Researchers at Cisco Talos have uncovered a sophisticated campaign by the Famous Chollima subgroup of Lazarus, wherein attackers deploy blended JavaScript tools—BeaverTail and OtterCookie—to carry out stealthy keylogging, screenshot capture, and data exfiltration.
This cluster of activity, part of the broader “Contagious Interview” operation, has evolved significantly since first noted, blurring lines between previously distinct toolsets and revealing new modules for credential theft and surveillance.
In a recent incident, Talos observed an infection at a Sri Lankan organization that fell victim after a user accepted a fake job offer. The user installed a trojanized Node.js project named ChessFi, touted as a web3-based chess platform with cryptocurrency betting features.
Instead of a legitimate development environment, the npm dependencies included a malicious package, node-nvm-ssh, which triggered a chain of postinstall scripts ultimately executing a highly obfuscated payload.
This payload merged BeaverTail’s browser-profile enumeration and Python-stealer downloader with OtterCookie’s JavaScript-based modules, including novel keylogging capabilities.
Keylogging and Screenshot Module Unveiled
Talos discovered a previously undocumented OtterCookie module that simultaneously logs keystrokes and captures periodic screenshots.
Using the Node.js packages “node-global-key-listener” for keystroke events, “screenshot-desktop” for image capture, and “sharp” for format conversion, the module writes keystrokes to “1.tmp” and screenshots to “2.jpeg” in a temporary folder.
Keystrokes flush to disk every second while screenshots are taken every four seconds. In some variants, clipboard monitoring was also integrated, allowing attackers to harvest copied text.
The stolen data and images upload to the OtterCookie C2 server at TCP port 1478 via an “/upload” endpoint, facilitating real-time surveillance without raising obvious alerts.
Further analysis revealed other OtterCookie features: a remote shell module that detects host platforms, verifies virtual environments, gathers system information, and maintains a WebSocket-based command loop over socket.io-client on port 1418; a file upload module that traverses drives, filters out system folders, and exfiltrates documents, scripts, and wallet files; and a hidden cryptocurrency extension stealer targeting Chrome and Brave profiles.
Remarkably, researchers also found a malicious VS Code extension masquerading as an “Onboarding Helper,” which embedded OtterCookie code to infect developers directly within their editor environment.
While attribution to Famous Chollima remains tentative for the extension, it underscores the threat actor’s experimentation with diverse vectors.
BeaverTail, first seen in mid-2023 as a lightweight downloader for Python-based InvisibleFerret stealer modules, has long facilitated credential harvesting and remote access installations.
Over time, it adopted code obfuscation via Obfuscator.io, shuffled base64 C2 URL schemes, and even Qt-compiled C++ variants.
Meanwhile, OtterCookie’s initial loader—using HTTP response cookies to fetch JavaScript code—evolved through five versions, each adding modules for clipboard stealing, file theft, sandbox evasion, and now keylogging and screenshotting in version 5, observed in August 2025.
In the recent ChessFi attack, BeaverTail’s browser-extension targeting and Python downloader functionality seamlessly merged with OtterCookie’s JavaScript modules, eliminating the need for a full Python runtime on Windows hosts.
Mitigations
Organizations can defend against these blended threats by enforcing application whitelisting, monitoring unexpected npm dependencies, and leveraging endpoint protection solutions that inspect both JavaScript and Python executables.
The loader code is small and easy to miss, and along with the risk of false positive detections, this may be why the detection of the OtterCookie loaders on VirusTotal is not very successful.
Cisco Secure Endpoint can block execution of malicious scripts, while Secure Email and Secure Firewall appliances can prevent delivery of phishing lures and C2 traffic.
Additionally, network analytics tools such as Stealthwatch can alert on unusual connections to known BeaverTail and OtterCookie C2 ports (1224, 1244, 1418, 1478).
Regular audits of developer environments and strict code-review processes will further reduce the risk posed by trojanized open-source projects.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
