The North Korean threat actor linked to the Contagious Interview campaign has been observed merging some of the functionality of two of its malware tools, indicating that the hacking group is actively refining its toolset.
That's according to new findings from Cisco Talos, which said recent campaigns undertaken by the hacking group have seen the features of BeaverTail and OtterCookie converge more closely than ever before, even as the latter has been fitted with a new module for keylogging and taking screenshots.
The activity is attributed to a threat cluster that is tracked by the cybersecurity community under the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, PurpleBravo, Tenacious Pungsan, UNC5342, and Void Dokkaebi.
The development comes as Google Threat Intelligence Group (GTIG) and Mandiant revealed the threat actor's use of a stealthy technique known as EtherHiding to fetch next-stage payloads from the BNB Smart Chain (BSC) or Ethereum blockchains, essentially turning decentralized infrastructure into a resilient command-and-control (C2) server. It represents the first documented case of a nation-state actor using the technique, which has otherwise been adopted by cybercrime groups.
Contagious Interview refers to an elaborate recruitment scam that began sometime around late 2022, with the North Korean threat actors impersonating hiring organizations to target job seekers and deceive them into installing information-stealing malware as part of a supposed technical assessment or coding task, resulting in the theft of sensitive data and cryptocurrency.
In recent months, the campaign has undergone several shifts, including leveraging ClickFix social engineering techniques to deliver malware strains such as GolangGhost, PylangGhost, TsunamiKit, Tropidoor, and AkdoorTea. Central to the attacks, however, are malware families known as BeaverTail, OtterCookie, and InvisibleFerret.
BeaverTail and OtterCookie are separate but complementary malware tools, with the latter first observed in real-world attacks in September 2024. Unlike BeaverTail, which functions as an information stealer and downloader, early iterations of OtterCookie were designed to contact a remote server and fetch commands to be executed on the compromised host.
The activity detected by Cisco Talos concerns an organization headquartered in Sri Lanka. It's assessed that the company was not deliberately targeted by the threat actors, but rather that one of its systems was infected, likely after a user fell victim to a fake job offer that instructed them to install a trojanized Node.js application called Chessfi hosted on Bitbucket as part of the interview process.
Interestingly, the malicious software includes a dependency via a package called "node-nvm-ssh" published to the official npm registry on August 20, 2025, by a user named "trailer." The package attracted a total of 306 downloads before it was taken down by the npm maintainers six days later.
It's also worth noting that the npm package in question is one of the 338 malicious Node libraries flagged earlier this week by software supply chain security company Socket as associated with the Contagious Interview campaign.
The package, once installed, triggers the malicious behavior via a postinstall hook in its package.json file that is configured to run a custom script called "skip" in order to launch a JavaScript payload ("index.js"), which, in turn, loads another JavaScript file ("file15.js") responsible for executing the final-stage malware.
Further analysis of the tool used in the attack has found that "it had traits of BeaverTail and of OtterCookie, blurring the distinction between the two," security researchers Vanja Svajcer and Michael Kelley said, adding it included a new keylogging and screenshotting module that uses legitimate npm packages like "node-global-key-listener" and "screenshot-desktop" to capture keystrokes and take screenshots, respectively, and exfiltrate the information to the C2 server.
At least one version of this new module comes equipped with an auxiliary clipboard monitoring feature to siphon clipboard content. The emergence of the new version of OtterCookie paints a picture of a tool that has evolved from basic data gathering to a modular program for data theft and remote command execution.
Also present in the malware, codenamed OtterCookie v5, are BeaverTail-like functions to enumerate browser profiles and extensions, steal data from web browsers and cryptocurrency wallets, install AnyDesk for persistent remote access, as well as download a Python backdoor known as InvisibleFerret.
Some of the other modules present in OtterCookie are listed below -
Remote shell module, which sends system information and clipboard content to the C2 server and installs the "socket.io-client" npm package to connect to a specific port on the OtterCookie C2 server and receive further commands for execution
File upload module, which systematically enumerates all drives and traverses the file system in order to find files matching certain extensions and naming patterns (e.g., metamask, bitcoin, backup, and phrase) to be uploaded to the C2 server
Cryptocurrency extensions stealer module, which extracts data from cryptocurrency wallet extensions installed on the Google Chrome and Brave browsers (the list of targeted extensions partially overlaps with that of BeaverTail)
Furthermore, Talos said it detected a Qt-based BeaverTail artifact and a malicious Visual Studio Code extension containing BeaverTail and OtterCookie code, raising the possibility that the group may be experimenting with new methods of malware delivery.
"The extension could also be a result of experimentation from another actor, possibly even a researcher, who isn't associated with Famous Chollima, as this stands out from their usual TTPs," the researchers noted.