Other

8 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting

uri●●●●●●●●●●●●View more in app12 days ago

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

kmsecNews

Jun 10, 2026

Hunting North Korea's job adverts on Google Docs | kmsec.uk

Infostealing malware used in FAMOUS CHOLLIMA's Contagious Interview campaign to steal data and drain cryptocurrency wallets from targeted developers.

kmsecNews

Mar 17, 2026

Contagious Trader campaign - Coordinated weaponisation of cryptocurrency trading bots by suspected DPRK malware operators | kmsec.uk

Named as a payload in the Contagious Interview infection chain.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching8

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping3

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.