S1246: BeaverTail
BeaverTail is malware that exists in both JavaScript and C++ variants. Active since 2022, BeaverTail is capable of stealing logins from browsers and serves as a downloader for second-stage payloads. BeaverTail has previously been leveraged by North Korea-affiliated actors identified as DeceptiveDevelopment or Contagious Interview. BeaverTail has been delivered to victims through code repository sites and has been embedded within malicious attachments.[1][2][3][4]
Analyst context for executives and security teams
BeaverTail matters because it combines credential theft with downloader behavior across Windows, macOS, and Linux. For leaders, the business issue is not just malware cleanup: stolen browser logins can create follow-on identity risk, and second-stage payload delivery can turn an endpoint event into a broader incident. Its reported delivery through code repository sites and malicious attachments makes developer and engineering workflows especially important to validate.
Executive priority
Prioritize BeaverTail-related readiness where users handle source code, credentials, cryptocurrency activity, or cross-platform development systems. Executives should ask whether the organization can prove coverage for browser credential theft, suspicious software dependency or development-tool intake, malicious file execution, outbound web-based command-and-control, and rapid credential revocation during incident response. This object is also useful for audit and risk discussions because it connects endpoint security, IAM, software supply chain controls, SOC monitoring, and IR playbooks.
Technical view
MITRE provides no official detection text for BeaverTail, so defenders should build validation around the related behaviors: JavaScript execution, malicious file execution, compromised dependencies or development tools, browser and password-store access, macOS Keychain access, local file and log enumeration, local data staging, archive utility use, file deletion, ingress tool transfer, and web-protocol C2 including non-standard ports and junk data. Because BeaverTail is described as having JavaScript and C++ variants and supporting Linux, macOS, and Windows, detection engineering should avoid Windows-only assumptions and test developer workstation telemetry across all three operating systems.
Likely telemetry
- Endpoint process execution telemetry for JavaScript runtimes, shell activity, archive utilities, downloaded tools, and unusual child processes on Linux, macOS, and Windows
- File creation, modification, staging, archive, encoded/encrypted file, and deletion events
- Browser profile, browser credential store, password store, and macOS Keychain access indicators
- File and directory discovery, system information discovery, system time discovery, and log enumeration activity
- Network proxy, DNS, firewall, and endpoint network telemetry for HTTP/S or other web-protocol traffic, including unusual protocol/port pairings
Detection direction
- Treat BeaverTail as a behavior cluster rather than a single signature because ATT&CK does not provide official detection guidance for this object.
- Validate cross-platform collection first: Linux, macOS, and Windows endpoint telemetry must capture process, file, credential-store access, and outbound network activity.
- Focus on high-signal combinations: browser credential or Keychain access followed by local staging, archive creation, outbound web traffic, file deletion, or second-stage download activity.
- Review developer workflow blind spots, including code repository downloads, dependency installation, development tools, and attachments opened during recruiting or collaboration scenarios, as supported by the object description and T1195.001/T1204.002 relationships.
- Tune network analytics for web-protocol C2 and non-standard ports, but account for false positives from legitimate developer tools, package managers, proxies, and collaboration platforms.
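The "high-signal combination" above can be expressed as a small correlation over per-process telemetry. The following is an added example, not part of this page or of any vendor product: it groups constructed endpoint events by host and process, maps each to a chain stage using the credential-store paths, staging directory, archive use, non-standard ports (1224/1244) and file deletion listed on this page, and counts how many stages occur within a short window of the first credential-store read. Hostnames, PIDs, timestamps and the TEST-NET IP addresses are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): (timestamp, host, pid, kind, detail)
SAMPLE_EVENTS = [
    ("2025-07-01T10:00:00", "dev-mac-01", 4242, "file_read", "/Users/a/.mozilla/firefox/prof/logins.json"),
    ("2025-07-01T10:00:02", "dev-mac-01", 4242, "file_read", "/Users/a/Library/Keychains/login.keychain"),
    ("2025-07-01T10:00:05", "dev-mac-01", 4242, "file_write", "/tmp/collect/data.zip"),
    ("2025-07-01T10:00:09", "dev-mac-01", 4242, "net_conn", "203.0.113.7:1224"),
    ("2025-07-01T10:00:12", "dev-mac-01", 4242, "file_delete", "/tmp/collect/data.zip"),
    ("2025-07-01T11:00:00", "dev-lin-02", 777, "file_read", "/home/b/.mozilla/firefox/x/key4.db"),
    ("2025-07-01T11:30:00", "dev-lin-02", 777, "net_conn", "198.51.100.9:443"),
]

# Credential-store artefacts and C2 ports named in the ATT&CK procedure text on this page.
CRED_STORE_HINTS = ("logins.json", "key3.db", "key4.db", "login.keychain",
                    ".local/share/keyrings", ".config/solana/id.json")
STAGING_DIRS = ("/tmp/", "/var/folders/", "\\temp\\")   # assumed temp-dir patterns per OS
ARCHIVE_EXT = (".zip",)
NONSTD_PORTS = {1224, 1244}
WINDOW = timedelta(minutes=10)   # assumed correlation window; tune to your environment


def classify(kind, detail):
    """Map one raw event to a chain stage, or None if it is not of interest."""
    d = detail.lower()
    if kind == "file_read" and any(h in d for h in CRED_STORE_HINTS):
        return "cred_access"
    if kind == "file_write" and any(s in d for s in STAGING_DIRS) and d.endswith(ARCHIVE_EXT):
        return "staged_archive"
    if kind == "net_conn":
        port = int(detail.rsplit(":", 1)[1])
        return "c2_nonstd_port" if port in NONSTD_PORTS else "web_conn"
    if kind == "file_delete" and d.endswith(ARCHIVE_EXT):
        return "cleanup"
    return None


def score_chains(events, window=WINDOW):
    """Per (host, pid): number and names of distinct stages seen within `window`
    of that process's first credential-store read. Processes with no such read are skipped."""
    by_proc = defaultdict(list)
    for ts, host, pid, kind, detail in events:
        stage = classify(kind, detail)
        if stage:
            by_proc[(host, pid)].append((datetime.fromisoformat(ts), stage))
    results = {}
    for key, evs in by_proc.items():
        evs.sort()
        start = next((t for t, s in evs if s == "cred_access"), None)
        if start is None:
            continue
        stages = {s for t, s in evs if start <= t <= start + window}
        results[key] = (len(stages), sorted(stages))
    return results


if __name__ == "__main__":
    for proc, (n, stages) in score_chains(SAMPLE_EVENTS).items():
        print(proc, n, stages)
```

A single stage (one Firefox profile read by a legitimate browser or sync tool) is expected noise; the alerting threshold belongs on the stage count, with the non-standard-port connection weighted highest.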
Mitigation priorities
- Reduce exposure from browser-stored credentials and password stores through credential management policy, least privilege, and rapid credential rotation procedures after suspected compromise.
- Harden software dependency and development-tool intake processes, especially for users who pull code or packages from external repositories.
- Strengthen controls for malicious files and attachments, including user training, attachment handling, and endpoint prevention across Linux, macOS, and Windows.
- Restrict and monitor outbound traffic, including web protocols on non-standard ports, and ensure egress visibility is available to the SOC.
- Prepare incident response playbooks that combine malware containment with identity response, because BeaverTail is described as stealing logins and downloading second-stage payloads.
Analyst notes and limits
The strongest defensive value is in validating coverage for the full chain: delivery through code repositories or malicious attachments, execution via JavaScript or compiled payloads, credential access from browsers/password stores, local collection and staging, downloader behavior, and web-based exfiltration or C2. The related group context notes prior use by Contagious Interview, a North Korea-aligned group, but local telemetry is required before making any attribution assessment.
ATT&CK provides no official detection field for BeaverTail and lists no tactics directly on the malware object. This take relies on the supplied description, external references, and relationship context only. Specific indicators, filenames, hashes, infrastructure, payload names, and confirmed detection logic are not included in the supplied fields and should not be assumed.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols Sub-technique | BeaverTail has used HTTP GET requests to download malicious payloads, including InvisibleFerret, and HTTP POST to exfiltrate data to C2 infrastructure. (Citations: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025; PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023) |
| Enterprise | T1059.007 | JavaScript Sub-technique | BeaverTail has executed malicious JavaScript code. (Citations: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024; Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025; ESET Contagious Interview BeaverTail InvisibleFerret February 2025; Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024; PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023) BeaverTail has also been compiled with the Qt framework to execute on both Windows and macOS. (Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | BeaverTail has stolen passwords saved in web browsers. (Citations: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024; Socket BeaverTail XORIndex HexEval Contagious Interview July 2025; Socket HexEval BeaverTail Contagious Interview June 2025; PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024) BeaverTail has also been known to collect Firefox login data (key3.db, key4.db and logins.json from `/.mozilla/firefox/`) for exfiltration. (Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | BeaverTail has exfiltrated data collected from victim devices to C2 servers. (Citations: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025; PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023; PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024) |
| Enterprise | T1654 | Log Enumeration | BeaverTail has identified .ldb and .log files stored in browser extension directories for collection and exfiltration. (Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025) |
| Enterprise | T1195.001 | Compromise Software Dependencies and Development Tools Sub-technique | BeaverTail has been hosted on code repositories and disseminated to victims through NPM packages. (Citations: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024; Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025; Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024; PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023; PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024) |
| Enterprise | T1217 | Browser Information Discovery | BeaverTail has searched the victim device for browser extensions, including those commonly associated with cryptocurrency wallets. (Citations: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024; Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025; Socket BeaverTail XORIndex HexEval Contagious Interview July 2025; Socket HexEval BeaverTail Contagious Interview June 2025; ESET Contagious Interview BeaverTail InvisibleFerret February 2025; PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023; PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024) |
| Enterprise | T1082 | System Information Discovery | BeaverTail has been known to collect basic system information. (Citations: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024; PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023) BeaverTail has also collected data including the hostname and current timestamp prior to uploading it to the API endpoint `/uploads` on the C2 server. (Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025) |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | BeaverTail has staged collected data in the system's temporary directory. (Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025) |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | BeaverTail has collected and archived sensitive data in a zip file. (Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025) |
| Enterprise | T1005 | Data from Local System | BeaverTail has exfiltrated data collected from local systems. (Citations: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025; ESET Contagious Interview BeaverTail InvisibleFerret February 2025; PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023; PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | BeaverTail has obfuscated code strings with Base64 encoding within the JavaScript version of the malware. (Citations: ESET Contagious Interview BeaverTail InvisibleFerret February 2025; PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023; PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024) BeaverTail has also used the open-source tool JavaScript-Obfuscator to obfuscate strings and functions. (Citations: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024; Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024) |
| Enterprise | T1124 | System Time Discovery | BeaverTail has obtained and sent the current timestamp of the victim device to C2. (Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025) |
| Enterprise | T1571 | Non-Standard Port | BeaverTail has communicated with C2 IP addresses over ports 1224 or 1244. (Citations: ESET Contagious Interview BeaverTail InvisibleFerret February 2025; PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023; PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024) |
| Enterprise | T1555 | Credentials from Password Stores | BeaverTail has collected Solana keys stored in `.config/solana/id.json`, as well as other login details from macOS within `/Library/Keychains/login.keychain` or from Linux within `/.local/share/keyrings`. (Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025) |
| Enterprise | T1204.002 | Malicious File Sub-technique | BeaverTail has been executed through lures involving malicious JavaScript projects or trojanized remote-conferencing software such as MicroTalk or FreeConference. (Citations: ESET Contagious Interview BeaverTail InvisibleFerret February 2025; PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024) BeaverTail has also been executed through macOS and Windows installers disguised as chat applications. (Citations: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024; Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024) |
| Enterprise | T1001.001 | Junk Data Sub-technique | BeaverTail has added junk data, or a dummy character prepended to a string, to hamper decoding attempts. (Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025) |
| Enterprise | T1105 | Ingress Tool Transfer | BeaverTail has been used to download malicious payloads, including the Python-based malware InvisibleFerret. (Citations: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024; Socket BeaverTail XORIndex HexEval Contagious Interview July 2025; Socket HexEval BeaverTail Contagious Interview June 2025; ESET Contagious Interview BeaverTail InvisibleFerret February 2025; PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023; PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024) |
| Enterprise | T1083 | File and Directory Discovery | BeaverTail has searched for .ldb and .log files stored in browser extension directories for collection and exfiltration. (Citations: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025; Socket HexEval BeaverTail Contagious Interview June 2025; ESET Contagious Interview BeaverTail InvisibleFerret February 2025) |
| Enterprise | T1036 | Masquerading | BeaverTail has masqueraded as MiroTalk installation packages ("MiroTalk.dmg" for macOS and "MiroTalk.msi" for Windows) and has included login GUIs with MiroTalk themes. (Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024) |
| Enterprise | T1070.004 | File Deletion Sub-technique | BeaverTail has deleted files from a compromised host after they were exfiltrated. (Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025) |
| Enterprise | T1657 | Financial Theft | BeaverTail has searched the victim device for browser extensions commonly associated with cryptocurrency wallets. (Citations: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024; Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025; ESET Contagious Interview BeaverTail InvisibleFerret February 2025; PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023; PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024) |
| Enterprise | T1555.001 | Keychain Sub-technique | BeaverTail has collected keys associated with macOS within `/Library/Keychains/login.keychain`. (Citations: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025; Socket HexEval BeaverTail Contagious Interview June 2025; ESET Contagious Interview BeaverTail InvisibleFerret February 2025) |
Groups, software, and campaigns
G1052: Contagious Interview
Contagious Interview is a North Korea-aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities.[1][2][3][4][5][6][7][8]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | dc859a8627ca… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025.
- [2] Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024. eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2. Retrieved October 17, 2025.
- [3] ESET Contagious Interview BeaverTail InvisibleFerret February 2025. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.
- [4] Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024. Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025.
- [5] mitre-attack S1246. MITRE ATT&CK source record for software object S1246.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.