InvisibleFerret

InvisibleFerret is a modular Python malware used for data exfiltration and remote access.[1][2][3] InvisibleFerret consists of four modules: main, payload, browser, and AnyDesk.[1] InvisibleFerret has been used by North Korea-affiliated threat actors tracked as DeceptiveDevelopment or Contagious Interview since 2023.[4][2][3][5] InvisibleFerret has historically been delivered to the victim environment by the BeaverTail malware.[6][1][2][3][5]

ID: S1245
Type: MALWARE
Platforms: Linux, macOS, Windows
Version: 1.0
Created: 17 October 2025
Last Modified: 24 October 2025

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

InvisibleFerret has queried the victim device using Python scripts to obtain the User and Hostname.[4][3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

InvisibleFerret has used HTTP for C2 communications.[6][1][3]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

InvisibleFerret has used 7zip, RAR and zip files to archive collected data for exfiltration.[1][2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

InvisibleFerret has established persistence within Windows devices by creating a .bat file "queue.bat" within the Startup folder to run a Python script.[2]

.013 Boot or Logon Autostart Execution: XDG Autostart Entries

InvisibleFerret has established persistence within GNOME-based Linux environments by placing .desktop entries that run on startup.[2]

Enterprise T1115 Clipboard Data

InvisibleFerret has stolen data from the clipboard using the Python project "pyperclip".[6][1][3] InvisibleFerret has also captured clipboard contents during copy and paste operations.[2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

InvisibleFerret has utilized a PowerShell script created in the victim’s home directory named "conf.ps1" that is used to modify configuration files for AnyDesk remote services.[1]

.006 Command and Scripting Interpreter: Python

InvisibleFerret is written in Python and has used Python scripts for execution.[6][4][1][2][3]

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

InvisibleFerret has established persistence using LaunchAgents on macOS that run on Startup using a file named "com.avatar.update.wake.plist".[2]
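A host-side check for the three persistence artifacts this entry names (queue.bat in the Windows Startup folder, the com.avatar.update.wake.plist LaunchAgent, and XDG autostart .desktop entries that launch Python), added here as an illustration rather than ATT&CK's or any vendor's code; the per-platform directories in DEFAULT_ROOTS and the sample listing are assumptions, and the technique IDs in the reasons are the ones this entry lists.

```python
import os
import re

# Exec= line of a .desktop entry that launches a Python interpreter.
PYTHON_EXEC = re.compile(r"^Exec=.*\bpython[0-9.]*\b", re.I | re.M)

DEFAULT_ROOTS = [  # assumed per-platform autostart locations to read on a live host
    os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"),
    os.path.expanduser("~/Library/LaunchAgents"),
    os.path.expanduser("~/.config/autostart"),
]

def find_persistence_artifacts(listing):
    """Return (path, reason) for entries matching the artifacts in this entry."""
    hits = []
    for path, text in listing.items():
        parts = [p.lower() for p in path.replace("\\", "/").split("/") if p]
        name = parts[-1] if parts else ""
        if name == "queue.bat" and "startup" in parts:
            hits.append((path, "queue.bat in Startup folder (T1547.001)"))
        elif name == "com.avatar.update.wake.plist" and "launchagents" in parts:
            hits.append((path, "InvisibleFerret LaunchAgent label (T1543.001)"))
        elif name.endswith(".desktop") and "autostart" in parts \
                and PYTHON_EXEC.search(text):
            hits.append((path, "XDG autostart .desktop entry running Python (T1547.013)"))
    return hits

def collect_listing(roots=DEFAULT_ROOTS, max_bytes=4096):
    """Read the head of every file under roots into a {path: text} mapping."""
    listing = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "r", errors="replace") as fh:
                        listing[path] = fh.read(max_bytes)
                except OSError:
                    continue
    return listing

# Constructed listing standing in for a host scan (paths and contents are made up).
SAMPLE_LISTING = {
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\queue.bat":
        "@echo off\r\npython C:\\Users\\alice\\update.py\r\n",
    "/Users/alice/Library/LaunchAgents/com.avatar.update.wake.plist": "<plist></plist>",
    "/home/alice/.config/autostart/update.desktop":
        "[Desktop Entry]\nType=Application\nExec=/usr/bin/python3 /home/alice/update.py\n",
    "/home/alice/.config/autostart/nm-applet.desktop": "[Desktop Entry]\nExec=nm-applet\n",
}
```

On a live host, `find_persistence_artifacts(collect_listing())` scans the assumed directories; a benign .desktop entry such as the nm-applet one is not flagged because its Exec line does not start a Python interpreter.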

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

InvisibleFerret has stolen login data, autofill data, cryptocurrency wallets, and payment information saved in web browsers such as Chrome, Brave, Opera, Yandex and Edge, including the browser builds for Windows, Linux, and macOS.[6][1] InvisibleFerret has also used the command ssh_zcp to copy browser data, including extensions and cryptocurrency wallet data.[2]

.005 Credentials from Password Stores: Password Managers

InvisibleFerret has utilized the command ssh_zcp to exfiltrate data from browser extensions and password managers via Telegram and FTP.[1][2]

Enterprise T1005 Data from Local System

InvisibleFerret has collected data using a script that contained a list of excluded file and directory names, along with naming patterns of interest such as environment and configuration files, documents, spreadsheets, and other files whose names contained the words secret, wallet, private, and password.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

InvisibleFerret has staged data in consolidated folders prior to exfiltration.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

InvisibleFerret has decoded XOR-encrypted and Base64-encoded payloads prior to execution.[1]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

InvisibleFerret has used FTP to exfiltrate files and directories using the ssh_upload command, which has six subcommands (.sdira, sdir, sfile, sfinda, sfindr and sfind) with varying functions.[1][2] InvisibleFerret has exfiltrated stolen files and data to the C2 servers over ports 1224, 2245 and 8637.[6]

Enterprise T1041 Exfiltration Over C2 Channel

InvisibleFerret has used HTTP communications to the "/Uploads" URI for file exfiltration.[2]

Enterprise T1567 Exfiltration Over Web Service

InvisibleFerret has leveraged Telegram chat to upload stolen data using the Telegram API with a bot token.[1][2]

Enterprise T1083 File and Directory Discovery

InvisibleFerret has identified specific directories and files for exfiltration using the ssh_upload command, which has the subcommands .sdira, sdir, sfile, sfinda, sfindr and sfind.[1][2] InvisibleFerret can also scan for and upload files of interest across multiple operating systems using scripts that check file names and file extensions and avoid certain path names.[6][3] InvisibleFerret has used the findstr command on Windows or the find command on macOS to search for files of interest.[5]

Enterprise T1657 Financial Theft

InvisibleFerret has searched the victim device for credentials and files commonly associated with cryptocurrency wallets.[6][1][2][3]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

InvisibleFerret has executed Python instances of the browser module ".n2/bow" utilizing the CREATE_NO_WINDOW process creation flag.[1]

Enterprise T1105 Ingress Tool Transfer

InvisibleFerret has downloaded "AnyDesk.exe" into the user’s home directory from the C2 server when checks for the service fail to identify its presence in the victim environment.[1] InvisibleFerret has also been configured to download additional payloads using a command which calls to the /bow URI.[2][3]

Enterprise T1056 Input Capture

InvisibleFerret has collected mouse and keyboard events using "pyWinhook".[3]

.001 Keylogging

InvisibleFerret has conducted keylogging using the Python projects "pyWinHook" and "Pyhook".[6][1][3] InvisibleFerret's keylogging thread also checks for changes in the active window and for key presses.[2]

Enterprise T1095 Non-Application Layer Protocol

InvisibleFerret has established a connection with the C2 server over TCP traffic.[3] InvisibleFerret has also created a TCP reverse shell communicating via a socket connection over ports 1245, 80, 2245, 3001, and 5000.[1]

Enterprise T1571 Non-Standard Port

InvisibleFerret has been observed utilizing HTTP communications to the C2 server over ports 1224, 2245 and 8637.[6]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

InvisibleFerret has used XOR and Base64 encoding for each of its modules.[1] InvisibleFerret has also obfuscated files with a combination of zlib compression, Base64 encoding and reversed string order.[6] InvisibleFerret has also XOR- and Base64-encoded some of its Python scripts.[3]
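A small decoder for the keyless layers described above (zlib, Base64, and reversed string order), added here as an illustration and not taken from any vendor's tooling. Because the entry does not state the order in which those layers were applied, the function searches over layer orders and reports the sequence it removed; the sample blobs are constructed, and the XOR layer also mentioned is not handled because it needs the key recovered from the loader.

```python
import base64
import binascii
import re
import zlib

MAX_DEPTH = 8                      # bound on the number of layers to strip
PY_HINT = re.compile(r"\b(?:import|def|class|exec)\b")

def looks_like_python(data):
    """True if data is UTF-8 text that compiles and uses a typical keyword."""
    try:
        src = data.decode("utf-8")
        compile(src, "<blob>", "exec")
    except (UnicodeDecodeError, SyntaxError, ValueError):
        return False
    return PY_HINT.search(src) is not None

def _candidates(data):
    """Yield (layer, result) for each keyless transform that applies cleanly."""
    try:
        yield "zlib", zlib.decompress(data)
    except zlib.error:
        pass
    try:
        yield "base64", base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        pass
    yield "reverse", data[::-1]

def peel_layers(blob, depth=0, trail=()):
    """Depth-first search over layer orders; returns (source, trail) or None."""
    if looks_like_python(blob):
        return blob.decode("utf-8"), trail
    if depth >= MAX_DEPTH:
        return None
    for layer, out in _candidates(blob):
        if layer == "reverse" and trail[-1:] == ("reverse",):
            continue  # reversing twice is a no-op, so skip the ping-pong
        found = peel_layers(out, depth + 1, trail + (layer,))
        if found:
            return found
    return None

# Constructed sample: a harmless script wrapped in two different layer orders.
SAMPLE_SRC = b"import os\nprint(os.getcwd())\n"
BLOB_A = base64.b64encode(zlib.compress(SAMPLE_SRC))[::-1]
BLOB_B = zlib.compress(base64.b64encode(SAMPLE_SRC)[::-1])
```

`peel_layers(BLOB_A)` returns the script together with the trail `("reverse", "base64", "zlib")`, i.e. the layers in the order they were stripped, which is the reverse of the order the packer applied them.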

Enterprise T1057 Process Discovery

InvisibleFerret has the capability to query installed programs and running processes.[2] InvisibleFerret has also identified running processes using the Python project "psutil".[3]

Enterprise T1219 Remote Access Tools

InvisibleFerret has utilized remote access software including AnyDesk client through the "adc" module.[6][1][3] InvisibleFerret has also downloaded the AnyDesk client should it not already exist on the compromised host by searching for C:/Program Files(x86)/AnyDesk/AnyDesk.exe.[2]

Enterprise T1679 Selective Exclusion

InvisibleFerret can scan file names and file extensions while avoiding pre-designated path names and file types.[6][3]

Enterprise T1489 Service Stop

InvisibleFerret has terminated Chrome and Brave browsers using the taskkill command on Windows and the killall command on other systems such as Linux and macOS.[1] InvisibleFerret has also used its ssh_kill command to terminate Chrome and Brave browser processes.[3]

Enterprise T1518 Software Discovery

InvisibleFerret has gathered installed programs and running processes.[2]

Enterprise T1082 System Information Discovery

InvisibleFerret has collected OS type, hostname and system version through the "pay" module.[6][1] InvisibleFerret has also queried the victim device using Python scripts to obtain the User and Hostname.[4][3]

Enterprise T1614 System Location Discovery

InvisibleFerret has collected the internal IP address and IP geolocation information of the infected host and sent the data to a C2 server.[3] InvisibleFerret has also used the "pay" module to obtain the region name, country, city, zip code, ISP, latitude and longitude using "http://ip-api.com/json".[1]

Enterprise T1016 System Network Configuration Discovery

InvisibleFerret has collected the local IP address and the external IP address.[1][3]

Enterprise T1033 System Owner/User Discovery

InvisibleFerret has identified the user’s UUID and username through the "pay" module.[6][1][3]
