
Threats Tagged 'ottercookie'

View all threats tagged with 'ottercookie'. Filter and sort to focus on specific types of threats.

Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency

Between April and May 2026, a likely North Korean threat actor conducted phishing campaigns targeting developers across nearly 100 organizations in finance, cryptocurrency, education, and technology sectors. The attacks used recruitment and code review themes, delivering emails with links to actor-controlled GitHub repositories hosting malicious scripts. The infection chain exploited Visual Studio Code workflows and deployed malicious Visual Studio Extensions (VSIX) requiring minimal user interaction. Cross-platform malware was executed on macOS, Linux, and Windows systems, including the open-source Overlord framework. The campaigns specifically targeted developer assets including API tokens, cryptocurrency wallets, and credentials. Attackers employed fake company personas and professional-looking repositories masquerading as legitimate cryptocurrency and blockchain projects to establish credibility and lure victims.

Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories

Void Dokkaebi, also known as Famous Chollima, has evolved its operations into a self-propagating supply chain threat targeting software developers. The North Korea-aligned group uses fabricated job interviews to lure developers into cloning malicious repositories. Once compromised, the victim's machine becomes an infection vector through two mechanisms: malicious VS Code task configurations that execute automatically when workspaces are opened, and active injection of obfuscated JavaScript into source code files with Git history tampering to conceal modifications. This creates a worm-like propagation chain where each compromised developer seeds new repositories with infection vectors. Analysis in March 2026 identified over 750 infected repositories, with contamination reaching organizations including DataStax and Neutralinojs. The campaign delivers payloads via blockchain infrastructure including Tron, Aptos, and Binance Smart Chain, deploying variants of DEV#POPPER RAT and other tools to steal cryptocurre...

Tracking an OtterCookie Infostealer Campaign Across npm

Between April 6-9, 2026, multiple obfuscated malicious npm packages were identified as variants of the OtterCookie infostealer attributed to North Korean threat actors. The campaign employs a two-layer distribution strategy where benign wrapper packages clone legitimate libraries like big.js while pulling malicious dependencies containing the actual payload. Five malicious packages were identified, each containing obfuscated JavaScript files that execute via postinstall hooks. The toolchain steals credentials, files including Solana wallets and environment configurations, and exfiltrates data to Vercel-hosted C2 infrastructure. On Linux systems, it establishes persistence through SSH backdoor installation. The infrastructure overlaps with documented OtterCookie operations and connects to broader DPRK campaigns including Contagious Interview and Contagious Trader, demonstrating continued evolution in North Korean software supply chain attacks targeting developers.

Contagious Trader campaign - Coordinated weaponisation of cryptocurrency trading bots by suspected DPRK malware operators

The Contagious Trader campaign is a sophisticated malware operation targeting cryptocurrency users, attributed to North Korea with high confidence. It involves malicious cryptocurrency trading bot projects on GitHub that exfiltrate sensitive data and private keys using various techniques, including malicious npm dependencies. The campaign demonstrates overlaps with known North Korean tactics, particularly those of FAMOUS CHOLLIMA, including the use of GitHub, npm, and Vercel infrastructure, Base64-encoded payload URLs, and anonymizing VPNs for npm package publishing. The operation represents a shift in tactics, expanding beyond the previous Contagious Interview campaign to target a broader range of cryptocurrency users.

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

The Contagious Interview campaign, linked to North Korean actors, has evolved to use JSON storage services for hosting and delivering malware. This campaign targets software developers, particularly those in cryptocurrency and Web3 projects, across Windows, Linux, and macOS. The attackers use social engineering tactics, including fake recruiter profiles, to deliver trojanized code during staged job interviews. The malware payload includes BeaverTail and OtterCookie infostealers, along with the InvisibleFerret RAT. The attack chain involves multiple stages, from initial contact to malware delivery, utilizing legitimate websites like JSON Keeper and code repositories to operate stealthily. The campaign also incorporates additional components such as the Tsunami Payload, which adds exceptions to Windows Defender and creates scheduled tasks.

From primitive crypto theft to sophisticated AI-based deception

The North Korea-aligned threat actor DeceptiveDevelopment employs social engineering tactics to target software developers, especially those in cryptocurrency and Web3 projects. They use fake job offers and trojanized code challenges to deliver malware like BeaverTail and InvisibleFerret. The group has evolved to include more sophisticated tools like TsunamiKit and AkdoorTea. There are connections between DeceptiveDevelopment and North Korean IT worker fraud campaigns, with both groups collaborating and sharing information. The IT workers use AI-generated fake identities and employ proxy interviewers to secure remote jobs, posing risks to employers. This hybrid threat combines traditional fraud with cybercrime, blurring the lines between targeted APT activity and cybercrime.

OtterCandy, malware used by WaterPlum

WaterPlum, a North Korean-associated attack group, has been using a new malware called OtterCandy in their ClickFake Interview campaign. OtterCandy, implemented in Node.js, combines features of RATatouille and OtterCookie. It targets Windows, macOS, and Linux systems, stealing browser credentials, cryptocurrency wallets, and confidential files. The malware communicates with C2 servers via Socket.IO and has persistence mechanisms. An August 2025 update (v2) enhanced user identification, expanded theft targets, and added trace deletion capabilities. OtterCandy's evolution and its use in ongoing campaigns highlight the need for continued vigilance against WaterPlum's activities.

Ransomware attacks and how victims respond

This threat report highlights ransomware attacks disproportionately impacting small businesses, emphasizing both financial and psychological damage. It details a new malware campaign by the North Korean group Famous Chollima, which targets job seekers with trojanized applications to steal credentials and cryptocurrency. The campaign employs multiple tactics including credential dumping, phishing, and malware execution techniques. The report stresses the importance of empathetic leadership and comprehensive incident response plans that address technical and human factors. Indicators include multiple malware hashes linked to this campaign. The threat is medium severity due to its targeted nature, impact on confidentiality and availability, and the exploitation complexity. European small businesses, especially those with limited cybersecurity resources, are at heightened risk. Mitigation requires tailored incident response, user awareness focused on job seeker scams, and credential protection strategies. Countries with significant small business sectors and exposure to North Korean threat activity are most likely affected.

Evolving with a new Javascript module

Famous Chollima, a North Korean threat group, has deployed a new malware campaign targeting job seekers by impersonating hiring organizations. The attack involves a trojanized Node.js application named 'Chessfi' and uses evolving malware tools BeaverTail and OtterCookie, which now include keylogging and screenshot capabilities. A malicious Visual Studio Code extension embedding these tools was also discovered, indicating new infection vectors. The malware steals cryptocurrency credentials by targeting multiple browsers and wallet extensions, and it can upload files from compromised systems. This campaign leverages social engineering and developer tools to infiltrate victims, focusing on cryptocurrency theft and credential harvesting. The threat is medium severity due to its broad capabilities and stealth, but it requires user interaction for infection. European organizations involved in software development, cryptocurrency, and job recruitment are at particular risk.

DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception

This analysis delves into the operations of DeceptiveDevelopment, a North Korea-aligned threat actor, and its connections to North Korean IT worker campaigns. The group targets software developers across major systems, focusing on cryptocurrency and Web3 projects. They use social engineering techniques like fake job offers and the ClickFix method to deliver malware. Their toolset includes multiplatform malware such as BeaverTail, InvisibleFerret, WeaselStore, and TsunamiKit. The group shows links to other North Korean cyber operations through shared malware like Tropidoor and AkdoorTea. The analysis also explores the activities of North Korean IT workers, who use stolen identities and AI-generated content to secure remote jobs, highlighting the interconnected nature of these cyber threats.


Showing 1 to 10 of 11 results

Page 1 of 2