{
	"id": "c831eb7f-d7d3-4b56-8479-d1fe22e9435c",
	"created_at": "2026-04-06T00:16:50.933933Z",
	"updated_at": "2026-04-10T13:11:41.586363Z",
	"deleted_at": null,
	"sha1_hash": "dc04134bd165e4ca4139a600e8647620593becb6",
	"title": "Bored BeaverTail \u0026 InvisibleFerret Yacht Club – A Lazarus Lure Pt.2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6108256,
	"plain_text": "Bored BeaverTail \u0026 InvisibleFerret Yacht Club – A Lazarus Lure\r\nPt.2\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 18:38:33 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters\r\nand Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the\r\nKaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced\r\nThreat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We\r\noutline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nIn October 2024, the eSentire Threat Response Unit (TRU) responded to an incident where a software developer\r\ndownloaded a JavaScript project that contained BeaverTail malware. Upon installing the project through the Node\r\nPackage Manager (NPM) command, it executed malicious JavaScript files and subsequently deployed the\r\nInvisibleFerret malware to the host. 
The InvisibleFerret malware was executed through a Python command, which\r\nfingerprinted the host and stole browser credentials.\r\nIn response, our team of 24/7 SOC Cyber Analysts isolated the impacted host and alerted the\r\ncustomer with the relevant details.\r\nUpon further investigation by eSentire’s TRU team, it was determined that the observed Tactics, Techniques, and\r\nProcedures (TTPs) were consistent with those reported to be used by North Korean threat actors, also tracked as\r\nContagious Interview.\r\nInitial Access\r\nA ZIP file named 'task-space-eshop-aeea6cc51a7c.zip' was found in the user's download directory. The eSentire Threat\r\nIntelligence team assesses it as probable that the victim downloaded the ZIP from a BitBucket project\r\nnamed “eshop” (Figure 1).\r\nhttps://www.esentire.com/blog/bored-beavertail-invisibleferret-yacht-club-a-lazarus-lure-pt-2\r\nPage 1 of 20\n\nFigure 1 eshop project hosted on Bitbucket.\r\nThe malicious “eshop” repository was committed by the user “francesco zaid” (Figure 2).\r\nFigure 2 Author “francesco zaid” (screenshot taken October 24th, 2024).\r\nThe commits to eshop occurred roughly five days after a job posting for a freelancer was published on a freelance\r\njob board. 
The job was posted by a user named “francesco zaid” on “www.freelancermap[.]com” (Figure 3).\r\nFigure 3 Possible fake job posting associated with the Contagious Interview campaign.\r\nIt should be noted that the eSentire Threat Intelligence team reviewed the job posting and was unable to find a\r\ndirect link to the eshop repository from the posting; however, given that the contact person’s name is the same\r\nname used to upload content to the repository, it is a notable finding and is consistent with the Contagious\r\nInterview campaign Tactics, Techniques and Procedures (TTPs) of luring software developers with fraudulent\r\njobs.\r\nThe victim in the incident eSentire responded to appears to be a software developer, which aligns with the TTPs of\r\npreviously reported campaigns by North Korean threat actors in which software developers were targeted.\r\nExecution Chain\r\nThe ZIP file downloaded by the victim contained a malicious NPM package that, once installed by the victim,\r\nexecuted the “server.js” file defined in “package.json”, which in turn loads a malicious JavaScript file\r\n(error.js) (Figure 4).\r\nFigure 4 “server.js” file was defined to be executed in the “package.json” file.\r\nThe “server.js” file is used as an entry point to load the file located at “backend/middlewares/helpers/error.js”,\r\nwhich facilitates further malicious activity on the victim machine: stealing saved login credentials from\r\nbrowsers; collecting system information; enumerating crypto wallet extensions in the targeted browsers; and stealing\r\nconfiguration data from crypto wallets such as Exodus and Solana. 
This JavaScript file (error.js) is highly obfuscated\r\nand after analysis it was determined to be a component of the BeaverTail malware (Figure 5).\r\nFigure 5 Screenshot of ‘error.js’ found on the BitBucket repository that is a component of\r\nBeaverTail.\r\nAfter the JavaScript file is loaded, it uses a cURL command to download InvisibleFerret malware components\r\nfrom a command and control (C2) server; in this case the C2 was located at 185[.]235[.]241[.]208[:]1224.\r\nBeaverTail then downloads the initial Python script of InvisibleFerret, which is saved on the victim machine as a\r\n“.sysinfo” file in the victim’s home directory (Figure 6).\r\nFigure 6 Initial BeaverTail Python Script that Fetches InvisibleFerret.\r\nOnce the file “.sysinfo” is downloaded onto the machine, InvisibleFerret’s loader file “.sysinfo” is executed\r\nwith the command “C:\\Users\\{username}\\.pyp\\python.exe\" \"C:\\Users\\{username}/.sysinfo”. 
It’s worth noting that\r\nthis observation differs from what was reported by Unit 42, where the initial Python script was named “.npl”.\r\nIt’s also worth noting that a total of 21 crypto wallet extensions were targeted by BeaverTail in our observed sample;\r\nthe full list can be found in the Appendix at the end of the blog (Figure 7).\r\nFigure 7 Crypto Wallet Browser Extensions Targeted by BeaverTail.\r\nAnalysis of InvisibleFerret Python Files\r\nThe eSentire Threat Intelligence team conducted analysis of four Python files that were dropped in the incident:\r\none loader (.sysinfo in this instance) and three payloads stored under the “\\.n2” folder in the user’s home directory\r\n(Figure 8).\r\nTable 1: Observed InvisibleFerret Python File Locations\r\nRequest URL | Note | Destination File Path (Windows)\r\nhxxp[://]185[.]235[.]241[.]208:1224/client/99/29 | HTTP request for InvisibleFerret Python Loader (client) | %USERPROFILE%\\.sysinfo\r\nhxxp[://]185[.]235[.]241[.]208:1224/payload/99/29 | HTTP GET request for InvisibleFerret Component (Fingerprint, Remote Control, and Information Stealer Component) | %USERPROFILE%\\.n2\\pay\r\nhxxp[://]185[.]235[.]241[.]208:1224/brow/99/29 | HTTP GET request for InvisibleFerret Component (Browser Stealer Component) | %USERPROFILE%\\.n2\\bow\r\nhxxp[://]185[.]235[.]241[.]208:1224/mclip/99/29 | HTTP GET request for InvisibleFerret Component (Clipboard Stealer Component) | %USERPROFILE%\\.n2\\mlip\r\nLoader Component Overview\r\nFigure 8 Python Loader (.sysinfo) Parameters (commented line was included).\r\nIt's worth noting that the internal IP address (10.10.51.212) was excluded from the initial loader script, but still\r\nreappears in the various 
InvisibleFerret Python payloads (Figure 8). This suggests that the IP address may be used\r\nfor testing purposes. Furthermore, our analysis revealed that excluded or commented-out code sections are a\r\ncommon trait of these scripts, potentially indicative of the malware's development or testing stages.\r\nThe sample downloads three distinct payloads whose names are appended with a campaign ID and sub ID (sType and\r\ngType respectively, as seen in Figure 8 above and Figure 9 below): pay_campaignid_subid.py,\r\nbrow_campaignid_subid.py and mlip_campaignid_subid.py. On disk these files are saved to the\r\n%USERPROFILE%\\.n2 path without these identifiers or file extensions (Figure 9).\r\nFigure 9 InvisibleFerret Python Files.\r\nSome of these files are obfuscated with a combination of zlib compression, base64 encoding and string reversal (Figure 10). The\r\nscript loops through the lambda function continuously until the final cleartext payload is executed.\r\nFigure 10 Payload Retrieval\r\nAn overview of the three InvisibleFerret components can be found in the table below.\r\nTable 2: InvisibleFerret Components\r\nInvisibleFerret Component | Purpose | Notable Network Indicators\r\npay | Host fingerprinting; file stealer; browser credential stealer; remote access; deploys AnyDesk | hxxp://185.235.241[.]208:1224/uploads, hxxp://185.235.241[.]208:1224/keys, hxxp://185.235.241[.]208:1224/brow, hxxp://185.235.241[.]208:1224/adc, 185.235.241[.]208:2245\r\nbrow | Browser credential stealer | hxxp://185.235.241[.]208:1224/keys\r\nmlip | Standalone clipboard stealer and keylogger targeting web browsers | hxxp://95.164.7[.]171:8637/api/clip\r\n“Pay” Component Overview\r\nThe pay component conducts various host fingerprinting activities, including collection of the internal IP, external IP, OS\r\nversion, username and a number of other parameters (Figure 11). 
It also initiates a backdoor session with the C2\r\nserver and scans for and uploads sensitive files from the infected host.\r\nFigure 11 Host Fingerprinting functionality.\r\nOnce the fingerprinting activity is concluded, the data is packaged up and exfiltrated via an HTTP POST request to\r\nhxxp://185.235.241[.]208:1224/keys (Figure 12). The C2 IP address is de-obfuscated by shifting the first nine\r\ncharacters of the string to the end and then base64 decoding the result.\r\nFigure 12 Partial screenshot of pay_campaignid_subid.py exfil process (the commented line was\r\nleft in by the author of the script).\r\nOn non-Windows systems, the script attempts to run the client instance by calling client.run().\r\nOn Windows systems, the main backdoor client is initiated alongside a keylogger and clipboard stealer which\r\nutilizes the pyHook, pythoncom and pyperclip Python libraries (Figure 13).\r\nFigure 13 Initializing the backdoor and keylogger/clipboard stealer.\r\nCaptured keystrokes and clipboard data are written to the global “e_buf” variable and then sent back to the C2 (via a\r\nTCP connection to 185.235.241[.]208:2245) when the ssh_clip command is called within the backdoor session.\r\nThe backdoor session is defined within the Client (Figure 14), Session and Shell classes. It initiates a network\r\nconnection over port 2245 to the C2 server using sockets and accepts JSON-formatted messages containing the\r\nvarious commands shown below. Notably, it also calls an auto_up() function which in this sample initiates an\r\nautomatic file upload. 
This sample also contained placeholder code for automatically dropping AnyDesk (as\r\nopposed to manually via the backdoor).\r\nFigure 14 Client class which manages the overall connection logic and initiates a file upload (code\r\nformatting and inline comments added for clarity).\r\nInvisibleFerret contains logic to scan for and upload files of interest from multiple operating systems. Various\r\nfunctions in the script expedite identification of noteworthy files:\r\nin_pk: Checks if a string contains a private key by searching for specific hexadecimal patterns that match\r\ntypical private key lengths.\r\nismnemonic: Determines if a string contains a valid mnemonic phrase by checking for typical word counts\r\nand validating the phrase.\r\nis_exceptFile: Checks if a file name has an extension that should be excluded from processing.\r\nis_exceptPath: Checks if a path name matches any directories that should be excluded.\r\nis_pat: Checks if a file name contains specific patterns related to environment variables and other sensitive\r\nfiles.\r\nAs each file is processed, the script checks if the file name contains any of these patterns:\r\n[\r\n'.env', 'config.js', 'secret', 'metamask', 'wallet', 'private', 'mnemonic', 'password', 'account', '.xls', '.xlsx', '.doc',\r\n'.docx', '.rtf', '.txt', 'recovery'\r\n]\r\nIf the file is not a common document type, additional filtering is performed using ismnemonic and in_pk to target\r\nsensitive file content such as private keys. This is noteworthy given that developers (likely those involved in\r\nblockchain/crypto applications) are targeted. 
Any system found infected with InvisibleFerret should assume these\r\nkeys are compromised and take appropriate action.\r\nFiles are uploaded to hxxp://185.235.241[.]208:1224/uploads. Filenames are prepended with the current time and\r\nthe hostname is prepended with the subid “29”, as seen in Figure 15.\r\nFigure 15 Example HTTP headers from auto_upload activity.\r\nA record of uploaded files is kept within the flist file contained within the .n2 directory. While it’s a notable\r\nforensic artifact, this file can be arbitrarily cleared, so it should not be considered a reliable record of exfiltrated\r\nfiles.\r\nAs has been documented by other researchers, the backdoor component contains 8 commands which are briefly\r\noutlined below.\r\nssh_obj\r\nChange directories, execute arbitrary commands via subprocess.Popen. Results/errors are reported\r\nback via the shell.\r\nssh_cmd\r\nTerminates the Python process, likely to terminate the session.\r\nssh_clip\r\nSends captured keystrokes and clipboard data to the C2.\r\nssh_run\r\nDownloads and runs the browser stealer component.\r\nssh_upload\r\nUploads specific files, all files from a directory, or files matching specific search patterns.\r\nssh_kill\r\nKills Chrome and Brave browser processes.\r\nssh_any\r\nDownloads and runs AnyDesk.\r\nssh_env\r\nScans for environment (.env) files similar to the auto-upload function described above. If they match\r\ncertain conditions (not in exception lists, contains private keys/phrases etc.) the files are uploaded.\r\n“Brow” Component Overview\r\nThis InvisibleFerret component is a cross-platform browser infostealer targeting Windows, Linux and macOS\r\noperating systems. 
It targets Chrome, Brave, Opera, Yandex and MsEdge browsers, uploading sensitive data to\r\nhxxp://185.235.241[.]208:1224/keys (Figure 16).\r\nEach OS type initializes its own class, which inherits from the ChromeBase class. Each class provides\r\ninstructions for decrypting browser-stored passwords on Windows, Linux and macOS operating systems.\r\nFigure 16 Browser infostealer. Comments from original author.\r\nThe script contains functionality to retrieve, decrypt and upload stored browser passwords and credit card data using\r\nmethods commonly found in infostealing malware (Figure 17).\r\nFigure 17 Snippet of credential stealing code. Original comments are from the script author(s).\r\n“Mlip” (Mclip) Component Overview\r\nThe third payload contains a standalone keylogger and clipboard stealer implemented in Python using the\r\npyWinhook, psutil, pywin32 and wx libraries. The sample analyzed targeted Chrome and Brave browsers,\r\nuploading stolen data to hxxp://95.164.7[.]171:8637/api/clip (Figure 18).\r\nFigure 18 Data upload structure in Mlip Python script.\r\nThe primary function OnKeyBoardEvent (Figure 19) is triggered by a keyboard event handler via the\r\nHookManager from the pyWinhook library. When a keypress is detected, this function is called and checks the\r\nactive window's process PID, process name and window name via the act_win_pn() function using the win32gui\r\nlibrary. 
If the process name matches a browser (\"chrome.exe\", \"brave.exe\"), it proceeds.\r\nFigure 19 OnKeyBoardEvent function in mlip file.\r\nIf the caption of the active window is empty (indicating no specific page title or a blank tab), the function then\r\nproceeds to handle individual keystrokes for logging purposes.\r\nThe function checks for printable ASCII characters and uses several modifiers to handle special\r\nkeypresses such as CTL or enter. For example, when enter is pressed, it’s formatted as a newline character to\r\nbreak up the text and make it easier for the operator to process. If CTL + V is detected (signifying data being\r\npasted into the browser), the GetTextFromClipboard() function is triggered. Data is appended to the key_log\r\nvariable until a newline character is detected.\r\nIf a newline character (“\\n”) is detected and the key_log is not empty, the save_log() function is triggered,\r\nuploading the data to the C2 and clearing the log. If the window caption changes, the accumulated logs are also\r\nuploaded and cleared.\r\nGetTextFromClipboard Function\r\nThe script appears to use the wx (wxPython) library to handle clipboard operations. It initializes a new\r\ninstance of wx.Clipboard, checks that the clipboard data is text (to avoid images or binaries) and then uploads it to the\r\nC2 using the save_log() function shown in Figure 20. 
Interestingly, it can check the clipboard for private keys and\r\nmnemonic phrases, but that line was commented out in this sample.\r\nFigure 20 GetTextFromClipboard function.\r\nA quick test with the wx library shows clipboard data can be extracted with a simple Python script:\r\nFigure 21 Screenshot testing whether clipboard data can be extracted through a Python script.\r\nWhat did we do?\r\nOur team of 24/7 SOC Cyber Analysts isolated the affected host to contain the infection.\r\nWe alerted the customer of the incident and supported them through the remediation process.\r\nWhat can you learn from this TRU Positive?\r\nThe case showcases the importance of endpoint security solutions, such as Endpoint Detection and\r\nResponse (EDR), and the implementation of security training programs to educate users about such\r\nsophisticated threats.\r\nUsing company-issued computers for personal activities outside of work, such as job interviews, can put\r\ncorporate networks at risk.\r\nDevelopers should exercise caution when engaging with public code repositories that have a sparse\r\nportfolio – typically a single repository with minimal activity. 
This behavior can be a red flag, as threat\r\nactors often misuse free platforms like GitHub or BitBucket to host malicious code or distribute malware.\r\nRecommendations from the Threat Response Unit (TRU):\r\nAssume compromise of sensitive keys, passwords and files on infected hosts and take appropriate action,\r\nsuch as rotating keys, passwords, etc.\r\nConfirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.\r\nImplement a Phishing and Security Awareness Training (PSAT) program that educates and informs your\r\nemployees on emerging threats in the threat landscape.\r\nEnsure your organization has a corporate policy for acceptable use of corporate devices.\r\nIndicators of Compromise\r\nYou can access the indicators of compromise here.\r\nReferences\r\nhttps://www.esentire.com/blog/bored-beavertail-yacht-club-a-lazarus-lure\r\nhttps://www.group-ib.com/blog/apt-lazarus-python-scripts/\r\nhttps://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/\r\nhttps://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/\r\nhttps://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/\r\nAppendix – Crypto Wallet Extensions Targeted by BeaverTail\r\nBrowser Extension ID | Browser Extension Name | Target Browser\r\nnkbihfbeogaeaoehlefnkodbefgpgknn | MetaMask | Chrome\r\nejbalbakoplchlghecdalmeeeajnimhm | MetaMask | Edge\r\nfhbohimaelbohpjbbldcngcnapndodjp | BNB Chain Wallet | Chrome\r\nibnejdfjmmkpcnlpebklmnkoeoihofec | TronLink | Chrome\r\nbfnaelmomeimhlpmgjnjophhpkkoljpa | Phantom | Chrome\r\naeachknmefphepccionboohckonoeemg | Coin98 Wallet | Chrome\r\nhifafgmccdpekplomjjkcfgodnhcellj | 
Crypto[.]com | Chrome\r\njblndlipeogpafnldhgmapagcccfchpi | Kaia Wallet | Chrome\r\nacmacodkjbdgmoleebolmdjonilkdbch | Rabby Wallet | Chrome\r\ndlcobpjiigpikoobohmabehhmhfoodbb | Argent X | Chrome\r\nmcohilncbfahbmgdjkbpemcciiolgcge | OKX Wallet | Chrome\r\nagoakfejjabomempkjlepdflaleeobhb | Core | Chrome\r\nomaabbefbmiijedngplfjmnooppbclkk | Tonkeeper | Chrome\r\naholpfdialjgjfhomihkjbmgjidlcdno | Exodus Web3 Wallet | Chrome\r\nnphplpgoakhhjchkkhmiggakijnkhfnd | TON Wallet | Chrome\r\npenjlddjkjgpnkllboccdgccekpkcbin | OpenMask | Chrome\r\nlgmpcpglpngdoalbgeoldeajfclnhafa | SafePal | Chrome\r\nfldfpgipfncgndfolcbkdeeknbbbnhcc | MyTonWallet | Chrome\r\nbhhhlbepdkbapadjdnnojkbgioiodbic | Solflare Wallet | Chrome\r\ngjnckgkfmgmibbkoficdidcljeaaaheg | Atomic Wallet | Chrome\r\nafbcbjpbpfadlkmhmclhkeeodmamcflc | Math Wallet | Chrome\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. 
By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/bored-beavertail-invisibleferret-yacht-club-a-lazarus-lure-pt-2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.esentire.com/blog/bored-beavertail-invisibleferret-yacht-club-a-lazarus-lure-pt-2"
	],
	"report_names": [
		"bored-beavertail-invisibleferret-yacht-club-a-lazarus-lure-pt-2"
	],
	"threat_actors": [
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "45e6e2b3-43fe-44cd-8025-aea18a7f488f",
			"created_at": "2024-06-20T02:02:09.897489Z",
			"updated_at": "2026-04-10T02:00:04.769917Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Storm-1789",
				"Stressed Pungsan"
			],
			"source_name": "ETDA:Moonstone Sleet",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28523c53-1944-4ff0-bbdc-89b06e4e3c84",
			"created_at": "2024-11-01T02:00:52.752463Z",
			"updated_at": "2026-04-10T02:00:05.359782Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Moonstone Sleet",
				"Storm-1789"
			],
			"source_name": "MITRE:Moonstone Sleet",
			"tools": [
				"Qilin"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434610,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc04134bd165e4ca4139a600e8647620593becb6.pdf",
		"text": "https://archive.orkl.eu/dc04134bd165e4ca4139a600e8647620593becb6.txt",
		"img": "https://archive.orkl.eu/dc04134bd165e4ca4139a600e8647620593becb6.jpg"
	}
}