Famous Chollima
Famous Chollima is a North Korea-affiliated threat actor cluster (also tracked as WaterPlum and reported under aliases including CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, PurpleBravo, and Tenacious Pungsan). It is associated with recruitment-themed social engineering and trojanized developer tooling used for credential theft, cryptocurrency theft, and espionage. Reporting links the actor to the Contagious Interview / ClickFake Interview activity and describes it as part of broader North Korean operations believed to be associated with Lazarus Group activity.

The group targets software developers, job seekers, and organizations and individuals in the defense, blockchain, and Web3/cryptocurrency ecosystem, including users of cryptocurrency-related services and browser wallets. Initial access is achieved via fake job offers and interview websites (ClickFix / ClickFake Interview lures), trojanized applications and repositories (e.g., hosted on Bitbucket or GitHub), and malicious npm packages (e.g., node-nvm-ssh). Fiverr and Discord are among the delivery channels mentioned in reporting.

Malware attributed to the actor includes BeaverTail, OtterCookie (versions 1 through 5 active from November 2024 through August 2025; v3 and v4 released in February and April 2025 respectively; v5 observed in August 2025), InvisibleFerret, and OtterCandy (distributed in July 2025; v2 in late August 2025). OtterCookie and OtterCandy are Node.js-based, cross-platform (Windows/macOS/Linux) infostealer/RAT families used to steal browser credentials and cryptocurrency wallet data and to exfiltrate files. OtterCookie v4 includes modules targeting Chrome credentials and data from MetaMask, Brave, and iCloud Keychain, and performs virtual machine detection (VMware, VirtualBox, Microsoft, QEMU). OtterCookie v5 is noted as adding keylogging and screenshot capture. OtterCandy combines RAT and infostealer functionality (including features associated with RATatouille and OtterCookie), maintains persistence by restarting itself, and expands the set of targeted browsers in v2; it was reported targeting Japanese developers and job seekers.

Observed TTPs include multi-stage infection chains; WebSocket- and HTTP-based C2; keylogging, screenshot capture, clipboard monitoring, file exfiltration, and remote shell/command execution; and obfuscation, encryption, anti-debugging, and persistence mechanisms. The actor has also used trojanized software and fake videoconferencing apps, and AnyDesk for remote control in some intrusions. Reporting additionally notes broader North Korean tradecraft such as blockchain-based payload delivery (e.g., EtherHiding) and sharing of malware and infrastructure across North Korean threat actors.

Separately, the name Famous Chollima is also applied to North Korean IT worker schemes (also called Nickel Tapestry and Wagemole), in which fraudulent workers use digitally manipulated photos, generative AI, and resume builders to obtain employment, then use remote access and evasion tooling (e.g., Astrill VPN, KVM over IP, mouse jigglers) to maintain access and facilitate data theft and extortion over extended periods.
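The profile names a malicious npm package (node-nvm-ssh) and trojanized repositories as an initial-access path. One practical check before running `npm install` on a "take-home task" repository is to audit its lockfile for known-bad names and for packages that declare install-time lifecycle scripts. The script below is an added example, not code from Mallory or from any Famous Chollima report; the denylist contains only the package name given in the profile, and the install-hook heuristic is a general npm supply-chain check rather than a behaviour the profile attributes to that package. All sample lockfile entries and manifests other than the name node-nvm-ssh are constructed.

```python
"""Audit an npm dependency tree for a denylisted package name and for
install-time lifecycle hooks (preinstall/install/postinstall/prepare).

Added example; not code from Mallory or from any Famous Chollima report.
Assumptions: KNOWN_MALICIOUS holds only the name given in the profile, and
the install-hook heuristic is a general npm supply-chain check.
"""
import json
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

KNOWN_MALICIOUS = {"node-nvm-ssh"}  # from the profile; extend from your own intel feed
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")  # run by `npm install`


def lockfile_packages(lock: dict) -> Iterable[Tuple[str, str]]:
    """Yield (name, version) for every package in a package-lock.json.

    lockfileVersion 2/3 keeps a flat 'packages' map keyed by install path;
    lockfileVersion 1 nests transitive deps under 'dependencies'.
    """
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # "node_modules/a/node_modules/@s/b" -> "@s/b"
            name = meta.get("name") or path.split("node_modules/")[-1]
            yield name, meta.get("version", "")
        return

    def walk(deps: dict) -> Iterable[Tuple[str, str]]:
        for name, meta in deps.items():
            yield name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def manifests_from_node_modules(root: Path) -> Dict[str, dict]:
    """Filesystem helper: read every package.json under node_modules, keyed by package name."""
    out: Dict[str, dict] = {}
    for manifest in root.rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if isinstance(data, dict) and "name" in data:
            out[data["name"]] = data
    return out


def audit(lock: dict, manifests: Dict[str, dict]) -> List[str]:
    """Return one finding per denylisted package and per package declaring an install hook."""
    findings: List[str] = []
    for name, version in lockfile_packages(lock):
        if name in KNOWN_MALICIOUS:
            findings.append(f"denylisted package {name}@{version}")
        scripts = manifests.get(name, {}).get("scripts", {})
        hooks = [h for h in INSTALL_HOOKS if h in scripts]
        if hooks:
            findings.append(
                f"{name}@{version} runs install hook(s) {hooks}: {scripts[hooks[0]]!r}"
            )
    return findings


# Constructed sample inputs: one lockfile per format, plus the package.json
# contents that manifests_from_node_modules() would read. Only the name
# node-nvm-ssh comes from the profile; every other name and version is made up.
SAMPLE_LOCK_V3 = {
    "name": "interview-task",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "interview-task", "version": "1.0.0"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/node-nvm-ssh": {"version": "1.0.3"},
        "node_modules/helper-lib": {"version": "0.1.0"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "express": {
            "version": "4.19.2",
            "dependencies": {"node-nvm-ssh": {"version": "1.0.3"}},
        },
    },
}
SAMPLE_MANIFESTS = {
    "express": {"name": "express", "scripts": {"test": "mocha"}},
    "helper-lib": {"name": "helper-lib", "scripts": {"postinstall": "node ./setup.js"}},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK_V3, SAMPLE_MANIFESTS):
        print(finding)
```

Run it against a real checkout with `audit(json.load(open("package-lock.json")), manifests_from_node_modules(Path("node_modules")))` after an install done with `--ignore-scripts`, so hooks are inspected before they ever execute. A hook finding is a review prompt, not proof of compromise: many legitimate native-addon packages use `install` or `postinstall` scripts, so read the script and the file it invokes.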
Recent activity
Conducts cyber espionage and financial theft operations, especially targeting software developers and the cryptocurrency ecosystem, using multi-stage malware and social engineering tactics such as fake job offers.
Famous Chollima, a division of the Lazarus Group, is conducting corporate espionage and fund acquisition operations by infiltrating Western companies. They use stolen identities and AI-powered deepfake technology to impersonate legitimate candidates during video interviews, primarily targeting software engineering roles in the crypto, Web3, and fintech sectors. Their operations are part of a broader North Korean campaign to generate revenue and gather intelligence.
North Korean state-backed group targeting organizations in Latin America to secure employment and siphon funds to support the regime.
WaterPlum is a North Korean threat actor responsible for the Contagious Interview campaign, using updated versions of the OtterCookie malware to steal credentials, files, and cryptocurrency wallet data from victims, often via fake job interview lures and trojanized software.