VYPR
Research · Published May 22, 2026 · 1 source

Void Dokkaebi Upgrades InvisibleFerret Malware with Cython Compilation to Evade Script-Based Detection

North Korea-aligned threat actor Void Dokkaebi has updated its InvisibleFerret information stealer, compiling Python malware into Cython binaries to bypass script-based security tools.

Trend Micro researchers have published a detailed analysis of Void Dokkaebi, a North Korea-aligned intrusion set, and its updated InvisibleFerret information-stealing malware. The group, also tracked as Famous Chollima, has shifted the malware's delivery format from readable Python scripts to Cython-compiled binaries, distributing InvisibleFerret as .pyd files on Windows and .so files on macOS. This change gives the threat actor an additional layer of evasion while preserving the malware's core capabilities, including backdoor access, browser credential theft, clipboard monitoring, keylogging, and cryptocurrency wallet targeting.

Cython is a tool that translates Python code into C/C++ source code and then compiles it into native binaries, improving execution speed. Because Cython-generated binaries are not standalone executables but Python extension modules, they require a Python script or interpreter to load them. Consequently, the infection chain generates a Python execution script to run the Cython-obfuscated InvisibleFerret. From a detection evasion perspective, these changes mean that existing detection rules targeting Python scripts might fail to identify the malware. Although IP addresses and port numbers can be extracted from the Cython binaries through binary analysis, the runtime Python execution scripts could override these values with different C&C destinations passed as command-line arguments.

The campaign remains especially relevant to software developers, cryptocurrency users, and organizations whose developers hold cryptocurrency wallet credentials, signing keys, or access to continuous integration/continuous delivery (CI/CD) pipelines and production infrastructure, since Void Dokkaebi systematically targets exactly those developers. As previously documented by TrendAI Research, the group poses as recruiters from cryptocurrency and AI firms, luring developers into cloning and executing code repositories as part of fabricated job interviews.

Trend Micro's analysis also reveals notable changes in BeaverTail, the downloader component used in the infection chain. BeaverTail now appears to function as a multistage component with capabilities similar to those of InvisibleFerret. This allows the threat actor not only to run a JavaScript-only infection chain in BeaverTail's own development language, but also to download platform-specific builds of InvisibleFerret (e.g., mod.pyd, mod.so). BeaverTail's obfuscation has become more complex than in earlier versions, using several layers of string protection and decoding logic, including array shuffling with index lookup, Base64 encoding with character stripping, XOR encryption, and split-and-swap IP address encoding.

Defenders should move from script-only detection to binary-aware detection to account for extension modules, embedded artifacts, runtime execution scripts, and browser extension tampering. Trend Micro has provided hunting rules and indicators of compromise (IoCs) to help identify and mitigate threats associated with Void Dokkaebi. The full analysis is available on the Trend Micro Research blog.
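As an added example (not code from the Vypr page or from Trend Micro's report), a small hunting script implementing the binary-aware check described above: it flags Python extension modules (.pyd/.so) that carry generic Cython build artifacts, extracts embedded IP:port candidates, and pairs each module with the loader scripts that import it, noting whether a loader reads command-line arguments that could override the embedded C&C. The marker strings, file names and sample bytes are assumptions constructed for the demo, not indicators from the report.

```python
# Added hunting helper; not code from the Trend Micro report or the Vypr page.
# Assumptions: the marker strings are generic artifacts of Cython-generated code
# (not InvisibleFerret IoCs) and all sample files below are constructed.
import re
import tempfile
from pathlib import Path

CYTHON_MARKERS = (b"cython_runtime", b"__pyx_", b".pyx")  # left behind by Cython codegen
EXT_SUFFIXES = {".pyd", ".so"}                             # Python extension modules
IP_PORT = re.compile(rb"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
ARGV_USE = re.compile(r"sys\.argv|argparse")                # loader takes runtime arguments

def inspect_extension(path):
    """Flag a .pyd/.so as Cython-built and list embedded IP[:port] candidates."""
    data = path.read_bytes()
    markers = [m.decode() for m in CYTHON_MARKERS if m in data]
    endpoints = sorted({ip.decode() + ":" + (port.decode() or "?")
                        for ip, port in IP_PORT.findall(data)})
    return {"file": path.name, "cython": bool(markers),
            "markers": markers, "endpoints": endpoints}

def find_loaders(directory, modname):
    """List .py scripts importing the module; argv use matters because the loader
    can hand the binary a different C&C destination than the one it embeds."""
    imp = re.compile(rf"^\s*(import\s+{re.escape(modname)}\b|from\s+{re.escape(modname)}\s+import\b)", re.M)
    hits = []
    for script in sorted(directory.glob("*.py")):
        text = script.read_text(errors="ignore")
        if imp.search(text):
            hits.append({"script": script.name, "argv_override": bool(ARGV_USE.search(text))})
    return hits

def hunt(directory):
    """Pair each Cython-built extension module with the scripts that load it."""
    findings = []
    for ext in sorted(p for p in directory.iterdir() if p.suffix in EXT_SUFFIXES):
        info = inspect_extension(ext)
        if info["cython"]:
            info["loaders"] = find_loaders(directory, ext.name.split(".")[0])
            findings.append(info)
    return findings

def demo():
    """Constructed sample: a fake Cython module, its loader, and an unrelated script."""
    d = Path(tempfile.mkdtemp())
    (d / "mod.pyd").write_bytes(b"MZ\x00cython_runtime\x00__pyx_k_mod\x00mod.pyx\x00"
                                b"10.0.0.1:8080\x00")  # constructed bytes, not a real IoC
    (d / "main.py").write_text("import sys\nimport mod\nmod.start(sys.argv[1])\n")
    (d / "setup.py").write_text("print('unrelated')\n")
    return hunt(d)
```

Running `demo()` on the constructed files reports one Cython-built module with the embedded endpoint and its argv-driven loader; on real samples, treat extracted endpoints as candidates only, since the loader can supply others at runtime.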

Synthesized by Vypr AI