{
	"id": "6b11a1f9-b917-4b25-8af3-8404b82e55d6",
	"created_at": "2026-04-06T00:07:50.699425Z",
	"updated_at": "2026-04-10T03:38:19.706625Z",
	"deleted_at": null,
	"sha1_hash": "dd6be1ff6fde3fbdc9b0fa45a8a8a31ef8dbe0d8",
	"title": "BeaverTail and Tropidoor Malware Distributed via Recruitment Emails",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1184261,
	"plain_text": "BeaverTail and Tropidoor Malware Distributed via Recruitment\r\nEmails\r\nBy ATCP\r\nPublished: 2025-04-01 · Archived: 2026-04-05 20:57:48 UTC\r\nOn November 29, 2024, a case was disclosed in which threat actors impersonated a recruitment email from a\r\ndeveloper community called Dev.to to distribute malware. [1] In this case, the attacker provided a BitBucket link\r\ncontaining a project, and the victim discovered malicious code within the project and disclosed it to the\r\ncommunity. The project contained BeaverTail, a malware disguised as “tailwind.config.js,” and a downloader\r\nmalware called “car.dll”.\r\nFigure 1. Attack disclosed in the developer community\r\nAlthough the link is currently unavailable for download, VirusTotal contains compressed files including the\r\n“car.dll” downloader and BeaverTail. Analysis based on these files confirmed the execution logs of “car.dll” and\r\nhttps://asec.ahnlab.com/en/87299/\r\nPage 1 of 8\n\nthe presence of BeaverTail in South Korea. BeaverTail is known to be used by North Korean attackers for\r\ninformation theft and downloading additional payloads.\r\nThe “car.dll” downloader is characterized by implementing Windows commands internally, similar to the\r\nLightlessCan malware of the Lazarus group disclosed in a past ESET report.\r\n1. Attack Details\r\nThe project file obtained from VirusTotal contain the downloader malware “car.dll” and BeaverTail malware\r\n“tailwind.config.js” responsible for executing the downloader. Another compressed file also contained similar\r\nBeaverTail and the same downloader, distributed under the name “img_layer_generate.dll”.\r\nFigure 2. Inside the project file\r\nBeaverTail is known to be distributed primarily in phishing attacks disguised as job offers, such as the ones\r\ntargeting LinkedIn users. While most of the known cases involve attacks from overseas, there have been related\r\ncases in Korea as well. 
The case above is also a foreign case, but it is notable because related logs were found in Korea. The installation path, too, is similar to the one mentioned in the earlier post, with the “autopart” keyword present in “%SystemDrive%\\0_***workfile\\_work\\autosquare\\autopart\\car.dll”.\r\nFigure 3. Downloader execution logs\r\nAdditionally, logs suspected to be from BeaverTail were confirmed a few minutes after the downloader was installed on the system. The use of curl for downloading and the names of the downloaded files, “p.zi” and “p2.zip”, are known BeaverTail behaviors. [2] The download address also matches the address mentioned in the BeaverTail report published by Zscaler in November 2024.\r\nThe JavaScript malware named “tailwind.config.js” contains an obfuscated routine and a routine that executes the “car.dll” located in the same path.\r\nFigure 4. Obfuscation routine and car.dll execution routine\r\nThe obfuscated routine is the BeaverTail malware itself, which performs infostealer and downloader functions: it targets web browsers to steal credentials and cryptocurrency wallet data, and downloads additional malware such as InvisibleFerret.\r\nFigure 5. Uploading exfiltrated information and downloading additional payload\r\n3. Tropidoor\r\nThe malware that the downloader runs in memory is a backdoor. Upon execution, it decrypts four C\u0026C server addresses and attempts to connect to them. After a successful connection, it collects basic system information and generates a random 0x20-byte (32-byte) key, which is encrypted with an RSA public key and transmitted. The RSA public key is embedded in Base64-encoded form (Base64 is an encoding, not encryption), and the randomly generated 0x20-byte key is used to encrypt packets during C\u0026C communication.\r\nFigure 6. 
Decrypted RSA public key and encryption routine\r\nIn the first communication with the C\u0026C server, the system information collected above and the random key encrypted with the RSA public key are Base64-encoded and transmitted through the “tropi2p” and “gumi” parameters, respectively. A random 5-byte string is then generated; it is likely used as a session ID because it is sent in the “s_width” parameter in all later communication.\r\nURL format                                        Description\r\ntropi2p=[Info]\u0026gumi=[Key]\u0026s_width=[SessionID]     Transfer information\r\nletter=400BadRequest\u0026s_width=[SessionID]          Receive commands\r\nletter=[Result]\u0026s_width=[SessionID]               Send command execution results\r\nTable 1. URL format for C\u0026C communication\r\nAfterward, the string “400BadRequest” is placed in the “letter” parameter and sent to the C\u0026C server; this is how the backdoor receives commands from the C\u0026C server. After executing the received command, the result is encoded in the same way and sent back through the “letter” parameter.\r\nThe following commands can be received from the C\u0026C server. Most of them are similar to commands found in other backdoors, but command #34 is unique.\r\nCommand No.  Description\r\n3            “netstat -ano” command\r\n4            “ipconfig /all” command\r\n5            “systeminfo” command\r\n6            “dir” command\r\n7            File deletion (overwrite with NULL data)\r\n8            File time modification\r\n9            Screenshot capture\r\n10           File scan\r\n12           Process execution\r\n13           Process execution (user token)\r\n14           Process termination\r\n15           Specific address scan\r\n16           Inject downloaded payload into another process or load in memory\r\n
17           File deletion (overwrite with random values)\r\n19           Compress and send files as zip\r\n23           Collect drive information\r\n24           Collect file information\r\n25           Set wait time\r\n26           Save as configuration file (“C:\\ProgramData\\Microsoft\\DeviceSync\\WinRT_DeviceSync.etl”)\r\n28           Send configuration data\r\n29           Modify configuration data\r\n30           Send string “tZeqxYw”\r\n32           Send data read via pipe communication\r\n34           Execute Windows commands\r\nTable 2. C\u0026C command numbers\r\nCommand 34 implements basic Windows commands such as “schtasks”, “ping”, and “reg” internally, in the backdoor's own code, instead of relying on the system utilities. This method is similar to the LightlessCan malware reported by ESET in the past. [3]\r\nFigure 7. Windows commands implemented in the code\r\n4. Conclusion\r\nRecently, attacks suspected to be carried out by North Korean attackers have been confirmed continuously. The case described here confirmed the attack details of the BeaverTail malware, which is known from attacks targeting overseas users, and the malware used in this case also shows connections to previous attack cases.\r\nUsers should be cautious not only with email attachments but also with executable files from unknown sources. Updating V3 to the latest version can help prevent malware infection in advance.\r\nMD5\r\n3aed5502118eb9b8c9f8a779d4b09e11\r\n84d25292717671610c936bca7f0626f5\r\n94ef379e332f3a120ab16154a7ee7a00\r\nb29ddcc9affdd56a520f23a61b670134\r\nURL\r\nhttp[:]//103[.]35[.]190[.]170/Proxy[.]php\r\nhttp[:]//86[.]104[.]72[.]247/Proxy[.]php\r\nhttps[:]//45[.]8[.]146[.]93/proxy/Proxy[.]php\r\nhttps[:]//86[.]104[.]72[.]247/proxy/Proxy[.]php\r\nIP\r\n135[.]181[.]242[.]24\r\n191[.]96[.]31[.]38\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. 
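The C&C parameter layout in Table 1 above, as an added detection example that is not part of the AhnLab report: it classifies proxy-log requests to Proxy.php into the three Tropidoor beacon stages (register, poll, result) by their exact parameter set and the 5-byte s_width session ID, then groups hits by session. It assumes the parameters travel in the query string (the report gives the parameter names but not the HTTP method); the log lines, the client addresses and the function names classify, sessions and suspicious_sessions are constructed for this example, and the hosts are the report's own URL IOCs re-fanged for offline use.

```python
# Added example (not from the AhnLab report): classify Tropidoor-style C&C
# requests by the parameter layout in Table 1 and group them by session ID.
# Assumption: the parameters are carried in the query string of a request to
# /Proxy.php; the report lists the parameter names, not the HTTP method.
import base64
import binascii
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log: client, method, URL (one request per line).
# Hosts are the URL IOCs from the report; the session IDs and payloads are made up.
SAMPLE_LOG = '''
10.0.0.7 GET http://103.35.190.170/Proxy.php?tropi2p=SG9zdDpXSU4tMTIzNAo=&gumi=QUJDREVGR0g=&s_width=aB3xZ
10.0.0.7 GET http://103.35.190.170/Proxy.php?letter=400BadRequest&s_width=aB3xZ
10.0.0.7 GET http://103.35.190.170/Proxy.php?letter=UmVzdWx0OiBvaw==&s_width=aB3xZ
10.0.0.9 GET https://45.8.146.93/proxy/Proxy.php?letter=400BadRequest&s_width=QwErT
10.0.0.11 GET http://intranet.example/Proxy.php?id=42
'''

def valid_b64(value):
    # Table 1: Info, Key and Result are Base64; reject anything that is not.
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def classify(url):
    '''Return the beacon stage a URL matches, or None if it does not fit Table 1.'''
    parts = urlsplit(url)
    if not parts.path.lower().endswith('/proxy.php'):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    sid = q.get('s_width', [''])[0]
    if len(sid) != 5:          # report: random 5-byte string used as session ID
        return None
    keys = set(q)              # the parameter set must match a Table 1 row exactly
    if keys == {'tropi2p', 'gumi', 's_width'}:
        if valid_b64(q['tropi2p'][0]) and valid_b64(q['gumi'][0]):
            return 'register'  # system info + RSA-wrapped 0x20-byte session key
        return None
    if keys == {'letter', 's_width'}:
        letter = q['letter'][0]
        if letter == '400BadRequest':
            return 'poll'      # implant asks the C&C for a command
        if valid_b64(letter):
            return 'result'    # command output, Base64-encoded
    return None

def sessions(log_text):
    '''Map s_width session ID -> (client, ordered tuple of stages) for matching lines.'''
    found = defaultdict(lambda: [None, []])
    for line in log_text.strip().splitlines():
        client, _method, url = line.split(' ', 2)
        stage = classify(url)
        if stage is None:
            continue
        sid = parse_qs(urlsplit(url).query)['s_width'][0]
        found[sid][0] = client
        found[sid][1].append(stage)
    return {sid: (client, tuple(stages)) for sid, (client, stages) in found.items()}

def suspicious_sessions(log_text):
    '''Session IDs that reached the command loop (a poll or a result was seen).'''
    return sorted(sid for sid, (_client, stages) in sessions(log_text).items()
                  if 'poll' in stages or 'result' in stages)

if __name__ == '__main__':
    for sid, (client, stages) in sessions(SAMPLE_LOG).items():
        print(sid, client, stages)
```

Matching the exact parameter set rather than a single name keeps an unrelated Proxy.php (last sample line) out of the results, and the poll stage is the strongest signal on its own, since a legitimate client has no reason to send the literal string 400BadRequest as a parameter value.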
\r\nSource: https://asec.ahnlab.com/en/87299/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/87299/"
	],
	"report_names": [
		"87299"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434070,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd6be1ff6fde3fbdc9b0fa45a8a8a31ef8dbe0d8.pdf",
		"text": "https://archive.orkl.eu/dd6be1ff6fde3fbdc9b0fa45a8a8a31ef8dbe0d8.txt",
		"img": "https://archive.orkl.eu/dd6be1ff6fde3fbdc9b0fa45a8a8a31ef8dbe0d8.jpg"
	}
}