OtterCandy, malware used by WaterPlum
WaterPlum, a North Korean-associated attack group, has been using a new malware called OtterCandy in their ClickFake Interview campaign. OtterCandy, implemented in Node.js, combines features of RATatouille and OtterCookie. It targets Windows, macOS, and Linux systems, stealing browser credentials, cryptocurrency wallets, and confidential files. The malware communicates with C2 servers via Socket.IO and has persistence mechanisms. An August 2025 update (v2) enhanced user identification, expanded theft targets, and added trace deletion capabilities. OtterCandy's evolution and its use in ongoing campaigns highlight the need for continued vigilance against WaterPlum's activities.
AI Analysis
Technical Summary
OtterCandy is a malware strain developed in Node.js and deployed by the North Korean-linked threat actor WaterPlum as part of their ClickFake Interview campaign. It merges functionality from the earlier malware families RATatouille and OtterCookie, enabling it to operate across Windows, macOS, and Linux. The malware's primary objectives are stealing browser credentials, cryptocurrency wallets, and confidential files, which can lead to significant data breaches and financial losses. Communication with command and control (C2) servers is conducted via Socket.IO, a real-time bidirectional communication library; because the same library is widely used by legitimate web applications, this traffic can be hard to distinguish from normal activity. OtterCandy maintains persistence on infected systems, ensuring long-term access. The August 2025 update (version 2) improved user identification capabilities, broadened the scope of data theft, and introduced trace deletion mechanisms to evade forensic analysis. Although no CVE identifier applies and no exploits in the wild are known, the malware's cross-platform targeting and evasion techniques underscore its threat potential. Indicators of compromise include several IP addresses linked to C2 infrastructure. The campaign's social engineering vector, fake job interviews, leverages human trust to deliver the malware, increasing infection likelihood. Continuous monitoring and threat intelligence sharing are critical to countering this evolving threat.
Potential Impact
For European organizations, OtterCandy poses a significant risk to confidentiality and financial integrity. The malware’s ability to steal browser credentials and cryptocurrency wallets threatens both personal and corporate assets, potentially leading to unauthorized access to sensitive accounts and financial theft. The targeting of Windows, macOS, and Linux systems means a broad range of enterprise environments are vulnerable, including those using mixed operating systems. The persistence and trace deletion features increase the difficulty of detection and remediation, potentially allowing prolonged unauthorized access and data exfiltration. Organizations involved in cryptocurrency trading, financial services, technology development, and those holding sensitive intellectual property are at heightened risk. The social engineering aspect via fake interviews may particularly impact HR departments and job applicants, increasing the attack surface. The malware’s use of Socket.IO for C2 communication may bypass traditional network security controls, complicating detection efforts. Overall, the threat could lead to data breaches, financial losses, reputational damage, and regulatory penalties under GDPR if personal data is compromised.
Mitigation Recommendations
1. Implement advanced endpoint detection and response (EDR) solutions capable of identifying Node.js-based malware behaviors and suspicious persistence mechanisms across Windows, macOS, and Linux systems.
2. Monitor network traffic for unusual Socket.IO communications, especially outbound connections to known malicious IP addresses associated with OtterCandy C2 servers.
3. Conduct targeted threat hunting for indicators of compromise, including the provided IP addresses, and deploy network intrusion detection systems (NIDS) with updated signatures.
4. Enhance user awareness training focusing on social engineering tactics, particularly fake job interview scams, to reduce the risk of initial infection.
5. Enforce strict credential hygiene policies, including multi-factor authentication (MFA) for critical systems and cryptocurrency wallets, to mitigate credential theft impact.
6. Regularly audit and restrict persistence mechanisms such as startup scripts and scheduled tasks that could be abused by malware.
7. Employ endpoint forensic tools to detect and recover from trace deletion attempts, ensuring incident response teams can analyze compromised systems effectively.
8. Collaborate with threat intelligence sharing communities to stay updated on WaterPlum activities and emerging OtterCandy variants.
9. Limit exposure of sensitive data on endpoints and network shares to reduce the value of stolen information.
10. Apply network segmentation to isolate critical assets and reduce lateral movement opportunities for malware.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Switzerland
Indicators of Compromise
- ip: 139.60.163.206
- ip: 162.254.35.14
- ip: 172.86.114.31
- ip: 212.85.29.133
- ip: 74.119.194.205
- ip: 80.209.243.85
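Mitigation items 2 and 3 above call for hunting the listed C2 addresses and unusual Socket.IO traffic in network logs. The script below is an added example written for this page, not code from the NTT write-up or the AlienVault pulse. It matches proxy log lines against the six IP indicators above and treats a Socket.IO handshake path to an unlisted host as a low-confidence signal only, since legitimate web applications use the same library. The one-line-per-request log format and the sample traffic are constructed and hypothetical; adapt `LOG_RE` to your proxy's real format.

```python
"""Hunt for OtterCandy C2 indicators in egress proxy/firewall logs.

Added example (not from the NTT write-up or the AlienVault pulse). The log
format below is a constructed, hypothetical one-line-per-request format:
    <timestamp> <src_ip> <dst_ip> <method> <url> <status>
Adapt LOG_RE to your proxy's real format.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# C2 addresses listed as indicators of compromise on this page.
OTTERCANDY_C2_IPS = frozenset({
    "139.60.163.206", "162.254.35.14", "172.86.114.31",
    "212.85.29.133", "74.119.194.205", "80.209.243.85",
})

# Default Socket.IO (Engine.IO) handshake path. On its own this is only a weak
# signal: legitimate web apps use the same library, as the analysis notes.
SOCKETIO_PATH = re.compile(r"/socket\.io/\?[^\s\"]*\bEIO=\d", re.IGNORECASE)

# Parser for the constructed log format described in the module docstring.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    severity: str   # "high": contact with a listed C2 IP; "low": Socket.IO handshake only
    reason: str


def _is_ip(value: str) -> bool:
    """True if value parses as an IPv4/IPv6 address (hostnames never match the IoC set)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if it is benign or unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dst, url = m["dst"], m["url"]
    hit_c2 = _is_ip(dst) and dst in OTTERCANDY_C2_IPS
    hit_sio = SOCKETIO_PATH.search(url) is not None
    if hit_c2:
        reason = "destination is a listed OtterCandy C2 address"
        if hit_sio:
            reason += " and the URL is a Socket.IO handshake"
        return Finding(m["ts"], m["src"], dst, "high", reason)
    if hit_sio:
        return Finding(m["ts"], m["src"], dst, "low",
                       "Socket.IO handshake to an unlisted host; review the destination")
    return None


def scan_logs(lines: Iterable[str]) -> list[Finding]:
    """Run check_line over every line, keeping only positive findings."""
    return [f for f in (check_line(l) for l in lines) if f is not None]


# Constructed sample traffic: one benign request, two contacts with listed C2 IPs
# (one of them a Socket.IO handshake), one Socket.IO handshake to an unrelated
# host, and one malformed line that the parser skips.
SAMPLE_LOG = """\
2025-10-20T08:10:01Z 10.0.0.15 203.0.113.10 GET https://www.example.org/ 200
2025-10-20T08:11:44Z 10.0.0.15 172.86.114.31 GET http://172.86.114.31/socket.io/?EIO=4&transport=websocket 101
2025-10-20T08:12:09Z 10.0.0.22 203.0.113.9 GET https://chat.example.org/socket.io/?EIO=4&transport=polling 200
2025-10-20T08:13:30Z 10.0.0.31 80.209.243.85 POST http://80.209.243.85/upload 200
this line is not in the expected format
"""

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity.upper()}] {f.timestamp} {f.src} -> {f.dst}: {f.reason}")
```

The IoC match is exact by design: C2 infrastructure changes between campaigns, so treat the list as a starting point and refresh it from the pulse rather than widening it to subnets. The low-severity Socket.IO finding exists to surface review candidates, not to block traffic.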
Technical Details
- Author: AlienVault
- TLP: white
- References: https://jp.security.ntt/insights_resources/tech_blog/ottercandy_malware_e
- Adversary: WaterPlum
- Pulse Id: 68f5f561fd4850f517049919
- Threat Score: null
Threat ID: 68f5f63a1a5d33d7b2e42ffd
Added to database: 10/20/2025, 8:43:38 AM
Last enriched: 10/20/2025, 8:44:16 AM
Last updated: 12/4/2025, 4:49:31 PM