
The North Korean threat actors behind the Contagious Interview campaign have been observed merging functionality from two of their malware programs, a sign that the group is actively refining its toolset.
This is according to new research from Cisco Talos, which finds that the group's recent campaigns have brought BeaverTail and OtterCookie closer in functionality than ever before, with the latter now also equipped with new modules for keylogging and screenshot capture.
This activity can be attributed to threat clusters tracked by the cybersecurity community under the names CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, PurpleBravo, Tenacious Pungsan, UNC5342, and Void Dokkaebi.
This development follows a report by Google Threat Intelligence Group (GTIG) and Mandiant that the threat actors are using a stealth technique known as EtherHiding to fetch next-stage payloads from the BNB Smart Chain (BSC) or Ethereum blockchain, effectively turning decentralized infrastructure into resilient command and control (C2) servers. That report marked the first documented use of EtherHiding by a nation-state actor; the technique had until then been associated with cybercrime groups.
Contagious Interview is an elaborate recruitment scam that has been active since around late 2022. North Korean threat actors target job seekers by impersonating hiring organizations and trick them into installing information-stealing malware under the guise of technical assessments or coding work, leading to the theft of sensitive data and cryptocurrency.

In recent months the campaign has undergone several changes, including the use of ClickFix-style social engineering to distribute malware strains such as GolangGhost, PylangGhost, TsunamiKit, Tropidoor, and AkdoorTea. The mainstay of the attacks, however, remains a trio of malware families: BeaverTail, OtterCookie, and InvisibleFerret.
BeaverTail and OtterCookie are separate but complementary tools; OtterCookie was first observed in live attacks in September 2024. Whereas BeaverTail functions as an information stealer and downloader, OtterCookie's initial iterations were designed to connect to a remote server and fetch commands to be executed on the compromised host.
The activity observed by Cisco Talos involved an organization headquartered in Sri Lanka. Talos assesses that the company was not deliberately targeted; rather, one of its systems was infected after a user fell for a fake job posting that instructed them to install a trojanized Node.js application called Chessfi, hosted on Bitbucket, likely as part of the interview process.

Notably, the application declared a dependency on a package called 'node-nvm-ssh' that was published to the official npm registry by a user named 'trailer' on August 20, 2025. The package reached 306 downloads before npm maintainers removed it six days later.
The package is also one of 338 malicious Node libraries that software supply chain security firm Socket flagged earlier this week as being associated with the Contagious Interview campaign.
Once installed, the package triggers its malicious behavior via a postinstall hook in its package.json file. The hook runs a custom script named "skip", which launches a JavaScript payload ("index.js"); that file in turn loads another script ("file15.js") responsible for executing the final stage of the malware. Because npm runs lifecycle scripts such as postinstall automatically during installation (unless they are disabled with the ignore-scripts setting), the victim never has to run anything beyond installing the application's dependencies.

Security researchers Vanja Svajcer and Michael Kelley said further analysis of the tool used in the attack revealed that "the tool had characteristics of BeaverTail and OtterCookie, with a blurred distinction between the two." It also included a new keylogging and screenshot module built on legitimate npm packages, node-global-key-listener and screenshot-desktop, which it uses to capture keystrokes and screenshots and exfiltrate them to a C2 server.
At least one version of the module also includes a clipboard monitor that siphons clipboard contents. This version of OtterCookie illustrates the tool's evolution from basic data collection into a modular program for data theft and remote command execution.

The malware, tracked as OtterCookie v5, also has BeaverTail-like functionality: it enumerates browser profiles and extensions, steals data from web browsers and cryptocurrency wallets, installs AnyDesk for persistent remote access, and downloads a Python backdoor called InvisibleFerret.
Some of the other modules present in OtterCookie are listed below.
- A remote shell module that sends system information and clipboard contents to the C2 server, installs the "socket.io-client" npm package, connects to a specific port on the OtterCookie C2 server, and receives further commands for execution.
- A file upload module that systematically enumerates all drives and traverses the file system looking for files that match specific extensions and naming patterns (phrases such as Metamask, Bitcoin, or Backup), then uploads them to the C2 server.
- A cryptocurrency extension stealer module that extracts data from wallet extensions installed in Google Chrome and Brave (its list of targeted extensions partially overlaps BeaverTail's).

Talos also said it detected a Qt-based BeaverTail artifact and a malicious Visual Studio Code extension containing BeaverTail and OtterCookie code, raising the possibility that the group is experimenting with new malware distribution methods.
“Since this extension is different from regular TTP, it is also possible that it is the result of experimentation by another actor, perhaps a researcher, unrelated to Famous Chollima,” the researchers noted.