Detecting and responding to InvisibleFerret with Wazuh

2025-05-09 • Wazuh •

https://wazuh.com/blog/detecting-and-responding-to-invisibleferret-with-wazuh/

#InvisibleFerret #T1204.002 #T1485 #T1107 #T1044 #T1043

Thumbnail for Detecting and responding to InvisibleFerret with Wazuh

Wazuh describes InvisibleFerret as a Python-based backdoor used in North Korea-linked campaigns, especially Lazarus recruitment-themed operations against technology, finance, and cryptocurrency professionals. The malware is delivered as a second-stage payload by the BeaverTail JavaScript loader and stealer, then collects host identity, geolocation, network, file, keylogging, and clipboard data from Windows or Linux endpoints. The Linux-focused detection guide notes temporary obfuscated files, prioritized file and directory lists for theft, FTP and Telegram Bot exfiltration, and AnyDesk download for remote access. It provides Wazuh and SysmonForLinux rules for detecting those behaviors and active-response steps to remove the malware.

Indicators of Compromise

Type	Value	First Seen	Last Seen
HASH	2012f6f7d8add86ebbc662981583255…	2025-05-09	2025-07-26
HASH	a2de54fbfbca6e1715b2621ab382e9c…	2025-05-09	2025-05-09
HASH	11dde438e1a636073e79c81d4c25437…	2025-05-09	2025-05-09
HASH	30ee0cc21753e27dd45a7cedc1271cda	2025-05-09	2025-05-09
HASH	989252de0be3253c5cfd4b68bc84aae…	2025-05-09	2025-05-09

Related Reports

2025-07-26 • 31% Match

InvisibleFerret Threat Intelligence Report

Bloo

#ContagiousInterview #InvisibleFerret #T1082 #T1059.003 #T1567.002 #T1041 #T1071.001 #T1195.002 #T1115 #T1083 #T1056.001 #T1027 #T1204.002 #T1566.003 #T1555.003 #T1219 #T1562.001 #T1571 #T1016 #T1560.001 #T1543.003 #T1578

Shares tags: InvisibleFerret, T1204.002 • Shares 1 IOC

2025-05-27 • 26% Match

Lazarus Group Targets Crypto-Wallets and Financial Data while employing new Tradecrafts

Alessio Di Santo

#BeaverTail #InvisibleFerret #Lazarus

Shares tag: InvisibleFerret • Published within a month

2025-05-14 • 26% Match

APT GROUP123

Cyfirma

#Group123 #T1102.002 #T1082 #T1059.003 #T1005 #T1071.001 #T1059.006 #T1027 #T1204.002 #T1555.003 #T1057 #T1059.005 #T1566.001 #T1547.001 #T1053.005 #T1059 #T1105 #T1055 #T1203 #T1189 #T1123 #T1548.002 #T1106 #T1529 #T1033 #T1561.002 #T1559.002 #T1120 #T1036.001 #T1094 #T1027.003

Shares tag: T1204.002 • Published within a week

2025-04-24 • 26% Match

Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware

Silentpush

#ContagiousInterview #BeaverTail #InvisibleFerret #FamousChollima #OtterCookie #ClickFix

Shares tag: InvisibleFerret • Published within a month

2025-02-20 • 23% Match

DeceptiveDevelopment targets freelance developers

ESET

#BeaverTail #InvisibleFerret #DeceptiveDevelopment #T1027.013 #T1082 #T1119 #T1059.003 #T1140 #T1005 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1115 #T1083 #T1056.001 #T1059.006 #T1059.007 #T1204.002 #T1566.003 #T1555.003 #T1124 #T1583.003 #T1552.001 #T1585.001 #T1219 #T1133 #T1571 #T1564.001 #T1016 #T1074.001 #T1657 #T1071.002 #T1021.001 #T1614 #T1555.001 #T1217 #T1095 #T1025 #T1010 #T1560.002 #T1030 #T1567.004 #T1564.003

Shares tags: InvisibleFerret, T1204.002

2025-09-25 • 18% Match

DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception

ESET

#BeaverTail #InvisibleFerret #ClickFix #DeceptiveDevelopment #Tropidoor #Tsunami #T1071.001 #T1497 #T1056.001 #T1204.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1566.001 #T1059 #T1585.001 #T1105 #T1055 #T1078 #T1589 #T1586

Shares tags: InvisibleFerret, T1204.002

« Back