North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign

North Korean threat actors behind the ongoing Contagious Interview campaign have been observed dropping a new JavaScript malware called OtterCookie.
Contagious Interview (aka DeceptiveDevelopment) refers to a persistent attack campaign that employs social engineering lures, with the hacking crew often posing as recruiters to trick individuals looking for potential job opportunities into downloading malware under the guise of an interview process.
This involves distributing malware-laced videoconferencing apps or npm packages either hosted on GitHub or the official package registry, paving the way for the deployment of malware such as BeaverTail and InvisibleFerret.
Palo Alto Networks Unit 42, which first exposed the activity in November 2023, is tracking the cluster under the moniker CL-STA-0240. It's also referred to as Famous Chollima and Tenacious Pungsan.
In September 2024, Singaporean cybersecurity company Group-IB documented the first major revision to the attack chain, highlighting the use of an updated version of BeaverTail that adopts a modular approach by offloading its information-stealing functionality to a set of Python scripts collectively tracked as CivetQ.
It's worth noting at this stage that Contagious Interview is assessed to be disparate from Operation Dream Job, another long-running North Korean hacking campaign that also employs similar job-related decoys to trigger the malware infection process.
The latest findings from Japanese cybersecurity company NTT Security Holdings reveal that the JavaScript malware responsible for launching BeaverTail is also designed to fetch and execute OtterCookie. The new malware is said to have been introduced in September 2024, with a new version detected in the wild last month.

OtterCookie, upon running, establishes a connection to a command-and-control (C2) server using the Socket.IO JavaScript library and waits for instructions. The operators use that channel to push shell commands that carry out the data theft, including the collection of files, clipboard content, and cryptocurrency wallet keys.
The older OtterCookie variant spotted in September is functionally similar, with one implementation difference: the cryptocurrency wallet key theft routine is built directly into the malware rather than delivered as a shell command from the C2 server.
The development shows that the threat actors are actively updating their tooling while leaving the infection chain largely untouched, a further sign that the campaign continues to be effective.
South Korea Sanctions 15 North Koreans for IT Worker Scam
It also comes as South Korea's Ministry of Foreign Affairs (MoFA) sanctioned 15 individuals and one organization in connection with a fraudulent IT worker scheme orchestrated by its northern counterpart to illegally generate a steady source of income that can be funneled back to North Korea, steal data, and even demand ransoms in some cases.
There is evidence to suggest that the Famous Chollima threat cluster is behind the insider threat operation as well. The cluster is also tracked under other names, including Nickel Tapestry, UNC5267, and Wagemole.
One of the 15 sanctioned individuals, Kim Ryu Song, was also indicted by the U.S. Department of Justice (DoJ) earlier this month for his alleged involvement in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organizations.
Also sanctioned by MoFA is the Chosun Geumjeong Economic Information Technology Exchange Company, which has been accused of dispatching a large number of IT personnel to China, Russia, Southeast Asia, and Africa for procuring funds for the regime by securing freelance or full-time jobs in Western companies.
These IT workers are said to be part of the 313th General Bureau, an organization under the Munitions Industry Department of the Workers' Party of Korea.
"The 313th General Bureau [...] dispatches many North Korean IT personnel overseas and uses the foreign currency earned to secure funds for nuclear and missile development, and is also involved in the development of software for the military sector," the ministry said.
"North Korea's illegal cyber activities are not only criminal acts that threaten the safety of the cyber ecosystem, but also pose a serious threat to international peace and security as they are used as funds for North Korea's nuclear and missile development."