
InvisibleFerret Malware Now Ships as .pyd and .so Files to Evade Script Detection

Source: Cybersecurity News (archived May 26, 2026)




By Tushar Subhra Dutta, May 25, 2026

A North Korea-linked hacker group has quietly upgraded one of its most dangerous tools, making it harder for security software to detect. InvisibleFerret, an information-stealing malware tied to the threat actor known as Void Dokkaebi (also tracked as Famous Chollima), has been repackaged into a format that slips past many traditional detection methods. Instead of arriving as plain Python scripts, it now comes disguised as compiled binary files.

Void Dokkaebi has long targeted software developers who hold cryptocurrency wallet credentials, signing keys, and access to build pipelines or production systems. The group poses as recruiters from cryptocurrency or AI firms, convincing developers to clone and run code repositories as part of fake job interviews. Once executed, the malicious code begins a multi-stage infection designed to steal sensitive data and maintain persistent access.

Analysts at Trend Micro identified that InvisibleFerret has now been obfuscated using Cython, a tool that compiles Python code into native binary extension modules. Trend Micro said in a report shared with Cyber Security News (CSN) that the malware is distributed as .pyd files on Windows and .so files on macOS, rather than readable Python scripts. This means existing detection rules written for Python-based threats may no longer identify the malware.

The update preserves InvisibleFerret's full range of capabilities. The malware can open backdoor access, steal browser credentials, monitor clipboard activity, log keystrokes, and target cryptocurrency wallets. The companion loader known as BeaverTail has also evolved from a basic downloader into a broader threat with its own credential harvesting and wallet-targeting functions.
The campaign is especially relevant to software developers, crypto users, and organizations whose staff have access to signing keys or CI/CD pipelines. Security teams relying on script-based detections now have a gap in coverage. The shift to compiled binaries represents a calculated attempt to stay ahead of defenders who haven't updated their detection strategies.

InvisibleFerret Malware

The core change in this updated variant is the move from Python scripts to Cython-compiled binaries. On Windows, the malware arrives as .pyd files, Python extension modules in DLL format. On macOS, the format is .so, a shared library. Neither type runs independently without a Python interpreter.

Figure: Infection chain (Source – Trend Micro)

To handle this, the infection chain writes a companion .mod script to disk and uses it to launch the compiled binary. Security tools scanning for Python script patterns will not flag anything in these binary files. While IP addresses and port numbers can still be extracted through binary analysis, runtime scripts can override these values with different command-and-control destinations passed as arguments.

The malware has four core modules with distinct roles. The mod module handles the initial connection and downloads further payloads. The pad module provides backdoor access and gathers system information. The brw module steals authentication data and credit card details from browsers, while the mc module for macOS installs trojanized wallet extensions and downgrades Chrome to bypass Google's newer extension security framework.

BeaverTail Expands Its Role in the Infection Chain

Alongside InvisibleFerret's repackaging, BeaverTail has grown into a more complex threat.
It now operates through four variants: gjs handles data theft and downloads further components, njs provides backdoor functions, zjs steals wallet seed phrases and private keys, and cjs installs trojanized extensions in Chrome and Brave Browser targeting MetaMask, Coinbase Wallet, and Phantom.

Figure: The execution process (Source – Trend Micro)

BeaverTail's obfuscation has also become notably stronger. The updated code shuffles a large array of Base64 fragments at startup, strips junk characters from encoded strings to defeat simple detection, and uses XOR encryption with a 4-byte key for sensitive strings like file paths. Command-and-control IP addresses are split into halves and swapped before Base64 encoding to further complicate analysis.

Defenders are advised to move from script-only detection toward binary-aware approaches that account for extension modules, embedded artifacts, and runtime execution scripts. Teams should watch for Chrome version downgrades on macOS, trojanized wallet extensions, and unusual Python activity in .vscode directory paths. Analysts familiar with earlier InvisibleFerret versions can apply the same deobfuscation methods, since the core logic inside the compiled binaries remains unchanged.
Indicators of Compromise (IoCs)

Type | Indicator | Description
File Name | mod.pyd | Cython-compiled InvisibleFerret module for Windows (main)
File Name | mod.so | Cython-compiled InvisibleFerret module for macOS (main)
File Name | pad.pyd | InvisibleFerret backdoor/payload module for Windows
File Name | pad.so | InvisibleFerret backdoor/payload module for macOS
File Name | brw.pyd | InvisibleFerret browser-stealing module for Windows
File Name | brw.so | InvisibleFerret browser-stealing module for macOS
File Name | mc.so | InvisibleFerret wallet trojanization module for macOS
File Name | .mod | Python execution script that loads and runs the Cython binaries
File Name | pad0 | Runtime execution script for pad module
File Name | brw0 | Runtime execution script for brw module
File Name | mc0 | Runtime execution script for mc module
File Path | .vscode\mod.pyd / .vscode/mod.so | Known drop path for InvisibleFerret main module
File Path | .vscode\pad.pyd / .vscode/pad.so | Known drop path for InvisibleFerret pad module
File Path | .vscode\brw.pyd / .vscode/brw.so | Known drop path for InvisibleFerret brw module
File Path | .vscode/mc.so | Known drop path for InvisibleFerret mc module
IP Address | 45[.]59[.]160[.]199 | C&C server IP address extracted from Cython binary via XOR decoding
URL | hxxp://ip-api[.]com/json | External geolocation lookup abused by BeaverTail (njs) and pad modules
URL Pattern | /clw/{sType} | Windows C&C download path for Cython-compiled InvisibleFerret
URL Pattern | /clw1/{sType} | macOS C&C download path for Cython-compiled InvisibleFerret
Build Path | /Users/administrator/Pictures/Work/py_module_work/ | macOS build environment path embedded in .so binaries

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
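As an added illustration of the binary-aware hunting the article recommends (example code written for this page, not from Trend Micro or CSN): this Python helper walks a directory tree, flags files under any .vscode directory that carry the module and launcher names from the IoC table above, and checks each .pyd/.so by magic bytes so a genuine compiled extension module is told apart from a script that merely wears the extension. The magic-byte table, the build_sample_tree() demo tree and its fake files are constructed assumptions for the demo, not artifacts from the campaign.

```python
"""Hunt for Cython-compiled InvisibleFerret artifacts dropped under .vscode paths."""
import os
import tempfile

# File names come from the article's IoC table; the magic-byte check is this example's addition.
MODULE_STEMS = {"mod", "pad", "brw", "mc"}          # mod/pad/brw/mc shipped as .pyd or .so
RUNTIME_SCRIPTS = {".mod", "pad0", "brw0", "mc0"}   # scripts that load and launch the binaries
BINARY_EXTS = {".pyd", ".so"}
MAGIC = {                                            # native container headers; a renamed script matches none
    b"MZ": "PE (Windows .pyd)",
    b"\x7fELF": "ELF shared object",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
}

def binary_kind(path):
    """Return the native container type of `path`, or None if it is not a compiled binary."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    return next((kind for magic, kind in MAGIC.items() if head.startswith(magic)), None)

def hunt(root):
    """Walk `root`; return [(path, reason)] for suspicious files inside any .vscode directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != ".vscode":
            continue
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            if ext in BINARY_EXTS and stem in MODULE_STEMS:
                kind = binary_kind(full)
                findings.append((full, f"compiled module ({kind})" if kind else "module name without native header"))
            elif name in RUNTIME_SCRIPTS:
                findings.append((full, "runtime execution script"))
    return findings

def build_sample_tree():
    """Create a constructed demo tree: one benign editor file plus two fake artifacts (assumption, not real samples)."""
    vs = os.path.join(tempfile.mkdtemp(prefix="hunt_demo_"), "repo", ".vscode")
    os.makedirs(vs)
    with open(os.path.join(vs, "settings.json"), "w") as fh:
        fh.write("{}")                    # ordinary VS Code config: must not be flagged
    with open(os.path.join(vs, "mod.pyd"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)    # fake PE header only, no executable content
    with open(os.path.join(vs, ".mod"), "w") as fh:
        fh.write("import mod\n")          # harmless stand-in for the launcher script
    return os.path.dirname(os.path.dirname(vs))
```

Point hunt() at a freshly cloned interview repository or a developer's home directory; anything it returns deserves a look even when the .pyd/.so turns out to be a legitimate extension module, because a compiled module inside .vscode is not a normal place for one.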