Keypoints
- CL-STA-240 uses social engineering (fake recruiters/interviews) to convince victims to run malicious installers.
- BeaverTail was reimplemented in Qt to produce cross-platform installers for both macOS (MiroTalk.dmg) and Windows (MiroTalk.msi / FreeConference MSI).
- BeaverTail runs a silent background collector that exfiltrates data and then downloads Python and the InvisibleFerret backdoor from the attacker C2.
- InvisibleFerret is a Python backdoor with modules for fingerprinting, remote control, keylogging, file exfiltration, browser credential theft, and optional AnyDesk deployment.
- The Qt BeaverTail variant expanded crypto targeting to 13 browser wallet extensions and added macOS browser password theft.
- InvisibleFerret received iterative code updates (e.g., improved file searching using find/findstr, changes to ssh_cmd behavior, and expanded .env file harvesting on Windows).
- Notable IOCs include specific SHA256 hashes for BeaverTail and InvisibleFerret components and C2 IPs 95.164.17.24 and 185.235.241.208.
MITRE Techniques
- [T1003] Credential Dumping – BeaverTail and InvisibleFerret collect stored credentials and browser data to harvest passwords and secrets (‘Stealing browser passwords and credentials.’)
- [T1203] Exploitation for Client Execution – Social engineering during fake interviews prompts victims to execute installer packages, enabling malicious code execution (‘Convincing victims to execute malicious code during online interviews.’)
- [T1071] Command and Control – Malware establishes C2 communications to download Python and additional payloads and to exfiltrate data (‘Establishing communication with the attacker’s command and control server.’)
- [T1022] Data Encrypted (Exfiltration) – Collected data and credentials are packaged and sent back to attacker-controlled servers (‘Exfiltrating sensitive data back to the attackers.’)
- [T1219] Remote Access Tools – InvisibleFerret provides persistent remote control, keylogging, file exfiltration, and can deploy AnyDesk for interactive remote access (‘Using the InvisibleFerret backdoor for remote control of infected endpoints.’)
Indicators of Compromise
- [File hash – BeaverTail macOS DMG] installer samples – 000b4a77b1905cabdb59d2b576f6da1b2ef55a0258004e4a9e290e9f41fb6923, 9abf6b93eafb797a3556bea1fe8a3b7311d2864d5a9a3687fce84bc1ec4a428c
- [File hash – BeaverTail macOS Mach-O] executable examples – 0f5f0a3ac843df675168f82021c24180ea22f764f87f82f9f77fe8f0ba0b7132, d801ad1beeab3500c65434da51326d7648a3c54923d794b2411b7b6a2960f31e
- [File hash – BeaverTail Windows MSI/EXE] installer and exe samples – 36cac29ff3c503c2123514ea903836d5ad81067508a8e16f7947e3e675a08670, 0621d37818c35e2557fdd8a729e50ea662ba518df8ca61a44cc3add5c6deb3cd (and other MSI/EXE hashes)
- [File hash – InvisibleFerret components] backdoor modules – 07183a60ebcb02546c53e82d92da3ddcf447d7a1438496c4437ec06b4d9eb287, 10f86be3e564f2e463e45420eb5f9fbdb14f7427eac665cd9cc7901efbc4cc59 (and 17 more hashes)
- [IP addresses] C2 servers used for download/exfiltration – 95.164.17[.]24:1224, 185.235.241[.]208
- [Filenames] installer artifacts and packaging – MiroTalk.dmg (macOS), MiroTalk.msi / FreeConference.msi (Windows)
BeaverTail’s infection chain begins with social-engineered delivery: actors send fake recruiter invites and provide what appears to be a legitimate meeting app installer (MiroTalk.dmg for macOS or MiroTalk/FreeConference .msi for Windows). The Qt reimplementation allows a single codebase to compile cross-platform installers that display legitimate-looking GUIs while running a silent background collector. Once executed, BeaverTail collects local artifacts, browser data and targeted wallet extension information, then contacts a C2 server (examples: 95.164.17.24:1224, 185.235.241.208) to exfiltrate data and retrieve additional components.
After initial collection, BeaverTail downloads a Python runtime from hxxp://:1224/pdown and then fetches the first-stage InvisibleFerret payload from hxxp://:1224/client/. InvisibleFerret is a modular Python backdoor with an initial downloader plus components for endpoint fingerprinting, remote command execution, keylogging, targeted file harvesting (including .env files across drives and home directories), browser credential theft, and the ability to drop AnyDesk for interactive remote access. Recent code changes include more efficient file searching (using find/findstr), OS-aware process-killing in ssh_cmd, and expanded collection of .env files and patterns.
Technical indicators include multiple BeaverTail and InvisibleFerret SHA256 hashes for DMG, Mach-O, MSI and EXE artifacts, the C2 IPs above, and the specific wallet extension IDs targeted (13 browser extension IDs including MetaMask, Phantom, Coinbase Wallet, BNB Chain Wallet, Argent X, etc.). Detection opportunities: block known C2 IPs/domains, inspect installer files for embedded network endpoints, monitor for process launches that download Python from unusual hosts, and flag post-install behaviors such as silent background collection, spawning Python to run remote scripts, and attempts to access browser extension storage or known wallet extension directories.
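As an added example (not code from the original report), the following Python scanner carries out the "inspect installer files for embedded network endpoints" check from the detection notes: it pulls IPv4:port strings out of a binary blob (ASCII and UTF-16LE, the latter common in Windows MSI/EXE resources) and flags any that match the C2 addresses listed on this page. The sample blob is constructed; the C2 values are the page's own.

```python
import re
import ipaddress

# C2 addresses from the report (95.164.17.24 was observed on port 1224).
KNOWN_C2_IPS = {"95.164.17.24", "185.235.241.208"}

# ASCII "a.b.c.d" optionally followed by ":port", not embedded in a longer dotted run.
_ENDPOINT_ASCII = re.compile(
    rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?![\d.])")
# Same shape in UTF-16LE: every character is followed by a NUL byte.
_ENDPOINT_U16 = re.compile(
    rb"(?<!\d\x00)((?:\d\x00){1,3}(?:\.\x00(?:\d\x00){1,3}){3})"
    rb"(?::\x00((?:\d\x00){1,5}))?(?!\d\x00)")

def _routable(ip_text):
    """Keep only globally routable IPv4 addresses (drops loopback, RFC1918, junk like 999.1.1.1)."""
    try:
        return ipaddress.IPv4Address(ip_text).is_global
    except ValueError:
        return False

def extract_endpoints(blob: bytes):
    """Return sorted (ip, port_or_None) tuples found as ASCII or UTF-16LE strings in blob."""
    found = set()
    for rx, enc in ((_ENDPOINT_ASCII, "ascii"), (_ENDPOINT_U16, "utf-16-le")):
        for m in rx.finditer(blob):
            ip = m.group(1).decode(enc)
            port = int(m.group(2).decode(enc)) if m.group(2) else None
            if _routable(ip) and (port is None or 0 < port < 65536):
                found.add((ip, port))
    return sorted(found, key=lambda e: (ipaddress.IPv4Address(e[0]), e[1] or 0))

def match_known_c2(endpoints):
    """Subset of endpoints whose IP is one of the report's C2 addresses."""
    return [e for e in endpoints if e[0] in KNOWN_C2_IPS]

def scan_file(path):
    """Convenience wrapper: scan an installer on disk and return matching C2 endpoints."""
    with open(path, "rb") as f:
        return match_known_c2(extract_endpoints(f.read()))

# Constructed sample: one ASCII C2 URL, one UTF-16LE C2 URL, plus loopback/private noise.
SAMPLE = (b"MZ\x90\x00junk http://95.164.17.24:1224/pdown\x00 10.0.2.15:22 "
          + "https://185.235.241.208/client/".encode("utf-16-le")
          + b"\x00\x00127.0.0.1:8080")

if __name__ == "__main__":
    eps = extract_endpoints(SAMPLE)
    print("embedded endpoints:", eps)
    print("known C2 hits:", match_known_c2(eps))
```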