Obfuscated BeaverTail sample uses layered Base64 and XOR encoding
Technical Analysis
Summary
BeaverTail analysis from November 2025 shows a heavily obfuscated JavaScript package using layered Base64 and XOR concealment, making detection and reverse engineering harder. The sample’s dynamic headers and decoy payloads add extra evasion against static analysis. It also harvested host data and attempted to fetch follow-on malware from a C2 server, reinforcing its role as a loader across Windows, macOS and Linux.
Related Happenings
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
BeaverTail malware variant with multi-path delivery and follow-on payloads
Malware Activity
First: 18.12.2025 14:00
Last: 18.12.2025 14:00
Sources 1
How related:
The JavaScript-based malware functions as both an information stealer and a loader, harvesting system details before attempting to retrieve additional payloads from remote servers.
About this happening:
A newly observed **BeaverTail** malware variant is stealing wallet data and credentials while loading follow-on payloads, increasing risk for **cryptocurrency traders, developers...
Contagious Interview JSON storage delivery campaign targeting software developers
Campaign
First: 14.11.2025 20:25
Last: 14.11.2025 20:25
Sources 1
How related:
Fake job interview platforms posing as technical assessments or conferencing tools
About this happening:
The **Contagious Interview** campaign has shifted to using **JSON storage services** to stage malware, making delivery harder to spot and increasing risk to developer systems. The...
BeaverTail and OtterCookie malware evolution in Contagious Interview
Malware Activity
First: 17.10.2025 16:33
Last: 17.10.2025 16:33
Sources 1
About this happening:
**Contagious Interview** malware activity tied to **North Korean threat actors** continues to evolve its npm-based delivery chain. A recent wave added **197 malicious npm packages...
Timeline
- 18.12.2025 14:00 · 2 articles · 5mo ago
Obfuscated BeaverTail sample uses layered Base64 and XOR encoding
Initial Disclosure: The **November 2025** BeaverTail sample began as an obfuscated JavaScript package using layered **Base64** and **XOR** concealment. It then moved into host profiling and C2 retrieval behavior that supports follow-on payload delivery.
Sources:
- New BeaverTail Malware Variant Linked to Lazarus Group — www.infosecurity-magazine.com — 18.12.2025 14:00
- New BeaverTail Malware Variant Linked to Lazarus Group — www.infosecurity-magazine.com — 18.12.2025 14:00