InvisibleFerret
InvisibleFerret is a modular python malware that is leveraged for data exfiltration and remote access capabilities.[1][2][3]InvisibleFerret consists of four modules: main, payload, browser, and AnyDesk.[1]InvisibleFerret malware has been leveraged by North Korea-affiliated threat actors identified as DeceptiveDevelopment orContagious Interview since 2023.[4][2][3][5]InvisibleFerret has historically been introduced to the victim environment through the use of theBeaverTail malware.[6][1][2][3][5]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery:Local Account | InvisibleFerret has queried the victim device using Python scripts to obtain the User and Hostname.[4][3] |
| Enterprise | T1071 | .001 | Application Layer Protocol:Web Protocols | InvisibleFerret has used HTTP for C2 communications.[6][1][3] |
| Enterprise | T1560 | .001 | Archive Collected Data:Archive via Utility | InvisibleFerret has used 7zip, RAR and zip files to archive collected data for exfiltration.[1][2] |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution:Registry Run Keys / Startup Folder | InvisibleFerret has established persistence within Windows devices by creating a .bat file "queue.bat" within the Startup folder to run a Python script.[2] |
| .013 | Boot or Logon Autostart Execution:XDG Autostart Entries | InvisibleFerret has established persistence within GNOME-based Linux environments by placing entries within | ||
| Enterprise | T1115 | Clipboard Data | InvisibleFerret has stolen data from the clipboard using the Python project "pyperclip".[6][1][3]InvisibleFerret has also captured clipboard contents during copy and paste operations.[2] | |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter:PowerShell | InvisibleFerret has utilized a PowerShell script created in the victim’s home directory named "conf.ps1" that is used to modify configuration files for AnyDesk remote services.[1] |
| .006 | Command and Scripting Interpreter:Python | InvisibleFerret is written in Python and has used Python scripts for execution.[6][4][1][2][3] | ||
| Enterprise | T1543 | .001 | Create or Modify System Process:Launch Agent | InvisibleFerret has established persistence using LaunchAgents on macOS that run on Startup using a file named "com.avatar.update.wake.plist".[2] |
| Enterprise | T1555 | .003 | Credentials from Password Stores:Credentials from Web Browsers | InvisibleFerret has stolen login data, autofill data, cryptocurrency wallets, and payment information saved in web browsers such as Chrome, Brave, Opera, Yandex and Edge, to include versions affiliated with major operating systems on Windows, Linux, and macOS.[6][1]InvisibleFerret has also leveraged the command |
| .005 | Credentials from Password Stores:Password Managers | InvisibleFerret has utilized the command | ||
| Enterprise | T1005 | Data from Local System | InvisibleFerret has collected data utilizing a script that contained a list of excluded files and directory names and naming patterns of interest such as environment and configuration files, documents, spreadsheets, and other files that contained the words secret, wallet, private, and password.[1] | |
| Enterprise | T1074 | .001 | Data Staged:Local Data Staging | InvisibleFerret has staged data in consolidated folders prior to exfiltration.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | InvisibleFerret has decoded XOR-encrypted and Base-64-encoded payloads prior to execution.[1] | |
| Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol:Exfiltration Over Unencrypted Non-C2 Protocol | InvisibleFerret has used FTP to exfiltrate files and directories using the command |
| Enterprise | T1041 | Exfiltration Over C2 Channel | InvisibleFerret has used HTTP communications to the "/Uploads" URI for file exfiltration.[2] | |
| Enterprise | T1567 | Exfiltration Over Web Service | InvisibleFerret has leveraged Telegram chat to upload stolen data using the Telegram API with a bot token.[1][2] | |
| Enterprise | T1083 | File and Directory Discovery | InvisibleFerret has identified specific directories and files for exfiltration using the | |
| Enterprise | T1657 | Financial Theft | InvisibleFerret has searched the victim device credentials and files commonly associated with cryptocurrency wallets.[6][1][2][3] | |
| Enterprise | T1564 | .003 | Hide Artifacts:Hidden Window | InvisibleFerret has executed Python instances of the browser module ".n2/bow" utilizing the |
| Enterprise | T1105 | Ingress Tool Transfer | InvisibleFerret has downloaded "AnyDesk.exe" into the user’s home directory from the C2 server when checks for the service fail to identify its presence in the victim environment.[1]InvisibleFerret has also been configured to download additional payloads using a command which calls to the /bow URI.[2][3] | |
| Enterprise | T1056 | Input Capture | InvisibleFerret has collected mouse and keyboard events using "pyWinhook".[3] | |
| .001 | Keylogging | InvisibleFerret has conducted keylogging using the Python project "pyWinHook" and "Pyhook".[6][1][3]InvisibleFerret has also captured keylogging thread checks for changes in an active window and key presses.[2] | ||
| Enterprise | T1095 | Non-Application Layer Protocol | InvisibleFerret has established a connection with the C2 server over TCP traffic.[3]InvisibleFerret has also created a TCP reverse shell communicating via a socket connection over ports 1245, 80, 2245, 3001, and 5000.[1] | |
| Enterprise | T1571 | Non-Standard Port | InvisibleFerret has been observed utilizing HTTP communications to the C2 server over ports 1224, 2245 and 8637.[6] | |
| Enterprise | T1027 | .013 | Obfuscated Files or Information:Encrypted/Encoded File | InvisibleFerret has utilized the XOR and Base64 encoding for each of its modules.[1]InvisibleFerret has also obfuscated files with a combination of zlib, Base64 and reverse string order.[6]InvisibleFerret has also utilized the XOR and Base64 encoding some of its Python scripts.[3] |
| Enterprise | T1057 | Process Discovery | InvisibleFerret has the capability to query installed programs and running processes.[2]InvisibleFerret has also identified running processes using the Python project "psutil".[3] | |
| Enterprise | T1219 | Remote Access Tools | InvisibleFerret has utilized remote access software including AnyDesk client through the "adc" module.[6][1][3]InvisibleFerret has also downloaded the AnyDesk client should it not already exist on the compromised host by searching for | |
| Enterprise | T1679 | Selective Exclusion | InvisibleFerret has the capability to scan for file names, file extensions, and avoids pre-designated path names and file types.[6][3] | |
| Enterprise | T1489 | Service Stop | InvisibleFerret has terminated Chrome and Brave browsers using the | |
| Enterprise | T1518 | Software Discovery | InvisibleFerret has gathered installed programs and running processes.[2] | |
| Enterprise | T1082 | System Information Discovery | InvisibleFerret has collected OS type, hostname and system version through the "pay" module.[6][1]InvisibleFerret has also queried the victim device using Python scripts to obtain the User and Hostname.[4][3] | |
| Enterprise | T1614 | System Location Discovery | InvisibleFerret has collected the internal IP address, IP geolocation information of the infected host and sends the data to a C2 server.[3]InvisibleFerret has also leveraged the "pay" module to obtain region name, country, city, zip code, ISP, latitude and longitude using "http://ip-api.com/json".[1] | |
| Enterprise | T1016 | System Network Configuration Discovery | InvisibleFerret has collected the local IP address, and external IP.[1][3] | |
| Enterprise | T1033 | System Owner/User Discovery | InvisibleFerret has identified the user’s UUID and username through the "pay" module.[6][1][3] | |
Groups That Use This Software
References
- Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.
- Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025.
- Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025.
- Insikt Group. (2025, February 13). Inside the Scam: North Korea’s IT Worker Threat. Retrieved October 17, 2025.
- Unit42. (2024, October 9). Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware. Retrieved October 17, 2025.
- eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2. Retrieved October 17, 2025.