Void Dokkaebi Uses Cython-Compiled InvisibleFerret Malware
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Void Dokkaebi, a North Korea-linked threat actor, has enhanced its InvisibleFerret malware by compiling it with Cython into native .pyd and .so binaries. This shift helps the malware avoid detections that focus only on Python scripts while retaining its core functions, including credential theft, keylogging, clipboard capture, and cryptocurrency wallet hijacking. BeaverTail serves as the multistage loader that retrieves and runs the compiled modules. The campaign is aimed at software developers and cryptocurrency users who may hold wallet credentials, signing keys, or other high-value secrets.
Investigation
Researchers analyzed the full infection chain and found a clear move away from readable Python scripts toward Cython-compiled extension modules. They also documented several obfuscation methods, including Base64 encoding, XOR encryption, and split-and-swap string manipulation. During the investigation, they extracted hard-coded IP addresses, ports, and filenames, and observed the creation of temporary Python .mod scripts used to load the malicious binaries. String analysis further revealed build-environment traces and references to browser-based cryptocurrency wallet extensions.
Mitigation
Defenders should expand beyond script-focused detections and monitor for suspicious .pyd and .so files appearing in unusual locations, as well as temporary .mod loader scripts. Additional detection opportunities include the observed filenames, outbound requests to ip-api.com, and downloads involving cryptocurrency wallet extensions. Removing or isolating the temporary loader scripts after execution can also help reduce persistence opportunities.
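As an added example (not code from the report or the detection platform), the following Python hunt applies the guidance above to constructed file-create events: it flags the module names reported for this campaign and any .pyd, .so or .mod file written under a user profile's .vscode, temp or Downloads folder. The event records are made up for illustration, and the choice of "unusual" directories beyond .vscode is this example's own assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed Sysmon-style (EventID 11 = FileCreate) and Linux file-event
# records for illustration; none of this is real telemetry from the campaign.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 11, "TargetFilename": r"C:\Users\dev\.vscode\mod.pyd"},
    {"EventID": 11, "TargetFilename": r"C:\Users\dev\AppData\Local\Temp\tmp8k2q.mod"},
    {"EventID": 11, "TargetFilename": r"C:\Python311\Lib\site-packages\numpy\core\_multiarray_umath.cp311-win_amd64.pyd"},
    {"EventID": 11, "TargetFilename": r"C:\Users\dev\.vscode\settings.json"},
    {"EventID": 11, "TargetFilename": "/tmp/pad.so"},
    {"EventID": 1, "TargetFilename": ""},  # process-create event, not a file write
]

# Module names reported for this campaign (from the page) and the extensions
# the mitigation guidance says to watch: compiled .pyd/.so modules, .mod loaders.
KNOWN_NAMES = {"mod.pyd", "pad.pyd", "brw.pyd"}
SUSPECT_EXT = (".pyd", ".so", ".mod")

# Directories where a compiled Python extension is not expected. The .vscode
# profile folder comes from the simulation narrative; the Temp, Downloads and
# /tmp entries are this example's own assumptions for "unusual locations".
UNUSUAL_DIRS = re.compile(
    r"(\\Users\\[^\\]+\\(\.vscode|AppData\\Local\\Temp|Downloads)\\"
    r"|/home/[^/]+/\.vscode/|^/tmp/)",
    re.IGNORECASE,
)


def score_event(ev: Dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one file-create event, or None if it looks benign."""
    if ev.get("EventID") != 11:
        return None
    path = ev.get("TargetFilename", "")
    name = re.split(r"[\\/]", path)[-1].lower()
    if name in KNOWN_NAMES:
        return ("high", "known InvisibleFerret module name: " + name)
    if name.endswith(SUSPECT_EXT) and UNUSUAL_DIRS.search(path):
        return ("medium", "compiled module or .mod loader in unusual location")
    return None  # e.g. a vendor .pyd under site-packages, or a .json in .vscode


def hunt(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Score a batch of events and return (path, severity, reason) for each hit."""
    hits = []
    for ev in events:
        result = score_event(ev)
        if result is not None:
            hits.append((ev["TargetFilename"], result[0], result[1]))
    return hits
```

Vendor extensions under site-packages and ordinary .vscode files (settings.json) are left unflagged, which is the false-positive boundary a rule like this has to keep.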
Response
If related indicators are detected, isolate the affected endpoint immediately, block outbound traffic to the identified command-and-control IP address, and hunt for the listed binaries and scheduled task artifacts. Investigators should analyze any recovered .mod scripts to extract embedded payloads and better understand the execution chain. Any exposed cryptocurrency credentials, wallet secrets, or signing keys should be rotated without delay.
Attack Flow
Detections
Possible C2 Communications Over HTTP To Direct IP With Uncommon Port (via proxy)
Possible IP Lookup Domain Communications Attempted (via dns)
Hidden File Was Created On Linux Host (via file_event)
Detection of Cython-Compiled InvisibleFerret Modules [Windows File Event]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
The attacker has obtained a set of Cython-compiled modules (mod.pyd, pad.pyd, brw.pyd) that implement credential harvesting and C2 communication. To achieve persistence, the adversary copies these modules into the current user's VS Code configuration directory (%USERPROFILE%\.vscode). VS Code periodically scans this folder for extensions, causing the malicious modules to be loaded by a later malicious Python script. The copy operation generates a Sysmon FileCreate event that matches the Sigma rule.
Regression Test Script:
# -------------------------------------------------
# Simulation of InvisibleFerret Cython module drop
# -------------------------------------------------
# Target folder is %USERPROFILE%\.vscode; the path separator is required,
# otherwise the files land in a sibling folder named "<user>.vscode" and
# the FileCreate path will not match the rule.
$vscodePath = "$env:USERPROFILE\.vscode"

# Ensure the target folder exists
if (-not (Test-Path -Path $vscodePath)) {
    New-Item -ItemType Directory -Path $vscodePath | Out-Null
}

# Simulated malicious binaries (random garbage content)
$modules = @("mod.pyd", "pad.pyd", "brw.pyd")
foreach ($mod in $modules) {
    $dest = Join-Path -Path $vscodePath -ChildPath $mod
    # Write 1 KB of random bytes to mimic a compiled extension
    $bytes = New-Object byte[] 1024
    (New-Object System.Random).NextBytes($bytes)
    [System.IO.File]::WriteAllBytes($dest, $bytes)
    Write-Host "Created $dest"
}
Cleanup Commands:
# -------------------------------------------------
# Cleanup of simulated malicious files
# -------------------------------------------------
# Same folder as the simulation script (%USERPROFILE%\.vscode)
$vscodePath = "$env:USERPROFILE\.vscode"
$modules = @("mod.pyd", "pad.pyd", "brw.pyd")
foreach ($mod in $modules) {
    $file = Join-Path -Path $vscodePath -ChildPath $mod
    if (Test-Path $file) {
        Remove-Item -Path $file -Force
        Write-Host "Removed $file"
    }
}