Additional Features of OtterCookie Malware Used by WaterPlum

Summary:
A newly updated malware strain called OtterCookie is being actively deployed by North Korea-linked threat actors known as the WaterPlum group (Famous Chollima/PurpleBravo). This malware is a successor to earlier WaterPlum payloads like BeaverTail and InvisibleFerret and was initially identified in December 2024. Since then, OtterCookie has undergone significant evolution, with the latest versions, v3 (observed in February 2025) and v4 (April 2025), exhibiting expanded functionality and cross-platform capabilities targeting both Windows and macOS systems. The malware is a key component of the ongoing "Contagious Interview" campaign, which lures victims who work at financial institutions, cryptocurrency platforms, and fintech companies globally through deceptive job offers. While the initial version focused on file exfiltration, the newer iterations include sophisticated multi-module stealers designed to harvest sensitive information, including documents, images, cryptocurrency-related files, browser login credentials (specifically targeting Google Chrome using Windows DPAPI), and browser-stored wallet data (including MetaMask, Chrome, Brave, and macOS keychains). Version 4 also incorporates enhanced environment checks, including virtual machine detection, and replaces third-party tools with native OS commands for clipboard operations.
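The report describes OtterCookie v3/v4 reading on-disk browser credential and wallet stores (Chrome "Login Data" protected with Windows DPAPI, MetaMask extension storage, macOS keychains). One practical detection is to alert when a process that is not a web browser opens those files. The script below is an added defender-side example, not code from the NTT report, from the WaterPlum group, or from OtterCookie itself. It assumes a simplified file-access event feed in a constructed `timestamp|host|process_image|target_path` layout (the hostnames, user name and the non-browser process `node.exe`/`node` in the sample events are constructed stand-ins, not indicators from the report); the path patterns are the standard Chrome/Brave profile layout and the MetaMask Chrome Web Store extension ID folder.

```python
"""
Added detection example: flag file-access events in which a non-browser process
touches browser credential or wallet stores of the kind the report says
OtterCookie harvests. Sample events and host/process names are CONSTRUCTED.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Processes normally expected to open browser profile data (lower-cased basenames).
BROWSER_ALLOWLIST = {"chrome.exe", "brave.exe", "msedge.exe", "google chrome", "brave browser"}

# Path patterns for the stores named in the report. First match wins.
# "Local State" is the companion file in which Chrome keeps the DPAPI-protected
# key for its credential database; the long folder name is MetaMask's extension ID.
SENSITIVE_STORE_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("browser-login-data", re.compile(r"[\\/]user data[\\/].*[\\/]login data$", re.I)),
    ("browser-local-state", re.compile(r"[\\/]user data[\\/]local state$", re.I)),
    ("metamask-extension-storage",
     re.compile(r"local extension settings[\\/]nkbihfbeogaeaoehlefnkodbefgpgknn", re.I)),
    ("macos-keychain", re.compile(r"[\\/]library[\\/]keychains[\\/].*\.keychain(-db)?$", re.I)),
]


@dataclass
class Finding:
    timestamp: str
    host: str
    process: str
    path: str
    store: str


def classify_store(path: str) -> Optional[str]:
    """Return the store label for a sensitive path, or None if the path is uninteresting."""
    for label, pattern in SENSITIVE_STORE_PATTERNS:
        if pattern.search(path):
            return label
    return None


def parse_event(line: str) -> Optional[List[str]]:
    """Split one constructed 'ts|host|image|path' line; None if malformed."""
    parts = [p.strip() for p in line.split("|")]
    return parts if len(parts) == 4 else None


def detect_credential_store_access(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per event where a non-browser process opened a sensitive store."""
    findings: List[Finding] = []
    for line in lines:
        parts = parse_event(line)
        if parts is None:
            continue
        ts, host, image, path = parts
        # Basename of the process image, Windows or POSIX style, lower-cased.
        proc = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        store = classify_store(path)
        if store and proc not in BROWSER_ALLOWLIST:
            findings.append(Finding(ts, host, proc, path, store))
    return findings


def summarize_by_process(findings: Iterable[Finding]) -> Dict[Tuple[str, str], int]:
    """Count findings per (host, process) so one stealer run rolls up into one alert."""
    counts: Dict[Tuple[str, str], int] = {}
    for f in findings:
        key = (f.host, f.process)
        counts[key] = counts.get(key, 0) + 1
    return counts


# CONSTRUCTED sample events (not real telemetry, not indicators from the report).
SAMPLE_EVENTS = [
    # benign: the browser opening its own profile
    r"2025-04-14T09:01:12Z|WS-FIN-07|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    # suspicious: a non-browser process reads the credential database...
    r"2025-04-14T09:03:44Z|WS-FIN-07|C:\Program Files\nodejs\node.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    # ...and the Local State file holding the DPAPI-protected key
    r"2025-04-14T09:03:45Z|WS-FIN-07|C:\Program Files\nodejs\node.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State",
    # suspicious: MetaMask extension storage under a Brave profile
    r"2025-04-14T09:03:50Z|WS-FIN-07|C:\Program Files\nodejs\node.exe|C:\Users\alice\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\000003.log",
    # suspicious (macOS): a non-browser process opening the user's login keychain
    "2025-04-14T09:10:02Z|MBP-FIN-03|/usr/local/bin/node|/Users/alice/Library/Keychains/login.keychain-db",
    # benign: unrelated document
    r"2025-04-14T09:11:00Z|WS-FIN-07|C:\Windows\explorer.exe|C:\Users\alice\Documents\report.docx",
]

if __name__ == "__main__":
    hits = detect_credential_store_access(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.process} -> {f.store}: {f.path}")
    print(summarize_by_process(hits))
```

On the constructed sample the four events from the non-browser process are reported and the two benign ones are not. The allowlist check is deliberately on the process basename only; in production you would key it on a signed-image or path check, since a stealer can name itself `chrome.exe`, and you would roll the per-(host, process) counts into a single alert rather than four.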

Security Officer Comments:
The emergence and rapid evolution of OtterCookie as part of the Contagious Interview campaign highlight the persistent cyber threat posed by North Korean state-sponsored actors. The upgrade from simple malware with only file-grabbing capabilities to an information stealer with remote code execution and targeted modules for credential and cryptocurrency wallet theft demonstrates a clear intent to compromise high-value targets within the financial and digital currency sectors. The addition of virtual environment detection to evade analysis in the latest version suggests the malware is polished enough to operate effectively in real-world environments and is reaching the final stages of its development lifecycle. OtterCookie's emergence following InvisibleFerret and BeaverTail suggests it may be the successor to those North Korean operations. The attribution to the well-established WaterPlum group, coupled with the consistent targeting and technical advancements observed, underscores the need for heightened vigilance and robust security measures within the targeted industries, especially following the recent Wagemole campaign activity targeting the Kraken cryptocurrency platform. The continued development and deployment of OtterCookie emphasize the importance of organizations establishing stronger identity verification procedures as part of their interview process and working cooperatively with HR departments to proactively screen out these fake interviewees.

Suggested Corrections:
IOCs are available here.

Organizations can make APT groups’ lives more difficult. Here’s how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Regardless of preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
Link(s):
https://jp.security.ntt/tech_blog/en-waterplum-ottercookie