
North Korean Beavertail malware sparks attacks across financial sector


A series of campaigns were observed targeting the financial sector across multiple continents worldwide — attacks that exhibited the tradecraft of North Korean-affiliated threat actors.

In a Dec. 18 white paper, Darktrace researchers said the attacks leveraged advanced social engineering focused on job hunters, spear-phishing, React2Shell exploitation, and a new Beavertail malware variant.

While the initial access vector remains unknown, Darktrace said evidence suggests it originated from a malicious npm package hosted on GitHub or GitLab — behavior that aligns with the Lazarus Group’s history of exploiting supply-chain vulnerabilities.

According to Darktrace, the attackers used Beavertail for initial credential theft, followed by heavily obfuscated Python scripts and Tsunami modules, hallmarks of a “well-resourced adversary.”

Jason Soroko, a senior fellow at Sectigo, said Darktrace’s identification of a new hyper-obfuscated Beavertail variant marks a significant escalation in tradecraft, transforming a lightweight stealer into a signature-evasive framework shielded by over 128 layers of concealment.

Soroko said that by weaponizing the software supply chain through trojanized npm packages and VS Code extensions, Lazarus Group has exploited developer trust while ensuring infrastructure resilience via "EtherHiding" — storing command-and-control payloads on blockchain smart contracts to effectively immunize operations against takedowns.

“This technical maturation culminates in the strategic convergence of Beavertail with the OtterCookie strain, yielding a unified, cross-platform instrument designed for persistent financial theft and surveillance across Windows, macOS, and Linux environments,” said Soroko.

Louis Eichenbaum, Federal CTO at ColorTokens, said BeaverTail represents just the latest example of how our adversaries continue to evolve their tools to deliver more sophisticated attacks. What’s striking here is that their tactics haven’t really changed, noted Eichenbaum.

“These attacks still begin by targeting the soft underbelly of every IT and OT environment: the end user,” said Eichenbaum. “Once an endpoint is compromised, the adversary establishes a foothold, scans the network for high-value targets — often financial or mission-critical systems — and then waits patiently. When a vulnerability eventually presents itself, they exploit it. The tools change. The methods remain the same.”

Eichenbaum said this ongoing reality reinforces the need for teams to apply “assume breach” zero-trust principles. That doesn’t mean accepting breach: it means applying the same rigor to resilience inside the network as we do to preventing intrusions at the perimeter.

Teams need to implement a strong micro-segmentation strategy, said Eichenbaum, in which security controls are placed as close as possible to the most critical IT assets — it’s still one of the few proven ways to mitigate lateral movement risks.

“By containing an attacker after the initial compromise, organizations can thwart even the most sophisticated tools used in these same, decades-old attack patterns,” said Eichenbaum.
