The North Korea-aligned hacking group Famous Chollima is once again exploiting the job market, using fake job offers to trick victims into installing malicious software to steal cryptocurrency and user credentials, according to a recent report from Cisco Talos.
BeaverTail and OtterCookie Merge to Expand Attacks
The threat comes from two malware families, BeaverTail and OtterCookie, whose functionality Cisco Talos found is being merged into a single codebase. This suggests the attackers are consolidating their tooling ahead of future campaigns.
Cisco Talos detected this campaign after a system was infected at an organisation headquartered in Sri Lanka. The infection chain begins when a user is lured into installing a trojanised application, in this case one named Chessfi. When the user runs ‘npm install’ to set it up, a hidden malicious dependency named “node-nvm-ssh” is pulled down alongside the legitimate packages.
This package carries install-time instructions that run a long chain of commands, ultimately loading a heavily obfuscated file that contains the combined BeaverTail and OtterCookie code.
Malware Evolution
The malware’s evolution shows a steady increase in data-theft capability. The earliest versions (V1, September to November 2024) focused on stealing browser profiles; V2 (November 2024 to February 2025) added a module for stealing clipboard contents; and V3 (February to April 2025) began stealing specific files from every mounted disk drive.
The most concerning development, however, is the latest OtterCookie version, designated V5 (seen between April and August 2025), which adds two new capabilities: a keylogging module that records every keystroke, and a screenshot module that captures the user’s desktop every four seconds. Both the keystrokes and the images are uploaded to the attackers’ command and control (C2) server.

High-Value Targets and Advanced Evasion
The campaign’s primary goal is financial theft: OtterCookie targets a long list of popular cryptocurrency browser extensions and wallets. A user’s crypto holdings are only as safe as the wallet that holds the keys, and that is exactly where the malware aims, going after wallet extensions such as MetaMask, Trust Wallet, Binance Chain Wallet (B.A.K.A. BEW lite) and many others.
Researchers also note that the attackers have begun folding core functions into the malware’s main JavaScript code, reducing its reliance on separate tooling such as Python. This makes the malware more portable and easier to deploy; the cryptocurrency extension stealer, for instance, targets popular Chromium-based browsers such as Google Chrome and Brave.
This research was shared exclusively with Hackread.com. It underscores how heavily North Korea’s cyber operations rely on job-themed social engineering. It follows earlier reports from firms such as Silent Push, as covered by Hackread.com, detailing the Lazarus Group’s targeting of crypto job seekers through fake companies such as BlockNovas LLC. Notably, the same BeaverTail and OtterCookie malware appeared in those earlier attacks and is now being upgraded for the next wave.