{
	"id": "e79d0517-2fba-4142-b9c2-5609e3039d58",
	"created_at": "2026-04-06T00:17:23.649787Z",
	"updated_at": "2026-04-10T03:28:28.707118Z",
	"deleted_at": null,
	"sha1_hash": "886fe6a305c8a548ca541725e0b85ec6b1c23ec5",
	"title": "Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3511708,
	"plain_text": "Contagious Interview: DPRK Threat Actors Lure Tech Industry\r\nJob Seekers to Install New Variants of BeaverTail and\r\nInvisibleFerret Malware\r\nBy Unit 42\r\nPublished: 2024-10-09 · Archived: 2026-04-05 13:53:06 UTC\r\nExecutive Summary\r\nUnit 42 has tracked activity from threat actors associated with the Democratic People’s Republic of Korea\r\n(DPRK), where they pose as recruiters to install malware on tech industry job seekers’ devices. We call this\r\nactivity the CL-STA-0240 Contagious Interview campaign, and we first published about it in November 2023.\r\nSince that publication, we’ve observed additional online activity from the fake recruiters, as well as code updates\r\nto two pieces of malware associated with the campaign: the BeaverTail downloader and the InvisibleFerret\r\nbackdoor.\r\nThe BeaverTail malware associated with this campaign has been compiled using the Qt framework as early as July\r\n2024. We have observed multiple samples of BeaverTail that are compiled for both macOS and Windows\r\nplatforms. 
In addition, we observed continuous code updates to the InvisibleFerret backdoor delivered by the\r\nBeaverTail downloader.\r\nIn this article, we will discuss the online activity of fake recruiters and technical details of the campaign, including\r\nthe following specifics:\r\nAnalyzing the macOS, Windows and Python malware\r\nProviding examples of Cortex XDR detecting and preventing this cross-platform threat\r\nPalo Alto Networks customers are better protected from the threats discussed in this article through our Network\r\nSecurity solutions, Prisma Cloud offerings and the Cortex line of products.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nSocial Engineering and Infection: Fake Recruiters and Job Interviews\r\nAs described in our previous article on Contagious Interview, the threat actor behind CL-STA-0240 contacts\r\nsoftware developers through job search platforms by posing as a prospective employer. The attackers invite the\r\nvictim to participate in an online interview, where the threat actor attempts to convince the victim to download and\r\ninstall malware. Recent reporting and social media activity like this thread on X (formerly Twitter) indicate this\r\nactivity continues.\r\nhttps://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/\r\nPage 1 of 13\n\nA June 2024 Medium article describes a relatively recent example. In this case, a fake recruiter account using the\r\nname Onder Kayabasi contacted the writer over LinkedIn.\r\nWhile this LinkedIn account is no longer available, a similar account for Onder Kayabasi remained active on X\r\n(formerly known as Twitter) as recently as August 2024. Figure 1 shows the X profile for this user.\r\nFigure 1. Profile of “Onder Kayabasi,” a fake recruiter on X. 
Source: X.\r\nAfter the attacker set up a technical interview online, the attacker convinced the potential victim to execute\r\nmalicious code. In this case, the potential victim purposefully ran the code in a virtual environment, which\r\neventually connected back to the attacker's command and control (C2) server 95.164.17[.]24:1224, as noted below\r\nin Figure 2.\r\nFigure 2. A LinkedIn post describing an attempted malware infection from CL-STA-0240. Source:\r\nLinkedIn.\r\nAnother social media post on Reddit noted the same type of activity and IP address, as shown below in Figure 3.\r\nThis is the same IP address and TCP port used by the new version of the BeaverTail malware that we analyze in\r\nthe next section.\r\nFigure 3. A Reddit post describing an attempted malware infection from CL-STA-0240.\r\nThis activity is consistent with our previous report on the CL-STA-0240 Contagious Interview campaign. And like\r\nprevious activity from this campaign, the initial malware is BeaverTail.\r\nAnalysis of BeaverTail's New Cross-Platform Version\r\nBeaverTail is a downloader and infostealer associated with the CL-STA-0240 campaign, which we first reported\r\non in 2023. In this campaign the attackers delivered BeaverTail via files masquerading as the following\r\napplications:\r\nMiroTalk, a real-time video call application\r\nFreeConference, a service that offers free conference calling\r\nThreat actors often abuse, take advantage of or subvert legitimate products for malicious purposes. 
This does not\r\nimply that the legitimate product is flawed or malicious.\r\nSimilar findings were also detailed in GROUP-IB’s recent research.\r\nIn recent months, the attackers created new versions of the BeaverTail malware. This time, instead of coding it in\r\nJavaScript like previous versions, they wrote the new version using the Qt framework.\r\nSince Qt enables developers to create cross-platform applications, the attackers could use the same source code to\r\ncompile applications for both Windows and macOS simultaneously. Figure 4 shows the installation process of\r\nBeaverTail in both Windows and macOS.\r\nFigure 4. Left: Fake MiroTalk BeaverTail installation in Windows. Right: Fake MiroTalk BeaverTail\r\ninstallation in macOS.\r\nWhen installing the macOS variant of BeaverTail in the form of a fake MiroTalk package, the victim must mount\r\nthe MiroTalk.dmg disk image and run the package within that image. For Windows, the respective installation\r\npackage file is named MiroTalk.msi.\r\nObjective-See published an article in July 2024 analyzing the macOS version of BeaverTail, describing its main\r\ncapabilities, such as data exfiltration and execution of additional payloads.\r\nAfter the malicious applications are successfully installed, when the victim opens the applications for the first\r\ntime, they see a GUI as shown in Figure 5.\r\nFigure 5. Left: BeaverTail opens a fake login window for FreeConference.com. Right: BeaverTail\r\nopens a fake login window for MiroTalk.\r\nMeanwhile, BeaverTail executes its malicious code in the background, collecting data and exfiltrating it from the\r\nvictim's host without any visible indicators.\r\nThis Qt-based version of BeaverTail has largely the same functionality as the JavaScript-based version we\r\nanalyzed in November 2023. 
Additional features in this new Qt version of BeaverTail include:\r\nStealing browser passwords in macOS\r\nStealing cryptocurrency wallets in both macOS and Windows (shown in Figure 6)\r\nThis last feature is consistent with the ongoing financial interests of North Korean threat actors.\r\nFigure 6. A snippet of BeaverTail Qt code stealing cryptocurrency wallets.\r\nAdditionally, this newer Qt version of BeaverTail targets 13 different cryptocurrency wallet browser extensions,\r\ncompared to only nine wallets previously targeted by the JavaScript variant. Of the current 13 extensions, the\r\nauthors added 5 for new wallets, and removed one. Table 1 lists the cryptocurrency wallet browser extensions IDs,\r\nnames and targeted browsers.\r\nBrowser Extension ID Browser Extension Name Targeted Browser\r\nnkbihfbeogaeaoehlefnkodbefgpgknn MetaMask Wallet Chrome\r\nejbalbakoplchlghecdalmeeeajnimhm MetaMask Wallet Microsoft Edge\r\nfhbohimaelbohpjbbldcngcnapndodjp BNB Chain Wallet (Binance) Chrome\r\nhnfanknocfeofbddgcijnmhnfnkdnaad Coinbase Wallet Chrome\r\nibnejdfjmmkpcnlpebklmnkoeoihofec TronLink Wallet Chrome\r\nbfnaelmomeimhlpmgjnjophhpkkoljpa Phantom Wallet Chrome\r\naeachknmefphepccionboohckonoeemg Coin98 Wallet Chrome\r\nhifafgmccdpekplomjjkcfgodnhcellj Crypto[.]com Wallet Chrome\r\njblndlipeogpafnldhgmapagcccfchpi Kaikas Wallet Chrome\r\nacmacodkjbdgmoleebolmdjonilkdbch Rabby Wallet Chrome\r\ndlcobpjiigpikoobohmabehhmhfoodbb Argent X - Starknet wallet Chrome\r\naholpfdialjgjfhomihkjbmgjidlcdno Exodus Web3 Wallet Chrome\r\nTable 1. Cryptocurrency wallet extension IDs, names and targeted browsers.\r\nAfter exfiltrating collected data to the C2, BeaverTail attempts to download the Python programming language to\r\nthe infected machine from the URL hxxp://\u003cc2_server\u003e:1224/pdown. 
Downloading Python is essential to\r\nsuccessfully executing the InvisibleFerret backdoor payload, which is written in Python. This enables\r\nInvisibleFerret to be cross platform as well.\r\nFigure 7 below shows the code responsible for downloading Python from BeaverTail’s C2 server.\r\nFigure 7. Snippet of BeaverTail Qt code downloading Python.\r\nNext, the malware will download the first stage of InvisibleFerret from the URL\r\nhxxp://\u003cc2_server\u003e:1224/client/\u003ccampaign_id\u003e, as shown in Figure 8.\r\nFigure 8. Snippet of BeaverTail Qt variant code downloading InvisibleFerret.\r\nThe Final Python Backdoor Payload: InvisibleFerret\r\nInvisibleFerret is a Python backdoor that we fully analyzed in our previous article on the Contagious Interview\r\ncampaign. InvisibleFerret has multiple components:\r\nAn initial downloader: Responsible for downloading the other two components listed below\r\nMain payload component - Its capabilities include:\r\nFingerprinting the infected endpoint\r\nRemote control of the infected endpoint\r\nKeylogging\r\nExfiltrating sensitive files\r\nDownloading the AnyDesk client on-demand for additional remote control capabilities\r\nBrowser stealer component: Enables the attackers to steal browser credentials and credit card information\r\nFigure 9 shows the execution flow of InvisibleFerret’s components as described in our previous analysis.\r\nFigure 9. InvisibleFerret components infographic. Source: Unit 42.\r\nBy examining the latest InvisibleFerret versions deployed in this campaign during the past year, we saw slight\r\ncode changes implemented over time. 
While its general functionality remains nearly identical, these changes\r\nsuggest that the malware authors are actively working on the malware’s code in between the waves of their\r\nattacks.\r\nIn this section we will examine the code changes between the InvisibleFerret backdoor deployed by the\r\nBeaverTail installer that masquerades as MiroTalk and the BeaverTail installer that masquerades as the\r\nFreeConference service application. Noticeable code modifications are shown in Table 2.\r\nCommand\r\nInvisibleFerret Installed by Fake\r\nMiroTalk Installer\r\nInvisibleFerret Installed by Fake FreeConference\r\nInstaller\r\nssh_cmd\r\nChecks if the argument value is equal\r\nto delete and if so, closes the session.\r\nTo notify the C2 server, it sends the\r\nmessage string [close].\r\nChecks the OS type. If the OS type is Windows, it\r\ntries to kill python.exe via the taskkill command.\r\nIf the OS type is not Windows, it tries to kill Python\r\nvia the killall command.\r\nssh_env\r\nCollects content from specific folders\r\n(Documents and Downloads for\r\nWindows, /home and /Volumes for\r\nothers), and uploads these files to the\r\nattacker’s FTP server.\r\nOn Windows:\r\nCollects .env files from all folders under the\r\nfollowing drives: C:\\, D:\\, E:\\, F:\\, G:\\ while\r\nignoring folders named node_modules. Other OSes:\r\nCollects .env files from all folders under the home\r\ndirectory (~) while ignoring folders named\r\nnode_modules.\r\nTable 2. InvisibleFerret code updates.\r\nFigure 10 shows a comparison of the ssh_cmd function code between the different versions of InvisibleFerret.\r\nFigure 10. ssh_cmd code comparison between the different versions of InvisibleFerret.\r\nAnother interesting change was implemented in one of the subcommands of ssh_upload named ss_ufind. 
This\r\nsubcommand enables the attackers to search for files matching a given pattern.\r\nIn the older InvisibleFerret version, the attackers first collected the names of all the files and only then did the\r\nPython code filter out names by pattern. In the newer version, InvisibleFerret uses the Windows findstr or macOS\r\nfind commands to search for the files by a specific pattern, thus making the code more efficient.\r\nConclusion\r\nIn this article, we present recent activity from the CL-STA-0240 Contagious Interview campaign.\r\nIn this campaign, the attackers targeted job-seeking individuals on LinkedIn, luring them to download and execute\r\nmalware that masquerades as a legitimate video call application. This campaign is a continuation of activity we\r\ninitially reported in November 2023.\r\nThe attackers behind this campaign introduced a new Qt version of the BeaverTail malware as early as July 2024.\r\nThe malware authors compiled BeaverTail variants for both Windows and macOS from the same source code\r\nusing the Qt programming language.\r\nNorth Korean threat actors are known to conduct financial crimes for funds to support the DPRK regime. This\r\ncampaign may be financially motivated, since the BeaverTail malware has the capability of stealing 13 different\r\ncryptocurrency wallets.\r\nThe infection chain culminates in deploying the InvisibleFerret Python backdoor, which enabled the attackers to\r\nmaintain control of the machine and exfiltrate sensitive data. We also detailed new features of the InvisibleFerret\r\nPython backdoor variant seen in this campaign.\r\nAnother important risk that this campaign poses is potential infiltration of the companies who employ the targeted\r\njob seekers. 
A successful infection on a company-owned endpoint could result in collection and exfiltration of\r\nsensitive information.\r\nIt is essential for individuals and organizations to be aware of such advanced social engineering campaigns. We\r\nencourage the community to leverage our findings to inform the deployment of protective measures to defend\r\nagainst such threats.\r\nProtections and Mitigations\r\nBeaverTail and InvisibleFerret are detected and prevented in Cortex XDR both on macOS and Windows\r\nplatforms. Figure 11 shows the execution, detection and prevention of the BeaverTail Windows variant and\r\nInvisibleFerret as seen in Cortex XDR.\r\nFigure 11. Cortex XDR alert for BeaverTail and InvisibleFerret execution in Windows.\r\nFigure 12 shows the execution, detection and prevention of the BeaverTail macOS version and InvisibleFerret as\r\nseen in Cortex XDR.\r\nFigure 12. 
Cortex XDR alert for BeaverTail and InvisibleFerret execution in macOS.\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\ngroup:\r\nThe Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated\r\nin light of the IoCs shared in this research.\r\nAdvanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with\r\nthis activity as malicious.\r\nThe Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block\r\nthe attacks with best practices via the following Threat Prevention signatures: 86817, 86818 and 86819.\r\nCortex XDR and XSIAM are designed to:\r\nPrevent the execution of known malicious malware and prevent the execution of unknown malware\r\nusing Behavioral Threat Protection as well as machine learning based on the Local Analysis module\r\nProtect against credential gathering tools and techniques using the new Credential Gathering\r\nProtection available from Cortex XDR\r\nProtect from threat actors dropping and executing commands from web shells using Anti-Webshell\r\nProtection, newly released in Cortex XDR\r\nProtect against exploitation of different vulnerabilities including ProxyShell and ProxyLogon using\r\nthe Anti-Exploitation modules as well as Behavioral Threat Protection, including credential-based\r\nattacks, with behavioral analytics, through Cortex XDR Pro\r\nPrisma Cloud Compute and Advanced WildFire integration can help detect and prevent malicious\r\nexecution of the malware within Windows-based VM, container and serverless cloud infrastructure\r\nIf you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nIndicators of 
Compromise\r\nSHA256 hashes for BeaverTail Installers - macOS DMG disk images:\r\n000b4a77b1905cabdb59d2b576f6da1b2ef55a0258004e4a9e290e9f41fb6923\r\n9abf6b93eafb797a3556bea1fe8a3b7311d2864d5a9a3687fce84bc1ec4a428c\r\nSHA256 hashes for BeaverTail - macOS Mach-O executable files:\r\n0f5f0a3ac843df675168f82021c24180ea22f764f87f82f9f77fe8f0ba0b7132\r\nd801ad1beeab3500c65434da51326d7648a3c54923d794b2411b7b6a2960f31e\r\nSHA256 hashes for BeaverTail Installers - Windows MSI files:\r\n36cac29ff3c503c2123514ea903836d5ad81067508a8e16f7947e3e675a08670\r\nde6f9e9e2ce58a604fe22a9d42144191cfc90b4e0048dffcc69d696826ff7170\r\nfd9e8fcc5bda88870b12b47cbb1cc8775ccff285f980c4a2b683463b26e36bf0\r\nSHA256 hashes for BeaverTail - Windows EXE files:\r\n0621d37818c35e2557fdd8a729e50ea662ba518df8ca61a44cc3add5c6deb3cd\r\n9e3a9dbf10793a27361b3cef4d2c87dbd3662646f4470e5242074df4cb96c6b4\r\nd5c0b89e1dfbe9f5e5b2c3f745af895a36adf772f0b72a22052ae6dfa045cea6\r\nIP addresses for BeaverTail \u0026 InvisibleFerret C2 servers:\r\n95.164.17[.]24\r\n185.235.241[.]208\r\nSHA256 hashes for InvisibleFerret related 
components:\r\n07183a60ebcb02546c53e82d92da3ddcf447d7a1438496c4437ec06b4d9eb287\r\n10f86be3e564f2e463e45420eb5f9fbdb14f7427eac665cd9cc7901efbc4cc59\r\n1c218d15b35b79d762b966db8bc2ca90fc62a95903bd78ac85648de1d828dbce\r\n34170bda5eb84d737577096438a776a968cb36eff88817f12317edcb9d144b35\r\n4343fa4e313a61f10de08fa5b1b8acb98589faf5739ab5b606f540983b630f79\r\n486a9a79bbb81abee2e81679ace6267c3f3e37d9b8c8074f9ec7aebc9be75cdd\r\n589e22005aa166b207a7aa7384dd3c7f90b71775688e587108801c3894a43358\r\n5e820d8b2bd139b3018574c349cd48ce77e7b31cf85e9462712167fcab99b30a\r\n6e065f1e4d1d8232da5de830d270a13fff8284a91e81c060377ebe66aa75d81d\r\n8563eecbc85a0c43b689b9d9f31fe5977e630c276dee0d7dbfe1a47ab1ab4550\r\n8de446957ce96826628c88da9fd4e7ff9d6327d8004afc4e9e86d59e7d6948dc\r\n9ece783ac52c9ec2f6bdfa669763a7ed1bbb24af1e04e029a0a91954582690cf\r\na69e89a62203b8f2f89ec12a13e46c71b6b4d505deb19527ff73fd002df9bc6b\r\nad8a819d7b68905fa6a8425295755c329504dd0bb48b2fba8dd17e54562b0c6f\r\nb9be6b0ac414ac2a033c17c3ac649417e97e5d0580db796a8ff55169299de50e\r\ncde5afd20b7bb5c9457b68e02c13094125025fb974df425020361303dc6fcdfc\r\nd0a5b9dc988834cc930624661e6e7dd1943d480d75594fff0f4bc39d229c5999\r\ne0568196f1494137a5bbee897a37bc4fe15f87175b57a30403450a88486190c4\r\nf08e88c7397443e35697e145887af2683a83d2415ccd0c7536cea09e35da9ef7\r\nSource: https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/"
	],
	"report_names": [
		"north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters"
	],
	"threat_actors": [
		{
			"id": "32e2c6f9-a1f5-42bc-ac1d-5d9dc301cf0e",
			"created_at": "2025-08-07T02:03:25.078429Z",
			"updated_at": "2026-04-10T02:00:03.811418Z",
			"deleted_at": null,
			"main_name": "NICKEL ALLEY",
			"aliases": [
				"CL-STA-0240 ",
				"Purplebravo Recorded Future",
				"Storm-1877 ",
				"Tenacious Pungsan "
			],
			"source_name": "Secureworks:NICKEL ALLEY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434643,
	"ts_updated_at": 1775791708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/886fe6a305c8a548ca541725e0b85ec6b1c23ec5.pdf",
		"text": "https://archive.orkl.eu/886fe6a305c8a548ca541725e0b85ec6b1c23ec5.txt",
		"img": "https://archive.orkl.eu/886fe6a305c8a548ca541725e0b85ec6b1c23ec5.jpg"
	}
}