A new report from Cisco Talos has exposed a malware campaign linked to Famous Chollima, a North Korean threat group aligned with the Lazarus APT and known for its long-running job-themed espionage operations. This campaign, part of the broader “Contagious Interview” activity, uses fake job offers and trojanized open-source tools to infect developers with BeaverTail and OtterCookie — two evolving malware families that now include keylogging, clipboard theft, and cryptocurrency wallet stealing capabilities.
The campaign’s infection chain begins with a fake job offer, delivered through freelancing platforms such as Fiverr or over Discord messages, that instructs the victim to download a Node.js project called “Chessfi”, a trojanized web3-based chess application, as part of the supposed interview process.
“It is likely that a user fell for a fake job offer instructing them to install a trojanised Node.js application called Chessfi as part of a fake job interview process,” Talos explained.
Once the project is cloned from Bitbucket and its dependencies are installed, its package.json pulls in a malicious package named “node-nvm-ssh” from the NPM registry. That package declares postinstall scripts which npm runs automatically during installation; they spawn a hidden process chain that ultimately loads an obfuscated payload, a combined variant of the BeaverTail and OtterCookie malware.
Talos notes that the multi-stage loading sequence “makes it quite difficult for an unsuspecting software engineer to discover that the installation of the Chessfi application will eventually lead to execution of malicious code.”
While BeaverTail and OtterCookie originated as distinct tools, the sample Talos analyzed combines code from both, yielding a cross-platform malware suite written in JavaScript that runs on Windows, macOS, and Linux.
“Once Talos conducted the initial analysis, we realized that the tools used to conduct it had characteristics of BeaverTail and of OtterCookie, blurring the distinction between the two. The code also contained some additional functionality we have not previously encountered,” Cisco Talos stated.
BeaverTail focuses on browser data exfiltration, cryptocurrency wallet theft, and remote access through tools like AnyDesk, while OtterCookie has evolved into a modular data-theft framework with keylogging, screenshotting, and file upload capabilities.
“OtterCookie evolved from the initial basic data-gathering capabilities to a more modular design for data theft and remote command execution techniques,” Talos noted, adding that the latest version (v5) introduces “a keylogging module that captures screenshots and uploads them to the C2 server together with keystrokes.”

The newly identified OtterCookie v5 includes a keylogging and screenshot module using public Node.js packages such as “node-global-key-listener” and “screenshot-desktop”. The captured data — including keystrokes, screenshots, and clipboard content — is stored locally and exfiltrated to a command-and-control (C2) server at 172.86.88.188:1478/upload.
“The keylogging module uses the packages node-global-key-listener for keylogging, screenshot-desktop for taking desktop screenshots, and sharp for converting the captured screenshots into web-friendly image formats,” Talos described.
Another module enumerates local drives, searches for sensitive file types such as .env, .wallet, .json, and .xlsx, and exfiltrates them to the C2 server at 172.86.88.188:1476/upload.
Talos also found a remote shell component that communicates over WebSocket using socket.io-client, enabling attackers to execute arbitrary commands and steal clipboard data via PowerShell or macOS commands.
Talos also found a malicious Visual Studio Code (VS Code) extension that embeds OtterCookie functionality. The extension masquerades as “Mercer Onboarding Helper” and claims to help recruiters manage candidate tests, but loads OtterCookie code once installed.
“While Talos cannot attribute this VS Code extension to Famous Chollima with high confidence, this may indicate that the threat actor is experimenting with different delivery vectors,” the researchers wrote.
Such experimentation suggests that North Korean operators are expanding their toolset to target developers directly through popular IDEs and open-source ecosystems, leveraging the trust and reach of supply chain platforms like NPM and GitHub.
Talos analysis found that both BeaverTail and OtterCookie actively target cryptocurrency browser extensions such as MetaMask, Phantom, and TrustWallet, and extract saved credentials from Chrome, Brave, Opera, and Firefox browsers.
“The cryptocurrency module targets Google Chrome and Brave browsers. If any extensions are found in any of the browser profiles, the extension files as well as the saved Login and Web data are uploaded to a C2 server URL,” the report stated.
This evolution shows how Famous Chollima continues to blend espionage and financial crime, aligning with DPRK’s focus on cryptocurrency theft as a means of evading international sanctions.
Cisco Talos also highlighted overlaps between BeaverTail, OtterCookie, and another DPRK-linked malware framework known as InvisibleFerret, a Python-based modular payload.
“All additional modules present in OtterCookie code correspond well to the functionality that is traditionally associated with InvisibleFerret and its Python-based modules,” Talos wrote.
By moving these capabilities from Python to JavaScript, the group no longer depends on a Python runtime being present on the victim’s machine; Node.js is already installed on the developer systems the campaign targets, which improves both compatibility and stealth.
To hinder detection, the attackers heavily obfuscate JavaScript code using Obfuscator.io, XOR-based string encryption, and shuffled base64 C2 addresses.
“The operational tempo of groups attributed to Famous Chollima is high and the detection of completely new samples on VirusTotal remains unreliable, allowing threat actors enough time to successfully attack some victims,” Talos warned.