Rabby Wallet – Official Installation and Expert Setup Guide

What Is Rabby Wallet

Rabby Wallet is a browser-extension, non-custodial wallet built for Ethereum and EVM-compatible chains. It serves as the signing interface for managing tokens, interacting with DeFi protocols, and handling NFTs. Rabby's distinguishing features are pre-signature transaction simulation, automatic chain switching, and risk flagging of what a dApp is asking you to sign.

Core Capabilities

Supports a wide range of EVM chains: Ethereum, BNB Chain, Polygon, Arbitrum, Avalanche, Fantom, among others

Auto-switches to the correct blockchain when a dApp requests access

Simulates each transaction before you sign it, showing the expected net balance changes and any risks the simulation turned up

Issues alerts for potentially unsafe token approvals or contract calls

Integrates hardware wallets such as Ledger and Trezor, so private keys never leave the device and Rabby only relays unsigned transactions to it

Imports existing accounts from MetaMask, a recovery phrase, or a private key

Designed with a clear, DeFi-optimized user interface

Installation Steps

Open a Chromium-based browser (Chrome, Brave, Edge)

Navigate to Rabby’s official download page

Follow the link from that page to the Chrome Web Store listing (or your browser's equivalent store) rather than searching the store by name; lookalike extensions are a common way to steal seed phrases

Before installing, check that the publisher and extension name on the listing match the official page, then install and pin the extension

Access Rabby via its toolbar icon

Wallet Initialization

Launch the extension, then choose either "Create New Wallet" or "Import Wallet"

When creating a new wallet, set a strong password; it is used only on this device, to encrypt the wallet data stored in your browser profile, and is never sent anywhere

Rabby will generate a 12- or 24-word recovery phrase

Write the phrase down on paper and store it offline, never in a screenshot, note app, or cloud drive, and re-enter it when prompted to confirm the backup

The wallet is then ready to use

Importing an Existing Wallet

Supports import via:

Recovery phrase (mnemonic)

Private key

JSON keystore file

Direct MetaMask transfer

Operating Rabby Wallet

Visit any EVM-compatible dApp

Select “Connect Wallet” and choose Rabby

Rabby auto-switches to the appropriate network

Before you sign, a preview shows the simulated balance changes, the contract being called, any token approvals being granted, and the risk flags Rabby raised

Confirm only if the preview matches what the dApp said it would do; otherwise cancel

Security Protocols

Rabby never transmits your password or seed phrase; the password is not stored at all, and the seed phrase is stored only locally in your browser profile, encrypted with a key derived from that password

Never share your recovery phrase

Use only the download links published on Rabby's official site; treat any app or extension listing not linked from there as an imitator

Pair Rabby with a hardware wallet for optimal security

The wallet flags suspicious transactions with real-time risk alerts before you sign; it warns rather than blocks, so the decision to cancel is yours

Account Recovery & Backups

There is no password reset: if you forget the password, reinstall or re-import the wallet from your recovery phrase

Rabby has no cloud backup; all wallet data resides locally in the browser profile, so the recovery phrase you wrote down is your only backup

Updates are managed through the browser extension store

For troubleshooting, consult the in-extension help or official support

The Nexera protocol fell victim to a devastating private key exploit, resulting in a multi-million dollar loss. The root cause? The BeaverTail malware.

This malware has been traced back to North Korea’s state-sponsored cybercriminals, the Lazarus Group. Over the past three years, this group has wreaked havoc across the cryptocurrency landscape, causing losses exceeding $3 billion. Their speciality? Private key exploits, often executed through highly targeted social engineering attacks.


Unfortunately for the crypto space, it appears that the Lazarus Group has now set out to cause maximum damage with their latest iteration of the BeaverTail malware.


This version introduces new capabilities, allowing them to steal much more, and with greater efficiency, from all participants in the crypto space. Their expanded targeting now ranges from DeFi protocols to individual crypto users, with private key theft threatening popular wallets like Rabby.


Here’s how.


How BeaverTail Operates

BeaverTail’s core functionality revolves around the theft of sensitive information from compromised machines.


DPRK threat actors have deployed this infostealer in multiple campaigns that lure job seekers with fake recruiting and interview tasks.


Even when it was only "a JavaScript-based information stealer," BeaverTail was already a powerful tool.


Once installed, BeaverTail performs initial reconnaissance on the infected system. It then downloads a secondary tool known as InvisibleFerret.


This secondary tool is a Python-based backdoor that significantly enhances BeaverTail’s capabilities. InvisibleFerret includes features such as keylogging, data exfiltration, and remote control, allowing the malware to harvest a broad range of sensitive data.


Image source: Unit42

“As an information stealer, BeaverTail targets cryptocurrency wallets and credit card information stored in the victim’s web browsers. As a loader, BeaverTail retrieves and runs the next stage of malware, InvisibleFerret.”


— Palo Alto


The BeaverTail-InvisibleFerret integration allows the attackers to conduct more comprehensive and persistent attacks, increasing the overall impact of the malware.


Since its first iteration, BeaverTail has evolved into a more complex and dangerous threat.


The malware now has a native macOS variant, identified in July 2024, that masquerades as legitimate software. The first observed lure was a trojanized build of MiroTalk, a video conferencing application, which looks and behaves like the real service while delivering the malware.


Image 1: trojanized version of MiroTalk. Image 2: scam-repository alert posted by victims of the trojanized MiroTalk/BeaverTail attack. Source: Unit42

Functionality and Features of the macOS BeaverTail

BeaverTail's primary objective is to extract valuable information, particularly cryptocurrency-related data. The malware collects the extension IDs of popular cryptocurrency wallets installed in the victim's browsers, the paths to those browsers' profile data, and macOS keychain data. Together these give the attackers the encrypted wallet vaults and the saved credentials needed to attack them.


The newer macOS variant of BeaverTail operates as a native Mach-O executable, offering a more stealthy and efficient means of infection compared to its JavaScript predecessor.


The malware’s behavior includes communicating with specific API endpoints, indicative of its sophisticated data exfiltration and command-and-control operations.


The evolution from the old JavaScript-based BeaverTail to the new native versions represents a significant advancement in the malware’s capabilities and sophistication.


1. Old BeaverTail (JavaScript-based) — The earlier iteration of BeaverTail was distributed primarily as JavaScript files embedded within Node Package Manager (NPM) packages.


Image source: Unit42

This version used obfuscated JavaScript to evade detection and ran inside the Node.js runtime that executed the trojanized package.


It was designed to target browsers and extract information related to cryptocurrency wallets and other sensitive data.


The use of JavaScript made it somewhat less efficient and more easily detectable compared to compiled executables.


2. New BeaverTail — The newer version is a native executable built for macOS: a Mach-O binary rather than a script.


These native versions offer several advantages over the JavaScript variant, including deeper system integration, more efficient execution, and improved stealth.


Native executables can bypass some of the security mechanisms designed to protect against JavaScript-based threats and offer more robust capabilities for data exfiltration and system control.


But even worse, just a few weeks ago, Group-IB Threat Intelligence uncovered that a Windows variant of the malware, similar to the macOS version, is now also active.


The New Windows Version of BeaverTail

The Windows variant of BeaverTail represents a significant development in the malware’s evolution. Building on the capabilities of its predecessors, this new version extends BeaverTail’s reach beyond macOS, targeting Windows operating systems with sophisticated tactics.


Deployment and Operation

The Windows version, identified as FCCCall.exe and mimicking the legitimate “FreeConferenceCall.com” app, was part of a campaign observed by Group-IB Threat Intelligence between late July and early August 2024. This campaign is similar to the earlier operation that trojanized the MiroTalk application.


It also operates similarly to its macOS counterpart, performing functions such as data exfiltration and payload execution. This version also leverages the InvisibleFerret backdoor to enhance its capabilities, including keylogging and remote access.


Expansion of Targeting and Scope

The introduction of the Windows version and the expansion of targeting capabilities signify a strategic evolution in BeaverTail’s operations. The malware now targets a broader range of browser extensions and cryptocurrency wallets, including new entries such as Kaikas, Rabby, Argent X, and Exodus web3, as reported by Group-IB Threat Intelligence.


The differences in deployment and functionality between the two versions highlight BeaverTail’s versatility and the attackers’ ability to adapt their tactics to various platforms. Each version is optimized for its target environment, enhancing the malware’s effectiveness and making detection more challenging.


This expansion shows that BeaverTail’s operators are intent on targeting a broader spectrum of victims’ cryptocurrency assets. The widened scope highlights the malware’s adaptability and the attackers’ determination to maximize their data theft operations, now extending their reach from small retail investors to large-scale “whale” targets.


We can expect more diverse and intensified exploit campaigns, aimed at mapping the entire crypto ecosystem and exploiting every vulnerability — whether existing or newly created (by them) — to siphon off every available fund.


At the same time, the North Korean threat actors continue two distinct and very lucrative campaigns aimed at job seekers and recruiters. The first, dubbed "Contagious Interview" by Unit 42 researchers, has attackers posing as employers to trick software developers into installing malware during the interview process, which can lead to various types of theft. This strategy has been a key element in some of the most significant heists orchestrated by the Lazarus Group, netting them billions.


The second campaign, dubbed “Wagemole,” by Unit 42, involves threat actors infiltrating organizations through unauthorized employment, with the dual aims of financial gain and espionage. According to the latest report from crypto investigator ZachXBT, this campaign has already siphoned at least $7.7 million from crypto entities in just a few weeks.


Image: fake employee data. Source: ZachXBT

BeaverTail's evolution from a JavaScript-based infostealer to native macOS and Windows variants shows its increasing sophistication: the compiled builds run more efficiently and are harder to detect than the original scripts.


This advancement makes the Lazarus Group and other North Korean threat actors involved in these heist campaigns an even greater menace to the crypto ecosystem — exactly the kind of threat it could least afford.


About us

Nefture is a Web3 real-time security and risk prevention platform that detects on-chain vulnerabilities and protects digital assets, protocols and asset managers from significant losses or threats.


Nefture's core services include Real-Time Transaction Security and a Threat Monitoring Platform that provides accurate exploit detection and fully customized alerts covering hundreds of risk types, with clear expertise in DeFi.


Today, Nefture proudly collaborates with leading projects and asset managers, providing them with unparalleled security solutions.