BeaverTail
BeaverTail is a malware that has both a JavaScript and C++ variant. Active since 2022, BeaverTail is capable of stealing logins from browsers and serves as a downloader for second stage payloads. BeaverTail has previously been leveraged by North Korea-affiliated actors identified as DeceptiveDevelopment or Contagious Interview. BeaverTail has been delivered to victims through code repository sites and has been embedded within malicious attachments.[1][2][3][4]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
BeaverTail has used HTTP GET request to download malicious payloads to include InvisibleFerret and HTTP POST to exfiltrate data to C2 infrastructure.[5][1] |
| Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
BeaverTail has collected and archived sensitive data in a zip file.[5] |
| Enterprise | T1217 | Browser Information Discovery |
BeaverTail has searched the victim device for browser extensions including those commonly associated with cryptocurrency wallets.[2][6][5][7][3][1][8] |
|
| Enterprise | T1059 | .007 | Command and Scripting Interpreter: JavaScript |
BeaverTail has executed malicious JavaScript code.[2][6][3][4][1] BeaverTail has also been compiled with the Qt framework to execute in both Windows and macOS.[8] |
| Enterprise | T1555 | Credentials from Password Stores |
BeaverTail has collected keys stored for Solana stored in |
|
| .001 | Keychain |
BeaverTail has collected keys associated with macOS within |
||
| .003 | Credentials from Web Browsers |
BeaverTail has stolen passwords saved in web browsers.[2][5][7][8] BeaverTail has also been known to collect login data from Firefox within key3.db, key4.db and logins.json from |
||
| Enterprise | T1005 | Data from Local System |
BeaverTail has exfiltrated data collected from local systems.[5][3][1][8] |
|
| Enterprise | T1001 | .001 | Data Obfuscation: Junk Data |
BeaverTail has added junk data or a dummy character prepended to a string to hamper decoding attempts.[3] |
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
BeaverTail has staged collected data to the system’s temporary directory.[5] |
| Enterprise | T1041 | Exfiltration Over C2 Channel |
BeaverTail has exfiltrated data collected from victim devices to C2 servers.[5][1][8] |
|
| Enterprise | T1083 | File and Directory Discovery |
BeaverTail has searched for .ldb and .log files stored in browser extension directories for collection and exfiltration.[5][7][3] |
|
| Enterprise | T1657 | Financial Theft |
BeaverTail has searched the victim device for browser extensions commonly associated with cryptocurrency wallets.[2][6][3][1][8] |
|
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
BeaverTail has deleted files from a compromised host after they were exfiltrated.[5] |
| Enterprise | T1105 | Ingress Tool Transfer |
BeaverTail has been used to download a malicious payload to include Python based malware InvisibleFerret.[2][5][7][3][1][8] |
|
| Enterprise | T1654 | Log Enumeration |
BeaverTail has identified .ldb and .log files stored in browser extension directories for collection and exfiltration.[3] |
|
| Enterprise | T1036 | Masquerading |
BeaverTail has masqueraded as MiroTalk installation packages: "MiroTalk.dmg" for macOS and "MiroTalk.msi" for Windows, and has included login GUIs with MiroTalk themes.[8] |
|
| Enterprise | T1571 | Non-Standard Port |
BeaverTail has communicated with C2 IP addresses over ports 1224 or 1244.[3][1][8] |
|
| Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File |
BeaverTail has obfuscated strings of code with Base64 encoding within the JavaScript version of the malware.[3][1][8] BeaverTail has also utilized the open-source tool JavaScript-Obfuscator to obfuscate strings and functions.[2][4] |
| Enterprise | T1195 | .001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools |
BeaverTail has been hosted on code repositories and disseminated to victims through NPM packages.[2][6][4][1][8] |
| Enterprise | T1082 | System Information Discovery |
BeaverTail has been known to collect basic system information.[2][1] BeaverTail has also collected data to include hostname and current timestamp prior to uploading data to the API endpoint |
|
| Enterprise | T1124 | System Time Discovery |
BeaverTail has obtained and sent the current timestamp associated with the victim device to C2.[3] |
|
| Enterprise | T1204 | .002 | User Execution: Malicious File |
BeaverTail has been executed through lures involving malicious JavaScript projects or trojanized remote conferencing software such as MicroTalk or FreeConference.[3][8] BeaverTail has also been executed through macOS and Windows installers disguised as chat applications.[2][4] |
Groups That Use This Software
References
- Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025.
- eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2. Retrieved October 17, 2025.
- Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.
- Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025.
- Kirill Boychenko. (2025, July 14). Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader. Retrieved October 19, 2025.
- Insikt Group. (2025, February 13). Inside the Scam: North Korea’s IT Worker Threat. Retrieved October 17, 2025.
- Kirill Boychenko. (2025, June 25). Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages. Retrieved October 19, 2025.
- Unit42. (2024, October 9). Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware. Retrieved October 17, 2025.