Famous Chollima, a DPRK-aligned threat group, has evolved its arsenal, with BeaverTail and OtterCookie increasingly merging functionalities to steal credentials and cryptocurrency via deceptive job offers.
A recent campaign involved a trojanized Node.js application distributed through a malicious NPM package, highlighting the group’s adaptation in delivery methods.
In the campaign, researchers observed merged BeaverTail and OtterCookie variants delivered through fake job interviews, with new modules for keylogging and screenshot capture.
A malicious NPM package “node-nvm-ssh” embedded in a cryptocurrency-themed chess app serves as the infection vector, executing obfuscated JavaScript payloads.
OtterCookie has evolved through five versions since late 2024, adding capabilities like remote shell access, file exfiltration, and cryptocurrency wallet targeting.
Functional overlaps between BeaverTail, OtterCookie, and InvisibleFerret suggest a shift toward JavaScript-based tooling to reduce Python dependencies on Windows systems.
The Campaign Activity
Famous Chollima, a subgroup of the DPRK-aligned Lazarus collective, continues to refine its arsenal in the Contagious Interview campaigns, blending BeaverTail and OtterCookie into more unified infostealers.
These operations prey on job seekers by posing as recruiters, luring victims into installing tainted software under the guise of interview-related tasks.
In one observed incident, an organization in Sri Lanka suffered an incidental compromise when a user cloned a Bitbucket repository for “Chessfi,” a web3 chess platform with cryptocurrency betting features.
The repository’s dependencies pulled in the malicious “node-nvm-ssh” package from NPM, triggering post-install scripts that spawned child processes to execute obfuscated JavaScript from embedded files like “test.list.”
This payload reveals a convergence of the BeaverTail and OtterCookie codebases. BeaverTail handles browser profile enumeration, targeting wallet extensions such as MetaMask, Phantom, and Solflare across Chrome, Brave, Edge, and other browsers. It also downloads Python-based InvisibleFerret modules from C2 servers over non-standard ports such as 1224, installing a Python runtime on Windows so those modules can execute.
OtterCookie complements this with modular extensions: a remote shell built on socket.io-client for command execution and system fingerprinting; a file uploader that scans drives for documents, credentials, and cryptocurrency-related files while excluding specific paths; and a cryptocurrency-extension stealer whose target list overlaps with BeaverTail's.
A newer OtterCookie module, first seen in April 2025, adds keylogging and screenshot capture, buffering the collected data in temporary files before exfiltrating it to C2 endpoints. Some variants also monitor the clipboard using OS-native commands, “pbpaste” on macOS and PowerShell on Windows.
Cisco Talos researchers also uncovered a suspicious VS Code extension mimicking an onboarding tool, embedding similar code.
Although attribution remains tentative, it signals potential experimentation with editor-based delivery.
Malware Evolution and Techniques
OtterCookie has progressed from a basic remote-code-execution loader in version 1 (late 2024) to version 5 (August 2025), picking up anti-analysis tricks such as environment checks and loading code through eval() inside an error handler.
Early versions delivered payloads in HTTP cookies; later versions fetch modular code strings and execute them on the fly. BeaverTail, active since mid-2023, has adapted in parallel, shuffling base64-encoded C2 URLs and adding cross-platform support, and it is frequently bundled into supply-chain attacks.
Famous Chollima, also known as Wagemole, Nickel Tapestry, Purple Bravo, Tenacious Pungsan, Void Dokkaebi, Storm-1877, and UNC5267, is a North Korea nexus threat actor active since at least 2018.
Famous Chollima targets the cryptocurrency, blockchain, and technology sectors, with a notable focus on India, Western countries such as the US and Germany, and Ukraine.
Their activities primarily focus on financial gain and espionage to support the DPRK regime. The group is assessed to be affiliated with North Korea’s Reconnaissance General Bureau, a key intelligence service.
Famous Chollima employs sophisticated social engineering, posing as legitimate remote IT workers to infiltrate organizations. They create fraudulent identities, falsify resumes, and use generative AI to craft convincing profiles, securing roles at small to mid-sized businesses via platforms like Upwork and LinkedIn. Once embedded, they deploy custom malware, such as BeaverTail and InvisibleFerret, to steal credentials and sensitive data.
The group leverages fake job recruitment campaigns, delivering malicious Python-based RATs like PylangGhost to target cryptocurrency and blockchain sectors. They establish persistence through registry modifications and use RC4-encrypted HTTP for command-and-control communication.
Their operations fund North Korea’s regime through illicitly earned salaries and stolen assets, evading international sanctions. The group’s infrastructure often relies on anonymization networks to conceal their activities.