Tuesday, 02 January 2024 12:17 GMT

InvisibleFerret Shift Raises Developer Risks (The Arabian Post)


(MENAFN- The Arabian Post) North Korea-linked hackers have upgraded the InvisibleFerret malware to bypass script-based security tools, converting its Python code into compiled modules that are harder for defenders to inspect and block.

The campaign is attributed to Void Dokkaebi, also tracked as Famous Chollima, a threat group associated with operations against software developers, cryptocurrency firms and technology workers. The latest version uses Cython-compiled files, appearing as .pyd modules on Windows and .so files on macOS, marking a technical shift from the readable Python scripts that earlier versions relied on.

The change does not alter the core purpose of InvisibleFerret. The malware remains focused on remote access, data theft, browser credential harvesting, clipboard monitoring, keylogging and cryptocurrency wallet targeting. The difference lies in delivery and detection evasion. Security tools built to identify suspicious Python scripts may miss compiled extension modules that behave more like native binaries.

The development deepens concerns around a long-running pattern of attacks in which developers are targeted through fake recruitment exercises, malicious coding tests and compromised repositories. Victims are often persuaded to clone project files, run test applications or install packages during what appears to be a hiring process. Once executed, the files can trigger malware chains that collect credentials, steal wallet data and establish persistence.

InvisibleFerret has been linked to campaigns where BeaverTail, a JavaScript-based malware family, acts as an initial loader or data stealer before deploying follow-on payloads. BeaverTail has commonly been distributed through NPM packages and software repositories, making developers a particularly valuable target. The overlap between recruitment lures, open-source workflows and code-sharing platforms has allowed attackers to exploit ordinary development habits rather than relying only on conventional phishing attachments.


The use of Cython gives the operators a practical advantage. Cython converts Python-like code into C or C++ extension modules, which are then compiled for specific operating systems. This makes the malware less transparent to analysts and reduces the effectiveness of static signatures based on plain-text Python code. It also complicates automated triage because defenders must now inspect compiled artefacts, import behaviour, execution wrappers and embedded strings rather than simply scanning readable scripts.

Windows systems may encounter the payload as a .pyd file, a Python extension module that can be imported by Python processes. macOS systems may see .so shared object files used in a similar role. In both cases, the payload can be loaded into an execution flow that appears to be part of a legitimate Python application or developer task.

The campaign reflects a wider trend in which state-linked cyber groups are blending espionage, financial theft and supply-chain compromise. Software developers with access to production systems, signing keys, cloud credentials, cryptocurrency wallets or continuous integration pipelines represent a high-value entry point. A single compromised workstation can expose source code, authentication tokens and deployment infrastructure.

The threat is also notable because it targets the trust layer of the technology sector. Recruitment processes, Git repositories and coding assessments are expected to involve file sharing and execution of sample projects. Attackers exploit that expectation by embedding malicious packages inside workflows that appear normal to developers under interview pressure.

Defenders are being urged to treat compiled Python modules as high-risk artefacts when they appear in unexpected repositories or job-test packages. Detection strategies need to move beyond script scanning and include behavioural analysis, binary inspection, process monitoring and checks for unusual Python imports. Security teams should also review developer machines for unauthorised browser extension changes, credential access attempts, suspicious clipboard activity and connections to unfamiliar command-and-control infrastructure.
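The triage step the article calls for (treating compiled Python modules as high-risk when they turn up in a cloned repository or a job-test package) can be scripted. The following is an added example written for this page, not code from the article, from The Arabian Post or from any security vendor. It walks a directory, flags every file Python would import as a native extension (.pyd / .so / .dylib), records the native file format from its magic bytes, and searches the bytes for markers that the Cython code generator typically leaves behind (the `__pyx_` symbol prefix and the string "cython"). The marker list, the "outside site-packages is suspicious" rule and the `build_sample_tree` fixture are assumptions and constructed test data, not findings from the campaign; a hit means "inspect this artefact by hand in an isolated environment", not "this is InvisibleFerret".

```python
"""Flag compiled Python extension modules in a checked-out tree.

Added example (not from the article or any vendor). Heuristics:
  1. file extension Python will load as a native extension module,
  2. native binary format from the leading magic bytes,
  3. byte-string markers Cython-generated modules usually embed
     (assumed marker list: "__pyx_" symbol prefix, "cython").
"""
import os
import tempfile
from dataclasses import dataclass

# Extensions the Python import system treats as native extension modules.
NATIVE_EXT = (".pyd", ".so", ".dylib")

# Leading magic bytes of the binary formats such modules are built as.
MAGIC = {
    b"MZ": "PE (Windows)",
    b"\x7fELF": "ELF (Linux)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
}

# Assumed list of byte strings the Cython code generator commonly embeds.
CYTHON_MARKERS = (b"__pyx_", b"cython", b"Cython")


@dataclass
class Finding:
    path: str
    binary_type: str            # e.g. "PE (Windows)" or "unknown"
    cython_markers: list        # markers found inside the file
    outside_site_packages: bool # True when not under an installed package dir


def binary_type(head: bytes) -> str:
    """Classify a file by its leading bytes."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return "unknown"


def scan_bytes(data: bytes) -> list:
    """Return the Cython markers present in the file contents, in list order."""
    return [m.decode() for m in CYTHON_MARKERS if m in data]


def scan_tree(root: str) -> list:
    """Walk `root` and return a Finding for every native extension module."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(NATIVE_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            findings.append(Finding(
                path=path,
                binary_type=binary_type(data[:4]),
                cython_markers=scan_bytes(data),
                # Heuristic: a compiled module inside a project's own tree is
                # far less expected than one shipped by an installed package.
                outside_site_packages="site-packages" not in path,
            ))
    return findings


def is_suspicious(f: Finding) -> bool:
    """Review rule: a real native binary sitting outside installed packages."""
    return f.outside_site_packages and f.binary_type != "unknown"


def build_sample_tree(base: str) -> None:
    """Write a constructed fixture: one plain script, one .pyd planted in a
    'repo' (PE header plus Cython markers), one legitimate-looking .so under
    site-packages. None of these are real samples."""
    layout = {
        os.path.join("repo", "utils.py"): b"print('hello')\n",
        os.path.join("repo", "tests", "helper.pyd"):
            b"MZ\x90\x00" + b"\x00__pyx_pymod_exec_helper\x00cython_runtime\x00",
        os.path.join("venv", "lib", "site-packages", "pkg", "_core.so"):
            b"\x7fELF" + b"\x00__pyx_module_is_main\x00",
    }
    for rel, content in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def demo() -> list:
    """Build the constructed tree in a temp dir and scan it."""
    base = tempfile.mkdtemp(prefix="pyext-triage-")
    build_sample_tree(base)
    return scan_tree(base)


if __name__ == "__main__":
    for f in demo():
        flag = "REVIEW" if is_suspicious(f) else "ok"
        print(f"{flag:6} {f.binary_type:16} markers={f.cython_markers} {f.path}")
```

Run it against a freshly cloned coding-test repository before anything in it is executed; every `REVIEW` line is a compiled module that should be explained by the project's build system or discarded. The scan is deliberately static and offline, so it complements rather than replaces the process monitoring and import-behaviour checks the article lists.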


Organisations with software engineering teams face particular exposure if recruitment, open-source contribution or contractor onboarding processes are loosely controlled. Developers should avoid running code from unknown recruiters on primary workstations, use isolated environments for coding tests and verify company identities through official channels before engaging with technical assessments.

The campaign also underlines the continuing focus of North Korea-linked operators on cryptocurrency and digital infrastructure. Wallet credentials, seed phrases, password managers and browser-stored authentication data remain central targets. Compromised developers may provide access not only to personal crypto holdings but also to corporate repositories, cloud accounts and financial platforms.
