
InvisibleFerret Malware Now Ships as .pyd and .so Files to Evade Script Detection
The silent war against cyber threats wages on, and a recent development indicates a significant shift in adversary tactics. North Korea-linked threat actors, specifically the group known as Void Dokkaebi (also tracked as Famous Chollima), have upgraded their formidable information-stealing malware, InvisibleFerret. This sophisticated tool now evades conventional detection methods by shipping as .pyd and .so files, presenting a new challenge for cybersecurity defenses.
InvisibleFerret: A Stealthier Evolution
InvisibleFerret has earned its reputation as a dangerous information stealer. Previously, its operation involved methods that, while effective, were more susceptible to script-based detection mechanisms. The transformation to .pyd (Python Dynamic Link Library) and .so (Shared Object) file formats represents a strategic move. These compiled formats are designed to be loaded dynamically by Python applications, making them appear as legitimate extensions rather than standalone malicious scripts.
This repackaging allows InvisibleFerret to blend seamlessly into a target system’s environment. Security software often relies on heuristic analysis and signature-based detection for common script types. By presenting itself as a compiled module, InvisibleFerret bypasses these layers, making analysis and identification significantly more challenging. This evolution highlights a growing trend among advanced persistent threat (APT) groups to utilize less scrutinized file types for payload delivery and execution, further emphasizing the need for robust endpoint detection and response (EDR) solutions.
Understanding .pyd and .so Files in Malware Context
To grasp the gravity of this change, understanding .pyd and .so files is crucial for security analysts. These are platform-specific compiled modules:
- .pyd (Python Dynamic Link Library): On Windows systems, a .pyd file is essentially a DLL (Dynamic Link Library) designed to be imported and used by Python. It allows Python programs to call functions written in other languages like C or C++. This legitimate functionality is now being abused to house malicious code.
- .so (Shared Object): On Linux and Unix-like systems, a .so file serves a similar purpose to DLLs on Windows. These are compiled libraries that can be dynamically loaded by applications at runtime. Threat actors leverage this to execute native code within a Python environment, masking their malicious intent.
The core issue is that these files, by their nature, are not easily scrutinized by traditional script analysis tools. Their compiled format requires more in-depth reverse engineering and behavioral analysis to uncover their true purpose, giving InvisibleFerret a considerable head start in compromised environments.
Void Dokkaebi’s Persistent Campaigns
The threat actor Void Dokkaebi, also known as Famous Chollima, has a history of sophisticated cyber operations. Their affiliation with North Korea suggests state-sponsored motives, often involving espionage, intelligence gathering, or illicit financial activities. The continuous refinement of tools like InvisibleFerret underscores their commitment to bypassing defenses and maintaining persistent access to high-value targets. This group’s activities warrant vigilant monitoring and proactive defense strategies, as their TTPs (Tactics, Techniques, and Procedures) frequently evolve to counter security measures.
Remediation Actions
Addressing the threat posed by the evolved InvisibleFerret requires a multi-layered approach focusing on enhanced detection and prevention:
- Enhanced Endpoint Protection: Deploy EDR solutions capable of behavioral analysis and anomaly detection, not just signature-based detection. These tools can identify suspicious process injection, unusual network connections, or modifications to critical system files that indicate compromise, even if the initial payload evades detection.
- Application Whitelisting: Implement strict application whitelisting policies to prevent the execution of unauthorized executables and dynamic libraries, including unexpected .pyd or .so files, particularly in directories not typically used for legitimate Python modules.
- Network Segmentation and Monitoring: Segment networks to limit lateral movement if a compromise occurs. Implement continuous network traffic analysis to detect unusual outbound connections or command-and-control (C2) communication patterns indicative of InvisibleFerret’s activity.
- User Education: Train users to recognize and report suspicious emails and phishing attempts. Many advanced attacks still rely on initial compromise through social engineering.
- Regular Software Updates: Ensure all operating systems, applications, and security software are kept up-to-date with the latest patches to mitigate known vulnerabilities.
- Threat Intelligence Integration: Integrate current threat intelligence feeds into security operations to stay informed about Void Dokkaebi’s latest TTPs and indicators of compromise (IoCs).
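The following script is an added illustration for this article (not InvisibleFerret code and not from any vendor tool) of the hunting logic behind the .pyd/.so explanation above and the whitelisting point: it flags native Python modules whose container format does not match their suffix, that lack the PyInit_<name> export a genuine CPython 3 extension must have, or that sit outside trusted module roots. The directory layout and file contents in demo() are constructed samples.

```python
"""Hunt for .pyd / .so files that do not look like legitimate CPython extension
modules: wrong container format for the suffix, no PyInit_<name> export matching
the file name, or a location outside trusted module roots.  Added illustration
for this article; the sample files in demo() are constructed, not real malware."""
import os
import tempfile
from pathlib import Path

MAGIC = {".pyd": b"MZ", ".so": b"\x7fELF"}  # PE (Windows DLL) vs. ELF shared object

def inspect_native_module(path, trusted_roots):
    """Return findings for one file; an empty list means it looks normal."""
    p = Path(path)
    data = p.read_bytes()
    findings = []
    if not data.startswith(MAGIC[p.suffix]):        # e.g. ELF bytes under a .pyd name
        findings.append("format-mismatch")
    # A CPython 3 extension must export PyInit_<import name>, where the import name
    # is the file name up to the first dot ('foo.cpython-311-x86_64-linux-gnu.so'
    # -> 'foo').  Exported names are plain text in the dynamic symbol table.
    if b"PyInit_" + p.name.split(".")[0].encode() not in data:
        findings.append("no-matching-PyInit")
    if not any(p.resolve().is_relative_to(Path(r).resolve()) for r in trusted_roots):
        findings.append("outside-trusted-roots")
    return findings

def hunt(roots, trusted_roots):
    """Walk `roots`; return {file name: findings} for suspicious files only."""
    hits = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for f in files:
                if Path(f).suffix in MAGIC:
                    findings = inspect_native_module(os.path.join(dirpath, f), trusted_roots)
                    if findings:
                        hits[f] = findings          # keyed by name for brevity
    return hits

def demo():
    """Constructed sample tree: one plausible extension and two odd files."""
    base = Path(tempfile.mkdtemp())
    site, tmp = base / "site-packages", base / "Temp"
    site.mkdir(); tmp.mkdir()
    elf = b"\x7fELF" + b"\0" * 12
    (site / "good.cpython-311-x86_64-linux-gnu.so").write_bytes(elf + b"PyInit_good\0")
    (tmp / "helper.so").write_bytes(elf + b"PyInit_other\0")   # stray module, wrong export
    (tmp / "update.pyd").write_bytes(elf)                        # ELF body, .pyd name
    return hunt([base], [site])
```

Point hunt() at user-writable locations (temp, profile and download directories) with the interpreter's site-packages and lib-dynload as trusted roots; a real file that trips "no-matching-PyInit" is worth a closer look in IDA or Ghidra.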
Detection and Analysis Tools
| Tool Name | Purpose | Link |
|---|---|---|
| YARA Rules | Signature-based detection for compiled malware patterns. Custom rules can be developed for InvisibleFerret. | https://virustotal.github.io/yara/ |
| IDA Pro / Ghidra | Reverse engineering tools for analyzing compiled .pyd and .so files to understand their functionality. | https://hex-rays.com/ida-pro/ https://ghidra-sre.org/ |
| Sysmon | Windows system monitoring service that logs process creations, network connections, and file modifications. Useful for behavioral analysis. | https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon |
| Elastic Security (SIEM/EDR) | Provides EDR capabilities for detecting anomalous behavior, process injections, and C2 communications. | https://www.elastic.co/security/ |
| Osquery | SQL-powered operating system instrumentation, allowing SQL queries to explore OS data. Can be used for forensic analysis on endpoints. | https://osquery.io/ |
Conclusion
The evolution of InvisibleFerret to utilize .pyd and .so files marks a significant step in adversarial evasion tactics. This development underscores the continuous arms race in cybersecurity, where threat actors like Void Dokkaebi constantly innovate to bypass established defenses. Organizations must prioritize advanced endpoint protection, behavioral analysis, and robust security practices to detect and mitigate these increasingly sophisticated threats. Diligence in monitoring systems and staying informed on a continually evolving threat landscape remains paramount.