
S1245 InvisibleFerret

InvisibleFerret is a modular Python malware used for data exfiltration and remote access.[3][4][5] InvisibleFerret consists of four modules: main, payload, browser, and AnyDesk.[3] InvisibleFerret has been used since 2023 by North Korea-affiliated threat actors tracked as DeceptiveDevelopment or Contagious Interview.[2][4][5][6] InvisibleFerret has historically been delivered to victim environments by the BeaverTail malware.[1][3][4][5][6]

| Item | Value |
|---|---|
| ID | S1245 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 17 October 2025 |
| Last Modified | 24 October 2025 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087 | Account Discovery | - |
| Enterprise | T1087.001 | Local Account | InvisibleFerret has queried the victim device using Python scripts to obtain the user and hostname.[2][5] |
| Enterprise | T1071 | Application Layer Protocol | - |
| Enterprise | T1071.001 | Web Protocols | InvisibleFerret has used HTTP for C2 communications.[1][3][5] |
| Enterprise | T1560 | Archive Collected Data | - |
| Enterprise | T1560.001 | Archive via Utility | InvisibleFerret has used 7zip, RAR, and zip files to archive collected data for exfiltration.[3][4] |
| Enterprise | T1547 | Boot or Logon Autostart Execution | - |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | InvisibleFerret has established persistence on Windows devices by creating a .bat file named “queue.bat” in the Startup folder to run a Python script.[4] |
| Enterprise | T1547.013 | XDG Autostart Entries | InvisibleFerret has established persistence in GNOME-based Linux environments by placing .desktop entries that run at startup.[4] |
| Enterprise | T1115 | Clipboard Data | InvisibleFerret has stolen data from the clipboard using the Python project “pyperclip”.[1][3][5] InvisibleFerret has also captured clipboard contents during copy and paste operations.[4] |
| Enterprise | T1059 | Command and Scripting Interpreter | - |
| Enterprise | T1059.001 | PowerShell | InvisibleFerret has utilized a PowerShell script named “conf.ps1”, created in the victim’s home directory, to modify configuration files for the AnyDesk remote access service.[3] |
| Enterprise | T1059.006 | Python | InvisibleFerret is written in Python and has used Python scripts for execution.[1][2][3][4][5] |
| Enterprise | T1543 | Create or Modify System Process | - |
| Enterprise | T1543.001 | Launch Agent | InvisibleFerret has established persistence on macOS using a LaunchAgent named “com.avatar.update.wake.plist” that runs at startup.[4] |
| Enterprise | T1555 | Credentials from Password Stores | - |
| Enterprise | T1555.003 | Credentials from Web Browsers | InvisibleFerret has stolen login data, autofill data, cryptocurrency wallets, and payment information saved in web browsers such as Chrome, Brave, Opera, Yandex, and Edge, including the versions for Windows, Linux, and macOS.[1][3] InvisibleFerret has also leveraged the ssh_zcp command to copy browser data, including extensions and cryptocurrency wallet data.[4] |
| Enterprise | T1555.005 | Password Managers | InvisibleFerret has utilized the ssh_zcp command to exfiltrate data from browser extensions and password managers via Telegram and FTP.[3][4] |
| Enterprise | T1005 | Data from Local System | InvisibleFerret has collected data using a script containing a list of excluded file and directory names, along with naming patterns of interest such as environment and configuration files, documents, spreadsheets, and other files containing the words secret, wallet, private, and password.[3] |
| Enterprise | T1074 | Data Staged | - |
| Enterprise | T1074.001 | Local Data Staging | InvisibleFerret has staged data in consolidated folders prior to exfiltration.[3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | InvisibleFerret has decoded XOR-encrypted and Base64-encoded payloads prior to execution.[3] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | InvisibleFerret has used FTP to exfiltrate files and directories using the ssh_upload command, which has six subcommands (.sdira, sdir, sfile, sfinda, sfindr, and sfind) with varying functions.[3][4] InvisibleFerret has exfiltrated stolen files and data to C2 servers over ports 1224, 2245, and 8637.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | InvisibleFerret has used HTTP communications to the “/Uploads” URI for file exfiltration.[4] |
| Enterprise | T1567 | Exfiltration Over Web Service | InvisibleFerret has leveraged Telegram chat to upload stolen data using the Telegram API with a bot token.[3][4] |
| Enterprise | T1083 | File and Directory Discovery | InvisibleFerret has identified specific directories and files for exfiltration using the ssh_upload command, which has the subcommands .sdira, sdir, sfile, sfinda, sfindr, and sfind.[3][4] InvisibleFerret also has the capability to scan and upload files of interest on multiple operating systems using scripts that check file names and file extensions and avoid certain path names.[1][5] InvisibleFerret has utilized the findstr command on Windows or the find command on macOS to search for files of interest.[6] |
| Enterprise | T1657 | Financial Theft | InvisibleFerret has searched the victim device for credentials and files commonly associated with cryptocurrency wallets.[1][3][4][5] |
| Enterprise | T1564 | Hide Artifacts | - |
| Enterprise | T1564.003 | Hidden Window | InvisibleFerret has executed Python instances of the browser module “.n2/bow” using the CREATE_NO_WINDOW process creation flag.[3] |
| Enterprise | T1105 | Ingress Tool Transfer | InvisibleFerret has downloaded “AnyDesk.exe” from the C2 server into the user’s home directory when its checks fail to find the service present in the victim environment.[3] InvisibleFerret has also been configured to download additional payloads using a command that calls the /bow URI.[4][5] |
| Enterprise | T1056 | Input Capture | InvisibleFerret has collected mouse and keyboard events using “pyWinhook”.[5] |
| Enterprise | T1056.001 | Keylogging | InvisibleFerret has conducted keylogging using the Python projects “pyWinHook” and “Pyhook”.[1][3][5] InvisibleFerret’s keylogging thread also checks for changes in the active window and for key presses.[4] |
| Enterprise | T1095 | Non-Application Layer Protocol | InvisibleFerret has established a connection with the C2 server over TCP.[5] InvisibleFerret has also created a TCP reverse shell communicating via a socket connection over ports 1245, 80, 2245, 3001, and 5000.[3] |
| Enterprise | T1571 | Non-Standard Port | InvisibleFerret has been observed using HTTP communications to the C2 server over ports 1224, 2245, and 8637.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | - |
| Enterprise | T1027.013 | Encrypted/Encoded File | InvisibleFerret has used XOR and Base64 encoding for each of its modules.[3] InvisibleFerret has also obfuscated files with a combination of zlib compression, Base64 encoding, and reversed string order.[1] InvisibleFerret has also used XOR and Base64 encoding for some of its Python scripts.[5] |
| Enterprise | T1057 | Process Discovery | InvisibleFerret has the capability to query installed programs and running processes.[4] InvisibleFerret has also identified running processes using the Python project “psutil”.[5] |
| Enterprise | T1219 | Remote Access Tools | InvisibleFerret has utilized remote access software, including the AnyDesk client, through the “adc” module.[1][3][5] InvisibleFerret has also downloaded the AnyDesk client when it does not already exist on the compromised host, checking for it by searching for C:/Program Files(x86)/AnyDesk/AnyDesk.exe.[4] |
| Enterprise | T1679 | Selective Exclusion | InvisibleFerret has the capability to scan for file names and file extensions while avoiding pre-designated path names and file types.[1][5] |
| Enterprise | T1489 | Service Stop | InvisibleFerret has terminated Chrome and Brave browsers using the taskkill command on Windows and the killall command on other systems such as Linux and macOS.[3] InvisibleFerret has also utilized its ssh_kill command to terminate Chrome and Brave browser processes.[5] |
| Enterprise | T1518 | Software Discovery | InvisibleFerret has gathered installed programs and running processes.[4] |
| Enterprise | T1082 | System Information Discovery | InvisibleFerret has collected OS type, hostname, and system version through the “pay” module.[1][3] InvisibleFerret has also queried the victim device using Python scripts to obtain the user and hostname.[2][5] |
| Enterprise | T1614 | System Location Discovery | InvisibleFerret has collected the internal IP address and IP geolocation information of the infected host and sent the data to a C2 server.[5] InvisibleFerret has also leveraged the “pay” module to obtain region name, country, city, zip code, ISP, latitude, and longitude using “http://ip-api.com/json”.[3] |
| Enterprise | T1016 | System Network Configuration Discovery | InvisibleFerret has collected the local and external IP addresses.[3][5] |
| Enterprise | T1033 | System Owner/User Discovery | InvisibleFerret has identified the user’s UUID and username through the “pay” module.[1][3][5] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G1052 | Contagious Interview | [1][3][4][5][6][2] |

References