
The North Korean threat actors behind the Contagious Interview campaign have been observed using an updated version of a cross-platform malware called OtterCookie, which has the ability to steal credentials from web browsers and other files.
Detailing the new findings, NTT Security Holdings said the attackers have updated the malware "actively and continuously," introducing versions v3 and v4 in February and April 2025, respectively.
The Japanese cybersecurity company tracks the cluster under the name WaterPlum, which is also known as CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, PurpleBravo, and Tenacious Pungsan.
OtterCookie was first documented by NTT last year, after it was observed in attacks since September 2024. It is delivered via a JavaScript payload from a malicious npm package, a trojanized GitHub or Bitbucket repository, or a bogus video conferencing app.
OtterCookie v3 is notable for incorporating a new upload module that sends files matching a predefined set of extensions to an external server. The set covers environment variables, images, documents, spreadsheets, text files, and files containing mnemonics and recovery phrases related to cryptocurrency wallets.
It is worth pointing out that this functionality was previously carried out in OtterCookie v2 as a shell command received from the server.
The fourth iteration of the malware extends its predecessor by adding two more modules: one to steal credentials from Google Chrome, and another to extract data from the MetaMask extension for Google Chrome and Brave Browser, as well as from iCloud Keychain.
Another new feature added to OtterCookie v4 is the ability to detect whether it is running in a virtual machine (VM) environment from Broadcom VMware, Oracle VirtualBox, Microsoft, or QEMU.

Interestingly, the first stealer module, responsible for collecting Google Chrome credentials, is known to do so after decrypting them, while the second module harvests encrypted login data from browsers such as Chrome and Brave.
"This difference in data processing or coding style means that these modules were developed by different developers," researchers Masaya Motoda and Rintaro Koike said.
The disclosure follows the discovery of multiple malicious payloads associated with the Contagious Interview campaign in recent months, indicating that the threat actors are refining their modus operandi.

This includes a Go-based information stealer delivered in the guise of a Realtek driver update ("webcam.zip"). When opened, it runs a shell script to download the stealer and launch a deceptive macOS application ("DriverMinUpdate.app").
The malware is believed to have been distributed last month as part of an updated version of the campaign codenamed ClickFake Interview by Sekoia, as it uses ClickFix-style lures to "fix" audio and video issues that do not actually exist during the online assessment stage of the job interview process.
"The stealer's main role is to establish a persistent C2 channel, profile the infected system, and exfiltrate sensitive data," said Moonlock, the cybersecurity division of MacPaw. "It accomplishes this through a combination of system reconnaissance, credential theft, and remote command execution."
The DriverMinUpdate application is assessed to be part of a larger set of similar malicious apps discovered by dmpdump, SentinelOne, Enki, and Kandji, including ChromeUpdateAlert, ChromeUpdate, CameraAccess, and DriverEasy.

The second new malware family connected to the campaign is Tsunami Framework, which is delivered as a follow-up payload to a known Python backdoor called InvisibleFerret. The .NET-based modular malware is equipped to steal a wide range of data from web browsers and cryptocurrency wallets.
It also includes the ability to record keystrokes, collect files, and even incorporate botnet components that are believed to be in early development, German security company HiSolutions said in a report released last month.
Contagious Interview, per ESET, is assessed to be a new activity cluster that is part of the Lazarus Group, a notorious North Korean hacking group with a storied history of conducting both espionage and financially motivated attacks as a way to advance the country's strategic goals and sidestep international sanctions.
Earlier this year, the hostile collective was attributed to a record $1 billion heist on the cryptocurrency platform Bybit.
The threat of North Korean IT workers endures
The findings come as cybersecurity firm Sophos revealed that North Korea's fraudulent IT worker scheme (also known as Famous Chollima, Nickel Tapestry, and Wagemole) is increasingly targeting Europe and Asia, gaining employment across the technology sector and sending the proceeds back to Pyongyang.
"Threat actors often digitally manipulate photos for forged résumés and LinkedIn profiles during the pre-employment phase, accompanied by claims of previous work history or group projects," said the company's Secureworks Counter Threat Unit (CTU).
"They generally use stock photos overlaid with real images of themselves. Threat actors are increasingly using generative AI, including writing tools, image editing tools, and résumé builders."
Once they secure the job, the fraudulent workers were found to use the Mouse Jiggler utility, VPN software such as Astrill VPN, and KVM-over-IP devices for remote access.
Last week, the cryptocurrency exchange platform Kraken revealed how a routine job interview for an engineering position turned into an intelligence-gathering operation after it found a North Korean hacker trying to infiltrate the company under the name Stephen Smith.
"The candidate used a remote colocated Mac desktop but interacted with other components via a VPN, a setup commonly deployed to hide location and network activity," the company said. "Their résumé was linked to a GitHub profile containing email addresses published in past data breaches."

"The candidate's primary form of ID appears to have been altered, using details that were stolen in an identity theft case probably two years ago."
But instead of rejecting the application outright, Kraken said its security and recruitment teams "strategically" advanced the candidate through the interview process as a way to verify their location, have them hold up government-issued IDs, and ask them to recommend some local restaurants in the city they claimed to live in.
"Caught off guard, the candidate struggled with basic verification tests and was unable to answer real-time questions about their city of residence and citizenship with confidence," Kraken said. "By the end of the interview, the truth was clear: this was not a legitimate applicant, but a scammer trying to break into our systems."
In another case, documented last month by the U.S. Department of Justice (DoJ), 40-year-old Minh Phuong Ngoc Vong of Maryland pleaded guilty to fraud after securing work with government contractors and subsequently outsourcing it to North Korean nationals living in Shenyang, China.
The ability to covertly place thousands of workers inside large businesses with the help of facilitators who run what are often called laptop farms has prompted repeated warnings from the governments of Japan, South Korea, the U.K., and the U.S.
These workers have been known to remain inside an organization for up to 14 months, with the threat actors also engaging in data theft and extortion after being fired.
"Organizations [should] establish an enhanced identity verification procedure as part of the interview process," Sophos said.
"In addition, organizations should monitor for traditional insider threat activity, suspicious use of legitimate tools, and impossible travel alerts to detect activity often associated with fraudulent workers."
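The impossible-travel check Sophos recommends, as an added example that is not part of the original article or any vendor's product: it pairs up each account's consecutive logins, computes the great-circle distance between the geolocated source points, and flags any pair whose implied speed exceeds an assumed airliner-speed threshold. The login events, coordinates and source labels are constructed sample data.

```python
import math
from datetime import datetime

# Constructed sample login events (not real data): user, UTC time, lat, lon, source label
SAMPLE_EVENTS = [
    ("contractor01", "2025-05-01T09:00:00+00:00", 40.71, -74.01, "vpn-exit-us"),
    ("contractor01", "2025-05-01T11:00:00+00:00", 41.80, 123.43, "residential-cn"),
    ("contractor01", "2025-05-01T18:00:00+00:00", 40.71, -74.01, "vpn-exit-us"),
    ("engineer02", "2025-05-01T08:30:00+00:00", 51.51, -0.13, "office"),
    ("engineer02", "2025-05-01T17:45:00+00:00", 51.52, -0.10, "home-isp"),
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive logins by the same user whose implied speed exceeds max_kmh.

    max_kmh is an assumed threshold slightly above airliner cruising speed; tune it
    for your environment. Returns a list of (user, speed_kmh, from_source, to_source).
    """
    by_user = {}
    for user, ts, lat, lon, src in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon, src))
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])  # order each user's logins chronologically
        for (t0, la0, lo0, s0), (t1, la1, lo1, s1) in zip(evs, evs[1:]):
            dist = haversine_km(la0, lo0, la1, lo1)
            hours = (t1 - t0).total_seconds() / 3600.0
            # Simultaneous logins from clearly distinct places count as infinite speed
            speed = dist / hours if hours > 0 else (math.inf if dist > 1.0 else 0.0)
            if speed > max_kmh:
                alerts.append((user, round(speed), s0, s1))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", alert)
```

In the sample, the contractor's New York to Shenyang hop two hours apart implies well over 5,000 km/h and is flagged twice (there and back), while the engineer's two London logins are not.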