#ESETresearch has uncovered the North Korea-aligned threat actor, DeceptiveDevelopment, targeting freelance developers with trojanized coding challenges and fake job interviews.
https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception
Victims are lured with fake job offers and asked to complete trojanized coding challenges hosted on private GitHub/GitLab repos. These projects contain obfuscated malware, often hidden in long comments outside the IDE view. The group also utilizes the ClickFix technique.
DeceptiveDevelopment’s toolset spans multiple platforms and languages: #BeaverTail (infostealer), #InvisibleFerret (modular RAT), #WeaselStore (Go/Python RAT), and #TsunamiKit (.NET spyware).
Some components, like Tropidoor and AkdoorTea, show code similarities with Lazarus-linked malware, suggesting shared tooling across these North Korea-aligned groups.
While DeceptiveDevelopment focuses on malware, OSINT shows ties to North Korean IT workers who use fake identities to secure remote jobs, thus surreptitiously funding North Korean state operations.
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/deceptivedevelopment
DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception

ESET researchers reveal how malware operators collaborate with covert North Korean IT workers, posing a threat to both headhunters and job seekers.
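One practical check for the hiding technique described in the ESET post above: a small scanner that flags source lines where code resumes after a long run of whitespace (so it sits outside the IDE viewport) or where an over-long comment carries executable-looking content. This is an added example, not ESET's tooling and not code from the malicious repositories; the thresholds, the keyword list, the file-extension set and the sample `utils.js` contents are assumptions constructed for the demonstration.

```python
"""Heuristic scan for code hidden past the visible editor width.

Added example, not ESET's or the threat actor's code. The lure places
obfuscated code at the end of an innocuous line after hundreds of spaces,
or inside an over-long comment, so it scrolls out of the IDE viewport.
Thresholds and the keyword list are assumptions to tune per repository.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

GAP_THRESHOLD = 60        # assumed: this many consecutive spaces/tabs is not formatting
MAX_COMMENT_LEN = 300     # assumed: comments longer than this deserve a look
EXTENSIONS = {".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs", ".py"}

# Calls and tokens typical of JavaScript droppers and of javascript-obfuscator
# output. A hit only counts together with a positional anomaly (whitespace gap
# or over-long comment), which keeps false positives on ordinary code down.
SUSPICIOUS = re.compile(
    r"\b(?:eval|Function|require|atob|fromCharCode|exec|child_process|"
    r"XMLHttpRequest|fetch|unescape|base64)\b"
    r"|_0x[0-9a-f]{2,}"             # _0x1a2b-style identifiers
    r"|[A-Za-z0-9+/]{80,}={0,2}"    # long base64-looking blob
)
GAP = re.compile(r"\S[ \t]{%d,}(\S.*)$" % GAP_THRESHOLD)
COMMENT_START = re.compile(r"//|#|/\*")


@dataclass
class Finding:
    path: str
    line_no: int
    reason: str
    preview: str   # first 60 characters of the hidden content


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents; returns one Finding per suspicious line."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        # (a) innocuous prefix, long run of whitespace, then a code-like tail
        gap = GAP.search(line)
        if gap and SUSPICIOUS.search(gap.group(1)):
            findings.append(Finding(path, n, "code after long whitespace gap", gap.group(1)[:60]))
            continue
        # (b) an over-long comment that carries executable-looking content
        c = COMMENT_START.search(line)
        if c:
            comment = line[c.start():]
            if len(comment) > MAX_COMMENT_LEN and SUSPICIOUS.search(comment):
                findings.append(Finding(path, n, "over-long comment with code", comment[:60]))
    return findings


def scan_path(root: str | Path) -> list[Finding]:
    """Walk a checked-out repository and scan every source file by extension."""
    findings: list[Finding] = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in EXTENSIONS and "node_modules" not in p.parts:
            findings.extend(scan_text(str(p), p.read_text(encoding="utf-8", errors="replace")))
    return findings


# Constructed sample: a "take-home" file whose lines 3 and 4 hide payload code.
SAMPLE_JS = "\n".join([
    "// utils.js: date helpers for the take-home exercise",
    "export function fmt(d) { return d.toISOString().slice(0, 10); }",
    "const cfg = { retries: 3 };" + " " * 300
    + "const _0xab12=require('child_process');eval(atob('aGVsbG8='));",
    "/* " + "lorem ipsum " * 40 + "eval(Function('return this')()) */",
    "export default cfg;",
])


if __name__ == "__main__":
    for f in scan_text("utils.js", SAMPLE_JS):
        print(f"{f.path}:{f.line_no}: {f.reason}: {f.preview!r}")
```

Run `scan_path(".")` on the cloned interview repository before opening it in an editor; the heuristic deliberately trades precision for recall (a `#` inside a string counts as a comment start), so treat hits as lines to read, not as verdicts.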

It's been a bit quiet over the last 24 hours, but we've still got a couple of critical updates to cover, including a significant vulnerability in Microsoft Entra ID and evolving tactics from DPRK threat actors. Let's dive in:

Global Admin Access in Microsoft Entra ID ⚠️

- A critical vulnerability (CVE-2025-55241) in Microsoft Entra ID (formerly Azure AD) could have allowed an attacker to gain Global Administrator privileges in *any* company's tenant.
- The flaw stemmed from a combination of undocumented, unsigned "actor tokens" and a vulnerability in the deprecated Azure AD Graph API, enabling impersonation and bypassing Conditional Access policies.
- Crucially, exploitation left virtually no trace in the victim tenant's logs, making detection extremely difficult. Microsoft has since patched the issue and is working to remove the underlying legacy components.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/microsoft-entra-id-flaw-allowed-hijacking-any-companys-tenant/

DPRK Hackers Evolve Tactics with ClickFix and AI 📰

- North Korean threat actors, a subset of the Lazarus Group, are refining their "Contagious Interview" campaigns, now using "ClickFix" social engineering to deliver BeaverTail info-stealer and InvisibleFerret backdoor.
- A notable shift in targeting sees them focusing on marketing and trader roles in the cryptocurrency and retail sectors, moving beyond their traditional software developer targets, and delivering malware as compiled binaries for multiple operating systems.
- These groups are actively monitoring cyber threat intelligence platforms to improve their operational resilience, with other DPRK groups like Kimsuky also leveraging GitHub for C2 and even ChatGPT to forge deepfake military IDs for spear-phishing.

📰 The Hacker News | https://thehackernews.com/2025/09/dprk-hackers-use-clickfix-to-deliver.html

#CyberSecurity #Vulnerability #Microsoft #EntraID #AzureAD #ThreatIntelligence #DPRK #NorthKorea #LazarusGroup #Malware #BeaverTail #InvisibleFerret #SocialEngineering #ClickFix #APT #InfoSec #CyberAttack

Microsoft Entra ID flaw allowed hijacking any company's tenant

A critical combination of legacy components could have allowed complete access to the Microsoft Entra ID tenant of every company in the world.

BleepingComputer
Tech Note - BeaverTail variant distributed via malicious repositories and ClickFix lure - GitLab Security Tech Notes

"Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware" published by Silentpush. #BeaverTail, #ContagiousInterview, #InvisibleFerret, #OtterCookie, #FamousChollima, #ClickFix, #DPRK, #CTI https://www.silentpush.com/blog/contagious-interview-front-companies/
Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie

Contagious Interview (DPRK) have launched a new campaign involving three front companies that deliver BeaverTail, InvisibleFerret, and OtterCookie malware.

Silent Push
DeceptiveDevelopment targets freelance developers

ESET researchers have observed a cluster of North Korea-aligned activities that they named DeceptiveDevelopment, whose operators pose as headhunters and serve their targets with software projects that conceal infostealing malware.

"BeaverTail & InvisibleFerret" published by SICERT. #BeaverTail, #InvisibleFerret, #DPRK, #CTI https://www.cert.si/tz016/
SI-CERT TZ016 / BeaverTail & InvisibleFerret - SI CERT

The attackers' goal was to obtain data stored in web browsers (saved passwords, sessions, history, etc.) and credit card details.

SI CERT
FERRET Malware Targets macOS in Sophisticated North Korean Attacks

Threat Group: Lazarus Group (also known as Andariel, APT38, Hidden Cobra)
Threat Type: Advanced Persistent Threat (APT)
Exploited Vulnerabilities: Social engineering tactics, including spear-phishing and fake job lures
Malware Used: FERRET Malware Family (including variants such as FlexibleFerret, InvisibleFerret, BeaverTail)
Threat Score: High (8.5/10) – Due to its sophisticated

Cybersec Sentinel
InvisibleFerret Malware: Technical Analysis - ANY.RUN's Cybersecurity Blog

Discover a detailed technical analysis of the InvisibleFerret malware that targets businesses across different industries.

ANY.RUN's Cybersecurity Blog
"InvisibleFerret Malware: Technical Analysis" published by AnyRun. #InvisibleFerret, #DPRK, #CTI https://any.run/cybersecurity-blog/invisibleferret-malware-analysis/