Threat actors associated with the North Korean threat group WaterPlum, also tracked as Famous Chollima or PurpleBravo, have escalated their activity with a sophisticated new malware strain called OtterCandy.
This cross-platform RAT and information stealer represents a dangerous evolution in the group's capabilities, combining features from the previously observed malware families RATatouille and OtterCookie into a more capable tool for credential theft and system compromise.
The malware is delivered as part of WaterPlum's ClickFake Interview campaign, a deceptive social engineering operation that masquerades as legitimate job recruitment in the blockchain and cryptocurrency sectors.
Attackers build convincing fake company websites, such as BlockForgeX, that present seemingly authentic job applications and interview processes to lure victims into downloading malicious software under the guise of camera setup instructions or driver updates.
ClickFake attack flow (Source – NTT Security)
NTT Security researchers identified OtterCandy as the latest addition to WaterPlum's arsenal, noting its deployment across Windows, macOS, and Linux since July 2025.
The malware's impact extends beyond individual systems: attacks have been observed targeting victims in Japan and other regions, demonstrating the threat group's expanding global reach and ambitions.
Built with Node.js, OtterCandy communicates with its command-and-control servers over Socket.IO connections, letting the operators execute a comprehensive range of malicious actions remotely.
Its command set reflects a deliberate design, implementing handlers such as 'imp' for sweeping home directories, 'pat' for pattern-based file searches, and 'add' for extracting system information, browser credentials, and cryptocurrency wallet data.
Advanced Persistence and Evasion Mechanisms
OtterCandy demonstrates notable resilience through a multi-layered persistence strategy that keeps it running even after attempts to terminate it.
ClickFix webpage (Source – NTT Security)
While the malware normally relies on the earlier DiggingBeaver component for initial persistence, it also carries an independent fallback mechanism that automatically restarts its process when interrupted.
This self-preservation feature uses Node.js process event handling to watch for the SIGINT signal:
    const { fork } = require('child_process');   // fork() used below
    const path = require('path');

    function startChildProcess() {
      // Re-launch decode.js as a detached child so it outlives this process
      const _0x4777b5 = fork(path['join'](__dirname, 'decode.js'), [], {
        'detached': !![],   // obfuscated form of `true`
        'stdio': 'ignore'
      });
      _0x4777b5['unref']();  // do not keep the parent's event loop alive for the child
    }

    process['on']('SIGINT', () => {
      startChildProcess();   // respawn first, then let the current process die
      process['exit']();
    });
The malware's August 2025 update introduced enhanced anti-forensic capabilities, including trace-deletion functions that remove registry entries, downloaded files, and temporary directories.
This cleanup runs through the 'ss_del' command, systematically erasing evidence of compromise while preserving operational security for the threat actors' ongoing campaigns.