Security News


HIGH · Attacks · Trend Micro Research

Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware

The North Korea-aligned threat actor Void Dokkaebi has updated its InvisibleFerret malware, shifting from Python scripts to Cython-compiled binaries (.pyd/.so files) to evade script-based detections while maintaining its core information-stealing and backdoor capabilities. This evolution necessitates a shift from script-only detection to binary-aware detection methods, focusing on extension modules and runtime execution artifacts. The campaign primarily targets software developers and cryptocurrency users for credential theft and wallet trojanization.

Void Dokkaebi, a North Korea-aligned intrusion set, has updated its information-stealing malware, InvisibleFerret, shifting its delivery format to evade script-based detections.

By: Kazuki Fujisawa, May 22, 2026

Key takeaways

- Void Dokkaebi (aka Famous Chollima) has migrated InvisibleFerret from readable Python scripts to Cython-compiled binaries, distributing the malware as .pyd files on Windows and .so files on macOS.
- The update gives the intrusion set an additional layer of evasion while preserving InvisibleFerret's core capabilities, including backdoor access, browser credential theft, clipboard monitoring, keylogging, and cryptocurrency wallet targeting.
- BeaverTail has also expanded beyond its original downloader and stealer role into a broader malware with overlapping functions, including credential harvesting and wallet trojanization.
- The campaign remains especially relevant to software developers, cryptocurrency users, and organizations whose developers have access to wallet credentials, signing keys, CI/CD pipelines, or production systems.
- Defenders should move from script-only detection to binary-aware detection to account for extension modules, embedded artifacts, runtime execution scripts, and browser extension tampering. Hunting rules and indicators of compromise (IoCs) are provided below to help identify and mitigate threats associated with Void Dokkaebi.

Introduction

Void Dokkaebi, also tracked as Famous Chollima, is a North Korea-aligned intrusion set that systematically targets software developers who hold cryptocurrency wallet credentials, signing keys, and access to continuous integration/continuous delivery (CI/CD) pipelines and production infrastructure.

As previously documented by TrendAI™ Research, the group poses as recruiters from cryptocurrency and AI firms, luring developers into cloning and executing code repositories as part of fabricated job interviews.

TrendAI™ Research observed that InvisibleFerret, a Python-based malware family composed of multiple modules and delivered through the infection chain, has been obfuscated using Cython. Cython is a tool that translates Python code into C/C++ source code and then compiles it into native binaries, which improves execution speed. As a result, InvisibleFerret is now distributed as .pyd files (Python extension modules in DLL format) on Windows and .so files (shared libraries) on macOS, rather than as plain Python scripts.

Because Cython-generated binaries are not standalone executables but Python extension modules, they cannot run on their own and require a Python script or interpreter to load them. Consequently, the infection chain generates a Python execution script to run the Cython-obfuscated InvisibleFerret.

From a detection evasion perspective, these changes mean that existing detection rules targeting Python scripts might fail to identify the malware. Although IP addresses and port numbers can be extracted from the Cython binaries through binary analysis, the runtime Python execution scripts could override these values with different C&C destinations passed as command-line arguments. Consequently, for some modules, the actual C&C destination cannot be determined from the binary alone without the accompanying execution script.

Infection chain: Cross-platform targeting

Figure 1. Infection chain of the Void Dokkaebi intrusion set that abuses Cython to obfuscate its InvisibleFerret malware

While the initial attack vector has not been confirmed in this campaign, Void Dokkaebi has historically targeted software developers through fake job interviews. Our analysis of the infection chain reveals notable changes in both BeaverTail and InvisibleFerret.
BeaverTail now appears to function as a multistage component with capabilities similar to those of InvisibleFerret. This allows the threat not only to establish a JavaScript-only infection chain based on its development language, but also to download platform-specific versions of InvisibleFerret (e.g., mod.pyd, mod.so). This establishes the InvisibleFerret infection chain as well.

An analysis of BeaverTail

Initially, BeaverTail handled both data theft (e.g., browser credentials, cryptocurrency wallets) and InvisibleFerret payload delivery. The new variant of BeaverTail now carries functionality similar to InvisibleFerret. In addition, BeaverTail's obfuscation techniques have become more complex compared with earlier versions, using several layers of string protection and decoding logic:

Array shuffling and index lookup: At startup, a large array containing approximately 300 Base64 fragments is shuffled using an immediately invoked function expression (IIFE). A lookup function is then used to retrieve each fragment by its hexadecimal index.

Figure 2. Code snippet showing a shuffled array function using IIFE
Figure 3. Code snippet showing the IIFE shuffle function
Figure 4. Code snippet showing the lookup function to retrieve the Base64 fragments

Base64 encoding with character stripping: The first character of each encoded string is a randomly inserted junk byte, which is used to evade simple Base64 detection.

Figure 5. Code snippet showing how the first character is stripped, then Base64-decoded

XOR encryption: The most sensitive strings, such as file paths and execution commands, are XOR-encrypted using a 4-byte key.

Figure 6. Code snippet showing the XOR decryption function and the 4-byte key

Split-and-swap IP address encoding: C&C IP addresses are split into two halves, which are swapped before Base64 decoding.

Figure 7. Code snippet showing the split-and-swap technique

BeaverTail variants

BeaverTail has evolved into a set of multiple variants that use the same obfuscation techniques. In addition to the original information-stealing and downloader module, it now includes a backdoor module, a browser-stealing module, and a trojanized cryptocurrency wallet installation module. These variants appeared by the end of October 2025. They are identified based on the names used when they are downloaded. Table 1 lists the main features of each BeaverTail variant.

Table 1. Key features of the BeaverTail modules

Information-stealing and downloader module: BeaverTail (gjs)
  - Steals information stored in web browsers and cryptocurrency wallet data
  - Downloads and executes BeaverTail (njs), BeaverTail (zjs), and InvisibleFerret

Backdoor module: BeaverTail (njs)
  - Possesses backdoor capabilities with backdoor execution functions starting with "ssh_", and downloads and executes BeaverTail (cjs) as the next-stage payload based on commands
  - Collects system and network information, and accesses hxxp://ip-api[.]com/json to gather geolocation data based on the IP address
  - The backdoor execution functions starting with "ssh_" and the collection of OS and network information are identical to those implemented in InvisibleFerret (pay)

Browser-stealing module: BeaverTail (zjs)
  - Steals cryptocurrency wallet data, seed phrases, private keys, and passwords
  - Steals other information related to developer settings

Trojanized cryptocurrency wallet installation module: BeaverTail (cjs)
  - Downloads and installs trojanized browser extensions in Chrome and Brave Browser, including wallet-related extensions such as MetaMask, Coinbase Wallet, and Phantom
  - Downgrades the Chrome version on macOS; this functionality is equivalent to InvisibleFerret (mc)

InvisibleFerret download process

The Cython-obfuscated InvisibleFerret is downloaded by BeaverTail (gjs).
In the code, the _rum() function is used to initiate the InvisibleFerret infection chain for both non-Windows and Windows environments, as shown in Figure 8.

Figure 8. The function call to start InvisibleFerret's infection chain

The dnp_m() and dnp() functions are responsible for downloading and executing InvisibleFerret. The Windows version of the dnp() function is shown in Figure 9.

Figure 9. Code snippet showing how the function downloads and runs InvisibleFerret via a ".mod" script (Note: Comments in the code were added for clarity)

In previously observed BeaverTail (gjs) samples, InvisibleFerret (main) was downloaded from a URL path in the format /client/{sType}, where sType is an identifier used by the threat actor, and saved with the filename main_{sType}.py. In this campaign, InvisibleFerret is downloaded from /clw/{sType}. A .mod file is then created and executed via Python. On non-Windows systems, the payload is instead downloaded from /clw1/{sType}, after which a similar .mod file is created and executed. However, that binary is in Mach-O format and operates only in macOS environments.

Because the Cython-generated binaries are not self-contained executables, they depend on the CPython runtime as extension modules. As a result, they must be launched through a Python script or interpreter. The .mod file serves this purpose, and BeaverTail creates and executes it accordingly. The execution flow is shown in Figure 4.

BeaverTail (gjs) is a JavaScript-based module, so it can't load Cython extension modules directly. Instead, it does the following:

- Downloads the Cython binary (mod.pyd or mod.so) from the C&C server
- Writes a Python script (.mod) to disk
- Invokes the Python interpreter to execute it

The .mod script then imports mod.pyd or mod.so as a Python extension module, passing sType, encoded IP addresses, and a port number as command-line arguments.
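The launch pattern just described (a JavaScript stage invoking the Python interpreter on a script that is not a .py file, with the C&C parameters passed as positional arguments) is something process telemetry can surface without any knowledge of the binary's contents. The following is an added example written for this page, not Trend Micro's hunting rule; the field names, interpreter list, the choice of node as BeaverTail's host process, and the sample events are all constructed assumptions.

```python
import shlex
from pathlib import PureWindowsPath, PurePosixPath

# Assumptions for this example: interpreter names, and node as BeaverTail's host process.
PYTHON_IMAGES = {"python", "python3", "pythonw", "python.exe", "python3.exe", "pythonw.exe"}
JS_HOSTS = {"node", "node.exe"}
NORMAL_SCRIPT_EXTS = {".py", ".pyw"}

def _path(p):
    return PureWindowsPath(p) if "\\" in p else PurePosixPath(p)

def split_cmdline(cmd):
    """Tokenise a captured command line; Windows quoting keeps its quotes, so strip them."""
    return [tok.strip('"') for tok in shlex.split(cmd, posix="\\" not in cmd)]

def script_and_args(argv):
    """Return (script path, trailing args); (None, []) for -c/-m or an interactive run."""
    for i, tok in enumerate(argv[1:], start=1):
        if tok in ("-c", "-m"):
            return None, []
        if tok.startswith("-"):
            continue
        return tok, argv[i + 1:]
    return None, []

def analyze_event(ev):
    """Reasons a process-creation event matches the .mod launch pattern (empty = no match)."""
    reasons = []
    if _path(ev["image"]).name.lower() not in PYTHON_IMAGES:
        return reasons
    script, args = script_and_args(split_cmdline(ev["cmdline"]))
    if script is None:
        return reasons
    if _path(script).suffix.lower() not in NORMAL_SCRIPT_EXTS:
        reasons.append(f"python executing non-.py script {_path(script).name!r}")
    if _path(ev.get("parent_image", "")).name.lower() in JS_HOSTS:
        reasons.append("python spawned by a JavaScript runtime")
    if len(args) >= 2 and any(a.isdigit() and 0 < int(a) < 65536 for a in args):
        reasons.append("positional args include a port-like number")
    return reasons

# Constructed telemetry records (Sysmon-style fields); the paths and values are not real IoCs.
EVENTS = [
    {"image": r"C:\Python312\python.exe",
     "cmdline": r'"C:\Python312\python.exe" "C:\Users\dev\AppData\Local\Temp\tmp.mod" abc123 ZGVjb2RlZA== 1234',
     "parent_image": r"C:\Program Files\nodejs\node.exe"},
    {"image": r"C:\Python312\python.exe", "cmdline": r'"C:\Python312\python.exe" C:\proj\build.py --release',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": "/usr/bin/python3", "cmdline": "python3 -m pip install requests", "parent_image": "/bin/bash"},
]

def suspicious_events(events=EVENTS):
    """Command lines that triggered at least one reason, with their reasons."""
    return [(ev["cmdline"], analyze_event(ev)) for ev in events if analyze_event(ev)]
```

Only the first constructed event fires, on all three reasons; the build script and the pip invocation pass untouched, which is the false-positive profile a developer workstation needs.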
The Cython module deobfuscates the embedded Python payload and executes it via exec, as shown in Figure 10.

Figure 10. The execution process from BeaverTail to InvisibleFerret

An analysis of the Cython-obfuscated InvisibleFerret

Cython compilation obfuscates the original Python source by converting it into native binaries. With this technique, defenders should not rely on simple text-based searches for Python scripts. However, numerous forensic artifacts remain in the resulting bina
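Returning to the four BeaverTail string-protection layers described in the analysis section above (IIFE shuffle with hex-index lookup, junk-byte-prefixed Base64, 4-byte XOR, and split-and-swap IP encoding), an analyst's decoder simply applies each layer's inverse in turn. The block below is an added example, not code from the Trend Micro report or the malware; the XOR key, junk byte, table contents, rotation count and the exact half-split convention are constructed assumptions, with the forward direction included only so the demo builds its own table.

```python
import base64

# Constructed values for this example; the real key, junk byte and table differ.
XOR_KEY = b"\x5a\x3c\x9e\x01"   # the sample uses a 4-byte XOR key
JUNK = "#"                       # one junk character precedes each Base64 string

# Inverse of each BeaverTail string-protection layer.
def unshuffle(table, rotations):
    """Undo the IIFE shuffle; assumed here to be a fixed-count left rotation."""
    r = rotations % len(table)
    return table[r:] + table[:r]

def lookup(table, hex_index, base=0x0):
    """The hex-index lookup function: '0x2' -> table[0x2 - base]."""
    return table[int(hex_index, 16) - base]

def strip_b64(fragment):
    """Drop the leading junk byte, then Base64-decode the remainder."""
    return base64.b64decode(fragment[1:])

def xor_bytes(data, key=XOR_KEY):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def unswap_ip(fragment):
    """Put the two swapped halves back in order, then Base64-decode (assumed split at len//2)."""
    n = len(fragment)
    h = n // 2
    return base64.b64decode(fragment[n - h:] + fragment[:n - h]).decode()

# Forward direction, used only to build a constructed table for the demo.
def protect(text, xor=False):
    raw = xor_bytes(text.encode()) if xor else text.encode()
    return JUNK + base64.b64encode(raw).decode()

def protect_ip(ip):
    enc = base64.b64encode(ip.encode()).decode()
    h = len(enc) // 2
    return enc[h:] + enc[:h]

CLEAN = {"ua": "Mozilla/5.0", "path": "AppData/Local/Temp", "cmd": "python", "c2": "192.0.2.10"}
TRUE_TABLE = [protect(CLEAN["ua"]), protect(CLEAN["path"], xor=True),
              protect(CLEAN["cmd"], xor=True), protect_ip(CLEAN["c2"])]
STORED_TABLE = TRUE_TABLE[-1:] + TRUE_TABLE[:-1]   # as shipped: rotated right once
ROTATIONS = 1                                      # assumed rotation count

def recover(stored=STORED_TABLE, rotations=ROTATIONS):
    """Walk the layers the way the malware's own decoder does, in reverse."""
    t = unshuffle(stored, rotations)
    return {"ua":   strip_b64(lookup(t, "0x0")).decode(),
            "path": xor_bytes(strip_b64(lookup(t, "0x1"))).decode(),
            "cmd":  xor_bytes(strip_b64(lookup(t, "0x2"))).decode(),
            "c2":   unswap_ip(lookup(t, "0x3"))}
```

Against a real sample, the rotation count, key, junk byte and lookup base are read from the IIFE, XOR and lookup functions shown in Figures 3 to 7, and the table is the shipped fragment array.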
