InvisibleFerret Malware Now Ships as .pyd and .so Files to Evade Script Detection

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A North Korea-linked hacker group has quietly upgraded one of its most dangerous tools, making it harder for security software to detect.

InvisibleFerret, an information-stealing malware tied to the threat actor known as Void Dokkaebi (also tracked as Famous Chollima), has been repackaged into a format that slips past many traditional detection methods.

Instead of arriving as plain Python scripts, it now comes disguised as compiled binary files.

The group poses as recruiters from cryptocurrency or AI firms, convincing developers to clone and run code repositories as part of fake job interviews. Once executed, the malicious code begins a multi-stage infection designed to steal sensitive data and maintain persistent access.

Analysts at Trend Micro identified that InvisibleFerret has now been obfuscated using Cython, a tool that converts Python code into native binaries. 

Trend Micro said in a report shared with Cyber Security News (CSN) that the malware is distributed as .pyd files on Windows and .so files on macOS, rather than readable Python scripts. This means existing detection rules for Python-based threats may no longer identify the malware.

The update preserves InvisibleFerret’s full range of capabilities. The malware can open backdoor access, steal browser credentials, monitor clipboard activity, log keystrokes, and target cryptocurrency wallets.

The companion loader known as BeaverTail has also evolved from a basic downloader into a broader threat with its own credential harvesting and wallet-targeting functions.

The campaign is especially relevant to software developers, crypto users, and organizations whose staff have access to signing keys or CI/CD pipelines. Security teams relying on script-based detections now have a gap in coverage.

The shift to compiled binaries represents a calculated attempt to stay ahead of defenders who haven’t updated their detection strategies.

InvisibleFerret Malware

The core change in this updated variant is the move from Python scripts to Cython-compiled binaries. Both formats are native Python extension modules: on Windows the malware arrives as .pyd files (DLLs), on macOS as .so shared libraries, and neither can run on its own without a Python interpreter to load it.

Infection chain (Source – Trend Micro)

To load them, the infection chain writes a companion .mod Python script to disk and uses it to run the compiled module. Security tools that scan for Python script patterns will not flag anything in these binary files.

While IP addresses and port numbers can still be extracted through binary analysis, runtime scripts can override these values with different command-and-control destinations passed as arguments.

The malware has four core modules with distinct roles. The mod module handles the initial connection and downloads further payloads. The pad module provides backdoor access and gathers system information.

The brw module steals authentication data and credit card details from browsers, while the mc module for macOS installs trojanized wallet extensions and downgrades Chrome to bypass Google’s newer extension security framework.

BeaverTail Expands Its Role in the Infection Chain

Alongside InvisibleFerret’s repackaging, BeaverTail has grown into a more complex threat.

It now operates through four variants: gjs handles data theft and downloads further components, njs provides backdoor functions, zjs steals wallet seed phrases and private keys, and cjs installs trojanized extensions in Chrome and Brave Browser targeting MetaMask, Coinbase Wallet, and Phantom.

The execution process (Source – Trend Micro)

BeaverTail’s obfuscation has also become notably stronger. The updated code shuffles a large array of Base64 fragments at startup, strips junk characters from encoded strings to defeat simple detection, and uses XOR encryption with a 4-byte key for sensitive strings like file paths.

Command-and-control IP addresses are split into halves and swapped before Base64 encoding to further complicate analysis.
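The three string transformations described above (junk characters mixed into Base64 text, a repeating 4-byte XOR key for sensitive strings, and C2 addresses split into halves and swapped before Base64 encoding) can be undone with a few short helpers during triage. The block below is an added example, not BeaverTail's code or anything from the Trend Micro report; since the article does not give the junk alphabet, the exact half-split rule or the key, it assumes that junk is any non-Base64 character, that the first len//2 bytes move to the back before encoding, and that the 4-byte key is supplied by the analyst. The encode_* functions exist only to construct test input, and the sample C2 value is the RFC 5737 documentation address 192.0.2.10, not an indicator from the article.

```python
"""Added example, not BeaverTail's code: analyst-side helpers that undo the
string transformations the article describes, so that a C2 address or a file
path pulled from a sample can be read during triage. Assumptions (the article
does not specify them): junk = any non-Base64 character, the first len//2
bytes move to the back before Base64 encoding, and a caller-supplied 4-byte
repeating XOR key. The encode_* functions only build test input."""
import base64
import re

NOT_B64 = re.compile(rb"[^A-Za-z0-9+/=]")


def strip_junk(text: bytes) -> bytes:
    """Remove characters that cannot belong to Base64 text (assumed junk)."""
    return NOT_B64.sub(b"", text)


def xor4(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating 4-byte key; symmetric, so it encodes and decodes."""
    if len(key) != 4:
        raise ValueError("expected a 4-byte key")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def swap_halves(s: bytes) -> bytes:
    """Assumed split: the first len//2 bytes go to the back."""
    mid = len(s) // 2
    return s[mid:] + s[:mid]


def unswap_halves(t: bytes) -> bytes:
    """Inverse of swap_halves, correct for odd lengths too."""
    head = len(t) - len(t) // 2  # length of the part that now comes first
    return t[head:] + t[:head]


def decode_xor_string(blob: bytes, key: bytes) -> str:
    """Junk-laden Base64 -> XOR-decoded UTF-8 string (e.g. a file path)."""
    return xor4(base64.b64decode(strip_junk(blob)), key).decode("utf-8")


def decode_c2_ip(blob: bytes) -> str:
    """Junk-laden Base64 -> half-swapped bytes -> dotted IP text."""
    return unswap_halves(base64.b64decode(strip_junk(blob))).decode("ascii")


def encode_xor_string(text: str, key: bytes) -> bytes:
    """Test-input builder: XOR then Base64 (no junk inserted)."""
    return base64.b64encode(xor4(text.encode("utf-8"), key))


def encode_c2_ip(ip: str) -> bytes:
    """Test-input builder: swap halves then Base64 (no junk inserted)."""
    return base64.b64encode(swap_halves(ip.encode("ascii")))


# Constructed sample: "192.0.2.10" (documentation address) with its halves
# swapped, Base64-encoded and sprinkled with junk characters.
SAMPLE_C2 = b"Lj!Iu#MT$Ax%OT&Iu*MA=="
SAMPLE_KEY = b"\x5a\x13\x7e\x21"  # arbitrary key chosen for the demo

if __name__ == "__main__":
    print("C2:", decode_c2_ip(SAMPLE_C2))
    enc = encode_xor_string("/Users/dev/repo/.vscode/pad.so", SAMPLE_KEY)
    print("path:", decode_xor_string(enc, SAMPLE_KEY))
```

Running the block prints the recovered sample address and round-trips a constructed path through the XOR layer. When the real split point or key differs from the assumptions, only swap_halves/unswap_halves and the key argument need to change; the junk-stripping and Base64 steps stay the same.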

Teams should watch for Chrome version downgrades on macOS, trojanized wallet extensions, and unusual Python activity in .vscode directory paths. Analysts familiar with earlier InvisibleFerret versions can apply the same deobfuscation methods, since the core logic inside the compiled binaries remains unchanged.

Indicators of Compromise (IoCs):

Type | Indicator | Description
File Name | mod.pyd | Cython-compiled InvisibleFerret module for Windows (main)
File Name | mod.so | Cython-compiled InvisibleFerret module for macOS (main)
File Name | pad.pyd | InvisibleFerret backdoor/payload module for Windows
File Name | pad.so | InvisibleFerret backdoor/payload module for macOS
File Name | brw.pyd | InvisibleFerret browser-stealing module for Windows
File Name | brw.so | InvisibleFerret browser-stealing module for macOS
File Name | mc.so | InvisibleFerret wallet trojanization module for macOS
File Name | .mod | Python execution script that loads and runs the Cython binaries
File Name | pad0 | Runtime execution script for pad module
File Name | brw0 | Runtime execution script for brw module
File Name | mc0 | Runtime execution script for mc module
File Path | .vscode\mod.pyd / .vscode/mod.so | Known drop path for InvisibleFerret main module
File Path | .vscode\pad.pyd / .vscode/pad.so | Known drop path for InvisibleFerret pad module
File Path | .vscode\brw.pyd / .vscode/brw.so | Known drop path for InvisibleFerret brw module
File Path | .vscode/mc.so | Known drop path for InvisibleFerret mc module
IP Address | 45[.]59[.]160[.]199 | C&C server IP address extracted from Cython binary via XOR decoding
URL | hxxp://ip-api[.]com/json | External geolocation lookup abused by BeaverTail (njs) and pad modules
URL Pattern | /clw/{sType} | Windows C&C download path for Cython-compiled InvisibleFerret
URL Pattern | /clw1/{sType} | macOS C&C download path for Cython-compiled InvisibleFerret
Build Path | /Users/administrator/Pictures/Work/py_module_work/ | macOS build environment path embedded in .so binaries

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
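The file-name and drop-path indicators above, together with the advice to watch for Python activity in .vscode directories, translate directly into a small triage scanner. The block below is an added example, not code from Trend Micro or Cyber Security News. It matches the mod/pad/brw/mc module names as .pyd or .so under a .vscode directory and the .mod/pad0/brw0/mc0 runtime scripts, looks for the macOS build path the article says is embedded in the .so files, and adds two content heuristics of my own that are assumptions rather than indicators from the article: the PyInit_<name> export every CPython extension module carries, and the __pyx_ symbol prefix Cython emits. scan_entries() works on in-memory (path, bytes) pairs so it can be checked offline; scan_tree() feeds it from disk.

```python
"""Added example, not code from Trend Micro or CSN: a triage scanner for the
InvisibleFerret artifacts listed in this article. File-name and drop-path
checks come from the IoC table; the Cython/extension-module markers are a
heuristic assumption, not an indicator from the report."""
import os
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# File-name IoCs from the article.
COMPILED_MODULES = {"mod", "pad", "brw", "mc"}
COMPILED_EXTS = {".pyd", ".so"}
RUNTIME_SCRIPTS = {".mod", "pad0", "brw0", "mc0"}
# Build path the article reports inside the macOS .so binaries.
BUILD_PATH = b"/Users/administrator/Pictures/Work/py_module_work/"
# Generic Cython extension-module markers (heuristic, assumed here).
CYTHON_MARKERS = (b"__pyx_", b"cython_runtime")
MAX_READ = 4 * 1024 * 1024  # read at most 4 MiB per file


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    """Last path component, accepting both / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify_name(path: str) -> List[str]:
    """Reasons derived from the file name and its location alone."""
    parts = path.replace("\\", "/").split("/")
    base = parts[-1]
    stem, ext = os.path.splitext(base)
    in_vscode = ".vscode" in parts[:-1]
    reasons = []
    if ext in COMPILED_EXTS and stem in COMPILED_MODULES:
        reasons.append(f"IoC module name {base}")
        if in_vscode:
            reasons.append("dropped under .vscode")
    if base in RUNTIME_SCRIPTS and in_vscode:
        reasons.append(f"IoC runtime script {base} under .vscode")
    return reasons


def classify_content(data: bytes, stem: str) -> List[str]:
    """Reasons derived from file bytes; works on any blob."""
    reasons = []
    if BUILD_PATH in data:
        reasons.append("embedded macOS build path")
    if f"PyInit_{stem}".encode() in data:
        reasons.append(f"exports PyInit_{stem} (Python extension module)")
    if any(marker in data for marker in CYTHON_MARKERS):
        reasons.append("Cython symbol markers")
    return reasons


def scan_entries(entries: Iterable[Tuple[str, bytes]]) -> List[Finding]:
    """Apply both classifiers to (path, content) pairs."""
    findings = []
    for path, data in entries:
        stem = os.path.splitext(_basename(path))[0]
        reasons = classify_name(path) + classify_content(data, stem)
        if reasons:
            findings.append(Finding(path, reasons))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory and scan each readable file (first MAX_READ bytes)."""
    def entries():
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        yield path, fh.read(MAX_READ)
                except OSError:
                    continue
    return scan_entries(entries())


if __name__ == "__main__":
    # Constructed sample entries standing in for a cloned repository.
    sample = [
        ("repo/.vscode/mod.pyd", b"MZ...PyInit_mod\x00__pyx_f_3mod_run"),
        ("repo/.vscode/.mod", b"import mod\n"),
        ("repo/src/app.py", b"print('hello')\n"),
    ]
    for f in scan_entries(sample):
        print(f.path, "->", "; ".join(f.reasons))
```

A name-only hit (a legitimate mod.so in some unrelated project) is a weaker signal than a name hit combined with the .vscode location or the extension-module markers, so the reasons list is returned whole rather than collapsed into a single verdict; an analyst or a SIEM rule can weight them as needed.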
