North Korean Famous Chollima APT Deploys OtterCookie and BeaverTail Malware via Trojanized Node.js Apps for Cryptocurrency Theft
The North Korean state-sponsored hacking group known as Famous Chollima has been identified as orchestrating a sophisticated cyber campaign targeting individuals and organizations with the goal of stealing cryptocurrency and sensitive credentials. Security researchers have observed that the group is leveraging trojanized Node.js applications, such as fake versions of legitimate apps like Chessfi, to deliver malicious payloads. Victims are lured through job scam tactics, where they are enticed to install what appears to be a legitimate application, but which actually contains hidden malware. The infection process involves the user executing an 'npm install' command, which surreptitiously downloads a malicious package named 'node-nvm-ssh.' This package is engineered to execute a series of obfuscated commands, ultimately deploying the OtterCookie and BeaverTail malware families onto the victim's system.
Recent analysis by Cisco Talos has revealed that the functionalities of BeaverTail and OtterCookie are being merged, indicating a strategic move by the attackers to streamline and enhance their toolset for future campaigns. The evolution of the OtterCookie malware has been particularly notable, with successive versions adding increasingly invasive capabilities. Early versions focused on stealing browser profiles, while later iterations introduced clipboard theft, file exfiltration from all mounted drives, and, most recently, advanced surveillance features. The latest version, designated V5, incorporates a keylogger to capture every keystroke and a screenshotting module that takes images of the victim's desktop every four seconds, with all collected data exfiltrated to the attackers' command and control infrastructure.
The campaign has been observed targeting high-value individuals and organizations, with at least one confirmed infection at a Sri Lanka-based organization. The attackers' use of legitimate-looking applications and sophisticated evasion techniques makes detection and prevention challenging. The campaign's primary objective appears to be the theft of cryptocurrency and sensitive user credentials, which are highly valuable on underground markets. Security experts warn that the merging of malware capabilities and the use of evolving infection vectors signal an ongoing and escalating threat from the Famous Chollima group. Organizations are advised to implement robust endpoint protection, monitor for suspicious npm package installations, and educate users about the risks of unsolicited job offers and software downloads. The campaign underscores the persistent and adaptive nature of North Korean cyber operations, particularly in their pursuit of financial gain through cybercrime.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Reporting identifies WaterPlum using Node.js OtterCandy RAT
A later report described a related North Korea-linked campaign attributed to WaterPlum that used a Node.js-based OtterCandy RAT for cryptocurrency theft and included an anti-forensic module, indicating continued evolution of this malware ecosystem.
Talos links campaign to broader DPRK fake-recruitment operations
Researchers connected the activity to North Korea's wider strategy of using job-themed lures and fake-company recruitment scams, consistent with earlier Lazarus Group-linked operations using the same malware families.
Researchers document expanded BeaverTail and OtterCookie capabilities
Talos said the malware toolset had evolved from browser-profile theft to broader credential and cryptocurrency theft, adding clipboard theft, file theft from mounted drives, keylogging, and frequent screenshot capture with exfiltration to command-and-control infrastructure.
Talos observes Sri Lanka infection via hidden npm package
In one observed case at an organization headquartered in Sri Lanka, a victim executed an npm install that fetched a concealed malicious package named "node-nvm-ssh," leading to BeaverTail and OtterCookie malware deployment.
Famous Chollima runs job-offer scam using trojanized apps
Cisco Talos reported that the North Korea-aligned group Famous Chollima used fake job offers to trick targets into installing trojanized applications such as "Chessfi," initiating infections through malicious Node.js packages.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Post by @lazarusholic.bsky.social - Bluesky
bsky.app
Open sourceNorth Korea’s WaterPlum APT Deploys Node.js OtterCandy RAT for Crypto Theft with Anti-Forensic Module
securityonline.info
Open sourceNorth Korea’s Famous Chollima APT Uses Trojanized Node.js App to Deploy OtterCookie RAT for Crypto Theft
securityonline.info
Open sourceNK’s Famous Chollima Use BeaverTail and OtterCookie Malware in Job Scam
hackread.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
North Korean 'Contagious Interview' Campaign Expands with Malicious npm Packages and OtterCookie Malware
North Korea-linked threat actors have significantly expanded the 'Contagious Interview' campaign, targeting software developers in the crypto and Web3 sectors by uploading 197 new malicious npm packages designed to distribute an updated version of the OtterCookie infostealer. These actors, posing as recruiters on platforms like LinkedIn, use sophisticated social engineering tactics such as fake job interviews and trojanized demo projects to lure victims on Windows, Linux, and macOS. The campaign leverages a full delivery infrastructure, including a threat actor–controlled GitHub account and Vercel-hosted staging sites, to store and deliver malware, with command and control servers used for data theft and remote tasking. The campaign's payloads include the BeaverTail and OtterCookie infostealers and the InvisibleFerret RAT, and the malicious npm packages have been downloaded over 31,000 times, highlighting the scale and persistence of the operation. Technical analysis reveals that the attackers have built a robust malware delivery system, using their GitHub account to host repositories and fetch the latest payloads from Vercel, while maintaining separate C2 infrastructure for exfiltration and tasking. At least five npm packages, including 'tailwind-magic' and its variants, have been directly linked to this campaign. The operation demonstrates the increasing sophistication of North Korean supply chain attacks, with a focus on compromising developers in high-value sectors through open-source ecosystems. Security researchers continue to monitor the evolving tactics and infrastructure associated with this campaign, warning organizations and developers to exercise heightened vigilance when interacting with unsolicited job offers and npm packages.
Apr 9, 2026
North Korean 'Contagious Interview' Campaign Floods npm Registry with Malicious Packages Targeting Crypto Developers
North Korean state-sponsored threat actors have significantly escalated their 'Contagious Interview' campaign by flooding the npm registry with over 338 malicious packages designed to steal cryptocurrency and sensitive credentials. The operation leverages a repeatable playbook, with threat actors creating more than 180 fake personas and using new npm aliases and registration emails to distribute the malware. These malicious packages have collectively been downloaded over 50,000 times, indicating a substantial reach and potential impact on the developer community. The attackers primarily target Web3, cryptocurrency, and blockchain developers, as well as technical job seekers, often approaching them on LinkedIn under the guise of recruiters or hiring managers. The campaign follows a multi-stage attack chain, beginning with reconnaissance on social media, followed by weaponization through the publication of typosquatted npm packages. Delivery occurs via recruiter lures, leading to exploitation through malware loaders that execute in memory. The malware tooling has evolved, with initial stages using direct BeaverTail droppers, and more recent waves employing HexEval, XORIndex, and encrypted loaders that reconstruct BeaverTail in memory. Once executed, these loaders typically fetch the InvisibleFerret backdoor, which establishes persistence and enables further malicious actions. The attackers use over a dozen command and control endpoints to manage the compromised systems. The campaign is iterative, with new malicious packages appearing weekly and loader code being regularly tweaked to evade detection. The npm security team has been notified, and takedown requests have been submitted, but as of the latest reports, 25 malicious packages remain live on the registry. The operation has resulted in multi-stage compromises, including the theft of wallet keys and sensitive credentials, leading to financial losses for victims. The attackers' use of social engineering, technical obfuscation, and rapid distribution across new aliases demonstrates a high level of sophistication and adaptability. The campaign has been mapped to the Lockheed Martin Cyber Kill Chain, illustrating its comprehensive approach from reconnaissance to actions on objectives. Security researchers emphasize the need for heightened vigilance among developers, especially those in the cryptocurrency and blockchain sectors, and recommend immediate review of npm dependencies and enhanced monitoring for suspicious package activity. The ongoing nature of the campaign and the attackers' ability to quickly adapt their tactics pose a persistent threat to the software supply chain. Organizations are urged to implement robust security controls, educate staff about social engineering risks, and coordinate with npm and security vendors to mitigate exposure. The incident highlights the growing risk of supply chain attacks via open-source ecosystems and the need for industry-wide collaboration to address such threats.
Apr 11, 2026
North Korean Contagious Interview Campaign Uses JSON Services for Malware Delivery
North Korean threat actors associated with the Contagious Interview campaign have adopted new tactics by leveraging JSON storage services such as JSON Keeper, JSONsilo, and npoint.io to host and deliver malware. These actors approach software developers, particularly those in cryptocurrency and Web3 sectors, via professional networking platforms like LinkedIn, posing as recruiters or collaborators. Victims are lured into downloading trojanized code projects from platforms like GitHub or GitLab, which contain hidden links to malicious payloads stored in JSON services. The initial payload, often disguised as an API key, leads to the download of JavaScript malware such as BeaverTail, which can harvest sensitive data and deploy additional backdoors like InvisibleFerret. The campaign's modular approach allows for further payloads, including TsunamiKit, to be fetched from external sources like Pastebin or .onion addresses. The malware toolkit is capable of system fingerprinting, data collection, and persistent access, with some payloads specifically targeting multiple operating systems including Windows, Linux, and macOS. The Contagious Interview campaign remains focused on financial gain for the DPRK regime and demonstrates ongoing evolution in its social engineering and malware delivery techniques, as highlighted by recent research from NVISO and corroborated by other security firms.
Apr 30, 2026