A North Korean-linked group, WaterPlum’s Cluster B, has evolved its tactics by introducing OtterCandy—a Node.js–based RAT and information stealer—through the ClickFake Interview campaign, with significant enhancements observed in August 2025.
This threat actor, attributed to North Korea, orchestrated two primary campaigns: Contagious Interview and ClickFake Interview.
Although multiple clusters operate under the WaterPlum umbrella, Cluster B—often referred to as the BlockNovas cluster—stands out for independently developing bespoke tools, including the newly uncovered OtterCandy malware.
In recent months, cybersecurity researchers have documented a surge in attacks originating from WaterPlum, also known by its aliases Famous Chollima and PurpleBravo.
ClickFake Interview leverages deceptive web content to lure unsuspecting targets into interacting with malicious pages.
In Cluster B’s variant, victims encounter a tailored “ClickFix” webpage disguised as an interview platform. Once users engage, they are prompted to download what appears to be an interview application or document.

Historically, Cluster B distributed GolangGhost for Windows and FrostyFerret for macOS, mirroring tactics used by other clusters. Starting in July 2025, however, OtterCandy emerged as the primary implant across Windows, macOS, and Linux systems.
The campaign reflects WaterPlum’s broader strategy of carousel exploitation: alternating between shared malware frameworks and proprietary strains to complicate detection and attribution.
OtterCandy’s debut marks a notable shift, blending features from two earlier payloads—RATatouille and OtterCookie—to deliver a multifaceted threat.
Technical Analysis of OtterCandy
OtterCandy is crafted in Node.js and relies on the Socket.IO library for real-time command-and-control (C2) communications.
A sample matching OtterCandy’s signature was first identified on VirusTotal in February 2025, mistakenly tagged as OtterCookie in Silent Push’s initial reporting. Subsequent forensic analysis confirmed identical file hashes, cementing its lineage within the WaterPlum ecosystem.
Upon establishing a C2 connection, OtterCandy accepts various commands designed for credential theft and system reconnaissance.
Cluster B operators deploy these functions to harvest browser credentials, extract cryptocurrency wallets, and siphon confidential documents from compromised devices.
Although OtterCandy depends on a secondary implant—DiggingBeaver—to maintain persistence, it also features a self-resurrect mechanism: when the process receives a SIGINT signal, a handler registered through Node.js’s process.on('SIGINT') relaunches the malware instead of letting it exit.
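Because OtterCandy rides its C2 channel on Socket.IO, the Engine.IO handshake that every Socket.IO client sends (an HTTP GET to /socket.io/ carrying EIO=<version> and transport=polling or websocket) is a practical hunting anchor in outbound proxy logs. The following is an added example, not code from the report or from the malware; the log format, the allowlisted host, and the process-name field (as an endpoint agent might enrich it) are all constructed for this example:

```python
"""Hunt for Socket.IO / Engine.IO handshakes in outbound web-proxy logs.

Added example, not code from the original report. The log format below is
constructed; adapt the parser to your proxy's real format. Socket.IO clients
open a session with an HTTP GET to /socket.io/ carrying the Engine.IO query
parameters EIO=<version> and transport=polling|websocket, so that handshake
is a useful anchor when hunting for C2 that is built on Socket.IO.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of internal services that legitimately use Socket.IO.
KNOWN_SOCKETIO_HOSTS = {"chat.corp.example"}

# Constructed sample lines: "<ts> <src_ip> <process> <method> <url> <status>"
SAMPLE_LOG = """\
2025-08-14T09:01:11Z 10.0.0.15 chrome.exe GET https://chat.corp.example/socket.io/?EIO=4&transport=polling&t=P1x 200
2025-08-14T09:02:30Z 10.0.0.15 node.exe GET http://203.0.113.7:3000/socket.io/?EIO=4&transport=polling&t=P2y 200
2025-08-14T09:02:31Z 10.0.0.15 node.exe GET http://203.0.113.7:3000/socket.io/?EIO=4&transport=websocket&sid=abc 101
2025-08-14T09:03:00Z 10.0.0.22 chrome.exe GET https://www.example.org/index.html 200
2025-08-14T09:04:10Z 10.0.0.22 node.exe GET https://registry.npmjs.org/lodash 200
"""


@dataclass
class Hit:
    ts: str
    src_ip: str
    process: str
    host: str
    transport: str
    reason: str


def is_socketio_handshake(url: str) -> tuple[bool, str]:
    """Return (True, transport) when the URL looks like an Engine.IO handshake."""
    parts = urlsplit(url)
    if not parts.path.startswith("/socket.io/"):
        return False, ""
    query = parse_qs(parts.query)
    if "EIO" not in query or "transport" not in query:
        return False, ""
    return True, query["transport"][0]


def hunt(log_text: str, allowlist=KNOWN_SOCKETIO_HOSTS) -> list[Hit]:
    """Flag Socket.IO handshakes to hosts outside the allowlist."""
    hits: list[Hit] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed line; a real parser would log and skip it
        ts, src_ip, process, _method, url, _status = fields
        is_handshake, transport = is_socketio_handshake(url)
        if not is_handshake:
            continue
        host = urlsplit(url).hostname or ""
        if host in allowlist:
            continue
        reason = "socket.io handshake to non-allowlisted host"
        if process.lower().startswith("node"):
            # Node.js itself opening a Socket.IO session is rare on end-user hosts.
            reason += " from a Node.js process"
        hits.append(Hit(ts, src_ip, process, host, transport, reason))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Two hits come back for the sample: the polling handshake and its websocket upgrade, both from node.exe to the non-allowlisted address. The allowlist is what keeps this usable, since legitimate collaboration tools also use Socket.IO; review the allowlist as carefully as any other hunting exclusion.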
August 2025 Update: From v1 to v2
During an August 2025 monitoring cycle, analysts observed OtterCandy undergo significant revisions, demarcated as v1 and v2. These enhancements demonstrate Cluster B’s commitment to iterative improvements and evasion techniques.
Adding client_id
In the original v1 release, OtterCandy transmitted a “username” field to identify victims. Version 2 augments this with a unique “client_id,” enabling more precise tracking of infected hosts and streamlining operator control over large botnets.

Expanding theft targets
OtterCandy’s core functionality includes stealing data from specific browser extensions. While v1 targeted four extension IDs, v2 expands the scope to seven, broadening the range of compromised artifacts. Moreover, v1’s partial data exfiltration from Chromium-based browsers has been replaced in v2 with comprehensive extraction of all available user data, increasing the breadth of stolen information.
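Since the implant steals data from specific browser extensions, knowing which extensions are actually installed across a fleet is the first step to scoping exposure. Below is an added example of an extension inventory audit, not code from the report: it walks the Chromium-family layout `<profile>/Extensions/<extension_id>/<version>/manifest.json` and reports IDs missing from an allowlist. The profile tree is constructed in a temporary directory so the example runs offline, and the allowlist and extension IDs are placeholders, not the IDs targeted by OtterCandy (the report does not list them):

```python
"""Audit Chromium extension inventories against an allowlist.

Added example, not code from the original report. Chromium-family browsers
unpack installed extensions under <profile>/Extensions/<extension_id>/<version>/
with a manifest.json in each version directory; extension IDs are 32 characters
drawn from the letters a-p. The profile tree built below is constructed in a
temporary directory so the example runs offline; the allowlist and the IDs are
placeholders, not IDs from the report.
"""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Hypothetical allowlist maintained by the security team (placeholder IDs).
ALLOWED_EXTENSION_IDS = {"a" * 32, "b" * 32}


def inventory(profile_dir: Path) -> dict[str, dict]:
    """Return {extension_id: {"name": ..., "versions": [...]}} for one profile."""
    found: dict[str, dict] = {}
    ext_root = profile_dir / "Extensions"
    if not ext_root.is_dir():
        return found
    for ext_dir in sorted(ext_root.iterdir()):
        if not (ext_dir.is_dir() and EXT_ID_RE.match(ext_dir.name)):
            continue  # stray files or non-ID directories are not extensions
        versions: list[str] = []
        name = None
        for ver_dir in sorted(ext_dir.iterdir()):
            manifest = ver_dir / "manifest.json"
            if not manifest.is_file():
                continue
            versions.append(ver_dir.name)
            try:
                name = name or json.loads(manifest.read_text()).get("name")
            except json.JSONDecodeError:
                name = name or "<unreadable manifest>"
        found[ext_dir.name] = {"name": name, "versions": versions}
    return found


def audit(profile_dir: Path, allowlist=ALLOWED_EXTENSION_IDS) -> list[str]:
    """Return extension IDs present in the profile but absent from the allowlist."""
    return sorted(eid for eid in inventory(profile_dir) if eid not in allowlist)


def build_sample_profile(base: Path) -> Path:
    """Construct a fake profile tree: two allowlisted extensions and one unknown."""
    profile = base / "Default"
    for eid, name in [("a" * 32, "Corp SSO Helper"),
                      ("b" * 32, "Password Manager"),
                      ("c" * 32, "Unreviewed Extension")]:
        ver_dir = profile / "Extensions" / eid / "1.0.0_0"
        ver_dir.mkdir(parents=True)
        (ver_dir / "manifest.json").write_text(
            json.dumps({"name": name, "version": "1.0.0"}))
    return profile


def run_demo() -> tuple[dict[str, dict], list[str]]:
    """Build the constructed profile and return (inventory, audit findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_sample_profile(Path(tmp))
        return inventory(profile), audit(profile)


if __name__ == "__main__":
    inv, findings = run_demo()
    for eid, info in inv.items():
        print(eid, info)
    print("not on allowlist:", findings)
```

On a real host, point `audit` at each user's browser profile directory (for example `~/.config/google-chrome/Default` on Linux) and feed the findings into the extension review process; a per-ID allowlist is more useful here than a blocklist, because the set of extensions an implant targets can change between versions, as the jump from four to seven IDs shows.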
Trace deletion enhancements
Version 2 also bolsters its cleanup routines. The new ss_del command now not only removes registry keys used by DiggingBeaver for persistence but also purges associated files and directories. These additions aim to erase forensic evidence, thwarting incident response efforts and prolonging stealth.
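Persistence cleanup of this kind leaves its own trace: the deletion of an autostart registry entry is an event in its own right, and a deletion performed by an unexpected process is a hunting lead even after the entry is gone. The following is an added example, not code from the report: it scans Sysmon-style Event ID 12 records (registry object create/delete, with an EventType of CreateKey, DeleteKey, CreateValue or DeleteValue) for deletions under Run/RunOnce keys by images outside an expected set. The records are constructed, the expected-image list is hypothetical, and the choice of Run/RunOnce is this example's assumption, since the report does not name the keys DiggingBeaver uses:

```python
"""Hunt for deletion of autostart registry entries in Sysmon-style telemetry.

Added example, not code from the original report. Sysmon Event ID 12 records
registry key and value creation and deletion, with the acting Image and the
TargetObject path. The records below are constructed, and the assumption that
the persistence entries live under Run/RunOnce is this example's own; the
report does not name the keys DiggingBeaver uses. Correlate hits with Sysmon
file-deletion events (Event ID 23/26) to see the accompanying file cleanup.
"""
from __future__ import annotations

import json
from collections import Counter

# Autostart locations to watch (case-insensitive substring match on TargetObject).
AUTOSTART_MARKERS = (
    "\\currentversion\\run\\",
    "\\currentversion\\runonce\\",
)
# Hypothetical images expected to manage autostart entries on managed hosts.
EXPECTED_IMAGES = {"c:\\program files\\corp\\agent.exe"}

# Constructed sample records (JSON lines, one Sysmon event each).
NODE = "C:\\Users\\u\\AppData\\Roaming\\node\\node.exe"
AGENT = "C:\\Program Files\\Corp\\agent.exe"
RUN_KEY = "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 13, "EventType": "SetValue", "Image": NODE,
     "TargetObject": RUN_KEY + "\\Updater", "UtcTime": "2025-08-14 09:00:01"},
    {"EventID": 12, "EventType": "DeleteValue", "Image": NODE,
     "TargetObject": RUN_KEY + "\\Updater", "UtcTime": "2025-08-14 11:30:45"},
    {"EventID": 12, "EventType": "DeleteKey", "Image": NODE,
     "TargetObject": RUN_KEY + "Once\\Stage2", "UtcTime": "2025-08-14 11:30:46"},
    {"EventID": 12, "EventType": "DeleteValue", "Image": AGENT,
     "TargetObject": RUN_KEY + "\\CorpAgent", "UtcTime": "2025-08-14 12:00:00"},
    {"EventID": 12, "EventType": "DeleteKey", "Image": NODE,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\SomeApp\\Cache", "UtcTime": "2025-08-14 12:05:00"},
])


def is_autostart_path(target_object: str) -> bool:
    """True if the registry path sits under one of the watched autostart keys."""
    lowered = target_object.lower()
    return any(marker in lowered for marker in AUTOSTART_MARKERS)


def hunt(events_jsonl: str, expected_images=EXPECTED_IMAGES) -> list[dict]:
    """Return Event ID 12 deletions of autostart entries by unexpected images."""
    hits = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 12:
            continue  # only object create/delete events carry the deletions
        if not str(event.get("EventType", "")).startswith("Delete"):
            continue
        if not is_autostart_path(event.get("TargetObject", "")):
            continue
        image = event.get("Image", "")
        if image.lower() in expected_images:
            continue
        hits.append({"time": event.get("UtcTime"), "image": image,
                     "action": event["EventType"], "target": event["TargetObject"]})
    return hits


def summarize(hits: list[dict]) -> dict[str, int]:
    """Count autostart deletions per acting image, to spot cleanup bursts."""
    return dict(Counter(h["image"] for h in hits))


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for h in found:
        print(h)
    print(summarize(found))
```

The sample yields two hits, both by the user-writable node.exe, while the managed agent's deletion and the unrelated cache key are ignored. In practice, pair this with the earlier SetValue event (Event ID 13) on the same path: a Run entry created and later removed by the same non-installer process is a stronger signal than either event alone.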
Implications and Recommendations
The emergence of OtterCandy underscores Cluster B’s growing sophistication and the evolving threat landscape posed by WaterPlum.
Organizations operating in high-risk sectors—particularly within Japan, where attacks have already been recorded—should heighten monitoring of anomalous Node.js process activity and of Socket.IO traffic to unfamiliar hosts.
Proactive threat hunting for duplicated client_id signatures and unexpected registry modifications can expedite detection.
Continuous threat intelligence sharing and timely patching of development frameworks remain critical. Security teams are advised to deploy behavioral analysis tools capable of flagging unusual process activity, enforce strict application whitelisting, and conduct regular audits of browser extension inventories.
As WaterPlum’s Cluster B refines its malware arsenal, defenders must adapt by integrating dynamic analysis into their security operations and fostering collaboration across industry peers. Ongoing close monitoring of OtterCandy’s evolution will be vital to mitigating the next wave of ClickFake Interview assaults.
The ClickFake Interview campaign’s pivot to OtterCandy demonstrates a calculated escalation in WaterPlum’s operational playbook.
With its August 2025 enhancements, OtterCandy poses a more formidable challenge to defenders, necessitating vigilant monitoring and robust defensive postures.
Continuous analysis of this threat will be essential to safeguarding critical infrastructure and sensitive data against this North Korean–linked adversary.