
OtterCandy, malware used by WaterPlum

Severity: Medium
Published: Mon Oct 20 2025 (10/20/2025, 08:40:01 UTC)
Source: AlienVault OTX General

Description

OtterCandy is a Node.js-based malware used by the North Korean-associated threat group WaterPlum in their ClickFake Interview campaign. It targets Windows, macOS, and Linux systems to steal browser credentials, cryptocurrency wallets, and confidential files. The malware communicates with command and control servers using Socket.IO and employs persistence mechanisms to maintain access. A significant update in August 2025 enhanced its user identification, expanded theft capabilities, and added trace deletion features. Although no CVE or known exploits in the wild are reported, OtterCandy's cross-platform nature and advanced features pose a medium-level threat. European organizations should be vigilant due to the malware's ability to compromise sensitive data and financial assets. The threat is particularly relevant for countries with high adoption of targeted operating systems and strategic importance in cryptocurrency and technology sectors. Mitigation requires targeted detection of Node.

AI-Powered Analysis

AI analysis last updated: 10/20/2025, 08:44:16 UTC

Technical Analysis

OtterCandy is a sophisticated malware strain developed in Node.js and deployed by the North Korean-linked threat actor WaterPlum as part of their ClickFake Interview campaign. It merges functionality from the earlier malware families RATatouille and OtterCookie, enabling it to operate across Windows, macOS, and Linux. The malware's primary objectives are stealing browser credentials, cryptocurrency wallets, and confidential files, which can lead to significant data breaches and financial losses. Communication with command and control (C2) servers is conducted via Socket.IO, a real-time bidirectional communication library; because Socket.IO is widely used by legitimate web applications, this traffic can be harder to single out. OtterCandy maintains persistence on infected systems, ensuring long-term access. The August 2025 update (version 2) improved user identification capabilities, broadened the scope of data theft, and introduced trace deletion mechanisms to hinder forensic analysis. Despite the absence of a CVE identifier or known exploits in the wild, the malware's cross-platform targeting and evasion techniques underscore its threat potential. Indicators of compromise include several IP addresses linked to C2 infrastructure. The campaign's social engineering vector, fake job interviews, leverages human trust to deliver the malware, increasing the likelihood of infection. Continuous monitoring and threat intelligence sharing are critical to countering this evolving threat.

Potential Impact

For European organizations, OtterCandy poses a significant risk to confidentiality and financial integrity. The malware’s ability to steal browser credentials and cryptocurrency wallets threatens both personal and corporate assets, potentially leading to unauthorized access to sensitive accounts and financial theft. The targeting of Windows, macOS, and Linux systems means a broad range of enterprise environments are vulnerable, including those using mixed operating systems. The persistence and trace deletion features increase the difficulty of detection and remediation, potentially allowing prolonged unauthorized access and data exfiltration. Organizations involved in cryptocurrency trading, financial services, technology development, and those holding sensitive intellectual property are at heightened risk. The social engineering aspect via fake interviews may particularly impact HR departments and job applicants, increasing the attack surface. The malware’s use of Socket.IO for C2 communication may bypass traditional network security controls, complicating detection efforts. Overall, the threat could lead to data breaches, financial losses, reputational damage, and regulatory penalties under GDPR if personal data is compromised.

Mitigation Recommendations

1. Implement advanced endpoint detection and response (EDR) solutions capable of identifying Node.js-based malware behaviors and suspicious persistence mechanisms across Windows, macOS, and Linux systems.
2. Monitor network traffic for unusual Socket.IO communications, especially outbound connections to known malicious IP addresses associated with OtterCandy C2 servers.
3. Conduct targeted threat hunting for indicators of compromise, including the provided IP addresses, and deploy network intrusion detection systems (NIDS) with updated signatures.
4. Enhance user awareness training focusing on social engineering tactics, particularly fake job interview scams, to reduce the risk of initial infection.
5. Enforce strict credential hygiene policies, including multi-factor authentication (MFA) for critical systems and cryptocurrency wallets, to mitigate the impact of credential theft.
6. Regularly audit and restrict persistence mechanisms such as startup scripts and scheduled tasks that could be abused by malware.
7. Employ endpoint forensic tools to detect and recover from trace deletion attempts, ensuring incident response teams can analyze compromised systems effectively.
8. Collaborate with threat intelligence sharing communities to stay updated on WaterPlum activities and emerging OtterCandy variants.
9. Limit exposure of sensitive data on endpoints and network shares to reduce the value of stolen information.
10. Apply network segmentation to isolate critical assets and reduce lateral movement opportunities for malware.


Technical Details

Author: AlienVault
TLP: white
References: https://jp.security.ntt/insights_resources/tech_blog/ottercandy_malware_e
Adversary: WaterPlum
Pulse Id: 68f5f561fd4850f517049919
Threat Score: null

Indicators of Compromise

Type: IP address (no descriptions were supplied for these indicators)

Value
139.60.163.206
162.254.35.14
172.86.114.31
212.85.29.133
74.119.194.205
80.209.243.85

Threat ID: 68f5f63a1a5d33d7b2e42ffd

Added to database: 10/20/2025, 8:43:38 AM

Last enriched: 10/20/2025, 8:44:16 AM

Last updated: 10/21/2025, 2:42:19 AM

