Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware

    Date: 05/25/2026

    Severity: High

    Summary

    Void Dokkaebi (also known as Famous Chollima) has evolved its InvisibleFerret malware by shifting from readable Python scripts to Cython-compiled binaries, improving evasion and making detection more difficult. Targeting software developers and cryptocurrency users, the malware retains capabilities such as credential theft, keylogging, clipboard monitoring, and cryptocurrency wallet targeting, while associated malware like BeaverTail has expanded its functionality. This evolution reflects a move toward more stealthy, binary-based malware delivery aimed at compromising high-value development and cryptocurrency environments. 

    Indicators of Compromise (IOC) List

    URLs/Domains

    http://45.59.160.199:1244/uploads

    http://45.59.160.199:1244/keys

    http://66.235.168.20:1249/t

    http://66.235.168.20:1249/hm

    http://66.235.168.20:1244/t

    http://66.235.168.20:1244/h

    http://45.59.160.199:1244/du

    http://45.59.160.210:1244/uploads

    http://45.59.160.210:1244/keys

    http://45.59.160.211:1244/uploads

    http://45.59.160.211:1244/keys

    http://45.59.160.199:1244/clw/gbNsMq7

    http://45.59.160.199:1244/clw1/gbNsMq7

    http://45.59.160.199:1244/o/gbNsMq7

    http://45.59.160.199:1244/z/gbNsMq7

    http://45.59.163.50:1244/pd2

    http://45.59.160.199:1244/c/gbNsMq7

    http://45.59.163.50:1244/mmz/nkbihfbeogaeaoehlefnkodbefgpgknn_gbNsMq7

    http://45.59.163.50:1244/mmz/acmacodkjbdgmoleebolmdjonilkdbch_gbNsMq7

    http://45.59.163.50:1244/mmz/bfnaelmomeimhlpmgjnjophhpkkoljpa_gbNsMq7

    http://45.59.163.50:1244/ddo

    http://45.59.160.199:1244/pad

    http://45.59.160.199:1244/pad1

    http://45.59.160.199:1244/brw

    http://45.59.160.199:1244/brw1

    http://45.59.160.199:1244/mc1

    http://45.59.160.210:1244/clw/trJnMn9

    http://45.59.160.210:1244/clw1/trJnMn9

    http://45.59.160.210:1244/o/trJnMn9

    http://45.59.160.210:1244/z/trJnMn9

    http://45.59.160.210:1244/c/trJnMn9

    http://45.59.163.50:1244/mmz/nkbihfbeogaeaoehlefnkodbefgpgknn_trJnMn9

    http://45.59.163.50:1244/mmz/acmacodkjbdgmoleebolmdjonilkdbch_trJnMn9

    http://45.59.163.50:1244/mmz/bfnaelmomeimhlpmgjnjophhpkkoljpa_trJnMn9

    http://45.59.160.210:1244/pad

    http://45.59.160.210:1244/pad1

    http://45.59.160.210:1244/brw

    http://45.59.160.210:1244/brw1

    http://45.59.160.210:1244/mc1

    http://45.59.160.211:1244/clw1/reCgNg6

    http://45.59.160.211:1244/z/reCgNg6

    http://45.59.160.211:1244/pad

    http://45.59.160.211:1244/pad1

    http://45.59.160.211:1244/brw1

    http://45.59.160.211:1244/mc1

    45.43.11.245:1247

    45.43.11.245:1245

    45.43.11.245:1248

    45.43.11.245:1243

    147.124.202.1242

    IP Addresses

    45.43.11.245

    45.59.160.199

    66.235.168.20

    45.59.160.210

    45.59.160.211

    45.59.163.50

    Hashes (SHA-256)

    f2df45291e4c0083f13d69e8ebb29b2558b2c92daf89980a31ae5f77b5fc1c12

    e884fe5353849eda5d94d4479118283a06d49a85ec83f0dbc39a10aa1d1b7397

    6a81d8041de41d796be6bdb1dd75c4d0e1624fc6074ab667097c6b0a3f9a462e

    f298b8e7f7c4c0c394f29f848c1483679d15eb095e8cc7c67e5a3599ad4bcca2

    b8a9804ffd137fddc1d187b4747dc0535c32927ee5e61465f12448b08f2ce07f

    df515c24bd0d3500316d24f8357afd8b60ea69e92755fd40e53097d5ad01df38

    968db31fc33a6c42fa82f7459c2ad7d0ca2ad92b61dfcd53e1b946dd7e9d6fcb

    c53f3591142b4742b14ad43733a800fc2c1f17d64c7625965d685e74bdaf33c6

    bf2ca7da5c2285cdeeabe296e99ad2d774151856f788ea32d811046891a9f027

    14749e579e0b6e1429bc75e0816dccd8f8007da8e80fbbf046bfd198dde80835

    0397d0678bef6721bb123eb9f957022abc4538835b4c9be62ca6604e0a2ac039

    ffb7cf05927dbf664acf597902d2c4ff8a39cf77ed82438587eb804051eed8d7

    9f0235c6698219e7c414720384a48c8399da232344e2a9d5f4a129a8e875464e

    7fe6daaedbcacf14f1168d4652ae0d987e9ec83db1c01eb0a87a822012a9360a

    429dec1abbef575c8540201c61c03096f25df4d548c5a22b73d824e7659d6e32

    1f43c3940b1c05b5de5f56a7dba16276b1843993970c09d803d487e7a8f4cdee

    6aa985715d4fbeb6b19022c10f7a3cb8e100ae164dfa417cc52775d1b4434d15

    b4cc5337882da500899770fdb2314223afba4399bf283a92924590a270d1ce9b

    d65911de9ba5e52e174627f755590df0fe4f051b63a117cfce8a77fcc03893bf

    8a2c2194bf9e71847ca2c97c898803417b0c99b3824a4707c647fbfb7413d921

    a3f03e23059bc2f58f6d990e737aa1e7a2fe0ce966b3c95f73cb774c50d4d4e1

    5673a8d36aaae43799831e81736022c16d84342a3699b3ea7e9f8f4c8414e91c

    d6babcdca4e5bff5417b8030b73c04923e7a6decf53ae1f6bcb29950290e3b6e

    947521bf9fea9b75656400ee5e0602083c471951853d967dc55b132234d46e31

    4fcdeb290cb7b0d9dbb0f1018eecceebd37a479fa16fb9308b456bfcfa59ceb8

    634c4200baaa999e479c618af42bb3bed11e6795486476c81b048c224d4b5c08

    812299610b383b54b3645afcc7ad014276ec98a4c0255182ce917a3817d8c841

    b23ebdd465525d3f943eefbba8818c5d9025ef4b402f96d4806c6310899c37d2

    8c159dc15cba44ca6e0c42b9d6d1cc301316833d613369e9a71b3015758264c5

    6055212de884b78d0730d520f01d3961136b171554afe8acb71e83413f444716

    1b911d1ed5c6624a160f8601f6b6cff678707eaff8bfa4a7b12472e5e7b8c82f

    f96cb2c582ec43aa230df086acc1824ec577f342ec7c0c6c88be17383ec52303

    ddb1d1b587f0be504f8c58f1f90e78b13b4d56b3e11312eab631773d584b2882

    728486086331ee4d63050d9c81fbbc5b2a14eadecbb27a978ce71cafbb97e891

    84a8e051a7687d3dfbe88648726e85b79d7bf7f031f9d2f6615e3d45b8700af9

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "http://45.59.160.210:1244/c/trJnMn9" or url like "http://45.59.160.210:1244/c/trJnMn9" or siteurl like "http://45.59.160.210:1244/c/trJnMn9" or domainname like "http://45.59.160.211:1244/clw1/reCgNg6" or url like "http://45.59.160.211:1244/clw1/reCgNg6" or siteurl like "http://45.59.160.211:1244/clw1/reCgNg6" or domainname like "http://45.59.160.210:1244/pad1" or url like "http://45.59.160.210:1244/pad1" or siteurl like "http://45.59.160.210:1244/pad1" or domainname like "http://45.59.160.199:1244/mc1" or url like "http://45.59.160.199:1244/mc1" or siteurl like "http://45.59.160.199:1244/mc1" or domainname like "http://45.59.163.50:1244/mmz/acmacodkjbdgmoleebolmdjonilkdbch_gbNsMq7" or url like "http://45.59.163.50:1244/mmz/acmacodkjbdgmoleebolmdjonilkdbch_gbNsMq7" or siteurl like "http://45.59.163.50:1244/mmz/acmacodkjbdgmoleebolmdjonilkdbch_gbNsMq7" or domainname like "http://45.59.160.199:1244/uploads" or url like "http://45.59.160.199:1244/uploads" or siteurl like "http://45.59.160.199:1244/uploads" or domainname like "http://45.59.160.199:1244/c/gbNsMq7" or url like "http://45.59.160.199:1244/c/gbNsMq7" or siteurl like "http://45.59.160.199:1244/c/gbNsMq7" or domainname like "http://45.59.163.50:1244/mmz/nkbihfbeogaeaoehlefnkodbefgpgknn_trJnMn9" or url like "http://45.59.163.50:1244/mmz/nkbihfbeogaeaoehlefnkodbefgpgknn_trJnMn9" or siteurl like "http://45.59.163.50:1244/mmz/nkbihfbeogaeaoehlefnkodbefgpgknn_trJnMn9" or domainname like "http://45.59.160.199:1244/keys" or url like "http://45.59.160.199:1244/keys" or siteurl like "http://45.59.160.199:1244/keys" or domainname like "http://45.59.160.199:1244/pad1" or url like "http://45.59.160.199:1244/pad1" or siteurl like "http://45.59.160.199:1244/pad1" or domainname like "http://45.59.160.211:1244/pad" or url like "http://45.59.160.211:1244/pad" or siteurl like "http://45.59.160.211:1244/pad" or domainname like "http://45.59.160.210:1244/pad" or url like "http://45.59.160.210:1244/pad" or siteurl like "http://45.59.160.210:1244/pad" or domainname like "http://45.59.163.50:1244/pd2" or url like "http://45.59.163.50:1244/pd2" or siteurl like "http://45.59.163.50:1244/pd2" or domainname like "http://45.59.160.199:1244/du" or url like "http://45.59.160.199:1244/du" or siteurl like "http://45.59.160.199:1244/du" or domainname like "http://45.59.160.211:1244/mc1" or url like "http://45.59.160.211:1244/mc1" or siteurl like "http://45.59.160.211:1244/mc1" or domainname like "http://45.59.160.199:1244/brw1" or url like "http://45.59.160.199:1244/brw1" or siteurl like "http://45.59.160.199:1244/brw1" or domainname like "http://45.59.160.211:1244/uploads" or url like "http://45.59.160.211:1244/uploads" or siteurl like "http://45.59.160.211:1244/uploads" or domainname like "http://45.59.160.210:1244/z/trJnMn9" or url like "http://45.59.160.210:1244/z/trJnMn9" or siteurl like "http://45.59.160.210:1244/z/trJnMn9" or domainname like "http://45.59.160.210:1244/brw1" or url like "http://45.59.160.210:1244/brw1" or siteurl like "http://45.59.160.210:1244/brw1" or domainname like "http://45.59.163.50:1244/mmz/acmacodkjbdgmoleebolmdjonilkdbch_trJnMn9" or url like "http://45.59.163.50:1244/mmz/acmacodkjbdgmoleebolmdjonilkdbch_trJnMn9" or siteurl like "http://45.59.163.50:1244/mmz/acmacodkjbdgmoleebolmdjonilkdbch_trJnMn9" or domainname like "http://45.59.160.199:1244/pad" or url like "http://45.59.160.199:1244/pad" or siteurl like "http://45.59.160.199:1244/pad" or domainname like "http://45.59.163.50:1244/mmz/bfnaelmomeimhlpmgjnjophhpkkoljpa_trJnMn9" or url like "http://45.59.163.50:1244/mmz/bfnaelmomeimhlpmgjnjophhpkkoljpa_trJnMn9" or siteurl like "http://45.59.163.50:1244/mmz/bfnaelmomeimhlpmgjnjophhpkkoljpa_trJnMn9"

    Detection Query 2 :

    domainname like "http://45.59.160.210:1244/clw/trJnMn9" or url like "http://45.59.160.210:1244/clw/trJnMn9" or siteurl like "http://45.59.160.210:1244/clw/trJnMn9" or domainname like "http://45.59.160.199:1244/z/gbNsMq7" or url like "http://45.59.160.199:1244/z/gbNsMq7" or siteurl like "http://45.59.160.199:1244/z/gbNsMq7" or domainname like "http://45.59.163.50:1244/mmz/nkbihfbeogaeaoehlefnkodbefgpgknn_gbNsMq7" or url like "http://45.59.163.50:1244/mmz/nkbihfbeogaeaoehlefnkodbefgpgknn_gbNsMq7" or siteurl like "http://45.59.163.50:1244/mmz/nkbihfbeogaeaoehlefnkodbefgpgknn_gbNsMq7" or domainname like "http://45.59.160.211:1244/keys" or url like "http://45.59.160.211:1244/keys" or siteurl like "http://45.59.160.211:1244/keys" or domainname like "http://45.59.163.50:1244/ddo" or url like "http://45.59.163.50:1244/ddo" or siteurl like "http://45.59.163.50:1244/ddo" or domainname like "http://45.59.160.210:1244/clw1/trJnMn9" or url like "http://45.59.160.210:1244/clw1/trJnMn9" or siteurl like "http://45.59.160.210:1244/clw1/trJnMn9" or domainname like "http://45.59.160.211:1244/brw1" or url like "http://45.59.160.211:1244/brw1" or siteurl like "http://45.59.160.211:1244/brw1" or domainname like "http://45.59.160.199:1244/o/gbNsMq7" or url like "http://45.59.160.199:1244/o/gbNsMq7" or siteurl like "http://45.59.160.199:1244/o/gbNsMq7" or domainname like "http://45.59.160.199:1244/clw1/gbNsMq7" or url like "http://45.59.160.199:1244/clw1/gbNsMq7" or siteurl like "http://45.59.160.199:1244/clw1/gbNsMq7" or domainname like "http://45.59.160.210:1244/o/trJnMn9" or url like "http://45.59.160.210:1244/o/trJnMn9" or siteurl like "http://45.59.160.210:1244/o/trJnMn9" or domainname like "http://45.59.160.211:1244/z/reCgNg6" or url like "http://45.59.160.211:1244/z/reCgNg6" or siteurl like "http://45.59.160.211:1244/z/reCgNg6" or domainname like "http://45.59.160.210:1244/uploads" or url like "http://45.59.160.210:1244/uploads" or siteurl like "http://45.59.160.210:1244/uploads" or domainname like "http://45.59.160.210:1244/keys" or url like "http://45.59.160.210:1244/keys" or siteurl like "http://45.59.160.210:1244/keys" or domainname like "http://45.59.160.211:1244/pad1" or url like "http://45.59.160.211:1244/pad1" or siteurl like "http://45.59.160.211:1244/pad1" or domainname like "http://45.59.160.210:1244/mc1" or url like "http://45.59.160.210:1244/mc1" or siteurl like "http://45.59.160.210:1244/mc1" or domainname like "http://45.59.163.50:1244/mmz/bfnaelmomeimhlpmgjnjophhpkkoljpa_gbNsMq7" or url like "http://45.59.163.50:1244/mmz/bfnaelmomeimhlpmgjnjophhpkkoljpa_gbNsMq7" or siteurl like "http://45.59.163.50:1244/mmz/bfnaelmomeimhlpmgjnjophhpkkoljpa_gbNsMq7" or domainname like "http://45.59.160.199:1244/brw" or url like "http://45.59.160.199:1244/brw" or siteurl like "http://45.59.160.199:1244/brw" or domainname like "http://45.59.160.199:1244/clw/gbNsMq7" or url like "http://45.59.160.199:1244/clw/gbNsMq7" or siteurl like "http://45.59.160.199:1244/clw/gbNsMq7" or domainname like "http://45.59.160.210:1244/brw" or url like "http://45.59.160.210:1244/brw" or siteurl like "http://45.59.160.210:1244/brw" or domainname like "http://66.235.168.20:1249/t" or siteurl like "http://66.235.168.20:1249/t" or url like "http://66.235.168.20:1249/t" or domainname like "http://66.235.168.20:1249/hm" or siteurl like "http://66.235.168.20:1249/hm" or url like "http://66.235.168.20:1249/hm" or domainname like "http://66.235.168.20:1244/t" or siteurl like "http://66.235.168.20:1244/t" or url like "http://66.235.168.20:1244/t" or domainname like "http://66.235.168.20:1244/h" or siteurl like "http://66.235.168.20:1244/h" or url like "http://66.235.168.20:1244/h" or domainname like "http://66.235.168.20:1249/t" or siteurl like "http://66.235.168.20:1249/t" or url like "http://66.235.168.20:1249/t" or domainname like "http://66.235.168.20:1249/hm" or siteurl like "http://66.235.168.20:1249/hm" or url like "http://66.235.168.20:1249/hm" or domainname like "45.43.11.245:1247" or siteurl like "45.43.11.245:1247" or url like "45.43.11.245:1247" or domainname like "45.43.11.245:1245" or siteurl like "45.43.11.245:1245" or url like "45.43.11.245:1245" or domainname like "45.43.11.245:1248" or siteurl like "45.43.11.245:1248" or url like "45.43.11.245:1248" or domainname like "45.43.11.245:1243" or siteurl like "45.43.11.245:1243" or url like "45.43.11.245:1243" or domainname like "147.124.202.1242" or siteurl like "147.124.202.1242" or url like "147.124.202.1242"

    Detection Query 3 :

    dstipaddress IN ("45.43.11.245","147.124.202.1242","45.59.160.199","66.235.168.20","45.59.160.210","45.59.160.211","45.59.163.50") or srcipaddress IN ("45.43.11.245","147.124.202.1242","45.59.160.199","66.235.168.20","45.59.160.210","45.59.160.211","45.59.163.50")

    Detection Query 4 :

    sha256hash IN ("f298b8e7f7c4c0c394f29f848c1483679d15eb095e8cc7c67e5a3599ad4bcca2","6a81d8041de41d796be6bdb1dd75c4d0e1624fc6074ab667097c6b0a3f9a462e","947521bf9fea9b75656400ee5e0602083c471951853d967dc55b132234d46e31","14749e579e0b6e1429bc75e0816dccd8f8007da8e80fbbf046bfd198dde80835","429dec1abbef575c8540201c61c03096f25df4d548c5a22b73d824e7659d6e32","e884fe5353849eda5d94d4479118283a06d49a85ec83f0dbc39a10aa1d1b7397","8c159dc15cba44ca6e0c42b9d6d1cc301316833d613369e9a71b3015758264c5","ddb1d1b587f0be504f8c58f1f90e78b13b4d56b3e11312eab631773d584b2882","c53f3591142b4742b14ad43733a800fc2c1f17d64c7625965d685e74bdaf33c6","8a2c2194bf9e71847ca2c97c898803417b0c99b3824a4707c647fbfb7413d921","b8a9804ffd137fddc1d187b4747dc0535c32927ee5e61465f12448b08f2ce07f","df515c24bd0d3500316d24f8357afd8b60ea69e92755fd40e53097d5ad01df38","ffb7cf05927dbf664acf597902d2c4ff8a39cf77ed82438587eb804051eed8d7","f96cb2c582ec43aa230df086acc1824ec577f342ec7c0c6c88be17383ec52303","728486086331ee4d63050d9c81fbbc5b2a14eadecbb27a978ce71cafbb97e891","f2df45291e4c0083f13d69e8ebb29b2558b2c92daf89980a31ae5f77b5fc1c12","968db31fc33a6c42fa82f7459c2ad7d0ca2ad92b61dfcd53e1b946dd7e9d6fcb","bf2ca7da5c2285cdeeabe296e99ad2d774151856f788ea32d811046891a9f027","0397d0678bef6721bb123eb9f957022abc4538835b4c9be62ca6604e0a2ac039","9f0235c6698219e7c414720384a48c8399da232344e2a9d5f4a129a8e875464e","7fe6daaedbcacf14f1168d4652ae0d987e9ec83db1c01eb0a87a822012a9360a","1f43c3940b1c05b5de5f56a7dba16276b1843993970c09d803d487e7a8f4cdee","6aa985715d4fbeb6b19022c10f7a3cb8e100ae164dfa417cc52775d1b4434d15","b4cc5337882da500899770fdb2314223afba4399bf283a92924590a270d1ce9b","d65911de9ba5e52e174627f755590df0fe4f051b63a117cfce8a77fcc03893bf","a3f03e23059bc2f58f6d990e737aa1e7a2fe0ce966b3c95f73cb774c50d4d4e1","5673a8d36aaae43799831e81736022c16d84342a3699b3ea7e9f8f4c8414e91c","d6babcdca4e5bff5417b8030b73c04923e7a6decf53ae1f6bcb29950290e3b6e","4fcdeb290cb7b0d9dbb0f1018eecceebd37a479fa16fb9308b456bfcfa59ceb8","634c4200baaa999e479c618af42bb3bed11e6795486476c81b048c224d4b5c08","812299610b383b54b3645afcc7ad014276ec98a4c0255182ce917a3817d8c841","b23ebdd465525d3f943eefbba8818c5d9025ef4b402f96d4806c6310899c37d2","6055212de884b78d0730d520f01d3961136b171554afe8acb71e83413f444716","1b911d1ed5c6624a160f8601f6b6cff678707eaff8bfa4a7b12472e5e7b8c82f","84a8e051a7687d3dfbe88648726e85b79d7bf7f031f9d2f6615e3d45b8700af9")
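    The four queries above match full URL strings, IP addresses and SHA-256 hashes against the log fields domainname/url/siteurl, srcipaddress/dstipaddress and sha256hash. The Python below is an added example, not Gurucul's or Trend Micro's code, that performs the same matching over constructed log records with a small subset of the advisory's indicators: it normalises URLs to (host, port, path) so that a query string, scheme case or trailing slash in the log does not cause a miss, treats bare host:port indicators as matching any path on that socket, matches hashes case-insensitively, and validates the IP list before use (the entry 147.124.202.1242, copied as printed above, does not parse as an IP address and is reported rather than silently loaded). Function and field names other than the query field names are assumptions of this example.

```python
"""Added example (not Gurucul's or Trend Micro's code): apply the advisory's URL,
socket, IP and SHA-256 indicators to log records the way Detection Queries 1-4
do, after a validation pass over the indicator list."""
import ipaddress
import logging
from urllib.parse import urlsplit

log = logging.getLogger("ioc-matcher")

# A subset of the indicators listed in the advisory above (the full list is on
# the page and would normally be loaded from a feed or CSV).
IOC_URLS = [
    "http://45.59.160.199:1244/uploads",
    "http://45.59.160.199:1244/keys",
    "http://45.59.163.50:1244/pd2",
    "http://66.235.168.20:1249/hm",
]
IOC_SOCKETS = ["45.43.11.245:1247", "45.43.11.245:1245"]  # host:port, no path
IOC_IPS = ["45.43.11.245", "45.59.160.199", "66.235.168.20",
           "45.59.163.50", "147.124.202.1242"]  # last one copied as printed on the page
IOC_SHA256 = [
    "f2df45291e4c0083f13d69e8ebb29b2558b2c92daf89980a31ae5f77b5fc1c12",
    "634c4200baaa999e479c618af42bb3bed11e6795486476c81b048c224d4b5c08",
]


def norm_url(value):
    """Reduce a URL (or bare host:port) to (host, port, path) so that scheme
    case, a query string or a trailing slash in the log does not cause a miss."""
    parts = urlsplit(value if "://" in value else "http://" + value)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.hostname or "").lower(), port, parts.path.rstrip("/") or "/"


def load_iocs():
    """Validate and index the indicators. Entries that do not parse as an IP
    address are returned under 'rejected' instead of silently entering the set."""
    ips, rejected = set(), []
    for ip in IOC_IPS:
        try:
            ips.add(str(ipaddress.ip_address(ip)))
        except ValueError:
            log.warning("indicator %r is not a valid IP address, skipping", ip)
            rejected.append(ip)
    return {
        "urls": {norm_url(u) for u in IOC_URLS},
        "sockets": {norm_url(s)[:2] for s in IOC_SOCKETS},
        "ips": ips,
        "hashes": {h.lower() for h in IOC_SHA256},
        "rejected": rejected,
    }


def match_record(rec, iocs):
    """Return (kind, field, value) hits for one record. Field names are the ones
    the advisory's queries use: domainname/url/siteurl, srcipaddress/dstipaddress,
    sha256hash."""
    hits = []
    for field in ("domainname", "url", "siteurl"):
        value = rec.get(field)
        if not value:
            continue
        host, port, path = norm_url(value)
        if (host, port, path) in iocs["urls"]:
            hits.append(("url", field, value))       # Query 1/2 style full-URL match
        elif (host, port) in iocs["sockets"]:
            hits.append(("socket", field, value))    # host:port indicator, any path
    for field in ("srcipaddress", "dstipaddress"):
        value = rec.get(field)
        if value in iocs["ips"]:
            hits.append(("ip", field, value))        # Query 3 style
    digest = (rec.get("sha256hash") or "").lower()
    if digest in iocs["hashes"]:
        hits.append(("hash", "sha256hash", digest))  # Query 4 style, case-insensitive
    return hits


def scan(records, iocs):
    """Map record index -> hits for every record with at least one hit."""
    result = {}
    for i, rec in enumerate(records):
        hits = match_record(rec, iocs)
        if hits:
            result[i] = hits
    return result


# Constructed log records for the demonstration; not real telemetry.
SAMPLE_LOGS = [
    {"url": "http://45.59.160.199:1244/keys?x=1", "dstipaddress": "45.59.160.199"},
    {"siteurl": "HTTP://45.59.163.50:1244/pd2/", "dstipaddress": "10.0.0.5"},
    {"domainname": "http://45.43.11.245:1247/anything", "srcipaddress": "10.0.0.7"},
    {"url": "http://45.59.160.199:8080/keys"},        # same host and path, other port
    {"sha256hash": "634C4200BAAA999E479C618AF42BB3BED11E6795486476C81B048C224D4B5C08"},
    {"url": "https://example.invalid/"},
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    loaded = load_iocs()
    for idx, hits in scan(SAMPLE_LOGS, loaded).items():
        for kind, field, value in hits:
            print(f"record {idx}: {kind} match on {field}={value}")
```

    Running the block reports hits on records 0, 1, 2 and 4 and none on record 3, where only the port differs from the indicator; a plain substring `like` on the path alone would have fired there, which is why host, port and path are compared together.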

    Reference:

    https://www.trendmicro.com/en_us/research/26/e/analyzing-void-dokkaebi-invisibleferret-malware.html


    Tags

    Keylogger, BeaverTail, Crypto wallets, Malware, Threat Actor, Chollima, Python, cryptocurrency, CredentialTheft
