BeaverTail and Tropidoor Malware Distributed via Recruitment Emails

2025-04-02 AhnLab

https://asec.ahnlab.com/en/87299/


AhnLab links a recruitment-themed phishing case to the BeaverTail malware and to a downloader DLL (car.dll) distributed through a Bitbucket project. The files included tailwind.config.js (BeaverTail) and downloader DLLs such as car.dll and img_layer_generate.dll; Korean-language execution logs matched activity first described in a Dev.to community post. BeaverTail harvests browser credentials and cryptocurrency wallet data and downloads additional payloads such as InvisibleFerret. The in-memory backdoor delivered by the downloader, Tropidoor, decrypts four C2 addresses, exchanges system information and an RSA-encrypted session key with the server, and receives commands through the tropi2p, gumi, letter, and s_width parameters. AhnLab notes that the Windows commands implemented internally by the downloader resemble Lazarus LightlessCan tradecraft.
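The parameter names above are the most practical network indicator in the summary. The script below is an added example, not code from AhnLab's report, that scans constructed proxy log lines for requests carrying the Tropidoor parameter set. It assumes the parameters travel as URL query or urlencoded POST body fields (an assumption, since the summary does not state the transport encoding) and uses a made-up log format of `<timestamp> <src> <method> <url> <body-or-dash>`. Because `letter` and `s_width` are plausible in benign traffic, the alert threshold here requires the two unusual names, `tropi2p` and `gumi`; that threshold is the author's choice, not something the report specifies.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names the AhnLab summary attributes to Tropidoor's command channel.
TROPIDOOR_PARAMS = frozenset({"tropi2p", "gumi", "letter", "s_width"})
# "letter" and "s_width" occur in ordinary web apps; only alert when the two
# odd names are both present (threshold chosen for this example, not from the report).
RARE_PARAMS = frozenset({"tropi2p", "gumi"})

# Constructed proxy log lines (not real captures). Format assumed for this example:
# "<timestamp> <src-ip> <method> <url> <urlencoded-body-or-dash>"
SAMPLE_LOG = [
    "2025-04-01T09:12:03Z 10.0.0.5 GET https://cdn.example.com/app.js -",
    "2025-04-01T09:12:09Z 10.0.0.5 POST https://203.0.113.7/ tropi2p=ab12&gumi=3&letter=Zm9v&s_width=1",
    "2025-04-01T09:13:41Z 10.0.0.8 POST https://shop.example.com/cart letter=A&s_width=640",
    "2025-04-01T09:14:00Z 10.0.0.5 GET https://203.0.113.7/?gumi=9&tropi2p=ZZ -",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")


def param_names(url, body="-"):
    """Collect parameter names from the URL query string and a urlencoded body."""
    names = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    if body and body != "-":
        names |= set(parse_qs(body, keep_blank_values=True))
    return names


def classify(url, body="-"):
    """Return 'tropidoor-c2', 'suspicious' (one rare name) or 'clean'."""
    hits = param_names(url, body) & TROPIDOOR_PARAMS
    if RARE_PARAMS <= hits:
        return "tropidoor-c2"
    if hits & RARE_PARAMS:
        return "suspicious"
    return "clean"


def scan_log(lines):
    """Return (timestamp, src, url, verdict) for every parseable line that is not clean."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed format
        ts, src, _method, url, body = match.groups()
        verdict = classify(url, body)
        if verdict != "clean":
            findings.append((ts, src, url, verdict))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding)
```

Pivoting on the flagged source address (10.0.0.5 in the constructed sample) to the preceding downloads, such as a Bitbucket fetch of a project containing tailwind.config.js or a DLL named like car.dll, is the natural next step when a hit appears.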
