S1246 BeaverTail
BeaverTail is malware with both a JavaScript and a C++ variant. Active since 2022, BeaverTail is capable of stealing logins from browsers and serves as a downloader for second-stage payloads. BeaverTail has previously been leveraged by North Korea-affiliated actors tracked as DeceptiveDevelopment or Contagious Interview. BeaverTail has been delivered to victims through code repository sites and has been embedded within malicious attachments.[4][1][2][3]
| Item | Value |
|---|---|
| ID | S1246 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 19 October 2025 |
| Last Modified | 24 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | BeaverTail has used HTTP GET requests to download malicious payloads, including InvisibleFerret, and HTTP POST requests to exfiltrate data to C2 infrastructure.[5][4] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | BeaverTail has collected and archived sensitive data in a zip file.[5] |
| enterprise | T1217 | Browser Information Discovery | BeaverTail has searched the victim device for browser extensions, including those commonly associated with cryptocurrency wallets.[1][6][5][8][2][4][7] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.007 | JavaScript | BeaverTail has executed malicious JavaScript code.[1][6][2][3][4] BeaverTail has also been compiled with the Qt framework to execute on both Windows and macOS.[7] |
| enterprise | T1555 | Credentials from Password Stores | BeaverTail has collected Solana keys stored in .config/solana/id.json, as well as other login details stored on macOS within /Library/Keychains/login.keychain or on Linux within /.local/share/keyrings.[2] |
| enterprise | T1555.001 | Keychain | BeaverTail has collected keys associated with macOS within /Library/Keychains/login.keychain.[5][8][2] |
| enterprise | T1555.003 | Credentials from Web Browsers | BeaverTail has stolen passwords saved in web browsers.[1][5][8][7] BeaverTail has also been known to collect Firefox login data (key3.db, key4.db, and logins.json) from /.mozilla/firefox/ for exfiltration.[2] |
| enterprise | T1005 | Data from Local System | BeaverTail has exfiltrated data collected from local systems.[5][2][4][7] |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.001 | Junk Data | BeaverTail has added junk data or prepended a dummy character to a string to hamper decoding attempts.[2] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | BeaverTail has staged collected data in the system's temporary directory.[5] |
| enterprise | T1041 | Exfiltration Over C2 Channel | BeaverTail has exfiltrated data collected from victim devices to C2 servers.[5][4][7] |
| enterprise | T1083 | File and Directory Discovery | BeaverTail has searched for .ldb and .log files stored in browser extension directories for collection and exfiltration.[5][8][2] |
| enterprise | T1657 | Financial Theft | BeaverTail has searched the victim device for browser extensions commonly associated with cryptocurrency wallets.[1][6][2][4][7] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | BeaverTail has deleted files from a compromised host after they were exfiltrated.[5] |
| enterprise | T1105 | Ingress Tool Transfer | BeaverTail has been used to download malicious payloads, including the Python-based malware InvisibleFerret.[1][5][8][2][4][7] |
| enterprise | T1654 | Log Enumeration | BeaverTail has identified .ldb and .log files stored in browser extension directories for collection and exfiltration.[2] |
| enterprise | T1036 | Masquerading | BeaverTail has masqueraded as MiroTalk installation packages ("MiroTalk.dmg" for macOS and "MiroTalk.msi" for Windows) and has included login GUIs with MiroTalk themes.[7] |
| enterprise | T1571 | Non-Standard Port | BeaverTail has communicated with C2 IP addresses over ports 1224 or 1244.[2][4][7] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | BeaverTail has obfuscated code strings with Base64 encoding in the JavaScript version of the malware.[2][4][7] BeaverTail has also used the open-source tool JavaScript-Obfuscator to obfuscate strings and functions.[1][3] |
| enterprise | T1195 | Supply Chain Compromise | - |
| enterprise | T1195.001 | Compromise Software Dependencies and Development Tools | BeaverTail has been hosted on code repositories and disseminated to victims through NPM packages.[1][6][3][4][7] |
| enterprise | T1082 | System Information Discovery | BeaverTail has been known to collect basic system information.[1][4] BeaverTail has also collected data including the hostname and current timestamp prior to uploading data to the API endpoint /uploads on the C2 server.[2] |
| enterprise | T1124 | System Time Discovery | BeaverTail has obtained the current timestamp of the victim device and sent it to C2.[2] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | BeaverTail has been executed through lures involving malicious JavaScript projects or trojanized remote conferencing software such as MiroTalk or FreeConference.[2][7] BeaverTail has also been executed through macOS and Windows installers disguised as chat applications.[1][3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1052 | Contagious Interview | [2][3][4][7][1][6] |
References
1. eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2. Retrieved October 17, 2025.
2. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.
3. Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025.
4. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025.
5. Kirill Boychenko. (2025, July 14). Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader. Retrieved October 19, 2025.
6. Insikt Group. (2025, February 13). Inside the Scam: North Korea's IT Worker Threat. Retrieved October 17, 2025.
7. Unit 42. (2024, October 9). Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware. Retrieved October 17, 2025.
8. Kirill Boychenko. (2025, June 25). Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages. Retrieved October 19, 2025.