S1245: InvisibleFerret
InvisibleFerret is a modular Python malware used for data exfiltration and remote access.[1][2][3] It consists of four modules: main, payload, browser, and AnyDesk.[1] InvisibleFerret has been used by North Korea-affiliated threat actors tracked as DeceptiveDevelopment or Contagious Interview since 2023.[4][2][3][5] It has historically been introduced into victim environments by the BeaverTail malware.[6][1][2][3][5]
Analyst context for executives and security teams
InvisibleFerret matters because ATT&CK describes it as modular Python malware with remote access and data exfiltration capabilities across Windows, macOS, and Linux. For leaders, the practical risk is not only malware execution; it is whether the organization can recognize a cross-platform intrusion that performs discovery, collects local, browser, and user data, captures input, stages data, and sends it out over command-and-control or other network channels. The supplied ATT&CK context also links it to Contagious Interview and to delivery through BeaverTail, which makes software development and cryptocurrency-related environments especially relevant where those business profiles exist.
Executive priority
Prioritize validation where business operations depend on developer workstations, remote work endpoints, cryptocurrency-related workflows, or sensitive local data. Key executive questions: do we collect enough endpoint and network evidence on macOS, Linux, and Windows; can SOC teams investigate Python-based malware and remote access tool misuse; and can incident responders prove what data was discovered, staged, captured, or exfiltrated? Because no official ATT&CK detection text is provided, this should be treated as a coverage-assessment and readiness item rather than a claim of existing detection capability.
Technical view
SOC and IR teams should map coverage to the related ATT&CK behaviors: Python and PowerShell execution; file and directory discovery; user, account, process, system, software, and network discovery; local data collection and staging; clipboard and keylogging-style input capture; encoded or decoded payload artifacts; ingress tool transfer; web-protocol or non-application-layer C2; remote access tool use, including the AnyDesk module noted in the description; service stopping; and exfiltration over C2 or unencrypted non-C2 protocols. Validate behavior chains rather than single indicators: a Python process that performs host discovery, reads user or browser data, stages files, and then makes unusual outbound connections is far more meaningful than any one of those events alone.
Likely telemetry
- Endpoint process creation and command-line telemetry for Python, PowerShell, discovery utilities, file enumeration, and service-stop activity
- File system telemetry for new scripts, encoded or decoded files, module drops, local staging directories, and suspicious access to user or browser data locations
- Network telemetry for outbound web traffic, non-application-layer communications, tool transfer, and possible exfiltration over C2 or unencrypted non-C2 protocols
- Remote access tool inventory and session telemetry, especially for AnyDesk or other legitimate remote access software used outside approved support workflows
- Clipboard access, input-capture-related endpoint signals, and security product alerts where available
Detection direction
- Build detections around correlated behavior sequences across Linux, macOS, and Windows rather than relying on malware names, since ATT&CK provides no official detection guidance for this object.
- Tune for Python-based execution followed by discovery techniques such as system, process, network configuration, file/directory, software, local account, and user discovery.
- Look for collection and staging patterns before exfiltration: local data access, browser-related data access where telemetry allows, clipboard collection, keylogging-related signals, and staged files followed by outbound connections.
- Monitor remote access tool use in context: legitimate tools can be normal, so alerting should consider installation source, first-seen use, unusual user/device pairing, unsanctioned external sessions, or activity inconsistent with IT support workflows.
- Assess blind spots on macOS and Linux endpoints, where process, file, clipboard, and network visibility may be less mature than Windows coverage.
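The chain described in the points above (interpreter start, discovery, browser or user data access, staging, suspicious egress) is easier to reason about as code than as a list. The block below is an added example, not code from this page or from any of the cited reports: it correlates that chain per host over a constructed event stream and only counts stages that appear in order inside a time window. The `Event` schema, host names, paths and addresses are assumptions; the ports, URIs, discovery utilities and browser artefact names are taken from the technique table on this page. Python is used because the malware itself is Python and the logic ports directly to a SIEM correlation rule.

```python
"""Correlate the chain: Python interpreter -> host discovery -> browser/user
data access -> local staging -> suspicious egress, per host, over endpoint
telemetry. Added example over constructed events; the Event schema and all
sample values are assumptions, not a vendor format."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Event:
    ts: int        # epoch seconds
    host: str
    kind: str      # "process" | "file" | "network"
    proc: str      # image name of the acting process
    parent: str    # image name of its parent, "" when unknown
    detail: str    # command line, file path, or "dst:port/uri"

# Indicators taken from the technique table: discovery utilities, browser
# profile artefacts, archive staging, and the reported C2 ports and URIs.
DISCOVERY_UTILS = {"whoami", "hostname", "ipconfig", "ifconfig", "tasklist", "findstr", "find", "ps", "id"}
BROWSER_MARKERS = ("login data", "web data", "local state", "cookies", "/chrome/", "bravesoftware")
ARCHIVE_EXTS = (".7z", ".rar", ".zip")
SUSPECT_PORTS = {1224, 2245, 8637}
SUSPECT_URIS = ("/uploads", "/bow")
STAGE_ORDER = ("python_exec", "discovery", "browser_data", "staging", "egress")

def is_python(image: str) -> bool:
    return image.lower().startswith("python")

def basename(cmd: str) -> str:
    """First token of a command line, without directory or .exe suffix."""
    tokens = cmd.split()
    name = tokens[0].replace("\\", "/").rsplit("/", 1)[-1] if tokens else ""
    return name[:-4] if name.endswith(".exe") else name

def stage_of(ev: Event) -> Optional[str]:
    """Map a single event to a chain stage, or None when it is not relevant."""
    d = ev.detail.lower()
    if ev.kind == "process":
        if is_python(ev.proc):
            return "python_exec"
        if is_python(ev.parent) and basename(d) in DISCOVERY_UTILS:
            return "discovery"
    elif ev.kind == "file" and is_python(ev.proc):
        if any(m in d for m in BROWSER_MARKERS):
            return "browser_data"
        if d.endswith(ARCHIVE_EXTS):
            return "staging"
    elif ev.kind == "network" and is_python(ev.proc):
        hostport, _, path = d.partition("/")          # IPv4 "host:port/uri" only
        port_text = hostport.rsplit(":", 1)[-1]
        port = int(port_text) if port_text.isdigit() else 0
        if port in SUSPECT_PORTS or ("/" + path).startswith(SUSPECT_URIS):
            return "egress"
    return None

def correlate(events: List[Event], window: int = 3600, min_stages: int = 4) -> List[dict]:
    """Per host, accept stages only in chain order and within `window` seconds of
    the first interpreter start; alert when at least `min_stages` are hit."""
    by_host: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        hit: List[str] = []
        evidence: List[str] = []
        start: Optional[int] = None
        for ev in evs:
            st = stage_of(ev)
            if st is None:
                continue
            if st == "python_exec" and start is None:
                start = ev.ts
            if start is None or ev.ts - start > window:
                continue                              # chain must begin with the interpreter
            last = STAGE_ORDER.index(hit[-1]) if hit else -1
            if STAGE_ORDER.index(st) > last:
                hit.append(st)
                evidence.append(f"{ev.ts} {ev.kind} {ev.proc}: {ev.detail}")
        if len(hit) >= min_stages:
            alerts.append({"host": host, "stages": hit, "evidence": evidence})
    return alerts

# Constructed sample telemetry; paths, addresses and the .n2/pay location are
# illustrative (the page names a "pay" module and a ".n2/bow" path, not this file).
SAMPLE_EVENTS = [
    Event(1000, "dev-ws-01", "process", "python3", "node", "python3 /home/dev/.n2/pay"),
    Event(1005, "dev-ws-01", "process", "hostname", "python3", "hostname"),
    Event(1010, "dev-ws-01", "process", "find", "python3", "/usr/bin/find /home/dev -name *.env"),
    Event(1100, "dev-ws-01", "file", "python3", "", "/home/dev/.config/BraveSoftware/Brave-Browser/Default/Login Data"),
    Event(1200, "dev-ws-01", "file", "python3", "", "/home/dev/.n2/collect.zip"),
    Event(1300, "dev-ws-01", "network", "python3", "", "203.0.113.10:1224/uploads"),
    # Ordinary developer activity: test run, build artefact, HTTPS to a known API.
    Event(1000, "build-42", "process", "python3", "bash", "python3 -m pytest"),
    Event(1050, "build-42", "file", "python3", "", "/srv/build/report.zip"),
    Event(1060, "build-42", "network", "python3", "", "203.0.113.20:443/api/v1/results"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], "->", " > ".join(alert["stages"]))
        for line in alert["evidence"]:
            print("   ", line)
```

The ordering rule is what keeps the false-positive rate down: `build-42` runs Python, writes a zip and talks HTTPS, but never hits discovery or browser data in between, so it scores two stages and stays silent. Tune `window` and `min_stages` to the environment, and expect to extend `stage_of` with the AnyDesk download into the home directory (T1105/T1219) and the `conf.ps1` PowerShell write (T1059.001) once those events are available in your telemetry.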
Mitigation priorities
- Establish cross-platform endpoint visibility for Windows, macOS, and Linux before relying on detections for this malware family.
- Restrict and monitor scripting runtimes and administrative interpreters according to business need, including Python and PowerShell where applicable.
- Govern legitimate remote access tools through approved inventory, allowlisting, logging, and documented support procedures.
- Reduce exfiltration risk with outbound network monitoring, egress controls, and review of unencrypted protocols where business operations allow.
- Harden developer and high-risk workstations with least privilege, software inventory, and controls over downloaded tools or scripts.
Analyst notes and limits
The supplied ATT&CK object identifies InvisibleFerret as modular Python malware with main, payload, browser, and AnyDesk modules and with remote access and data exfiltration capabilities, and places it in the Contagious Interview/DeceptiveDevelopment context. The relationship set is valuable because it expands defensive planning across execution, discovery, collection, credential access, command and control, exfiltration, stealth, and impact behaviors. Local validation should focus on whether these behaviors can be observed on the organization’s actual endpoint and network stack.
ATT&CK provides no official detection section and no top-level tactics for this malware object. This take is derived only from the supplied STIX fields, external references, and relationships; it does not assert current activity, customer exposure, specific indicators, or guaranteed detection. Platform scope is limited to the supplied Linux, macOS, and Windows listing; related techniques list additional platforms that should not be assumed applicable without local evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | InvisibleFerret has collected OS type, hostname and system version through the "pay" module.[6][1] InvisibleFerret has also queried the victim device using Python scripts to obtain the user and hostname.[4][3] |
| Enterprise | T1657 | Financial Theft | InvisibleFerret has searched the victim device for credentials and files commonly associated with cryptocurrency wallets.[6][1][2][3] |
| Enterprise | T1083 | File and Directory Discovery | InvisibleFerret has identified specific directories and files for exfiltration using the `ssh_upload` command, which has the subcommands `.sdira`, `sdir`, `sfile`, `sfinda`, `sfindr`, and `sfind`.[1][2] InvisibleFerret can also scan for and upload files of interest across multiple operating systems using scripts that check file names and extensions and skip certain path names.[6][3] InvisibleFerret has used `findstr` on Windows and `find` on macOS to search for files of interest.[5] |
| Enterprise | T1056 | Input Capture | InvisibleFerret has collected mouse and keyboard events using `pyWinhook`.[3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | InvisibleFerret has decoded XOR-encrypted and Base64-encoded payloads prior to execution.[1] |
| Enterprise | T1679 | Selective Exclusion | InvisibleFerret can scan by file name and extension while skipping pre-designated path names and file types.[6][3] |
| Enterprise | T1105 | Ingress Tool Transfer | InvisibleFerret has downloaded `AnyDesk.exe` into the user’s home directory from the C2 server when its checks fail to find the service on the victim host.[1] InvisibleFerret has also been configured to download additional payloads with a command that requests the `/bow` URI.[2][3] |
| Enterprise | T1518 | Software Discovery | InvisibleFerret has gathered installed programs and running processes.[2] |
| Enterprise | T1057 | Process Discovery | InvisibleFerret can query installed programs and running processes.[2] InvisibleFerret has also enumerated running processes using the Python package `psutil`.[3] |
| Enterprise | T1056.001 | Keylogging Sub-technique | InvisibleFerret has performed keylogging using the Python packages `pyWinhook` and `pyHook`.[6][1][3] Its keylogging thread also checks for changes in the active window and for key presses.[2] |
| Enterprise | T1087.001 | Local Account Sub-technique | InvisibleFerret has queried the victim device using Python scripts to obtain the user and hostname.[4][3] |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | InvisibleFerret has stolen login data, autofill data, cryptocurrency wallets, and payment information saved in web browsers such as Chrome, Brave, Opera, Yandex, and Edge, including the Windows, Linux, and macOS builds of those browsers.[6][1] InvisibleFerret has also used the `ssh_zcp` command to copy browser data, including extensions and cryptocurrency wallet data.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | InvisibleFerret has collected the local IP address and the external IP address.[1][3] |
| Enterprise | T1489 | Service Stop | InvisibleFerret has terminated Chrome and Brave browsers using `taskkill` on Windows and `killall` on Linux and macOS.[1] InvisibleFerret has also used its `ssh_kill` command to terminate Chrome and Brave browser processes.[3] |
| Enterprise | T1033 | System Owner/User Discovery | InvisibleFerret has identified the user’s UUID and username through the "pay" module.[6][1][3] |
| Enterprise | T1543.001 | Launch Agent Sub-technique | InvisibleFerret has established persistence on macOS using a LaunchAgent named `com.avatar.update.wake.plist` that runs at startup.[2] |
| Enterprise | T1547.013 | XDG Autostart Entries Sub-technique | InvisibleFerret has established persistence in GNOME-based Linux environments by placing `.desktop` autostart entries that run at startup.[2] |
| Enterprise | T1219 | Remote Access Tools | InvisibleFerret has used remote access software, including the AnyDesk client, through its "adc" module.[6][1][3] InvisibleFerret has also downloaded the AnyDesk client when it is not already present on the compromised host, checking for `C:/Program Files(x86)/AnyDesk/AnyDesk.exe`.[2] |
| Enterprise | T1614 | System Location Discovery | InvisibleFerret has collected the internal IP address and IP geolocation of the infected host and sent the data to a C2 server.[3] InvisibleFerret has also used the "pay" module to obtain region name, country, city, zip code, ISP, latitude, and longitude from `http://ip-api.com/json`.[1] |
| Enterprise | T1059.006 | Python Sub-technique | InvisibleFerret is written in Python and has used Python scripts for execution.[6][4][1][2][3] |
| Enterprise | T1564.003 | Hidden Window Sub-technique | InvisibleFerret has launched Python instances of the browser module `.n2/bow` with the `CREATE_NO_WINDOW` process creation flag.[1] |
| Enterprise | T1571 | Non-Standard Port | InvisibleFerret has been observed using HTTP communications to the C2 server over ports 1224, 2245, and 8637.[6] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | InvisibleFerret has used HTTP requests to the `/Uploads` URI for file exfiltration.[2] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | InvisibleFerret has staged data in consolidated folders prior to exfiltration.[1] |
| Enterprise | T1555.005 | Password Managers Sub-technique | InvisibleFerret has used the `ssh_zcp` command to exfiltrate data from browser extensions and password managers via Telegram and FTP.[1][2] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | InvisibleFerret has used HTTP for C2 communications.[6][1][3] |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | InvisibleFerret has used 7-Zip, RAR, and zip archives to package collected data for exfiltration.[1][2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | InvisibleFerret has established persistence on Windows by creating a batch file named `queue.bat` in the Startup folder to run a Python script.[2] |
| Enterprise | T1005 | Data from Local System | InvisibleFerret has collected data using a script that contains a list of excluded file and directory names and of naming patterns of interest, such as environment and configuration files, documents, spreadsheets, and other files whose names contain the words secret, wallet, private, and password.[1] |
| Enterprise | T1115 | Clipboard Data | InvisibleFerret has stolen clipboard data using the Python package `pyperclip`.[6][1][3] InvisibleFerret has also captured clipboard contents during copy and paste operations.[2] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | InvisibleFerret has applied XOR and Base64 encoding to each of its modules.[1] InvisibleFerret has also obfuscated files with a combination of zlib compression, Base64 encoding, and string reversal.[6] InvisibleFerret has also applied XOR and Base64 encoding to some of its Python scripts.[3] |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique | InvisibleFerret has used FTP to exfiltrate files and directories using the `ssh_upload` command, which has six subcommands, `.sdira`, `sdir`, `sfile`, `sfinda`, `sfindr`, and `sfind`, with varying functions.[1][2] InvisibleFerret has exfiltrated stolen files and data to C2 servers over ports 1224, 2245, and 8637.[6] |
| Enterprise | T1095 | Non-Application Layer Protocol | InvisibleFerret has established a connection with the C2 server over TCP.[3] InvisibleFerret has also created a TCP reverse shell communicating over a socket connection on ports 1245, 80, 2245, 3001, and 5000.[1] |
| Enterprise | T1567 | Exfiltration Over Web Service | InvisibleFerret has uploaded stolen data to a Telegram chat using the Telegram API with a bot token.[1][2] |
| Enterprise | T1059.001 | PowerShell Sub-technique | InvisibleFerret has used a PowerShell script named `conf.ps1`, created in the victim’s home directory, to modify the configuration files of the AnyDesk remote access service.[1] |
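The T1140 and T1027.013 rows above report two layerings: XOR plus Base64 on the modules, and zlib plus Base64 plus string reversal on some files. When triaging a recovered artifact the order of those layers is not always obvious from a hex dump, so the following is an added example, not code from this page or from any of the cited reports, of a small depth-first layer peeler that tries the reported transforms in every order up to a fixed depth and stops at the first output that plausibly reads as Python source. The XOR key `k3y!`, the stand-in module text, and the order used to build the two test blobs are assumptions for the demonstration; a real sample's key has to be recovered from its loader.

```python
"""Peel the layered encodings attributed to InvisibleFerret artifacts (XOR +
Base64; zlib + Base64 + reversed string) when the layer order is unknown.
Added example; the key, sample text and layer order are assumptions."""
import base64
import binascii
import zlib
from typing import Callable, List, Optional, Tuple

MAX_OUT = 8 * 1024 * 1024   # cap zlib output so a crafted blob cannot bomb the analyst box
MAX_DEPTH = 4               # the rows above report at most three layers per artifact

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def strict_b64(data: bytes) -> bytes:
    return base64.b64decode(data, validate=True)   # raises binascii.Error on non-alphabet input

def bounded_zlib(data: bytes) -> bytes:
    d = zlib.decompressobj()
    out = d.decompress(data, MAX_OUT)
    if d.unconsumed_tail:
        raise zlib.error("output exceeds MAX_OUT")
    return out

def looks_like_python(data: bytes) -> bool:
    """Cheap plausibility check: printable UTF-8 text carrying Python tokens."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return False
    return any(tok in text for tok in ("import ", "def ", "exec(", "socket"))

def peel(blob: bytes, xor_key: Optional[bytes] = None, depth: int = MAX_DEPTH,
         last: str = "") -> Optional[Tuple[bytes, List[str]]]:
    """Depth-first search over the transforms; returns the recovered text and
    the transforms applied, outermost first, or None if nothing plausible appears."""
    if looks_like_python(blob):
        return blob, []
    if depth == 0:
        return None
    steps: List[Tuple[str, Callable[[bytes], bytes]]] = [
        ("base64", strict_b64), ("zlib", bounded_zlib), ("reverse", lambda b: b[::-1])]
    if xor_key:
        steps.append(("xor", lambda b: xor_bytes(b, xor_key)))
    for name, fn in steps:
        if name == last and name in ("reverse", "xor"):
            continue                     # self-inverse: would only undo the previous layer
        try:
            nxt = fn(blob)
        except (binascii.Error, ValueError, zlib.error):
            continue
        if not nxt or nxt == blob:
            continue
        found = peel(nxt, xor_key, depth - 1, name)
        if found:
            return found[0], [name] + found[1]
    return None

# Builders used only to construct test blobs; the application order is assumed.
def wrap_xor_b64(src: bytes, key: bytes) -> bytes:
    return base64.b64encode(xor_bytes(src, key))

def wrap_zlib_b64_reverse(src: bytes) -> bytes:
    return base64.b64encode(zlib.compress(src))[::-1]

SAMPLE_SRC = b"import socket\nimport os\n\ndef pay():\n    return os.uname()\n"  # constructed stand-in
SAMPLE_KEY = b"k3y!"                                                           # assumed key

if __name__ == "__main__":
    for label, blob in (("xor+base64", wrap_xor_b64(SAMPLE_SRC, SAMPLE_KEY)),
                        ("zlib+base64+reverse", wrap_zlib_b64_reverse(SAMPLE_SRC))):
        result = peel(blob, SAMPLE_KEY)
        print(label, "->", " > ".join(result[1]) if result else "not recovered")
```

`peel` returns the first plausible result, so treat the recovered text as a lead and inspect it before trusting the reported layer order; the `MAX_OUT` cap is there because a decompression layer is exactly where an attacker-controlled blob can exhaust memory on an analysis host.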
Groups, software, and campaigns
G1052: Contagious Interview
Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities. [1][2][3][4][5][6][7][8]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3fed931b84de… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET Contagious Interview BeaverTail InvisibleFerret February 2025. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.
- [2] Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024. Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025.
- [3] PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025.
- [4] Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025. Insikt Group. (2025, February 13). Inside the Scam: North Korea’s IT Worker Threat. Retrieved October 17, 2025.
- [5] PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024. Unit 42. (2024, October 9). Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware. Retrieved October 17, 2025.
- [6] Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024. eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2. Retrieved October 17, 2025.
- [7] mitre-attack S1245. MITRE ATT&CK software entry S1245: InvisibleFerret.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.