Introduction
Darkstream Dispatch is a monthly intelligence report dedicated to tracking and analyzing malware families, threat actors, and cyber campaigns targeting Civil Society Organizations (CSOs), human rights defenders, and advocacy groups. As digital threats become more sophisticated, CSOs face increasing risks from state-sponsored actors, cybercriminals, and surveillance campaigns designed to compromise their operations, communications, and safety. This volume focuses on BEAVERTAIL, a JavaScript malware.
Description
BeaverTail is a JavaScript-based malware that spreads primarily through malicious NPM packages. Its main functions include stealing information and deploying additional malware stages—most notably, a multi-stage Python-based backdoor called InvisibleFerret. BeaverTail specifically targets data stored in victims’ web browsers and uses heavy code obfuscation to avoid detection. Threat actors can distribute it by uploading compromised NPM packages to platforms like GitHub or by injecting malicious code into legitimate NPM projects.
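Because the description above names two traits a defender can act on before any vendor signature exists (delivery through NPM packages and heavily obfuscated JavaScript), the following Node.js script shows what a pre-install triage check of a package can look like. It is an added example written for this report and is not code from the report, from CcHUB, or from any vendor tool; the lifecycle hooks it inspects are real npm script names, but the obfuscation heuristics, thresholds, verdict labels and sample inputs are assumptions chosen for illustration, not published BeaverTail indicators.

```javascript
// Added example: defender-side triage of an npm package before installation.
// Two checks: (1) install-time lifecycle scripts in package.json, which let a
// package run code the moment "npm install" completes, and (2) a rough
// obfuscation score for JavaScript sources. Heuristics and thresholds are
// assumptions for illustration, not signatures of any specific malware.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Lifecycle commands that start an interpreter or a download tool deserve a
// second look; an ordinary build step (e.g. "node-gyp rebuild") is usually fine.
const SUSPICIOUS_COMMAND = /\b(node|curl|wget|powershell|cmd(\.exe)?|sh|bash)\b/i;

function auditPackageJson(text) {
  let pkg;
  try {
    pkg = JSON.parse(text);
  } catch (e) {
    return [{ kind: "invalid-json", detail: e.message }];
  }
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] === "string") {
      findings.push({
        kind: "lifecycle-script",
        hook,
        command: scripts[hook],
        suspicious: SUSPICIOUS_COMMAND.test(scripts[hook]),
      });
    }
  }
  return findings;
}

// Obfuscation score for one JavaScript source string. Each indicator is a
// trait typical of obfuscator output; hand-written code rarely trips several.
function obfuscationScore(src) {
  const len = Math.max(src.length, 1);
  const indicators = {};

  // 1. Hex/unicode string escapes (\x41, \u0041) as a share of all characters.
  const escapeRe = /\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})/g;
  const escapes = (src.match(escapeRe) || []).length;
  indicators.escapeRatio = escapes / len;

  // 2. String-to-code constructs (eval, Function, fromCharCode, atob).
  indicators.dynamicExec = (src.match(/\b(eval|Function|String\.fromCharCode|atob)\s*\(/g) || []).length;

  // 3. Very long lines: obfuscated bundles often ship a few enormous lines.
  const lines = src.split("\n");
  indicators.maxLineLength = Math.max(...lines.map((l) => l.length));

  // 4. Identifier naming: _0x1a2b-style or letter+digits names dominate obfuscated code.
  //    String escapes are stripped first so "\x68" is not tokenized as an identifier.
  const idents = src.replace(escapeRe, "").match(/\b[A-Za-z_$][A-Za-z0-9_$]*\b/g) || [];
  const weird = idents.filter((i) => /^_0x[0-9a-f]+$/i.test(i) || /^[a-z]\d+$/.test(i)).length;
  indicators.weirdIdentRatio = idents.length ? weird / idents.length : 0;

  let score = 0;
  if (indicators.escapeRatio > 0.01) score += 1;
  if (indicators.dynamicExec >= 2) score += 1;
  if (indicators.maxLineLength > 500) score += 1;
  if (indicators.weirdIdentRatio > 0.3) score += 1;
  return { score, indicators };
}

// Combine both checks into a verdict for the whole package.
function triage(packageJsonText, sources) {
  const lifecycle = auditPackageJson(packageJsonText);
  const files = Object.entries(sources).map(([name, src]) => ({ name, ...obfuscationScore(src) }));
  const suspiciousHook = lifecycle.some((f) => f.kind === "lifecycle-script" && f.suspicious);
  const obfuscated = files.some((f) => f.score >= 2);
  let verdict = "no-findings";
  if (suspiciousHook && obfuscated) verdict = "review-before-install";
  else if (suspiciousHook || obfuscated) verdict = "inspect";
  return { lifecycle, files, verdict };
}

// Constructed sample inputs (not real package contents).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-lib",
  version: "1.0.0",
  scripts: { test: "mocha", postinstall: "node ./scripts/setup.js" },
});

const SAMPLE_CLEAN_JS = [
  "const fs = require('fs');",
  "function readConfig(path) {",
  "  return JSON.parse(fs.readFileSync(path, 'utf8'));",
  "}",
  "module.exports = { readConfig };",
].join("\n");

// Constructed: text shaped like obfuscator output (harmless strings, never executed here).
const SAMPLE_OBFUSCATED_JS =
  "var _0x4a2b=['\\x68\\x65\\x6c\\x6c\\x6f','\\x77\\x6f\\x72\\x6c\\x64'];" +
  "(function(_0x1c3d,_0x2e4f){var _0x3a5b=function(_0x4c6d){while(--_0x4c6d){_0x1c3d['push'](_0x1c3d['shift']());}};_0x3a5b(++_0x2e4f);}(_0x4a2b,0x1a3));" +
  "var _0x5d7e=function(_0x6e8f){return _0x4a2b[_0x6e8f];};" +
  "eval(String.fromCharCode(99,111,110,115,111,108,101));" +
  "new Function(atob('cmV0dXJuIDE='))();";

if (typeof require === "function" && require.main === module) {
  const report = triage(SAMPLE_PACKAGE_JSON, { "index.js": SAMPLE_CLEAN_JS, "dist/bundle.js": SAMPLE_OBFUSCATED_JS });
  console.log(JSON.stringify(report, null, 2));
}
```

Run with `node triage.js`; in practice the two sample strings would be replaced by the contents of the downloaded tarball (`npm pack <name>` fetches it without running any scripts). A hit is a reason to read the package by hand, not proof of compromise: legitimate minified bundles also score on long lines, which is why the verdict only escalates when an install-time hook and obfuscated code appear together.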
Overview
Malware Type:
Downloader
Operating System:
Windows
Aliases:
Beavertail, Tropidoor
Confirmed Targeted Industries:
Government, Financial Services, Media & Entertainment, Technology.
Associated Threat Actors:
TEMP.Hex, UNC5342
Associated Malware:
INVISIBLEFERRET, LIGHTPULL
Associated Vulnerabilities:
N/A
Associated Tools:
ANYDESK, BYOB, GOPHISH, IMPACKET
Find the full list of IOCs here
Security Recommendations
To combat the ever-growing threats posed by malware in the downloader class, CcHUB recommends that organizations:
- Have functional antivirus software with up-to-date databases
- Conduct regular audits of their information systems
- Conduct regular employee awareness training
To read more about how you or your organization can detect BEAVERTAIL, kindly read the ASEC AhnLab article here.
If you suspect a security breach of any kind, reach out to us via our helpdesk (help@cchub.africa).