
Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware

Void Dokkaebi has updated its InvisibleFerret malware by compiling the original Python scripts into Cython binaries (.pyd for Windows, .so for macOS) to evade traditional script-based detection. The campaign utilizes a multi-stage BeaverTail JavaScript infection chain to deliver these binaries, targeting software developers to steal cryptocurrency wallet credentials, establish backdoor access, and downgrade browser security controls.

Sensitivity: 24h · Confidence: high · Analyzed: 2026-05-22

Authors: Kazuki Fujisawa

Actors: Void Dokkaebi, Famous Chollima, InvisibleFerret, BeaverTail

Source: Trend Micro

IOCs · 6
  • filename: brw.pyd - Windows browser stealer module for InvisibleFerret
  • filename: mc.so - macOS module that downgrades Chrome and installs trojanized cryptocurrency wallets
  • filename: mod.pyd - Cython-compiled InvisibleFerret loader module for Windows
  • filename: mod.so - Cython-compiled InvisibleFerret loader module for macOS
  • filename: pad.pyd - Windows backdoor module for InvisibleFerret
  • ip: 45[.]59[.]160[.]199 - C2 server for InvisibleFerret and BeaverTail, extracted from an XOR-encoded string

Detection / Hunter

What Happened

A cyber threat group known as Void Dokkaebi is targeting software developers with fake job interviews to install malware that has been upgraded to avoid detection. Software developers, especially those handling cryptocurrency wallets or company code, are the primary targets. This attack is dangerous because the attackers can steal passwords, monitor typing, and hijack cryptocurrency wallets by secretly downgrading web browsers to bypass modern security features. Organizations should warn developers about coding interview scams and update their security monitoring to look for these specific hidden compiled files.

Key Takeaways

  • Void Dokkaebi migrated InvisibleFerret from Python scripts to Cython-compiled binaries (.pyd/.so) to evade script-based detections.
  • BeaverTail has evolved into a multi-stage component with capabilities overlapping InvisibleFerret, including backdoor access and wallet trojanization.
  • The macOS variant (mc.so) downgrades Google Chrome to bypass Manifest V3 restrictions and install trojanized wallet extensions.
  • Despite Cython compilation, core deobfuscation logic remains unchanged, allowing defenders to extract embedded Python payloads and C2 configurations.
  • The campaign specifically targets software developers with access to cryptocurrency wallets, signing keys, and CI/CD pipelines.

Affected Systems

  • Windows
  • macOS
  • Google Chrome
  • Brave Browser

Attack Chain

The attack begins with the BeaverTail JavaScript module, likely delivered via fake job interviews, which acts as a stealer and downloader. BeaverTail downloads Cython-compiled InvisibleFerret binaries (.pyd or .so) and writes a Python execution script (.mod) to disk. The Python interpreter is invoked to run the .mod script, which imports the Cython binary and passes C2 IP addresses and ports as arguments. The Cython module deobfuscates an embedded Python payload in memory and executes it, enabling backdoor access, browser credential theft, and the installation of trojanized cryptocurrency wallets via browser downgrades.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Trend Vision One XDR

The article provides Trend Vision One XDR hunting queries looking for specific file paths associated with the malware in the .vscode directory.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions can monitor file creation events in suspicious directories (like .vscode), track Python process executions with unusual arguments, and detect browser downgrades.
  • Network Visibility: Medium — Network traffic to C2 servers can be detected, but the payload is obfuscated and C2 IPs are dynamically decoded at runtime.
  • Detection Difficulty: Moderate — The shift from plain Python scripts to Cython-compiled binaries bypasses simple script-based detections, requiring defenders to focus on behavioral indicators like Python loading unusual .pyd/.so files or browser version downgrades.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • File Creation (Sysmon Event ID 11)
  • Command Line Logging

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Look for Python processes executing scripts named .mod, pad0, brw0, or mc0, especially within hidden directories like .vscode. | Process Creation | Execution | Low
Monitor for the creation of .pyd or .so files in user profile directories (e.g., .vscode) followed by Python execution. | File Creation | Execution | Low
Detect attempts to downgrade Google Chrome or Brave Browser on macOS systems, which may indicate preparation for malicious extension installation. | Process Creation | Defense Evasion | Medium
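As an added detection example (not code from the Trend Micro article or this summary), the following Python runs the first two hunting hypotheses over constructed Sysmon-style events: Event ID 1 (process creation) and Event ID 11 (file creation). Hosts, timestamps, field names and the five-minute correlation window are assumptions; the legitimate-looking extension .pyd on dev04 is included to show that hypothesis 2 only fires when a Python execution follows the drop.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events (one JSON object per line); not real telemetry.
SAMPLE_EVENTS = r'''
{"ts":"2026-05-20T10:00:00","host":"dev01","id":11,"path":"C:\\Users\\dev\\.vscode\\mod.pyd"}
{"ts":"2026-05-20T10:00:05","host":"dev01","id":1,"image":"C:\\Users\\dev\\.py2\\py.exe","cmd":"py.exe .mod","cwd":"C:\\Users\\dev\\.vscode"}
{"ts":"2026-05-20T11:00:00","host":"mac02","id":11,"path":"/Users/dev/.vscode/mc.so"}
{"ts":"2026-05-20T11:00:02","host":"mac02","id":1,"image":"/usr/bin/python3","cmd":"python3 /Users/dev/.vscode/mc0","cwd":"/Users/dev"}
{"ts":"2026-05-20T12:00:00","host":"dev03","id":1,"image":"C:\\Python312\\python.exe","cmd":"python.exe build.py","cwd":"C:\\src\\app"}
{"ts":"2026-05-20T13:00:00","host":"dev04","id":11,"path":"C:\\Users\\dev\\.vscode\\extensions\\ms-python\\native.pyd"}
'''

PY_IMAGE = re.compile(r"(^|[\\/])(python[\d.]*|py)(\.exe)?$", re.IGNORECASE)
SUSPECT_SCRIPTS = {".mod", "pad0", "brw0", "mc0"}   # execution scripts named in the report
COMPILED_EXT = (".pyd", ".so")                       # Cython module extensions

def basename(path):
    return re.split(r"[\\/]", path)[-1]

def in_vscode(path):
    return ".vscode" in re.split(r"[\\/]", path)

def is_python(ev):
    return ev.get("id") == 1 and bool(PY_IMAGE.search(ev.get("image", "")))

def h1_python_runs_loader(ev):
    """Hypothesis 1: a Python interpreter runs .mod/pad0/brw0/mc0 from a .vscode directory."""
    if not is_python(ev):
        return False
    args = ev.get("cmd", "").split()[1:]
    return any(basename(a) in SUSPECT_SCRIPTS and (in_vscode(a) or in_vscode(ev.get("cwd", "")))
               for a in args)

def h2_compiled_drop_then_python(events, window=timedelta(minutes=5)):
    """Hypothesis 2: .pyd/.so written under .vscode, then Python runs on the same host within the window."""
    hits = []
    drops = [e for e in events if e.get("id") == 11 and in_vscode(e["path"])
             and e["path"].lower().endswith(COMPILED_EXT)]
    for d in drops:
        t0 = datetime.fromisoformat(d["ts"])
        for e in events:
            if e["host"] == d["host"] and is_python(e) \
                    and t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window:
                hits.append((d["host"], basename(d["path"]), e["cmd"]))
                break
    return hits

def hunt(raw=SAMPLE_EVENTS):
    """Return hits for both hypotheses; dev03 (normal build) and dev04 (no execution) produce none."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    h1 = [(e["host"], e["cmd"]) for e in events if h1_python_runs_loader(e)]
    return {"h1": h1, "h2": h2_compiled_drop_then_python(events)}
```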

Control Gaps

  • Static analysis of Python scripts (bypassed by Cython compilation)
  • Manifest V3 enforcement (bypassed by downgrading the browser)

Key Behavioral Indicators

  • Python loading .pyd/.so files from the .vscode directory
  • Browser downgrade commands executed on macOS
  • Execution of scripts that delete themselves after running (mc.so behavior)

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Search endpoint telemetry for the presence of .pyd or .so files within the .vscode directory.
  • Isolate systems exhibiting Python processes executing .mod, pad0, or brw0 scripts from hidden directories.

Infrastructure Hardening

  • Consider restricting the execution of Python interpreters from user-writable directories.
  • Evaluate enforcing strict application control policies to prevent unauthorized browser downgrades.

User Protection

  • If applicable, monitor developer endpoints for unauthorized cryptocurrency wallet extensions.
  • Consider implementing hardware-backed MFA for access to CI/CD pipelines and production infrastructure.

Security Awareness

  • Educate software developers about the risks of executing code from unverified repositories, especially during technical interviews.
  • Train staff to recognize social engineering lures posing as recruiters from cryptocurrency or AI firms.

MITRE ATT&CK Mapping

  • T1059 - Command and Scripting Interpreter
  • T1027 - Obfuscated Files or Information
  • T1562.001 - Disable or Modify Tools
  • T1070.004 - Indicator Removal: File Deletion
  • T1547.001 - Boot or Logon AutoStart Execution: Registry Run Key / Startup Folder
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1518 - Software Discovery
  • T1057 - Process Discovery
  • T1555.003 - Credentials from Password Stores: Credentials from Web Browser
  • T1056.001 - Input Capture: Keylogging
  • T1115 - Clipboard Data
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1071.002 - Application Layer Protocol: File Transfer Protocols
  • T1219.002 - Remote Access Software: Remote Desktop Software
  • T1102.001 - Web Service: Dead Drop Resolver
  • T1571 - Non-Standard Port
  • T1048 - Exfiltration Over Alternative Protocol
  • T1041 - Exfiltration Over C2 Channel

Additional IOCs

  • IPs:
    • 45[.]59[.]160[.]199 - C2 server for InvisibleFerret and BeaverTail
  • URLs:
    • /clw/{sType} - URL path pattern used to download InvisibleFerret on Windows
    • /clw1/{sType} - URL path pattern used to download InvisibleFerret on macOS
  • File Paths:
    • \.vscode\mod.pyd - Path for Windows InvisibleFerret loader
    • /.vscode/mod.so - Path for macOS InvisibleFerret loader
    • \.vscode\pad.pyd - Path for Windows InvisibleFerret backdoor
    • /.vscode/pad.so - Path for macOS InvisibleFerret backdoor
    • \.vscode\brw.pyd - Path for Windows InvisibleFerret browser module
    • /.vscode/brw.so - Path for macOS InvisibleFerret browser module
    • /.vscode/mc.so - Path for macOS InvisibleFerret wallet installer
    • \.vscode\.mod - Path for Windows Python execution script
    • /.vscode/.mod - Path for macOS Python execution script
    • \.vscode\pad0 - Path for Windows Python execution script (pad module)
    • /.vscode/pad0 - Path for macOS Python execution script (pad module)
    • \.vscode\brw0 - Path for Windows Python execution script (brw module)
    • /.vscode/brw0 - Path for macOS Python execution script (brw module)
    • /.vscode/mc0 - Path for macOS Python execution script (mc module)
    • /Users/administrator/Pictures/Work/py_module_work/build/temp.macosx-10.13-universal2-cpython-312/mod.o - macOS build artifact path embedded in compiled binary
  • Command Lines:
    • Purpose: Execute Cython-compiled InvisibleFerret module via Python | Tools: python, py.exe | Stage: Execution | \.py2\py.exe .mod
    • Purpose: Import and execute Cython module from Python script | Tools: python | Stage: Execution | import mod\nmod.start