The North Korean threat actor linked to the Contagious Interview campaign has been observed merging some of the functionality of two of its malware programs, indicating that the hacking group is actively refining its toolset.
That’s according to new findings from Cisco Talos, which said recent campaigns undertaken by the hacking group have seen the capabilities of BeaverTail and OtterCookie converge more closely than ever, even as the latter has been fitted with a new module for keylogging and taking screenshots.
The activity is attributed to a threat cluster that’s tracked by the cybersecurity community under the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, PurpleBravo, Tenacious Pungsan, UNC5342, Void Dokkaebi, and WaterPlum.
The development comes as Google Threat Intelligence Group (GTIG) and Mandiant revealed the threat actor’s use of a stealthy technique called EtherHiding to fetch next-stage payloads from the BNB Smart Chain (BSC) or Ethereum blockchains, essentially turning decentralized infrastructure into a resilient command-and-control (C2) server. It represents the first documented case of a nation-state actor using the technique, which has otherwise been adopted by cybercrime groups.
Contagious Interview refers to an elaborate recruitment scam that began sometime around late 2022, with the North Korean threat actors impersonating hiring organizations to target job seekers and deceive them into installing information-stealing malware as part of a supposed technical assessment or coding task, resulting in the theft of sensitive data and cryptocurrency.
In recent months, the campaign has undergone several shifts, including leveraging ClickFix social engineering techniques for delivering malware strains such as GolangGhost, PylangGhost, TsunamiKit, Tropidoor, and AkdoorTea. Central to the attacks, however, are malware families known as BeaverTail, OtterCookie, and InvisibleFerret.
BeaverTail and OtterCookie are separate but complementary malware tools, with the latter first observed in real-world attacks in September 2024. Unlike BeaverTail, which functions as an information stealer and downloader, early iterations of OtterCookie were designed to contact a remote server and fetch commands to be executed on the compromised host.
The activity detected by Cisco Talos concerns an organization headquartered in Sri Lanka. It’s assessed that the company was not deliberately targeted by the threat actors, but rather had one of its systems infected, likely after a user fell victim to a fake job offer that instructed them to install a trojanized Node.js application called Chessfi hosted on Bitbucket as part of the interview process.
Interestingly, the malicious software includes a dependency via a package called “node-nvm-ssh” published to the official npm repository on August 20, 2025, by a user named “trailer.” The package attracted a total of 306 downloads before it was taken down by the npm maintainers six days later.
It’s also worth noting that the npm package in question is among the 338 malicious Node.js libraries flagged earlier this week by software supply chain security company Socket as linked to the Contagious Interview campaign.
The package, once installed, triggers the malicious behavior via a postinstall hook in its package.json file that’s configured to run a custom script called “skip” so as to launch a JavaScript payload (“index.js”), which, in turn, loads another JavaScript file (“file15.js”) responsible for executing the final-stage malware.
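As an added illustration (not code from the article, from Talos, or from any package it names), the following audit helper flags the install-hook pattern described above: a lifecycle script that chains into a custom script name, plus dependencies matching the packages the article associates with this tooling. The manifest it inspects is a constructed sample, and the function and constant names are assumptions of this example.

```javascript
// Added audit helper: flags npm install hooks and watch-listed dependencies
// in a package.json manifest. Sample data below is constructed for this example.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Packages named in the article: the dependency reported as malicious, and the
// legitimate modules the keylogging, screenshot and remote-shell code relies on.
const WATCHLIST = {
  'node-nvm-ssh': 'dependency reported as malicious (Contagious Interview)',
  'node-global-key-listener': 'keystroke capture capability',
  'screenshot-desktop': 'screen capture capability',
  'socket.io-client': 'interactive C2 channel capability',
};

// Follow "npm run <name>" chains so a hook hidden behind a custom script name
// (postinstall -> skip -> node index.js) is resolved to its final command.
function resolveScriptChain(scripts, name, seen = new Set()) {
  const cmd = scripts[name];
  if (cmd === undefined || seen.has(name)) return [];
  seen.add(name);
  const chain = [`${name}: ${cmd}`];
  const re = /\bnpm\s+run(?:-script)?\s+([\w:-]+)/g;
  let m;
  while ((m = re.exec(cmd)) !== null) {
    chain.push(...resolveScriptChain(scripts, m[1], seen));
  }
  return chain;
}

// Returns a list of findings; an empty list means nothing to review.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook] !== undefined) {
      findings.push({ kind: 'install-hook', hook, chain: resolveScriptChain(scripts, hook) });
    }
  }
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  for (const name of Object.keys(deps)) {
    if (WATCHLIST[name]) findings.push({ kind: 'watchlist-dep', name, reason: WATCHLIST[name] });
  }
  return findings;
}

// Constructed sample modelled on the article's description (names only, no payload).
const SAMPLE_MANIFEST = {
  name: 'example-trojanized-app',
  scripts: { postinstall: 'npm run skip', skip: 'node index.js', test: 'echo ok' },
  dependencies: { 'node-nvm-ssh': '1.0.0', 'socket.io-client': '^4.0.0', express: '^4.0.0' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditManifest(SAMPLE_MANIFEST)) console.log(JSON.stringify(f));
}
```

Pointing the same function at every package.json under node_modules after an install gives a quick review list; a hook alone is common in legitimate packages, so the chain and dependency context is what merits a closer look.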
Further analysis of the tool used in the attack has found that “it had characteristics of BeaverTail and of OtterCookie, blurring the distinction between the two,” security researchers Vanja Svajcer and Michael Kelley said, adding it included a new keylogging and screenshotting module that uses legitimate npm packages like “node-global-key-listener” and “screenshot-desktop” to capture keystrokes and take screenshots, respectively, and exfiltrate the information to the C2 server.
At least one version of this new module comes equipped with an auxiliary clipboard monitoring feature to siphon clipboard content. The emergence of the new version of OtterCookie paints a picture of a tool that has evolved from basic data gathering to a modular program for data theft and remote command execution.
Also present in the malware, codenamed OtterCookie v5, are capabilities similar to BeaverTail to enumerate browser profiles and extensions, steal data from web browsers and cryptocurrency wallets, install AnyDesk for persistent remote access, as well as download a Python backdoor known as InvisibleFerret.
Some of the other modules present in OtterCookie are listed below -
- Remote shell module, which sends system information and clipboard content to the C2 server and installs the “socket.io-client” npm package to connect to a specific port on the OtterCookie C2 server and receive further commands for execution
- File upload module, which systematically enumerates all drives and traverses the file system in order to find files matching certain extensions and naming patterns (e.g., metamask, bitcoin, backup, and phrase) to be uploaded to the C2 server
- Cryptocurrency extensions stealer module, which extracts data from cryptocurrency wallet extensions installed on Google Chrome and Brave browsers (the list of targeted extensions partially overlaps with that of BeaverTail)
Furthermore, Talos said it detected a Qt-based BeaverTail artifact and a malicious Visual Studio Code extension containing BeaverTail and OtterCookie code, raising the possibility that the group may be experimenting with new methods of malware delivery.
“The extension may be a result of experimentation from another actor, possibly even a researcher, who is not associated with Famous Chollima, as this stands out from their usual TTPs,” the researchers noted.
Contagious Interview Evolves with New OtterCandy Malware
The disclosure comes as NTT Security Holdings shared details of a new malware called OtterCandy, deployed in connection with the Contagious Interview campaign since July 2025, targeting Windows, macOS, and Linux systems. An early sample of OtterCandy was uploaded to the VirusTotal platform in February 2025.
OtterCandy, per the Japanese cybersecurity company, combines the features of OtterCookie and RATatouille, a remote access trojan (RAT) distributed via the supply chain compromise of the npm package “rand-user-agent” back in May 2025. This is the first time the attack has been attributed to North Korean threat actors.
The obfuscated payload embedded within the npm package is designed to set up a stealthy communication channel with a remote server, exfiltrate files within a particular directory, and execute shell commands, the latter of which is specific only to Windows, according to Aikido.
The full list of supported commands is below -
- env, to search for secret filenames across the entire file system
- imp, to search for secret filenames within the home directory
- pat, to search for filenames matching a preset pattern within the current directory
- upload, to transmit system information, browser passwords, wallet files, and extension data (MetaMask, Phantom, and TronLink) from Google Chrome and Edge to the C2 server
- exec, to cancel in-progress scans or uploads (ss_stop), upload a single file (ss_upf), recursively upload the contents of a directory (ss_upd), change the current directory (cd), or terminate the malware process (ss_del)
OtterCandy is said to be distributed via a sub-cluster of activity tracked as ClickFake Interview (aka Cluster B), which involves deceiving users with ClickFix-style lures into running malicious commands so as to fix supposed camera or microphone issues when job seekers attempt to provide a video assessment on a fake website under the attackers’ control.
“OtterCandy is a RAT and Information Stealer implemented by Node.js,” NTT Security said. “It’s malware that combines elements of RATatouille and OtterCookie. OtterCandy accepts commands when connected to the C2 server via Socket.IO.”
The first-stage malware used to deliver OtterCandy is called DiggingBeaver, a JavaScript payload that’s executed once the victim copies and runs the command via the Windows Run dialog. DiggingBeaver has also been found to distribute other known ClickFake Interview malware, such as GolangGhost and FROSTYFERRET.
NTT Security said it also observed a new variant of OtterCandy (OtterCandy v2) in August 2025 that comes with expanded functionality to harvest data from three additional cryptocurrency wallet extensions (Suiet, Trust Wallet, and Rabby Wallet), as well as enhance the “ss_del” command to delete Windows Registry keys and erase files and directories.
(The story was updated after publication on October 19, 2025, to include details of OtterCandy malware from NTT Security Holdings.)