Famous Chollima, a threat group aligned with the Democratic People’s Republic of Korea (DPRK), has expanded its arsenal by merging the functionality of BeaverTail and OtterCookie to steal credentials and cryptocurrency through fake job offers.
Recent campaigns have delivered the malware through a trojanized Node.js application distributed via a malicious NPM package, showing how the group’s delivery methods continue to evolve.
In these operations, Famous Chollima has combined BeaverTail and OtterCookie in fake job interviews, adding modules for keylogging and screenshot capture. A malicious NPM package, “node-nvm-ssh,” embedded in a cryptocurrency-themed chess application acts as the infection vector, executing obfuscated JavaScript payloads.
OtterCookie has undergone five iterations since late 2024, adding features such as remote shell access, file exfiltration, and the targeting of cryptocurrency wallets. The convergence of BeaverTail, OtterCookie, and InvisibleFerret functionality indicates a shift towards JavaScript-based tooling that reduces the group’s reliance on Python on Windows systems.
The Campaign Activity
Famous Chollima, a subgroup of the DPRK-aligned Lazarus collective, continues to refine its arsenal in Contagious Interview campaigns, integrating BeaverTail and OtterCookie into more unified infostealers. These operations target job seekers by posing as recruiters, tricking them into installing compromised software under the guise of interview-related tasks.
In one incident, an organization in Sri Lanka was incidentally compromised when a user cloned a Bitbucket repository for “Chessfi,” a chess platform with cryptocurrency betting features. The repository’s dependencies included the malicious “node-nvm-ssh” package from NPM, initiating post-install scripts that executed obfuscated JavaScript from files like “test.list.”
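One defensive check against the delivery vector described above, as an added example that is not code from the article or from Cisco Talos: audit a dependency tree for npm lifecycle hooks (preinstall, install, postinstall, prepare) that run at install time and flag commands that execute non-JavaScript files or decode payloads. The package tree, the indicator list and the sample packages below are all constructed for the example.

```javascript
// Added example (not from the article): audit a dependency tree for npm lifecycle
// hooks that run at install time, the mechanism the "node-nvm-ssh" package abused.
// Input is a constructed map of package name -> parsed package.json contents.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristics for hook commands worth a manual look. These are indicators only;
// a hit is not proof of malice (native add-ons legitimately run node-gyp on install).
const SUSPICIOUS = [
  { name: 'runs-non-js-file', re: /\bnode\s+\S+\.(list|txt|dat|bin)\b/i },
  { name: 'eval-or-new-function', re: /\b(eval|new Function)\s*\(/i },
  { name: 'base64-decode', re: /base64|atob\s*\(/i },
  { name: 'curl-or-wget', re: /\b(curl|wget)\b/i },
  { name: 'powershell', re: /powershell/i },
];

// Return one record per install-time hook declared by a package, with any indicators hit.
function auditPackage(name, pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const indicators = SUSPICIOUS.filter(s => s.re.test(cmd)).map(s => s.name);
    findings.push({ package: name, hook, command: cmd, indicators });
  }
  return findings;
}

function auditTree(tree) {
  return Object.entries(tree).flatMap(([name, pkg]) => auditPackage(name, pkg));
}

// Hooks with at least one indicator are the ones to review before allowing the install.
function flagged(tree) {
  return auditTree(tree).filter(f => f.indicators.length > 0);
}

// Constructed sample tree: a benign native add-on, a package with no install hooks,
// and a package whose postinstall runs a non-JavaScript file, as with "test.list".
const SAMPLE_TREE = {
  'native-addon': { scripts: { install: 'node-gyp rebuild' } },
  'plain-lib': { scripts: { test: 'jest' } },
  'suspicious-pkg': { scripts: { postinstall: 'node test.list' } },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(flagged(SAMPLE_TREE), null, 2));
}
```

In practice the tree would be built from the package.json files under node_modules (or from a lockfile) before running `npm install` with `--ignore-scripts` lifted.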
This payload reveals a merging of BeaverTail and OtterCookie codebases, with BeaverTail managing browser profile enumeration and targeting extensions for wallets such as MetaMask and Phantom across various browsers. OtterCookie adds modular extensions, including a remote shell for command execution, a file uploader scanning drives for documents and crypto-related files, and a cryptocurrency extension stealer overlapping with BeaverTail’s list.
A new OtterCookie module, first noted in April 2025, introduces keylogging and screenshot capabilities, buffering the captured data in temporary files before exfiltrating it to command-and-control (C2) endpoints. Clipboard monitoring is present in some variants, using OS-native commands such as “pbpaste” on macOS or PowerShell on Windows.
Researchers at Cisco Talos also identified a suspicious VS Code extension mimicking an onboarding tool, embedding similar code.
Malware Evolution and Techniques
OtterCookie’s development spans from basic remote code execution (RCE) in version 1, seen in late 2024, to version 5 in August 2025, which adds anti-analysis techniques such as environment checks and an error handler that calls eval to load code. Early versions relied on HTTP cookies to carry payloads; later versions execute modular strings on the fly.
BeaverTail, active since mid-2023, has adapted with base64 shuffling of its C2 URLs and cross-platform support, and is often employed in supply-chain attacks. Famous Chollima, also known as Wagemole among other aliases, is a North Korea-nexus threat actor active since at least 2018.
Famous Chollima targets industries such as cryptocurrency, blockchain, and technology, with a notable focus on India and Western countries, including the US, Germany, and Ukraine. The group, believed to be affiliated with North Korea’s Reconnaissance General Bureau, a key intelligence service, focuses primarily on financial gain and espionage in support of the DPRK regime.
Famous Chollima uses sophisticated social engineering, posing as legitimate remote IT workers to infiltrate organizations. They create fake identities, falsify resumes, and use generative AI to craft convincing profiles, securing roles at small to mid-sized businesses via platforms like Upwork and LinkedIn. Once embedded, they deploy custom malware, such as BeaverTail and InvisibleFerret, to steal credentials and sensitive data.
The group delivers Python-based remote access trojans (RATs) such as PylangGhost against the cryptocurrency and blockchain sectors, establishing persistence through registry modifications and using RC4-encrypted HTTP for C2 communication. Its operations fund North Korea’s regime through illicitly earned salaries and stolen assets, evading international sanctions. The group’s infrastructure often relies on anonymization networks to conceal its activities.