216.73.217.47

BeaverTail and Tropidoor Malware Distributed via Recruitment Emails

· Published 03/04/2025 22:07 · Modified 04/04/2025 09:07

Export JSON

Essential information

Published
03/04/2025 22:07
Modified
04/04/2025 09:07
Tags
2025-04-03 backdoor beavertail cryptocurrency downloader infostealer invisibleferret lightlesscan north korea phishing recruitment tropidoor
Related entities
6 observables, 1 intrusion sets (apt), 19 techniques (mitre), 4 malware

Description

A sophisticated malware campaign has been uncovered, involving the distribution of and malware through fake emails. The attackers, suspected to be of North Korean origin, impersonated a developer community to lure victims into downloading malicious code. The campaign utilizes a disguised as 'car.dll' and malware masquerading as 'tailwind.config.js'. functions as an and , targeting web browsers and wallets. , a malware, establishes communication with command and control servers, allowing remote execution of various commands. The attack methodology shares similarities with previous North Korean campaigns, including the use of techniques reminiscent of the Lazarus group's malware.

External references