OtterCookie v4 Introduces Enhanced Virtual Machine Detection and Advanced Credential Theft Features for Chrome and MetaMask


The North Korean threat actors behind the Contagious Interview campaign have been observed employing upgraded versions of a cross-platform malware known as OtterCookie. This malware is capable of stealing credentials from web browsers and other sensitive files.

Recent findings from NTT Security Holdings reveal that the attackers have actively updated the malware, with versions v3 and v4 being introduced in February and April 2025, respectively. NTT has been tracking this activity under the cluster name WaterPlum, which is also identified as CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, PurpleBravo, and Tenacious Pungsan.

OtterCookie was initially documented by NTT last year after it was observed in attacks since September 2024. The malware is typically delivered through a malicious JavaScript payload embedded in npm packages, trojanized GitHub or Bitbucket repositories, or fraudulent videoconferencing applications. Its design allows for communication with external servers to execute commands on compromised systems.

The third version of OtterCookie introduces a new upload module that transmits files with specific extensions to an external server. This includes various types of files such as environment variables, images, documents, spreadsheets, text files, and files related to cryptocurrency wallets.

The fourth iteration of the malware enhances its functionality by adding new modules to extract credentials from Google Chrome, to gather data from the MetaMask extension in Google Chrome and the Brave browser, and to harvest data from iCloud Keychain. Notably, OtterCookie v4 can also detect execution within virtual machine environments, specifically those associated with Broadcom VMware, Oracle VirtualBox, Microsoft, and QEMU.

The first stealer module for Google Chrome credentials decrypts the data, whereas the second module collects encrypted login information from various browsers. This distinction in data processing suggests the involvement of different developers for these modules.

The continuous discovery of various malicious payloads linked to the Contagious Interview campaign indicates that the threat actors are refining their operational techniques. Additionally, researchers have identified a Go-based information stealer masquerading as a Realtek driver update, which, when executed, installs a shell script to download this stealer and a deceptive macOS application designed to harvest macOS system passwords.

The malware's distribution is believed to be part of a renewed wave of activity previously classified as ClickFake Interview. This method uses fake job scenarios to trick potential victims as they apply for positions, presenting them with fictitious audio and video problems during online assessments as a lure.

The primary function of the stealer is to establish a persistent command-and-control (C2) channel, profile the infected system, and exfiltrate sensitive data through system reconnaissance and credential theft.

Furthermore, a new malware family associated with this campaign, Tsunami-Framework, has emerged, which follows a known Python backdoor called InvisibleFerret. This .NET-based malware is designed to steal various data from web browsers and cryptocurrency wallets, incorporating functionalities such as keystroke logging, file collection, and the potential for botnet capabilities.

Contagious Interview is part of a larger operational cluster attributed to the Lazarus Group, a notorious North Korean hacking unit known for their espionage and financially motivated attacks aimed at supporting national interests and evading international sanctions.

As this campaign continues, the tactics employed by North Korean threat actors extend beyond malware to deceptive employment strategies. The infamous IT worker scheme, also referred to as Famous Chollima, has increasingly targeted organizations in Europe and Asia, leveraging falsified resumes and digital manipulation to secure employment.

Falsified identities often involve stock photos and generative AI tools, enabling the creation of convincing profiles for job applications. Once employed, these actors utilize various methods such as mouse jiggler utilities and VPN software to maintain the façade of legitimate remote work.

Security teams have reported instances where job interviews turned into intelligence-gathering operations, with candidates using altered documentation and suspicious remote work setups.

To counter these threats, organizations are advised to implement robust identity verification processes during their hiring phases. Human resources staff should be regularly trained on the evolving tactics used by these campaigns to increase their ability to spot fraudulent actors. Continuous monitoring of potential insider threats, along with reviews of suspicious tool usage and travel alerts, will further enhance security against these sophisticated infiltration attempts.