Famous Chollima, a threat group affiliated with North Korea’s Reconnaissance General Bureau, has significantly expanded its operational capabilities by integrating two potent malware strains: BeaverTail and OtterCookie.
This convergence marks a critical evolution in the group’s attack methodology, targeting cryptocurrency and blockchain sectors with renewed sophistication.
The merging of these toolsets reflects a deliberate shift toward JavaScript-based malware delivery, reducing dependency on Python while maintaining broad operational flexibility across multiple platforms and target profiles.
The group’s latest campaign, tracked as Contagious Interview, exploits legitimate job-seeking platforms and recruitment channels to distribute trojanized applications.
Recent discoveries reveal that organizations face compromise through seemingly innocuous supply chain vectors, with a cryptocurrency-themed chess platform serving as an initial infection point.
The malicious payload infiltrated systems through dependency resolution when developers cloned a Bitbucket repository for Chessfi, inadvertently pulling the compromised node-nvm-ssh package from public NPM repositories.
This technique demonstrates how credential theft operations now seamlessly blend social engineering with technical supply chain exploitation.
Polyswarm Threat Response Unit analysts identified the converged malware architecture during investigations of a Sri Lanka-based compromise, where post-install scripts executed obfuscated JavaScript payloads embedded in seemingly legitimate package dependencies.
The attack sequence revealed sophisticated modular construction combining both BeaverTail and OtterCookie capabilities into a unified information-stealing framework targeting cryptocurrency wallets and sensitive documents.
Technical Convergence and Capability Fusion
The integration of BeaverTail and OtterCookie represents a deliberate architectural consolidation rather than coincidental overlap.
BeaverTail handles initial reconnaissance, enumerating browser profiles and targeting cryptocurrency wallet extensions across Chrome, Brave, and Edge browsers, specifically hunting MetaMask, Phantom, and Solflare installations.
The component downloads Python-based InvisibleFerret modules from command-and-control servers over port 1224, bootstrapping complete Python distributions on target Windows systems to enable full execution capabilities.
OtterCookie complements this infrastructure with modular extensions: remote shell access via socket.io-client for command execution and system fingerprinting, a file-enumeration module that scans drives for documents and credentials, and a dedicated cryptocurrency extension stealer that mirrors BeaverTail’s wallet-targeting logic.
A novel keylogging module first observed in April 2025 captures keystroke data and screenshot images, buffering exfiltrated information in temporary files before transmission to command infrastructure.
The malware implements anti-analysis countermeasures, including environment checking and error-handler eval mechanisms for dynamic code execution. Its payload delivery has evolved from the earlier HTTP cookie-based approach to modular string execution across five iterations since late 2024.