
Cyber threat actors tied to North Korea are expanding their global reach with an updated strain of malware dubbed OtterCookie, a successor to earlier WaterPlum payloads like BeaverTail and InvisibleFerret. First exposed in December 2024 by NSJ SOC analysts Masaya Motoda and Rintaro Koike, OtterCookie has since undergone multiple evolutions, with the latest variants—v3 and v4—demonstrating a significant increase in functionality and cross-platform threat capability.
OtterCookie is deployed as part of the Contagious Interview campaign, a long-running operation aimed at financial institutions, cryptocurrency platforms, and fintech companies worldwide. The campaign uses fake job offers and recruiter outreach to lure targets into running malicious payloads.
While OtterCookie v1 functioned primarily as a file grabber, by v3 (observed in February 2025) and v4 (April 2025), the malware had evolved into a multi-module stealer with features tailored for both Windows and macOS systems.
The v3 version of OtterCookie introduced a two-module architecture:

- Main Module: Retains the legacy functions, scanning for sensitive files related to documents, images, and cryptocurrency.
- Upload Module: Adds support for Windows environments, sending files whose extensions match the pre-defined filters in its searchKey array to a remote command-and-control (C2) server.
“Other than Windows environment, it collects document files, image files and files related to cryptocurrency and sends them to a remote server,” the report states.
Unlike earlier versions, which relied on remote shell commands issued by the operator for file collection, v3 hardcodes the collection logic, so collection runs without operator interaction; the report characterises this as improving efficiency and stealth.
In April 2025, researchers observed OtterCookie v4 in the wild. This version integrates:
- Two new Stealer modules
- Enhanced environment checks, including virtual machine detection
- Replacement of third-party clipboard tools with native macOS and Windows commands
“Virtual environment detection function was added… We assume that the attackers intended to discern the logs for sandbox environment and that of actual infection,” the report explains.
One Stealer module specifically targets Google Chrome login credentials, leveraging Windows' Data Protection API (DPAPI) to decrypt and extract passwords from Chrome's Login Data database. The stolen credentials are staged in a local database file (1.db) before further processing.
A second Stealer module focuses on browser-stored wallet data, collecting files related to MetaMask, Google Chrome, Brave, and macOS keychains. Notably, this module does not decrypt the data on the host, which suggests that decryption is handled elsewhere, either through a relay or on separate post-processing infrastructure.
OtterCookie is attributed to the WaterPlum group, also known as Famous Chollima or PurpleBravo. The actor’s consistent targeting of financial and cryptocurrency sectors, coupled with the technical sophistication of each OtterCookie update, points to a well-resourced APT campaign likely supported by state-level directives.