North Korean hackers improve OtterCookie malware’s data theft abilities

Researchers have uncovered significant updates to OtterCookie, a cross-platform malware tied to the North Korean-aligned Contagious Interview campaign, according to The Hacker News.
Japanese cybersecurity firm NTT Security Holdings observed the malware's continued development, with versions 3 and 4 released in early 2025. Tracked as part of the WaterPlum threat group, OtterCookie is distributed via deceptive methods including npm packages, fake videoconferencing applications, and trojanized repositories. OtterCookie v3 added a dedicated upload module to exfiltrate targeted files, such as documents, mnemonic phrases for cryptocurrency wallets, and environment variables, to an external server; this function previously relied on server-sent shell commands. Version 4 introduced further enhancements, including modules to extract credentials from Google Chrome and the MetaMask browser extension, and expanded virtual machine detection to evade analysis. Researchers noted differences in coding style between modules, suggesting contributions from multiple developers. The campaign also employs a Go-based stealer disguised as a Realtek driver update for macOS, intended to extract system credentials. Another malware family linked to the same campaign, Tsunami-Framework, includes keylogging, data theft, and botnet functionality.
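The v3 upload module described above combines three observable behaviours on a host: a single process reading environment files, wallet or mnemonic material, and user documents, then connecting out to an external server. The following is an added illustration of how a defender might correlate those behaviours into one detection over endpoint telemetry. It is not code from the article or from NTT Security Holdings; the event schema (pid, proc, type, path/dest), the path patterns, and the sample events are all constructed assumptions for the example.

```python
"""
Behavioural correlation for the exfiltration pattern the article attributes to
OtterCookie v3: one process touches several categories of sensitive files and
then opens an outbound connection. Illustrative code only; the telemetry format
below is an assumption, not a real EDR schema.
"""
from collections import defaultdict
import re

# Path patterns grouped by the sensitive categories named in the article.
# These are assumed examples, not indicators published by the researchers.
SENSITIVE = {
    "env": re.compile(r"(^|/)\.env(\..+)?$"),
    "wallet": re.compile(r"(mnemonic|seed|wallet|keystore)", re.I),
    "document": re.compile(r"\.(docx?|pdf|xlsx?|txt)$", re.I),
}


def categorize(path):
    """Return the set of sensitive categories a file path falls into."""
    return {name for name, rx in SENSITIVE.items() if rx.search(path)}


def analyze(events, min_categories=2):
    """Correlate per-process file reads with outbound connections.

    events: dicts with keys pid, proc, type ('file_read' or 'net_connect'),
            and path (for file_read) or dest (for net_connect).
    Returns one finding per process that read files from at least
    min_categories distinct sensitive categories AND connected outbound.
    """
    reads = defaultdict(set)    # pid -> categories read
    paths = defaultdict(list)   # pid -> sensitive paths read
    conns = defaultdict(set)    # pid -> destinations contacted
    name = {}                   # pid -> process name
    for ev in events:
        pid = ev["pid"]
        name[pid] = ev["proc"]
        if ev["type"] == "file_read":
            cats = categorize(ev["path"])
            if cats:
                reads[pid] |= cats
                paths[pid].append(ev["path"])
        elif ev["type"] == "net_connect":
            conns[pid].add(ev["dest"])

    findings = []
    for pid, cats in reads.items():
        if len(cats) >= min_categories and conns[pid]:
            findings.append({
                "pid": pid,
                "proc": name[pid],
                "categories": sorted(cats),
                "paths": paths[pid],
                "destinations": sorted(conns[pid]),
            })
    return findings


# Constructed sample telemetry (not real data): pid 101 matches the pattern,
# pid 202 reads only one category, pid 303 never connects outbound.
SAMPLE_EVENTS = [
    {"pid": 101, "proc": "node", "type": "file_read", "path": "/home/dev/project/.env"},
    {"pid": 101, "proc": "node", "type": "file_read", "path": "/home/dev/wallet/mnemonic.txt"},
    {"pid": 101, "proc": "node", "type": "file_read", "path": "/home/dev/Documents/contract.pdf"},
    {"pid": 101, "proc": "node", "type": "net_connect", "dest": "203.0.113.10:443"},
    {"pid": 202, "proc": "code", "type": "file_read", "path": "/home/dev/project/.env"},
    {"pid": 202, "proc": "code", "type": "net_connect", "dest": "marketplace.example:443"},
    {"pid": 303, "proc": "backup", "type": "file_read", "path": "/home/dev/Documents/notes.txt"},
    {"pid": 303, "proc": "backup", "type": "file_read", "path": "/home/dev/wallet/keystore.json"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Requiring two or more distinct categories plus a network connection keeps an editor reading a single `.env` file, or a backup tool that never connects out, below the threshold; tune `min_categories` and the patterns to the environment.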