A new report from NTT Security Japan has spotlighted an evolved malware family known as OtterCandy, attributed to the North Korea-linked group WaterPlum, also tracked as Famous Chollima or PurpleBravo. The campaign, recently observed targeting Japan, marks a sophisticated update in the group’s multi-platform intrusion capabilities.
According to the report, “WaterPlum can be classified into multiple clusters. Among them, activity by Cluster B (commonly referred to as BlockNovas cluster) is recently observed.” This cluster, known for its involvement in the ClickFake Interview campaign, has long leveraged shared toolsets such as BeaverTail, GolangGhost, and FrostyFerret. Yet, NTT analysts emphasize that Cluster B also “independently develops its own malware and tools, making it a unique cluster even within WaterPlum.”
The ClickFake Interview campaign lured victims through fraudulent job-interview websites before redirecting them to malicious “ClickFix” pages. While earlier waves primarily deployed GolangGhost and FrostyFerret for macOS, NTT’s analysis reveals that “since around July 2025, OtterCandy has been distributed for Windows, macOS, and Linux.”
Built with Node.js, OtterCandy functions as both a Remote Access Trojan (RAT) and an Information Stealer. The malware “combines elements of RATatouille and OtterCookie”, suggesting the developers repurposed features from earlier espionage tools to create a more flexible, cross-platform implant.

The researchers identified the first OtterCandy sample uploaded to VirusTotal in February 2025, which they note was “identical to the sample mistakenly labeled as OtterCookie in Silent Push’s report.” The malware communicates with its command-and-control (C2) infrastructure using Socket.IO, enabling remote operators to execute commands that “steal browser credentials, cryptocurrency wallets, and/or confidential files from the victim’s device.”
NTT Security Japan’s latest discovery highlights a significant August 2025 update that refined the malware’s persistence and data-theft capabilities. Researchers differentiate between two versions — v1 and v2 — noting that earlier samples merely rewrote their C2 addresses, but the new iteration introduced “three major updates.”
“In v1, the information sent to C2 included ‘username’ data… however, starting with v2, ‘client_id’ has been added, and user identification was enhanced compared to the previous version.”
In addition, the threat actors expanded their theft targets: “While v1 specified four browser extensions, v2 specified seven browser extensions.” The exfiltration process for Chromium-based browsers was also upgraded to transmit complete datasets rather than partial records, reflecting a deliberate evolution toward more exhaustive intelligence collection.
Most notably, OtterCandy v2 introduces an anti-forensic module that removes traces after execution. As NTT notes, “Deletion of registry keys used for persistence, as well as the deletion of files and directories, are added to ss_del command implementation in v2.”
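One way a defender can hunt for the clean-up behaviour described above is to correlate a persistence registry value being set and later deleted by the same process. The following is an added example, not code from the NTT report or from the article; it runs over constructed Sysmon-style registry events (Event ID 13 `SetValue`, Event ID 12 `DeleteValue`), and the Run/RunOnce key paths are standard autorun locations, an assumption, since the report does not name which keys OtterCandy uses.

```python
"""Flag a process that writes a Run/RunOnce persistence value and later deletes it.
Added detection sketch; the sample events below are constructed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: standard autorun locations count as persistence (the report names none).
PERSISTENCE_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Constructed sample events: (utc_time, event_type, image, target_object)
SAMPLE_EVENTS = [
    ("2025-08-10 09:00:01", "SetValue", r"C:\Users\alice\AppData\Local\node.exe",
     r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ("2025-08-10 09:00:05", "SetValue", r"C:\Windows\explorer.exe",
     r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop"),
    ("2025-08-10 09:12:40", "DeleteValue", r"C:\Users\alice\AppData\Local\node.exe",
     r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ("2025-08-11 12:00:00", "DeleteValue", r"C:\Program Files\Vendor\uninstall.exe",
     r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"),
]


def find_self_cleaning_persistence(events, window=timedelta(hours=24)):
    """Return (image, target, seconds_between) for every persistence value that the
    same image both set and then deleted within `window`. A deletion with no earlier
    SetValue by that image (e.g. a legitimate uninstaller) is not reported."""
    set_times = defaultdict(list)
    hits = []
    for ts, etype, image, target in sorted(events):  # timestamps share one format
        if not PERSISTENCE_KEY.search(target):
            continue  # ignore registry writes outside autorun locations
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = (image.lower(), target.lower())
        if etype == "SetValue":
            set_times[key].append(when)
        elif etype == "DeleteValue":
            for created in set_times[key]:
                if timedelta(0) <= when - created <= window:
                    hits.append((image, target, int((when - created).total_seconds())))
                    break
    return hits


if __name__ == "__main__":
    for image, target, secs in find_self_cleaning_persistence(SAMPLE_EVENTS):
        print(f"{image} set and removed {target} within {secs}s")
```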