The North Korean threat actor linked to the Contagious Interview campaign has been observed merging some of the functionality of two of its malware programs, indicating that the hacking group is actively refining its toolset.
That's according to new findings from Cisco Talos, which said recent campaigns undertaken by the hacking group have seen the functions of BeaverTail and OtterCookie coming closer to each other more than ever, even as the latter has been fitted with a new module for keylogging and taking screenshots.
The activity is attributed to a threat cluster that's tracked by the cybersecurity community under the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, PurpleBravo, Tenacious Pungsan, UNC5342, and Void Dokkaebi.
The development comes as Google Threat Intelligence Group (GTIG) and Mandiant revealed the threat actor's use of a stealthy technique known as EtherHiding to fetch next-stage payloads from the BNB Smart Chain (BSC) or Ethereum blockchains, essentially turning decentralized infrastructure into a resilient command-and-control (C2) server. It represents the first documented case of a nation-state actor utilizing the method that has been otherwise adopted by cybercrime groups.
Contagious Interview refers to an elaborate recruitment scam that began sometime around late 2022, with the North Korean threat actors impersonating hiring organizations to target job seekers and deceiving them into installing information-stealing malware as part of a supposed technical assessment or coding task, resulting in the theft of sensitive data and cryptocurrency.
In recent months, the campaign has undergone several shifts, including leveraging ClickFix social engineering techniques for delivering malware strains such as GolangGhost, PylangGhost, TsunamiKit, Tropidoor, and AkdoorTea. Central to the attacks, however, are malware families known as BeaverTail, OtterCookie, and InvisibleFerret.
BeaverTail and OtterCookie are separate but complementary malware tools, with the latter first spotted in real-world attacks in September 2024. Unlike BeaverTail, which functions as an information stealer and downloader, initial interactions of OtterCookie were designed to contact a remote server and fetch commands to be executed on the compromised host.
The activity detected by Cisco Talos concerns an organization headquartered in Sri Lanka. It's assessed that the company was not intentionally targeted by the threat actors, but rather they had one of their systems infected, likely after a user fell victim to a fake job offer that instructed them to install a trojanized Node.js application called Chessfi hosted on Bitbucket as part of the interview process.
Interestingly, the malicious software includes a dependency via a package called "node-nvm-ssh" published to the official npm repository on August 20, 2025, by a user named "trailer." The package attracted a total of 306 downloads, before it was taken down by the npm maintainers six days later.
It's also worth noting that the npm package in question is one of the 338 malicious Node libraries flagged earlier this week by software supply chain security company Socket as connected to the Contagious Interview campaign.
The package, once installed, triggers the malicious behavior by means of a postinstall hook in its package.json file that's configured to run a custom script called "skip" so as to launch a JavaScript payload ("index.js"), which, in turn, loads another JavaScript ("file15.js") responsible for executing the final-stage malware.
Further analysis of the tool used in the attack has found that "it had characteristics of BeaverTail and of OtterCookie, blurring the distinction between the two," security researchers Vanja Svajcer and Michael Kelley said, adding it incorporated a new keylogging and screenshotting module that uses legitimate npm packages like "node-global-key-listener" and "screenshot-desktop" to capture keystrokes and take screenshots, respectively, and exfiltrate the information to the C2 server.
At least one version of this new module comes equipped with an auxiliary clipboard monitoring feature to siphon clipboard content. The emergence of the new version of OtterCookie paints a picture of a tool that has evolved from basic data-gathering to a modular program for data theft and remote command execution.
Also present in the malware, codenamed OtterCookie v5, are functions akin to BeaverTail to enumerate browser profiles and extensions, steal data from web browsers and cryptocurrency wallets, install AnyDesk for persistent remote access, as well as download a Python backdoor referred to as InvisibleFerret.
Some of the other modules present in OtterCookie are listed below -
- Remote shell module, which sends system information and clipboard content to the C2 server and installs the "socket.io-client" npm package to connect to a specific port on the OtterCookie C2 server and receive further commands for execution
- File uploading module, which systematically enumerates all drives and traverses the file system in order to find files matching certain extensions and naming patterns (e.g., metamask, bitcoin, backup, and phrase) to be uploaded to the C2 server
- Cryptocurrency extensions stealer module, which extracts data from cryptocurrency wallet extensions installed on Google Chrome and Brave browsers (the list of extensions targeted partially overlaps with that of BeaverTail)
Furthermore, Talos said it detected Qt-based BeaverTail artifact and a malicious Visual Studio Code extension containing BeaverTail and OtterCookie code, raising the possibility that the group may be experimenting with new methods of malware delivery.
"The extension could also be a result of experimentation from another actor, possibly even a researcher, who is not associated with Famous Chollima, as this stands out from their usual TTPs," the researchers noted.
