Since early 2025, Fox-IT has been tracking a cluster of activity linked to the Contagious Interview campaign, involving the malware families known as BeaverTail, InvisibleFerret, and OtterCookie. This talk provides a behind-the-scenes look at our threat intelligence methodology for tracking this campaign and actor.
We’ll demonstrate our investigation approach, showing how we first manually investigate infrastructure and malware linked to this North Korean activity cluster, then how we’ve automated critical parts of our workflow – including infrastructure scanning, result parsing, and sample analysis.
You’ll gain insights into our findings on the group’s server infrastructure, on the functionality and evolution of the InvisibleFerret malware family, and on the detection opportunities each of these offers. Despite using relatively simple techniques, this threat actor continues to successfully compromise victims globally, which makes this intelligence valuable for defensive planning.