{
  "description": "Enterprise techniques used by BeaverTail, ATT&CK software S1246 (v1.0)",
  "name": "BeaverTail (S1246)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has used HTTP GET requests to download malicious payloads, including [InvisibleFerret](https://attack.mitre.org/software/S1245), and HTTP POST requests to exfiltrate data to C2 infrastructure.(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.001", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has collected and archived sensitive data in a zip file.(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1217", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has searched the victim device for browser extensions, including those commonly associated with cryptocurrency wallets.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025)(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.007", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has executed malicious JavaScript code.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023) [BeaverTail](https://attack.mitre.org/software/S1246) has also been compiled with the Qt framework to execute on both Windows and macOS.(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has collected Solana keys stored in `.config/solana/id.json` and other login details associated with macOS within `/Library/Keychains/login.keychain` or for Linux within `/.local/share/keyrings`.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1555.001", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has collected keys associated with macOS within `/Library/Keychains/login.keychain`.(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has stolen passwords saved in web browsers.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024) [BeaverTail](https://attack.mitre.org/software/S1246) has also been known to collect login data from Firefox within key3.db, key4.db and logins.json from `/.mozilla/firefox/` for exfiltration.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has exfiltrated data collected from local systems.(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1001", "showSubtechniques": true},
    {"techniqueID": "T1001.001", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has added junk data or a dummy character prepended to a string to hamper decoding attempts.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has staged collected data to the system\u2019s temporary directory.(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has exfiltrated data collected from victim devices to C2 servers.(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has searched for .ldb and .log files stored in browser extension directories for collection and exfiltration.(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1657", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has searched the victim device for browser extensions commonly associated with cryptocurrency wallets.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has deleted files from a compromised host after they were exfiltrated.(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has been used to download a malicious payload, including the Python-based malware [InvisibleFerret](https://attack.mitre.org/software/S1245).(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1654", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has identified .ldb and .log files stored in browser extension directories for collection and exfiltration.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has masqueraded as MiroTalk installation packages: \u201cMiroTalk.dmg\u201d for macOS and \u201cMiroTalk.msi\u201d for Windows, and has included login GUIs with MiroTalk themes.(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1571", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has communicated with C2 IP addresses over ports 1224 or 1244.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has obfuscated strings of code with Base64 encoding within the JavaScript version of the malware.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024) [BeaverTail](https://attack.mitre.org/software/S1246) has also utilized the open-source tool JavaScript-Obfuscator to obfuscate strings and functions.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1195", "showSubtechniques": true},
    {"techniqueID": "T1195.001", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has been hosted on code repositories and disseminated to victims through NPM packages.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has been known to collect basic system information.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023) [BeaverTail](https://attack.mitre.org/software/S1246) has also collected data including the hostname and current timestamp prior to uploading data to the API endpoint `/uploads` on the C2 server.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1124", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has obtained and sent the current timestamp associated with the victim device to C2.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[BeaverTail](https://attack.mitre.org/software/S1246) has been executed through lures involving malicious JavaScript projects or trojanized remote conferencing software such as MiroTalk or FreeConference.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024) [BeaverTail](https://attack.mitre.org/software/S1246) has also been executed through macOS and Windows installers disguised as chat applications.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by BeaverTail", "color": "#66b1ff"}]
}