Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware

Based on technical artifacts and TTPs as well as code and infrastructure overlaps with BeaverTail and InvisibleFerret, TrendAI™ Research attributes this campaign to Void Dokkaebi with high confidence.


Void Dokkaebi’s adoption of Cython-compiled malware represents an evolution in the group’s capabilities. The Cython-based obfuscation converts readable Python scripts into native binaries, and thus bypasses previous Python script-based detections. InvisibleFerret is now distributed as .pyd files on Windows and .so files on macOS.

While the original source code is no longer directly readable, our analysis shows that the underlying obfuscation techniques remain unchanged from previous versions. Programming artifacts, build environment paths, and string tables are still recoverable from the binaries, which can enable defenders to identify variants and extract C&C infrastructure through binary analysis. The mc module’s wallet trojanization capabilities (particularly the Chrome downgrade attack on macOS) also show the adversary’s attempts to bypass modern browser security controls.
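The recoverable string artifacts described above can be triaged with a small script. The following is an added example, not code from the report or from Trend Micro: it pulls printable strings from a compiled module, checks for markers that Cython's code generator typically leaves behind (assumed marker names, not strings taken from the samples), and collects build paths and C&C candidates. The sample bytes are constructed for illustration.

```python
import re

# Markers Cython's generated C typically embeds in a compiled module.
# These names are assumptions about Cython's output, not strings from the samples.
CYTHON_MARKERS = (b"cython_runtime", b"__pyx_", b"Cython", b"__Pyx_")

# Build-environment paths (Windows drive paths or common POSIX roots) that
# survive in tracebacks and string tables, plus C&C candidate patterns.
PATH_RE = re.compile(rb"(?:[A-Za-z]:\\[^\x00\s\"']{3,}|/(?:home|Users|tmp|var)/[^\x00\s\"']{3,})")
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-:]+(?:/[^\x00\s\"']*)?")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")


def strings(data: bytes, min_len: int = 6):
    """Yield runs of printable ASCII at least min_len long (like the `strings` tool)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group(0)


def triage(data: bytes) -> dict:
    """Return Cython evidence, build paths and C&C candidates found in raw bytes."""
    markers = sorted({m.decode() for m in CYTHON_MARKERS if m in data})
    paths, urls, ips = set(), set(), set()
    for s in strings(data):
        paths.update(p.decode() for p in PATH_RE.findall(s))
        urls.update(u.decode() for u in URL_RE.findall(s))
        ips.update(i.decode() for i in IPV4_RE.findall(s))
    return {
        "is_cython": len(markers) >= 2,  # heuristic: two independent markers
        "markers": markers,
        "build_paths": sorted(paths),
        "urls": sorted(urls),
        "ipv4": sorted(ips),
    }


# Constructed sample: not a real binary, just bytes mimicking what a compiled
# Cython module's string table might retain (placeholder host and address).
SAMPLE = (b"\x00" * 16 + b"cython_runtime\x00__pyx_pymod_exec_mod\x00"
          b"C:\\Users\\dev\\build\\mod.py\x00"
          b"http://c2.example.invalid:8443/keys\x00"
          b"192.0.2.10:8080\x00\xff\xfe garbage")

if __name__ == "__main__":
    import json
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(triage(blob), indent=2))
```

Run it against a suspect .pyd or .so to get a quick verdict on whether the file is Cython-built and which paths and network artifacts it carries; the output is a starting point for manual analysis, not a final verdict.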

Despite these advancements, the campaign exhibits telltale signs of ongoing development. Incomplete variable definitions and missing functionality in the any.py component suggest that threat actors face challenges in fully finishing their Cython migration.

A BeaverTail variant with functionality equivalent to InvisibleFerret also exists within the infection chain. Even so, it continues to download and execute InvisibleFerret. Although the two malware families are developed in different programming languages, their functionality overlaps significantly. This raises the question of why attackers maintain both BeaverTail and InvisibleFerret within the infection chain. While this remains speculative, the use of a shared C&C server suggests the presence of a malware developer cluster organized around specific programming languages.

Given the incomplete Cython migration and active development patterns observed, Void Dokkaebi will likely continue refining both BeaverTail and InvisibleFerret. Defenders should also anticipate an expanded set of trojanized cryptocurrency wallet extensions targeting additional platforms.

TrendAI™ Research continues to monitor Void Dokkaebi and related campaigns, delivering actionable intelligence that keeps your organization ahead of evolving threats. Our comprehensive threat intelligence, combined with advanced detection capabilities, ensures organizations remain protected against sophisticated attacks targeting cryptocurrency assets and sensitive enterprise data.

TrendAI Vision One™ Threat Intelligence Hub

TrendAI Vision One™ Threat Intelligence Hub provides the latest insights on emerging threats and threat actors, exclusive strategic reports from TrendAI™ Research, and TrendAI Vision One™ Threat Intelligence Feed in the TrendAI Vision One™ platform.

Emerging Threats: Void Dokkaebi Adopts Cython-Compiled InvisibleFerret

Threat Actor: Void Dokkaebi (https://portal.xdr.trendmicro.com/index.html)

Void Dokkaebi Adopts Cython-Compiled InvisibleFerret

Hunting Queries

TrendAI Vision One™ customers can use the XDR Data Explorer App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.

eventSubId:(101 or 109) AND objectFilePath:(".vscodemod.pyd" OR "/.vscode/mod.so" OR ".vscodepad.pyd" OR ".vscodebrw.pyd" OR "/.vscode/pad.so" OR "/.vscode/brw.so" OR "/.vscode/mc.so" OR ".vscode.mod" OR ".vscodepad0" OR ".vscodebrw0" OR "/.vscode/.mod" OR "/.vscode/pad0" OR "/.vscode/brw0" OR "/.vscode/mc0")

eventSubId:2 AND processCmd:(".vscodemod.pyd" OR "/.vscode/mod.so" OR ".vscodepad.pyd" OR ".vscodebrw.pyd" OR "/.vscode/pad.so" OR "/.vscode/brw.so" OR "/.vscode/mc.so" OR ".vscode.mod" OR ".vscodepad0" OR ".vscodebrw0" OR "/.vscode/.mod" OR "/.vscode/pad0" OR "/.vscode/brw0" OR "/.vscode/mc0")

More hunting queries are available for TrendAI Vision One™ with Threat Intelligence Hub entitlement enabled.

Indicators of Compromise

The indicators of compromise for this entry can be found here.
