Close Menu
TechurzTechurz
    What's Hot

    Builders Stage agenda revealed for Disrupt 2026

    July 1, 2026

    Startup Battlefield Australia application closes in days: Apply before July 6

    June 30, 2026

    Acti puts AI agents directly into your smartphone keyboard

    June 30, 2026
    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    Tech Pulse
    • Builders Stage agenda revealed for Disrupt 2026
    • Startup Battlefield Australia application closes in days: Apply before July 6
    • Acti puts AI agents directly into your smartphone keyboard
    • The DeepMind trio who built a poker AI are now making money for quant hedge funds
    • Nvidia competitor Etched hits $5B valuation, $1B in sales for AI chip
    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    TechurzTechurz
    • Home
    • Tech Pulse
    • Future Tech
    • AI Systems
    • Cyber Reality
    • Disruption Lab
    • Signals
    TechurzTechurz
    Home - Cyber Reality - North Korean Hackers Combine BeaverTail and OtterCookie into Advanced JS Malware
    Cyber Reality

    North Korean Hackers Combine BeaverTail and OtterCookie into Advanced JS Malware

    TechurzBy TechurzOctober 17, 2025Updated:May 10, 2026No Comments5 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    North Korean Hackers Combine BeaverTail and OtterCookie into Advanced JS Malware
    Share
    Facebook Twitter LinkedIn Pinterest Email


    The North Korean threat actor linked to the Contagious Interview campaign has been observed merging some of the functionality of two of its malware programs, indicating that the hacking group is actively refining its toolset.

    That’s according to new findings from Cisco Talos, which said recent campaigns undertaken by the hacking group have seen the functions of BeaverTail and OtterCookie coming closer to each other more than ever, even as the latter has been fitted with a new module for keylogging and taking screenshots.

    The activity is attributed to a threat cluster that’s tracked by the cybersecurity community under the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, PurpleBravo, Tenacious Pungsan, UNC5342, and Void Dokkaebi.

    The development comes as Google Threat Intelligence Group (GTIG) and Mandiant revealed the threat actor’s use of a stealthy technique known as EtherHiding to fetch next-stage payloads from the BNB Smart Chain (BSC) or Ethereum blockchains, essentially turning decentralized infrastructure into a resilient command-and-control (C2) server. It represents the first documented case of a nation-state actor utilizing the method that has been otherwise adopted by cybercrime groups.

    Contagious Interview refers to an elaborate recruitment scam that began sometime around late 2022, with the North Korean threat actors impersonating hiring organizations to target job seekers and deceiving them into installing information-stealing malware as part of a supposed technical assessment or coding task, resulting in the theft of sensitive data and cryptocurrency.

    In recent months, the campaign has undergone several shifts, including leveraging ClickFix social engineering techniques for delivering malware strains such as GolangGhost, PylangGhost, TsunamiKit, Tropidoor, and AkdoorTea. Central to the attacks, however, are malware families known as BeaverTail, OtterCookie, and InvisibleFerret.

    BeaverTail and OtterCookie are separate but complementary malware tools, with the latter first spotted in real-world attacks in September 2024. Unlike BeaverTail, which functions as an information stealer and downloader, initial interactions of OtterCookie were designed to contact a remote server and fetch commands to be executed on the compromised host.

    The activity detected by Cisco Talos concerns an organization headquartered in Sri Lanka. It’s assessed that the company was not intentionally targeted by the threat actors, but rather they had one of their systems infected, likely after a user fell victim to a fake job offer that instructed them to install a trojanized Node.js application called Chessfi hosted on Bitbucket as part of the interview process.

    Interestingly, the malicious software includes a dependency via a package called “node-nvm-ssh” published to the official npm repository on August 20, 2025, by a user named “trailer.” The package attracted a total of 306 downloads, before it was taken down by the npm maintainers six days later.

    It’s also worth noting that the npm package in question is one of the 338 malicious Node libraries flagged earlier this week by software supply chain security company Socket as connected to the Contagious Interview campaign.

    The package, once installed, triggers the malicious behavior by means of a postinstall hook in its package.json file that’s configured to run a custom script called “skip” so as to launch a JavaScript payload (“index.js”), which, in turn, loads another JavaScript (“file15.js”) responsible for executing the final-stage malware.

    Further analysis of the tool used in the attack has found that “it had characteristics of BeaverTail and of OtterCookie, blurring the distinction between the two,” security researchers Vanja Svajcer and Michael Kelley said, adding it incorporated a new keylogging and screenshotting module that uses legitimate npm packages like “node-global-key-listener” and “screenshot-desktop” to capture keystrokes and take screenshots, respectively, and exfiltrate the information to the C2 server.

    At least one version of this new module comes equipped with an auxiliary clipboard monitoring feature to siphon clipboard content. The emergence of the new version of OtterCookie paints a picture of a tool that has evolved from basic data-gathering to a modular program for data theft and remote command execution.

    Also present in the malware, codenamed OtterCookie v5, are functions akin to BeaverTail to enumerate browser profiles and extensions, steal data from web browsers and cryptocurrency wallets, install AnyDesk for persistent remote access, as well as download a Python backdoor referred to as InvisibleFerret.

    Some of the other modules present in OtterCookie are listed below –

    • Remote shell module, which sends system information and clipboard content to the C2 server and installs the “socket.io-client” npm package to connect to a specific port on the OtterCookie C2 server and receive further commands for execution
    • File uploading module, which systematically enumerates all drives and traverses the file system in order to find files matching certain extensions and naming patterns (e.g., metamask, bitcoin, backup, and phrase) to be uploaded to the C2 server
    • Cryptocurrency extensions stealer module, which extracts data from cryptocurrency wallet extensions installed on Google Chrome and Brave browsers (the list of extensions targeted partially overlaps with that of BeaverTail)

    Furthermore, Talos said it detected Qt-based BeaverTail artifact and a malicious Visual Studio Code extension containing BeaverTail and OtterCookie code, raising the possibility that the group may be experimenting with new methods of malware delivery.

    “The extension could also be a result of experimentation from another actor, possibly even a researcher, who is not associated with Famous Chollima, as this stands out from their usual TTPs,” the researchers noted.

    Advanced BeaverTail Combine Hackers Korean malware North OtterCookie
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleCrypto’s next chapter with Solana’s Anatoly Yakovenko at Disrupt 2025
    Next Article Thank you to our Disrupt 2025 sponsors
    Techurz
    • Website

    Related Posts

    Opinion

    Unastella, a South Korean rocket startup that launched from home, raises $24M

    June 1, 2026
    Cyber Reality

    Digital Identity Protection: 7 Hidden Risks Most Users Miss

    May 25, 2026
    Cyber Reality

    Neural Data Policy: 7 Risks That Brain Privacy Laws Miss

    May 25, 2026
    Add A Comment
    Latest Tech Pulse

    College social app Fizz expands into grocery delivery

    September 3, 20252,290

    SolarSquare in talks to raise up to $60M as India’s rooftop solar market draws major VC interest

    May 23, 202622

    Future of Digital Privacy and Security: 7 Truths Nobody Tells You

    May 25, 202619
    Stay In Touch
    • YouTube
    • WhatsApp
    • Twitter
    • Pinterest
    • LinkedIn

    Techurz helps readers stay ahead of digital change with clear, practical, future focused technology intelligence written today,searched tomorrow.

    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    Company
    • About Us
    • Contact Us
    • Our Authors / Editorial Team
    • Write For Us
    • Advertise
    Policy
    • Editorial Policy
    • Privacy Policy
    • Terms and Conditions
    • Affiliate Disclosure
    • Cookie Policy
    • Disclaimer
    • DMCA
    Explore
    • AI Systems
    • Cyber Reality
    • Future Tech
    • Disruption Lab
    • Signals
    • Tech Pulse
    • Sitemap

    Join the Techurz Brief

    The future does not arrive suddenly.
    Stay ahead with fast, sharp tech signals.

    Type above and press Enter to search. Press Esc to cancel.