Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2

2024-11-14 eSentire

https://www.esentire.com/blog/bored-beavertail-invisibleferret-yacht-club-a-lazarus-lure-pt-2


The victim in the incident eSentire responded to appears to be a software developer, which is consistent with the TTPs of previously reported campaigns by North Korean threat actors that targeted software developers. It is also worth noting that the BeaverTail sample we observed targeted a total of 21 cryptocurrency extensions; the full list can be found in the Appendix at the end of the blog (Figure 7). After the JavaScript file is loaded, it uses a cURL command to download InvisibleFerret malware components from a command and control (C2) server; in this case the C2 was located at 185[.]235[.]241[.]208[:]1224. It also initiates a backdoor session with the C2 server and scans for and uploads sensitive files from the infected host.

Indicators of Compromise

Type Value First Seen Last Seen
IPv4 185.235.241.208 2024-08-13 2025-11-13
IPv4 95.164.7.171 2024-10-14 2025-07-26
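As an added example (not code from the eSentire report), the script below turns the IoC table above and the defanged C2 address from the write-up into a simple egress-log check: it refangs the indicator, parses the table, and flags any outbound connection to a listed IP, rating a cURL-style request to the 185.235.241.208:1224 download endpoint higher than other contacts. The log format and the log lines are constructed for the example; they are not from the incident.

```python
import re
from ipaddress import ip_address

# IoC table as listed in the report (IPv4 indicators only).
IOC_TABLE = """\
Type Value First Seen Last Seen
IPv4 185.235.241.208 2024-08-13 2025-11-13
IPv4 95.164.7.171 2024-10-14 2025-07-26
"""

# Defanged C2 exactly as written in the report; port 1224 is the endpoint
# the report names for the cURL download of InvisibleFerret components.
DEFANGED_C2 = "185[.]235[.]241[.]208[:]1224"


def refang(value: str) -> str:
    """Turn a defanged indicator such as 1[.]2[.]3[.]4[:]80 back into 1.2.3.4:80."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_ioc_table(text: str) -> dict:
    """Parse the whitespace-separated IoC table into {value: (type, first_seen, last_seen)}.

    The header row is skipped; IPv4 entries are validated so a typo in the
    table does not silently become a dead indicator.
    """
    iocs = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 4:
            continue
        ioc_type, value, first_seen, last_seen = parts
        if ioc_type == "IPv4":
            ip_address(value)  # raises ValueError on a malformed address
        iocs[value] = (ioc_type, first_seen, last_seen)
    return iocs


# Constructed sample egress/proxy log lines (hypothetical format, not from the report):
# timestamp, source host, destination ip:port, client user-agent.
SAMPLE_LOGS = [
    '2024-11-01T09:12:44Z 10.0.5.23 -> 185.235.241.208:1224 ua="curl/8.4.0"',
    '2024-11-01T09:13:01Z 10.0.5.23 -> 142.250.72.14:443 ua="Mozilla/5.0"',
    '2024-11-02T18:40:17Z 10.0.5.41 -> 95.164.7.171:443 ua="node"',
    '2024-11-02T18:41:00Z 10.0.5.41 -> 185.235.241.2:80 ua="curl/8.4.0"',  # near-miss, must not match
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) ua="(?P<ua>[^"]*)"$'
)


def scan_logs(lines, iocs, c2_endpoint):
    """Return one hit per log line whose destination IP is in the IoC set.

    A cURL user-agent talking to the exact ip:port named as the download
    endpoint is rated 'high'; any other contact with a listed IP is 'medium'.
    Exact-string matching on the IP avoids prefix matches such as 185.235.241.2.
    """
    c2_ip, c2_port = c2_endpoint.rsplit(":", 1)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dst, port = m["dst"], m["port"]
        if dst not in iocs:
            continue
        is_download = (dst, port) == (c2_ip, c2_port) and m["ua"].lower().startswith("curl")
        hits.append({
            "ts": m["ts"],
            "src": m["src"],
            "dst": f"{dst}:{port}",
            "ioc_type": iocs[dst][0],
            "severity": "high" if is_download else "medium",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, parse_ioc_table(IOC_TABLE), refang(DEFANGED_C2)):
        print(hit)
```

Swap `SAMPLE_LOGS` and `LOG_RE` for your own proxy or NetFlow export; the IoC parsing and the refang step are the parts worth keeping, since indicators pasted from reports are almost always defanged.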
