North Korean Hackers Combine BeaverTail and OtterCookie into Advanced JS Malware

Summary

Cisco Talos has observed a North Korean-linked threat cluster (tracked under many names including Famous Chollima and UNC5342) merging features of two JavaScript-based malware families, BeaverTail and OtterCookie, into a more capable, modular toolset. The updated OtterCookie v5 now includes keylogging, screenshot capture and clipboard monitoring via legitimate npm packages, browser and crypto-wallet theft routines, remote-shell capability using socket.io-client, file-harvesting and the ability to install AnyDesk and drop a Python backdoor called InvisibleFerret. The intrusion analysed affected a Sri Lankan organisation and appears to have begun with a trojanised Node.js interview application hosted on Bitbucket. Researchers also highlighted the actor’s novel use of EtherHiding to fetch payloads from BNB Smart Chain / Ethereum and the presence of a malicious npm package (node-nvm-ssh) that briefly appeared in the official registry.

Key Points

  • BeaverTail (information stealer/downloader) and OtterCookie (command fetcher) are converging — OtterCookie v5 now includes BeaverTail-like data theft functions.
  • New modules add keylogging, screenshots and clipboard monitoring using legitimate npm packages (node-global-key-listener, screenshot-desktop).
  • OtterCookie v5 modules: remote shell via socket.io-client, file uploader scanning drives for wallet/backups, browser and crypto-extension theft, AnyDesk installer and Python backdoor (InvisibleFerret).
  • Infection vector in the reported case: fake interview trojan (Chessfi) hosted on Bitbucket; npm supply-chain abuse also used (node-nvm-ssh package with ~306 downloads before takedown).
  • The actor used EtherHiding to retrieve next-stage payloads from blockchain (BSC/Ethereum), making the C2 more resilient and stealthy.
  • Researchers found a Qt-based BeaverTail artifact and a malicious VS Code extension containing BeaverTail/OtterCookie code, suggesting experimentation with new delivery methods.
  • Campaign is part of the “Contagious Interview” recruitment-scam operations that have targeted job seekers since late 2022.
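The key points above name the npm packages OtterCookie v5 leans on and the trojanised Node.js "interview task" delivery vector. As an added example (not code from the Talos report or the article), here is a small Python triage script a reviewer can run over a candidate project's package.json before anyone runs `npm install`: it flags those packages plus any install-time lifecycle hook, which is where code executes automatically. The sample manifest and the `setup.js` script name are constructed for the example.

```python
"""Pre-install triage of a Node.js project for the npm packages and
install hooks the BeaverTail/OtterCookie write-up calls out (added example)."""
import json
from pathlib import Path

# Packages named in the write-up as abused by OtterCookie v5 or the npm supply-chain attack.
WATCHLIST = {
    "node-global-key-listener": "keylogging",
    "screenshot-desktop": "screenshot capture",
    "socket.io-client": "remote-shell transport",
    "node-nvm-ssh": "malicious package briefly published to the npm registry",
}
# npm lifecycle hooks that run arbitrary commands during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def triage_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one parsed package.json."""
    findings = []
    deps = {}
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(key, {}))
    for name, reason in WATCHLIST.items():
        if name in deps:
            findings.append(f"dependency {name}@{deps[name]}: {reason}")
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings.append(f"install hook {hook!r} runs: {cmd}")
    return findings


def triage_repo(root: Path) -> dict[str, list[str]]:
    """Scan every package.json under root (skipping node_modules); map path -> findings."""
    report = {}
    for path in root.rglob("package.json"):
        if "node_modules" in path.parts:
            continue
        try:
            findings = triage_manifest(json.loads(path.read_text(encoding="utf-8")))
        except (OSError, ValueError) as exc:
            findings = [f"unparseable manifest: {exc}"]
        if findings:
            report[str(path)] = findings
    return report


# Constructed sample resembling a trojanised "interview task" project (not a real IoC).
SAMPLE_MANIFEST = {
    "name": "interview-task",
    "dependencies": {"express": "^4.19.0", "socket.io-client": "^4.7.0",
                     "node-global-key-listener": "^0.3.0"},
    "scripts": {"postinstall": "node ./setup.js", "start": "node server.js"},
}

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print(finding)
```

A hit is a reason to inspect the project in an isolated VM rather than proof of compromise; legitimate projects also use socket.io-client and postinstall scripts.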

Why should I read this?

Because this isn’t just another malware story — it shows a state-linked group sharpening its toolset, blending data theft and remote control into a single modular JS platform and even abusing public blockchains as C2 infrastructure. If you work in security or software development, or hire remotely, this one matters: it highlights supply-chain risk in npm and Bitbucket-hosted projects, a creative C2 technique, and social engineering through fake job interviews. We’ve done the skimming for you; read the source article if you want the indicators and mitigation leads.

Source

Source: https://thehackernews.com/2025/10/north-korean-hackers-combine-beavertail.html