BeaverTail malware variant with multi-path delivery and follow-on payloads
Malware Activity
Summary
Hide ▲
Show ▼
A newly observed BeaverTail malware variant is stealing wallet data and credentials while loading follow-on payloads, increasing risk for cryptocurrency traders, developers and retail employees across Windows, macOS and Linux. The sample was seen in November 2025 and shows heavier obfuscation than earlier versions. Its delivery paths include trojanized npm packages, fake job interview platforms and ClickFix lures. The activity matters because it combines credential theft, cross-platform reach and payload staging in a single tool.
Related Happenings
Atlas RAT and related loaders deployed for remote access and credential theft
Malware Activity
H score33
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...
Atlas RAT and related loaders deployed for remote access and credential theft
Malware ActivityAbout this happening: **TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...
RemotePE memory-only RAT activity by Lazarus Group targeting financial and cryptocurrency organizations
Malware Activity
H score28
First: 25.05.2026 12:32
Last: 25.05.2026 12:32
Sources 1
About this happening:
The **RemotePE** malware has been tied to **Lazarus Group** activity against **financial and cryptocurrency organizations**, raising the risk of stealthy long-term access and late...
RemotePE memory-only RAT activity by Lazarus Group targeting financial and cryptocurrency organizations
Malware ActivityAbout this happening: The **RemotePE** malware has been tied to **Lazarus Group** activity against **financial and cryptocurrency organizations**, raising the risk of stealthy long-term access and late...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score68
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
Graphalgo malicious npm and PyPI RAT downloader packages
Malware Activity
H score31
First: 14.02.2026 00:35
Last: 14.02.2026 00:35
Sources 1
About this happening:
**Graphalgo** is a continuing **malware-delivery operation** that uses **fake companies**, **fake job interviews**, and **coding tests** to lure **JavaScript and Python developers...
Graphalgo malicious npm and PyPI RAT downloader packages
Malware ActivityAbout this happening: **Graphalgo** is a continuing **malware-delivery operation** that uses **fake companies**, **fake job interviews**, and **coding tests** to lure **JavaScript and Python developers...
Latest development: 29.04.2026 17:43
North Korean graphalgo operators use fake companies, fake job interviews, and coding tests on job-seeking platforms and social networks to lure developers into downloading GitHub-hosted assessment projects that carry malicious npm or PyPI dependencies and ultimately install a RAT. One front company, Blocmerce, registered an LLC in Florida in August 2025, and related GitHub organizations have been active since June 2025.
BeaverTail and InvisibleFerret backdoor delivery via malicious VS Code task abuse
Malware Activity
H score39
First: 20.01.2026 20:41
Last: 20.01.2026 20:41
Sources 1
About this happening:
**North Korean** threat actors tied to **Contagious Interview** are running the **PolinRider** malware activity across **108 unique packages and browser extensions** on **npm, Pac...
BeaverTail and InvisibleFerret backdoor delivery via malicious VS Code task abuse
Malware ActivityAbout this happening: **North Korean** threat actors tied to **Contagious Interview** are running the **PolinRider** malware activity across **108 unique packages and browser extensions** on **npm, Pac...
Latest development: 22.04.2026 17:48
North Korean actor Void Dokkaebi, aka Famous Chollima, is turning the Contagious Interview fake-job lure into a self-propagating software supply-chain infection that abuses compromised developer repositories, malicious VS Code tasks, and injected code to spread malware and steal credentials. The campaign targets developers seeking work, can hide a poisoned .vscode folder in committed code, and Trend Micro said it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 commit-tampering instances in March.
Timeline
-
18.12.2025 14:00 2 articles · 6mo ago
Darktrace discloses BeaverTail variant linked to Lazarus Group
Initial DisclosureDarktrace reported a newly observed BeaverTail malware variant linked to North Korean activity and assessed as part of the Lazarus Group, describing a JavaScript-based stealer-loader used against cryptocurrency traders, developers and retail employees that harvests host data, contacts C2 infrastructure for follow-on payloads, and has been delivered through trojanized npm packages, fake job interview platforms and ClickFix lures; researchers also noted November 2025 obfuscated samples and a 2025 merge with OtterCookie that added browser profile enumeration, enhanced wallet targeting and AnyDesk-based remote access.
Show sources
- New BeaverTail Malware Variant Linked to Lazarus Group — www.infosecurity-magazine.com — 18.12.2025 14:00
- New BeaverTail Malware Variant Linked to Lazarus Group — www.infosecurity-magazine.com — 18.12.2025 14:00