InvisibleFerret Malware Uses .pyd and .so Files to Evade Script Detection
ID: 59b87ce0-ed6a-5971-a16d-b8f19a511813
STIX ID: report--59b87ce0-ed6a-5971-a16d-b8f19a511813
Feed Name: GBHackers
A report based on Trend Micro research describes Void Dokkaebi (also tracked as Famous Chollima) upgrading its InvisibleFerret toolset by compiling Python payloads with Cython into native extension modules (.pyd on Windows, .so on Linux and macOS), so that detection logic keyed to Python script text never sees the payload. The campaign uses a JavaScript loader (BeaverTail) to drop and execute modular, obfuscated payloads that provide backdoor access and steal browser credentials, CI/CD secrets, and cryptocurrency wallets. Developers and organizations with exposed developer assets face the highest risk.
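As an added example (not code from the Trend Micro report, from GBHackers, or from the malware itself), the following Python script shows the kind of triage that a script-text detector misses: it recognises compiled Python extension modules by the PyInit_ export every CPython 3 extension must carry, looks for Cython's runtime strings, and raises the score when such a module sits outside any normal package directory or its file extension does not match its container format. The marker strings, directory fragments, scoring and threshold are assumptions chosen for illustration, and the sample file contents are constructed fake headers plus strings, not real modules.

```python
"""Triage compiled Python extension modules (.pyd / .so) that a grep over
.py text cannot see.  Added example; marker strings, directory list and
scoring are assumptions for illustration."""
import os
import re
from dataclasses import dataclass

# Every CPython 3 extension module exports PyInit_<modulename>.
PYINIT_RE = re.compile(rb"PyInit_([A-Za-z0-9_]+)")

# Strings Cython's code generator leaves in the binary (assumption: generic
# Cython artefacts, not indicators specific to InvisibleFerret).
CYTHON_MARKERS = (b"__pyx_", b"__Pyx_", b"cython_runtime")

# Path fragments where extension modules are legitimately installed (assumption).
KNOWN_PACKAGE_DIRS = ("site-packages", "dist-packages", "lib-dynload",
                      "/lib/python", "/dlls/")

SUSPICIOUS_THRESHOLD = 4  # assumption: tune for your environment


@dataclass
class Finding:
    path: str
    fmt: str                  # "PE", "ELF" or "Mach-O"
    init_symbols: list        # module names exported via PyInit_
    cython_markers: list      # Cython runtime strings present
    ext_mismatch: bool        # e.g. a .pyd that is not a PE file
    outside_package_dir: bool
    score: int

    @property
    def verdict(self):
        if self.score >= SUSPICIOUS_THRESHOLD:
            return "suspicious"
        return "extension" if self.init_symbols else "native-binary"


def detect_format(data):
    """Classify the container by magic bytes; None means not a native binary."""
    if data[:2] == b"MZ":
        return "PE"
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:4] in (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"):
        return "Mach-O"
    return None


def triage_bytes(path, data):
    """Score one file's bytes; None for non-binaries (left to script detection)."""
    fmt = detect_format(data)
    if fmt is None:
        return None
    init_symbols = sorted({m.group(1).decode("ascii") for m in PYINIT_RE.finditer(data)})
    markers = [m.decode("ascii") for m in CYTHON_MARKERS if m in data]
    ext = os.path.splitext(path)[1].lower()
    ext_mismatch = (ext == ".pyd" and fmt != "PE") or (ext == ".so" and fmt == "PE")
    norm = path.replace("\\", "/").lower()
    outside = not any(frag in norm for frag in KNOWN_PACKAGE_DIRS)

    score = 0
    if init_symbols:
        score += 2            # it really is a Python extension module
    if markers:
        score += 1            # compiled from Cython rather than hand-written C
    if ext_mismatch:
        score += 1            # extension lies about the container format
    if init_symbols and outside:
        score += 2            # extension module dropped outside any package dir
    return Finding(path, fmt, init_symbols, markers, ext_mismatch, outside, score)


def scan_directory(root):
    """Walk a tree and triage every .pyd/.so file found in it."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".pyd", ".so")):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    finding = triage_bytes(full, fh.read())
                if finding is not None:
                    findings.append(finding)
    return findings


# Constructed samples: fake headers plus the strings of interest, not real modules.
SAMPLES = {
    "/tmp/.cache/p/core.so":
        b"\x7fELF\x02\x01\x01" + b"\x00" * 9
        + b"PyInit_core\x00__pyx_pymod_exec_core\x00__Pyx_AddTraceback\x00cython_runtime\x00",
    "/usr/lib/python3/dist-packages/numpy/core/_multiarray_umath.cpython-311-x86_64-linux-gnu.so":
        b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"PyInit__multiarray_umath\x00",
    "C:\\Users\\dev\\AppData\\Roaming\\.n\\mod.pyd":
        b"MZ\x90\x00" + b"\x00" * 12 + b"PyInit_mod\x00__pyx_k_\x00",
    "/home/dev/project/app.py":
        b"import os\nprint('hi')\n",
}


def triage_samples():
    """Return {path: verdict} for the constructed samples (None = not a binary)."""
    result = {}
    for path, data in SAMPLES.items():
        finding = triage_bytes(path, data)
        result[path] = None if finding is None else finding.verdict
    return result


if __name__ == "__main__":
    for path, data in SAMPLES.items():
        f = triage_bytes(path, data)
        if f is None:
            print(f"{path}: not a native binary")
        else:
            print(f"{path}: {f.verdict} (score {f.score}, {f.fmt}, "
                  f"PyInit {f.init_symbols}, cython {f.cython_markers})")
```

In a real deployment, point `scan_directory` at user-writable locations the loader would drop into (temp and application-data directories, project checkouts) rather than at the interpreter's own package tree, and treat the Cython markers as corroboration only: plenty of legitimate wheels ship Cython-built modules, which is why the score only crosses the threshold when the module is also out of place.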
