October 2025 APT Group Trends

Trends of Key APT Groups by Region

1) North Korea

North Korea-affiliated cyber threat groups stole cryptocurrency and credentials and carried out reconnaissance and remote-control attacks through a variety of malware and operations. They used Node.js-based malware and a multi-stage infection chain to target both Windows and macOS environments. Through recruitment scams, fake interviews, and industrial espionage campaigns, they concentrated on individuals in the defense, blockchain, and Web3 industries. Their malware employed advanced obfuscation, encryption, and persistence techniques, and they also used blockchain-based delivery methods such as EtherHiding. Collaboration between the groups was evident in their shared malware and infrastructure. Their activities have evolved beyond simple data exfiltration to include reconnaissance against strategic industries and cyber espionage.

Famous Chollima

The Famous Chollima group continued to evolve its BeaverTail and OtterCookie malware, merging the two. It distributed Node.js-based infostealers through fake job offers and stole cryptocurrency wallets and credentials.

Case 1.

Time

·         November 2024 – April 2025: Activity of OtterCookie versions 1 to 4

·         August 2025: Observation of the OtterCookie v5 campaign

Target

·         Software developers and job seekers

·         Users of cryptocurrency-related services (ChessFi, wallets, Chrome/Brave browsers, etc.)

Initial Access

·         Luring the victim into installing the ChessFi Node.js application hosted on Bitbucket

·         Running the malicious npm package node-nvm-ssh, published on the official npm registry, via its postinstall script

·         The threat actor delivers the code repository to the victim via Fiverr or Discord

Vulnerability

·         None

Malware and Tools

·         BeaverTail

·         OtterCookie v1-v5

·         InvisibleFerret: Python-based module

·         node-nvm-ssh: Malicious npm package

·         ChessFi: Trojanized Node.js app

·         Mercer Onboarding Helper: Malicious VS Code extension

·         AnyDesk: Remote control tool

TTPs

·         Keylogging and sending screenshots to C2

·         Monitoring clipboard and stealing its contents

·         Enumerating file system and uploading files with specific extensions

·         HTTP→WebSocket C2 communication based on socket.io

·         Remote shell command execution

·         Obfuscation (Obfuscator.io, base64, XOR)

·         Virtual environment detection and anti-debugging

·         JavaScript-based module for disabling the Python environment

Damage

·         Theft of cryptocurrency wallets and browser login credentials

·         Screenshots, keylogs, and clipboard data

·         Potential for remote system control by installing AnyDesk

Details

·         Performing cryptocurrency and credential theft operations using BeaverTail and OtterCookie malware

·         Gradual integration of BeaverTail and OtterCookie features to extend information theft capabilities in JavaScript

·         Across its versions, OtterCookie has added a loader, file uploader, clipboard exfiltration, and virtual environment detection, with v5 adding a keylogger and screenshot capture

·         The threat actor uses the developer and cryptocurrency ecosystem as bait to lure victims into installing the malware, which then exfiltrates their data

Source

·         BeaverTail and OtterCookie evolve with a new JavaScript module [1]
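
The Initial Access vector above relies on an npm lifecycle hook (postinstall) that runs as soon as the package is installed. The following audit script is an added example, not code from the report or from Cisco Talos; it parses a package manifest, lists the hooks that auto-run on install, and flags command lines containing patterns typical of download-and-eval loaders. The manifest, pattern list and verdict rules are constructed assumptions.

```javascript
// Added example (not from the report): audit an npm package manifest for
// lifecycle scripts that run automatically on install, the vector abused by
// the node-nvm-ssh package described above. Names and sample data are constructed.
const AUTO_RUN_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Patterns that commonly appear when a hook fetches, decodes or evaluates code.
const RISKY_PATTERNS = [
  { name: "remote fetch", re: /curl |wget |Invoke-WebRequest|https?:\/\//i },
  { name: "inline code execution", re: /\bnode\s+-e\b|\beval\(|new Function\(/i },
  { name: "encoded payload", re: /\bbase64\b|\batob\(/i },
  { name: "shell spawn", re: /child_process|execSync\(|spawn\(/ },
];

// Returns the package identity plus one finding per auto-run hook, each
// annotated with the risky patterns matched in its command line.
function auditManifest(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of AUTO_RUN_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const reasons = RISKY_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.name);
    findings.push({ hook, command, reasons });
  }
  return { name: pkg.name, version: pkg.version, findings };
}

// Overall verdict: any hook matching a risky pattern is "block"; a hook with
// no matches still deserves a look ("review"); no auto-run hooks is "allow".
function verdict(report) {
  if (report.findings.some((f) => f.reasons.length > 0)) return "block";
  return report.findings.length > 0 ? "review" : "allow";
}

// Constructed sample manifest: the postinstall hook decodes and evals a payload.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "example-helper",
  version: "1.0.0",
  scripts: {
    postinstall: "node -e \"eval(Buffer.from(process.env.P,'base64').toString())\"",
    test: "mocha",
  },
});

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

Running installs with `npm install --ignore-scripts` prevents these hooks from executing at all, so the audit can be done before any script is allowed to run.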

In Famous Chollima's ClickFake Interview operation, the threat actor used the Node.js-based OtterCandy RAT and infostealer to steal browser credentials and cryptocurrency wallets. An updated version was confirmed in August 2025.

Case 2.

Time

·         July 2025: OtterCandy distributed

·         Late August 2025: OtterCandy v2 update

Target

·         Japanese software developers and job seekers

Initial Access

·         Lured via the ClickFake Interview webpage, a fake job and interview site that uses ClickFix

·         Deployed in the form of malicious Node.js packages or applications

Vulnerability

·         None

Malware and Tools

·         OtterCandy: A RAT and information theft tool based on Node.js

·         DiggingBeaver: A prerequisite tool for persistence

·         BeaverTail, GolangGhost, FrostyFerret

·         Integrates features from RATatouille and OtterCookie

TTPs

·         Connecting to C2 server and receiving commands using Socket.IO

·         Stealing browser extensions and stored data (including cryptocurrency wallets)

·         Maintaining persistence by self-restarting upon receiving SIGINT events

·         In v2, a client_id is added, the list of targeted browsers is expanded from 4 to 7, and a new ss_del command that deletes registry entries and files is confirmed

Damage

·         Theft of browser credentials and cryptocurrency wallets

·         Possible leakage of sensitive files

Details

·         Used shared tools such as BeaverTail and FrostyFerret alongside the independently developed OtterCandy

·         OtterCandy is Node.js-based, multi-platform malware that integrates the features of RATatouille and OtterCookie. It is used in attacks targeting Windows, macOS, and Linux.

·         Induces victims to install malicious applications through a fake job search site

Source

·         OtterCandy, malware used by WaterPlum [2]
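
Both OtterCookie (Case 1) and OtterCandy (Case 2) talk to their C2 over Socket.IO, which starts with HTTP long-polling and then upgrades to a WebSocket. The detection below is an added example, not code from the report or from NTT; it scans constructed proxy log lines for the Engine.IO request pattern and reports client/host pairs that completed the polling-to-WebSocket handshake with a server outside an assumed allowlist. The log format, allowlist and sample IPs are constructed.

```javascript
// Added example (not from the report): flag Socket.IO C2 handshakes, i.e. an
// Engine.IO long-polling request followed by a WebSocket upgrade to the same
// host, in proxy logs. Log format, allowlist and sample lines are constructed.
const ALLOWED_HOSTS = new Set(["collab.example.com"]); // assumed known-good Socket.IO servers

// Engine.IO v3/v4 request path: /socket.io/?EIO=<n>&transport=polling|websocket&...
const SOCKET_IO_RE = /\/socket\.io\/\?[^ ]*\bEIO=(\d)\b[^ ]*\btransport=(polling|websocket)\b/;
// Constructed log line format: "<iso-time> <client-ip> <method> <url> <status>"
const LINE_RE = /^(\S+) (\S+) (\S+) (\S+) (\d{3})$/;

// Returns a parsed event for Socket.IO requests, null for anything else.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const sio = SOCKET_IO_RE.exec(m[4]);
  if (!sio) return null;
  return { time: m[1], client: m[2], host: new URL(m[4]).hostname, eio: sio[1], transport: sio[2], status: m[5] };
}

// Groups events per client/host pair and reports pairs that completed the
// polling -> websocket handshake with a host outside the allowlist.
function detectSocketIoC2(lines) {
  const sessions = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || ALLOWED_HOSTS.has(ev.host)) continue;
    const key = `${ev.client}|${ev.host}`;
    const s = sessions.get(key) || { client: ev.client, host: ev.host, first: ev.time, polling: 0, websocket: 0 };
    s[ev.transport] += 1;
    sessions.set(key, s);
  }
  return [...sessions.values()].filter((s) => s.polling > 0 && s.websocket > 0);
}

// Constructed sample: one handshake to an unknown server, one to an allowlisted one.
const SAMPLE_LOGS = [
  "2025-10-03T10:01:02Z 10.0.0.5 GET http://203.0.113.10:3000/socket.io/?EIO=4&transport=polling&t=Ok1a 200",
  "2025-10-03T10:01:03Z 10.0.0.5 GET http://203.0.113.10:3000/socket.io/?EIO=4&transport=websocket&sid=abc 101",
  "2025-10-03T10:02:00Z 10.0.0.7 GET https://collab.example.com/socket.io/?EIO=4&transport=polling&t=Ok1b 200",
  "2025-10-03T10:02:01Z 10.0.0.7 GET https://collab.example.com/socket.io/?EIO=4&transport=websocket&sid=def 101",
  "2025-10-03T10:03:00Z 10.0.0.9 GET http://198.51.100.4/index.html 200",
];

console.log(detectSocketIoC2(SAMPLE_LOGS));
```

Clients can also open the WebSocket directly without a polling phase, so websocket-only sessions to unknown hosts are worth reviewing as well.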

Larva-25004

Larva-25004 is a Kimsuky-affiliated group that attacked a South Korean organization using the HttpTroy malware. The threat actor employed advanced obfuscation, encryption, and persistence techniques.

Case 1.

Time

·         September 2025

Target

·         Organization in South Korea

Initial Access

·         Phishing email with a ZIP attachment disguised as a VPN quotation

Vulnerability

·         None

Malware and Tools

·         Dropper

·         MemLoad

·         HttpTroy

TTPs

·         PDF disguise and COM server registration

·         RC4 encryption and XOR obfuscation

·         Two-step communication encryption (Base64 + XOR)

·         C2 communication: HTTP POST-based, with commands and responses separated by ID

·         Persistence through a scheduled task registered under the name AhnlabUpdate

Damage

·         Complete control over the system, including file transfer and download, screenshots, and command execution

·         Risk of data breach and ongoing remote access

Details

·         Continuing espionage campaigns against South Korea, with HttpTroy extending reconnaissance and remote-control capabilities

·         Characterized by a multi-layered structure, obfuscation, encryption, and abuse of system services for concealment

Source

·         DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant [3]

[1] https://blog.talosintelligence.com/beavertail-and-ottercookie/

[2] https://jp.security.ntt/insights_resources/tech_blog/ottercandy_malware_e/