A newly observed variant of the BeaverTail malware has been tied to hackers associated with North Korea.
The findings come from Darktrace’s latest The State of Cybersecurity report, which links BeaverTail activity to DPRK threat clusters assessed to be part of the Lazarus Group. Targets have included cryptocurrency traders, developers and retail employees, aligning with motivations spanning financial gain and espionage.
The JavaScript-based malware functions as both an information stealer and a loader, harvesting system details before attempting to retrieve additional payloads from remote servers. Darktrace said its continued evolution highlights how supply chain compromise remains a persistent concern for the finance sector.
What’s new is the level of obfuscation and delivery diversity seen in recent samples. A BeaverTail file analyzed from November 2025, identified as an obfuscated JavaScript package, used layered Base64 and XOR encoding to conceal its behavior.
Once executed, it collected hostnames, usernames and platform data and attempted to contact a command-and-control (C2) server to fetch follow-on malware, a role BeaverTail has historically played in deploying the InvisibleFerret backdoor.
Expanding Delivery Paths
BeaverTail has been distributed through multiple channels designed to exploit trust in common development workflows. According to the research, these methods include:
-
Trojanized npm packages that remained publicly available long enough to be downloaded thousands of times
-
Fake job interview platforms posing as technical assessments or conferencing tools
-
ClickFix lures that prompt users to run operating system commands, which silently download malware
Such techniques are particularly relevant to financial institutions where developers, traders and analysts often rely on open-source tools and collaboration platforms.
Technical Capabilities and Attribution
Darktrace explained that since 2022, the malware has developed into a modular, cross-platform framework capable of running on Windows, macOS and Linux systems. It can be delivered as compiled executables, evade detection through dynamic headers and decoy payloads and enable extensive surveillance.
Features observed include keylogging, screenshot capture and clipboard monitoring aimed at stealing cryptocurrency wallet data and credentials.
Read more on blockchain-based C2 infrastructure: North Korean Hackers Use EtherHiding to Steal Crypto
In 2025, the researchers also observed BeaverTail being merged with another DPRK-linked strain known as OtterCookie. The combined toolset adds browser profile enumeration, enhanced wallet targeting and remote access through legitimate tools like AnyDesk.
“Darktrace’s identification of a hyper-obfuscated BeaverTail variant marks a significant escalation in tradecraft, transforming a lightweight stealer into a signature-evasive framework shielded by over 128 layers of concealment,” commented Jason Soroko, senior fellow at Sectigo.
“This technical maturation culminates in the strategic convergence of BeaverTail with the OtterCookie strain, yielding a unified, cross-platform instrument designed for persistent financial theft and surveillance across Windows, macOS and Linux environments.”
