Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware

2026-05-22 Trend Micro

https://www.trendmicro.com/en_us/research/26/e/analyzing-void-dokkaebi-invisibleferret-malware.html


Trend Micro reports that Void Dokkaebi, also known as Famous Chollima, has migrated InvisibleFerret from readable Python scripts into Cython-compiled `.pyd` modules on Windows and `.so` modules on macOS. The campaign remains focused on software developers and cryptocurrency-related environments, with capabilities including backdoor access, browser credential theft, clipboard monitoring, keylogging, cryptocurrency wallet targeting, and trojanized wallet-extension installation. BeaverTail now functions as a broader multistage component, using obfuscation, downloader and backdoor modules, wallet and browser stealers, and Chrome/Brave extension trojanization for MetaMask, Coinbase Wallet, Phantom, and related targets. The shift to Cython complicates script-only detection and can hide or defer infrastructure details because runtime loader scripts may provide IP addresses and ports to the compiled modules.
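Because script-only detection misses compiled modules, a defender's first triage step is to find which `.pyd`/`.so` files on a host were emitted by Cython at all. The heuristic below is an added example, not code from the Trend Micro report; it assumes the well-known string markers Cython's code generator embeds (`__pyx_`, `cython_runtime`, `Cython`), which a packer could strip, so treat a hit as a triage lead rather than a verdict.

```python
"""Triage helper: flag compiled Python extension modules that carry Cython markers."""
import sys
from pathlib import Path

# Assumption: these literals appear in every module Cython emits (e.g. the
# __pyx_capi__ / __pyx_vtable__ attribute names and the cython_runtime module).
CYTHON_MARKERS = (b"__pyx_", b"cython_runtime", b"Cython")
EXTENSION_SUFFIXES = {".pyd", ".so"}


def cython_marker_hits(data: bytes) -> dict[str, int]:
    """Return {marker: occurrence count} for each marker present in the bytes."""
    return {m.decode(): data.count(m) for m in CYTHON_MARKERS if m in data}


def looks_cython_compiled(data: bytes, min_distinct: int = 2) -> bool:
    """True when at least min_distinct different markers occur (one alone is weak)."""
    return len(cython_marker_hits(data)) >= min_distinct


def scan_tree(root: Path) -> list[tuple[Path, dict[str, int]]]:
    """Walk root and collect extension modules that look Cython-compiled."""
    findings = []
    for path in root.rglob("*"):
        if path.suffix.lower() not in EXTENSION_SUFFIXES or not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if looks_cython_compiled(data):
            findings.append((path, cython_marker_hits(data)))
    return findings


# Constructed sample inputs (not real malware bytes) for a stand-alone run.
SAMPLE_CYTHON = b"MZ\x90\x00\x00__pyx_capi__\x00__pyx_vtable__\x00cython_runtime\x00Cython 3.0\x00"
SAMPLE_PLAIN = b"MZ\x90\x00PyInit_helper\x00plain C extension\x00"

if __name__ == "__main__":
    print("constructed Cython sample:", looks_cython_compiled(SAMPLE_CYTHON))
    print("constructed plain sample: ", looks_cython_compiled(SAMPLE_PLAIN))
    for p, hits in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"{p}: {hits}")
```

Run it against a developer's site-packages or project tree to list candidates for deeper review; a compiled module that no installed package accounts for is the interesting case.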

Indicators of Compromise

Type   Value           First Seen   Last Seen
IPv4   45.59.160.199   2026-05-22   2026-05-22
