caption - Attack Overview Diagram

The attack flow for this Contagious Interview campaign diverges into two paths. Depending on the target environment or attack stage, threat actors deployed either a combination of BeaverTail and InvisibleFerret, or OtterCookie independently.

3.1. BeaverTail and InvisibleFerret

3.1.1. task.json - Downloader

This downloader is executed via VS Code. The runOn option within runOptions is set to folderOpen, ensuring the embedded command executes automatically when the repository is opened in the editor.

caption - Command hidden via long whitespace in .vscode/tasks.json

The configuration contains OS-specific commands for Linux, macOS, and Windows. The appropriate command downloads and executes a script from the command-and-control (C&C) server.

caption - Embedded commands

While the download URLs vary by operating system, the downloaded scripts for Linux and macOS are identical. All scripts download and execute a subsequent payload.

On Linux and macOS, the malware downloads a shell script to $HOME/Documents/tokenlinux.npl. It then renames the file to tokenlinux.sh and executes it.

caption - Linux and macOS download script

On Windows, the malware downloads a CMD script to %USERPROFILE%/parse. It then renames the file to token.cmd and executes it.

caption - Windows download script

During our analysis, we could not obtain the Windows CMD script because the server returned an "Access permanently suspended." error.

3.1.2. tokenlinux.sh - Downloader

The tokenlinux.sh file, executed on Linux and macOS, is a downloader that we assess was generated using a Large Language Model (LLM).

Unlike scripts previously observed in Contagious Interview campaigns, this script features highly detailed comments and incorporates emojis, patterns strongly indicative of LLM-assisted generation.

caption - Detailed comments including emojis

tokenlinux.sh checks for the presence of a nodejs directory in the current directory. If absent, it downloads and extracts Node.js, then adds it to the system PATH. It then proceeds to download parser.js and package.json from the C&C server, saving them to the $HOME/Documents directory.

Finally, the script executes parser.js using the downloaded Node.js environment. The accompanying package.json contains the package dependencies required to run parser.js.

3.1.3. - parser.js - Downloader

parser.js is a JavaScript-based downloader obfuscated using obfuscator.io. The primary obfuscation techniques applied include:

• String Extraction and Arraying: Key strings used in the code are extracted and stored in a separate array.

• Runtime Array Shuffling: The string array is reordered at the beginning of execution.

• Offset-based String Access: Strings are not referenced directly; instead, they are retrieved from the array using a dedicated function that takes an offset value as an argument.

• Identifier Renaming: Meaningful variable and function names are replaced with short, meaningless identifiers such as a1.

caption - Obfuscated script

In addition to obfuscation, the script employs integrity checks. If the code is modified or formatted (e.g., pretty-printed), the script executes dummy code and errors.

caption - Integrity check function

The malware communicates with two distinct C&C servers:

• Configuration Server: Hosts configuration data required to download BeaverTail (the payload server address and a campaign ID).

• Payload Server: Hosts the BeaverTail payload.

The script contains two Base64-encoded Configuration Server addresses. If communication with the primary Configuration Server fails, it falls back to the secondary address.

caption - Configuration Server address decoding routine

If the response from hxxp://[Configuration Server]:1244/s/6df937fe9011 begins with ZT3, the script Base64-decodes the remainder of the string. The decoded value is split by a comma (,); the first part is the Payload C&C address, and the second part is the campaign ID. As of 2026-01-26, the Payload C&C address was 66.235.175[.]117 and the campaign ID was knHbMe8.

caption - Payload Server address decoding routine

Strings are decrypted using XOR with the key 0x70a07948.

caption - String decryption routine

The malware download and execution process is as follows:

1. Creates a .vscode directory in the home directory

2. Transmits the hostname, username, and current timestamp to hxxp://[Payload Server]:1244/key

3. Downloads BeaverTail from hxxp://[Payload Server]:1244/j/[Campaign ID] to .vscode/test.js

4. Downloads the package metadata from hxxp://[Payload Server]:1244/p to .vscode/package.json

5. Executes .vscode/test.js.

This download routine repeats three times at approximately 10-minute intervals.

3.1.4. Beavertail

BeaverTail consists of three JavaScript files. The initial script, test.js, downloads and executes the remaining two files. All BeaverTail scripts employ the same obfuscation and anti-tampering techniques observed in parser.js.

test.js

This script collects browser information and downloads and executes n.js and p.js. It targets the following browsers:

• Chrome

• Chromium

• Brave

• Opera

It extracts stored credentials and browser extension data, uploading the information to hxxp://66.235.175[.]117:1244/uploads. The script specifically targets the following browser extension IDs:

| list | list |
| --- | --- |
| nkbihfbeogaeaoehlefnkodbefgpgknn | ejbalbakoplchlghecdalmeeeajnimhm |
| ibnejdfjmmkpcnlpebklmnkoeoihofec | fhbohimaelbohpjbbldcngcnapndodjp |
| hnfanknocfeofbddgcijnmhnfnkdnaad | bfnaelmomeimhlpmgjnjophhpkkoljpa |
| aeachknmefphepccionboohckonoeemg | egjidjbpglichdcondbcbdnbeeppgdph |
| hifafgmccdpekplomjjkcfgodnhcellj | aholpfdialjgjfhomihkjbmgjidlcdno |
| mcohilncbfahbmgdjkbpemcciiolgcge | pdliaogehgdbhbnmkklieghmmjkpigpa |
| nphplpgoakhhjchkkhmiggakijnkhfnd | fdjamakpfbbddfjaooikfcpapjohcfmg |
| acmacodkjbdgmoleebolmdjonilkdbch | dmkamcknogkgcdfhhbddcghachkejeap |
| mkpegjkblkkefacfnmkajcjmabijhclg | X

caption - Target browser extensions for information collection

Upon successful upload, it downloads a file from hxxp://66.235.175[.]117:1244/client/knHbMe8 and saves it as .npl. This file is InvisibleFerret, which is executed via Python. If the operating system is Windows, it downloads Python from hxxp://66.235.11[.]117:1244/pdo to execute the .npl file.

caption - .npl file download routine

After executing InvisibleFerret, it downloads the remaining BeaverTail components from hxxp://66.235.11[.]117:1244/n/knHbMe8 and hxxp://66.235.11[.]117:1244/z/knHbMe8 to .vscode/n.js and .vscode/p.js respectively, and executes them.

caption - Additional BeaverTail download routine

n.js

This is a backdoor component. It first collects system information and uploads it to hxxp://66.235.175[.]117:1244/keys. The collected data includes:

• IP-based geolocation data

• ISP information

• A UUID generated by HMAC-hashing the username

• Hostname

• Username

• OS type

• OS release

• OS version

Following the upload, it establishes a socket connection with the C&C server at 216.250.251[.]87:1247.

caption - Socket connection routine

Once connected, it receives a code value from the C&C server and performs actions based on the code:

| Code | Command Name | Action |
| --- | --- | --- |
| 1    | ssh_obj      | Execute given command (Remote Shell)                                    |
| 2    | ssh_cmd      | Terminate the current process                                           |
| 5    | ssh_upload   | Upload specified file or directory via FTP                              |
| 6    | ssh_kill     | Terminate Chrome and Brave processes                                    |
| 8    | ssh_env      | Searches for and uploads all files matching specific conditions via FTP |
| 10   | ssh_mmc      | Saves the provided JavaScript file to ~/.vscode/c.js and executes it

caption - Backdoor Actions

For FTP uploads, the C&C server provides the domain, username, and password. The upload path format is /DAknHbMe8/[Hostname]+[Username]/[Filename].

caption - FTP upload routine

The ssh_env command searches for and uploads files containing specific strings in their paths:

| list | list |
| -- | -- |
| .env | .xls |
| config.js | .xlsx |
| secret | .doc |
| metamask | .docx |
| wallet | .rtf |
| private | .kbdx |
| mnemonic | .one |
| password | .onenote |
| account | solana |
| seed | X

caption - Search String List

It avoids uploading files with specific names or extensions (e.g., tsconfig.json) and skips certain directories (e.g., node_modules). A comprehensive list is included in "Appendix C. Search Conditions".

p.js

This component performs file collection and exfiltration. It searches for and exfiltrates files matching the following patterns:

| list | list |
| --- | --- |
| *.env | seed* |
| config.js | keys* |
| secret* | keypair.json |
| metamask* | 1pass*.sqlite |
| wallet* | notes.txt |
| private* | hardhat.config.ts |
| mnemonic* | solana* |
| password* | .kdbx |
| account* | X

caption - Search Pattern List

Similar to n.js, it skips specific directories and file extensions. A comprehensive list is included in "Appendix C. Search Conditions".

caption - Upload file search routine

Files are exfiltrated to hxxp://66.235.175[.]117:1244/uploads using a POST request structured as follows:

{
  "timestamp": "jzt",
  "type": "knHbMe8",
  "hid": "[Hostname]",
  "multi_file": {
    "value": "[File Stream]",
    "options": {
      "filename": "env_[Current Time]_[Random Number 0-40]_[File Index]"

The [File Index] represents the file's position within the list generated during the search. Upon successful upload, the file path and hostname are sent to hxxp://66.235.175[.]117:1244/keys in the following format:

{
  "ts": "jzt",
  "type": "knHbMe8",
  "hid": "[Hostname]",
  "ss": "jzt_[Search Pattern]_[Current Time]",
  "cc": "env_[Current Time]_[Random Number 0-40]_[File Index] : [File Path]"

3.1.5. InvisibleFerret

InvisibleFerret is a Python-based malware consisting of five scripts. All scripts are obfuscated using the following multi-layered routine:

1. Decodes a Base85 string located after the first 8 characters of the obfuscated payload

2. XORs the decoded result with the first 8 characters and executes it via exec

3. The executed code reverses a new string, Base64-decodes it, decompresses it via zlib, and executes it via exec.

4. Step 3 is repeated approximately 64 times before the actual malicious script is executed.

.npl

This is the initial InvisibleFerret script executed by BeaverTail. It downloads and executes two additional scripts.

caption - Script download and execution routine

It downloads a payload from hxxp://66.235[.]175.117:1244/payl/knHbMe8, saves it as .vscode/pay, and executes it. It then downloads an additional payload from hxxp://66.235[.]175.117:1244/bro/knHbMe8 to .vscode/bow, and executes it. If the operating system is Darwin(macOS), the bow file is not downloaded.

pay

This is a backdoor that performs malicious actions based on code values received via a socket connection to the C&C server (216.250.251[.]87:1245).

caption - Socket connection routine

The supported commands are:

| Code | Name | Action |
| --- | --- | --- |
| 1    | ssh_obj    | Execute provided command                                                         |
| 2    | ssh_cmd    | Self-destruct                                                                    |
| 3    | ssh_clip   | Transmit keylogging and clipboard data.                                          |
| 4    | ssh_run    | Download hxxp://66.235.175[.]117:1244/bro/knHbMe8 to ~/.n2/bow and execute   |
| 5    | ssh_upload | Uploads file from provided path                                                  |
| 6    | ssh_kill   | Terminate Chrome and Brave browser processes                                     |
| 7    | ssh_any    | Download hxxp://66.235.175[.]117:1244/adc/knHbMe8 to ~/.n2/adc and execute   |
| 8    | ssh_env    | Search for and upload all files matching conditions via FTP                      |
| 9    | ssh_zcp    | Compress provided file into an encrypted archive and upload via Telegram and FTP |
| 10   | ssh_mmc    | Download hxxp://66.235.175[.]117:1244/dd/knHbMe8 to ~/.n2/mc and executes    |

caption - Backdoor Actions

The ssh_env command targets files containing the following strings in their paths:

| list | list |
| --- | --- |
| env | .xls |
| config.js | .xlsx |
| secret | .doc |
| metamask | .docx |
| wallet | .rtf |
| private | .kbdx |
| mnemonic | .one |
| password | .onenote |
| account | X

A comprehensive list is included in "Appendix C. Search Conditions".

bow

This script drops an obfuscated TsunamiInjector payload into the Windows Startup folder to establish persistence.

caption - Script save routine

The TsunamiInjector script decrypts and visits approximately 1,000 encrypted URLs to identify those that are available. The decryption process is as follows:

• Hex-decode the string

• XOR the decoded string with the key !!!HappyPenguin1950!!!

• Base64-decode the result and reverse the string

caption - URL decryption routine

All decrypted URLs point to Pastebin, a popular text-sharing platform. Once an available Pastebin URL is found, it decrypts the page's contents using the same method. The decrypted content yields another URL which is downloaded and extracted to %APPDATA%\Microsoft\Windows\Applications\Runtime Broker.exe.

caption - File download routine

After downloading, it adds the file path to Windows Defender exclusions and establishes persistence by creating a scheduled task to execute the payload on user login.

caption - Task creation routine

adc

This script downloads AnyDesk, a remote desktop application, from hxxp://66.235.175[.]117:1244/and. It then configures the password, allowing the threat actor to connect remotely at any time.

caption - AnyDesk configuration routine

mc

This script manipulates the browser environment to install a malicious cryptocurrency wallet extension. It performs self-deletion upon execution.

caption - Self-deletion routine

It enumerates the extension directories of Chrome and Brave, deleting all files associated with specific extensions. The targeted extension IDs are:

• nkbihfbeogaeaoehlefnkodbefgpgknn

• acmacodkjbdgmoleebolmdjonilkdbch

After deletion, it downloads a payload from hxxp://45.59.163[.]55:1244/mmz/[Extension ID]_knHbMe8 and extracts it into the now-empty extension directories. This effectively replaces the legitimate Rabby Wallet and MetaMask cryptocurrency wallet extensions with malicious versions.

caption - Browser extension file modification routine

The malware then collects the Chrome profile file and exfiltrates it to hxxp://45.59.163[.]55:1244/h. If the server returns a valid response, the script uses the response data to modify Chrome's Secure Preferences.

Additionally, on macOS with Chrome 140 or higher, it attempts to downgrade the browser by downloading and extracting hxxp://45.59.163[.]55:1244/ddo to /Applications/Google Chrome.app, overwriting it.

caption - Chrome downgrade routine

Once the configuration changes are complete, it clears the browser's cookies, cache, and session data to apply the changes immediately. It then reports the success status to hxxp://66.235.175[.]117:1244/t.

3.2. OtterCookie

3.2.1. task.json - Downloader

Similar to the BeaverTail and InvisibleFerret instance, this downloader is executed via VS Code. The runOn option is set to folderOpen, triggering execution when the repository is opened. However, unlike the previous cluster, the commands in this tasks.json file are not hidden with long whitespace.

caption - Command embedded in .vscode/tasks.json

Although the download URLs vary by operating system, the Linux and macOS scripts are identical. All scripts download and execute a subsequent payload.

On Linux and macOS, it downloads a shell script to $HOME/.vscode/vscode-bootstrap.sh and executes it.

caption - Shell script executed on Linux and macOS

On Windows, it downloads a CMD script to %USERPROFILE%\.vscode\vscode-bootstrap.cmd and executes it.

caption - CMD script executed on Windows

During our analysis, we could not obtain the Windows CMD script because the server returned an "Access permanently suspended." error.

3.2.2. vscode-bootstrap.sh - Downloader

The vscode-bootstrap.sh script executed on Linux and macOS is a downloader. Like tokenlinux.sh, we assess it was generated using an LLM, though it lacks the emoji usage seen previously.

caption - Shell script with detailed comments

It checks for a nodejs directory in the current path. If absent, it downloads and extracts Node.js. It then downloads env-setup.js and package.json from the C&C server to $HOME/.vscode. Finally, it executes env-setup.js using the downloaded Node.js.

3.2.3. env-setup.js - Downloader

env-setup.js is a downloader that connects to hxxps://y-lilac-sigma.vercel[.]app/api/ipcheck-encrypted/608 and executes the response via eval. Notably, it executes the payload only when an error occurs, rather than upon receiving a HTTP 200 OK response.

caption - env-setup.js code

3.2.4. OtterCookie

OtterCookie is downloaded and executed via env-setup.js. It employs the same obfuscation and integrity checking techniques observed in BeaverTail.

OtterCookie executes three distinct scripts stored as strings in separate processes. To prevent duplicate execution, it creates lock files containing the process PID and start time ({ pid: [Process PID], startedAt: [Process Start Time] }). The lock files and their corresponding scripts are detailed below:

| Lock File Name | Script Name      | Action                                            |
| -------------- | ---------------- | ------------------------------------------------- |
| pid.6.1.lock   | ldbScript        | Exfiltrates information stored in browsers.       |
| pid.6.2.lock   | autoUploadScript | Searches for and uploads specific files.          |
| pid.6.3.lock   | socketScript     | Connects to the C&C server and executes commands

caption - Lock and script information

ldbScript

This script collects credentials and extension data from browsers. Targeted browsers include:

| list | list |
| --- | --- |
| Chrome | Kiwi |
| Brave | Yandex |
| AVG Browser | Iridium |
| Edge | Comodo |
| Opera | SRWare |
| Opera GX | Chromium |
| Vivaldi | X

caption - Targeted browsers for information collection

Targeted browser extensions include:

| list | list |
| --- | --- |
| 1nkbihfbeogaeaoehlefnkodbefgpgknn | fhkbkphfeanlhnlffkpologfoccekhic |
| ejbalbakoplchlghecdalmeeeajnimhm | fhmfendgdocmcbmfikdcogofphimnkno |
| acmacodkjbdgmoleebolmdjonilkdbch | fldfpgipfncgndfolcbkdeeknbbbnhcc |
| bfnaelmomeimhlpmgjnjophhpkkoljpa | gjnckgkfmgmibbkoficdidcljeaaaheg |
| ibnejdfjmmkpcnlpebklmnkoeoihofec | hifafgmccdpekplomjjkcfgodnhcellj |
| egjidjbpglichdcondbcbdnbeeppgdph | hmeobnfnfcmdkdcmlblgagmfpfboieaf |
| nphplpgoakhhjchkkhmiggakijnkhfnd | hnfanknocfeofbddgcijnmhnfnkdnaad |
| omaabbefbmiijedngplfjmnooppbclkk | jiidiaalihmmhddjgbnbgdfflelocpak |
| bhhhlbepdkbapadjdnnojkbgioiodbic | jblndlipeogpafnldhgmapagcccfchpi |
| aeachknmefphepccionboohckonoeemg | jmbkjchcobfffnmjboflnchcbljiljdk |
| aflkmhkiijdbfcmhplgifokgdeclgpoi | jnjpmcgfcfeffkfgcnjefkbkgcpnkpab |
| agoakfejjabomempkjlepdflaleeobhb | kpkmkbkoifcfpapmleipncofdbjdpice |
| aholpfdialjgjfhomihkjbmgjidlcdno | khpkpbbcccdmmclmpigdgddabeilkdpd |
| afbcbjpbpfadlkmhmclhkeeodmamcflc | ldinpeekobnhjjdofggfgjlcehhmanaj |
| cgbogdmdefihhljhfeffkljbghamglni | lgmpcpglpngdoalbgeoldeajfclnhafa |
| dmkamcknogkgcdfhhbddcghachkejeap | mcohilncbfahbmgdjkbpemcciiolgcge |
| dlcobpjiigpikoobohmabehhmhfoodbb | mopnmbcafieddcagagdcbnhejhlodfdd |
| efbglgofoippbgcjepnhiblaibcnclgk | nkklfkfpelhghbidbnpdfhblphpfjmbo |
| ejjladinnckdgjemekebdpeokbikhfci | penjlddjkjgpnkllboccdgccekpkcbin |
| fhbohimaelbohpjbbldcngcnapndodjp | ppbibelpcjmhbdihakflkdcoccbgbkpo

caption - Target browser extensions for information collection

autoUploadScript

This script scans all drives for files containing specific strings and uploads them to hxxp://172.86.73[.]198:8086/upload. A comprehensive list is included in "Appendix C. Search Conditions".

caption - File upload routine

Unlike ldbScript, this upload method does not include file metadata and uses the file path to generate an HMAC token.

autoUploadScript also features detailed comments and verbose console outputs that are hidden from the user, further suggesting it was generated using an LLM.

socketScript

This script collects system information and exfiltrates it to hxxp://172.86.73[.]198:8087/api/notify. The collected data format is as follows:

{
  "ukey": 608,
  "t": 6,
  "host": "608_[Hostname]",
  "os": "[OS Type]",
  "username": "[Username]",
  "timestamp": "[Current Time]"

It then establishes a socket connection with the C&C server at 172.86.73[.]198:8087. It performs actions based on messages received from the C&C server:

| Message        | Action                                                  |
| -------------- | ------------------------------------------------------- |
| whour          | Send the previously collected system information        |
| command        | Execute provided command                                |
| disconnect     | Terminate the socket connection and enter standby state |
| reconnect      | Re-establish the socket connection                      |
| processControl | Manipulate other OtterCookie processes

caption - Actions for messages

The processControl command is designed to pause or restart ldbScript, autoUploadScript, and socketScript; however, only the stop functionality is currently implemented.

caption - Incomplete processControl function

Similar to the other components, socketScript contains detailed comments and verbose console outputs, indicating LLM-assisted generation.