lazarusholic


BeaverTail variant distributed via malicious repositories and ClickFix lure

2025-09-17, GitLab
https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/north-korean-malware-sept-2025/
#BeaverTail #ClickFix

Contents

Tech Note - BeaverTail variant distributed via malicious repositories and ClickFix lure
17 September 2025 - Oliver Smith, GitLab Threat Intelligence
Key Points
- We’ve identified infrastructure used to distribute BeaverTail and InvisibleFerret malware variants since at least May 2025. BeaverTail and InvisibleFerret are malware families operated by North Korean nation-state threat actors tracked under identifiers including Contagious Interview and Famous Chollima.
- We’re publicizing this campaign because it contains slight shifts in threat actor tradecraft that may provide insight into the direction of future operations:
  - The threat actor used ClickFix lures to target marketing and trader roles in cryptocurrency and retail sector organizations rather than targeting software development roles.
  - The threat actor’s malware was compiled into executables rather than typical distribution as scripts reliant on interpreters already present on target systems.
- We assess that this activity was likely being tested by the threat actor and related malware is unlikely to have been distributed …

IoC
