lazarusholic

Additional Features of OtterCookie Malware Used by WaterPlum

2025-05-08, NTTSecurity
https://jp.security.ntt/tech_blog/en-waterplum-ottercookie
#OtterCookie #WaterPlum #ContagiousInterview

This article is the English version of "WaterPlumが使用するマルウェアOtterCookieの機能追加" (Additional Features of the OtterCookie Malware Used by WaterPlum).
The original article was authored by NSJ SOC analysts Masaya Motoda and Rintaro Koike.
Introduction
WaterPlum (also known as Famous Chollima or PurpleBravo) is reportedly a North Korea-linked attack group that targets financial institutions, cryptocurrency operators and FinTech companies worldwide. They have been using malware called BeaverTail and InvisibleFerret in the Contagious Interview campaign since around 2023, and they have been using a new malware since September 2024. We named it "OtterCookie" and published a blog article about it in December 2024.
OtterCookie, new malware used in Contagious Interview campaign
Attacks using OtterCookie continued after that blog article was published, and we confirmed updates to the malware in February and April 2025. In this article, we describe the distinctive differences observed in the new versions. For convenience, we assigned version numbers (v1 to v4) in order of the date each was observed.
The following chart summarizes the functions implemented and target OS for each version. v1 …

IoC

http://65.21.23.63
http://moralis-api-v3.cloud
http://65.108.122.31
http://116.202.208.125
http://modilus.io
http://95.216.227.188
http://194.164.234.151
http://chainlink-api-v3.cloud
http://135.181.123.177
http://188.116.26.84
http://alchemy-api-v3.cloud
95.216.227.188
188.116.26.84
135.181.123.177
116.202.208.125
65.21.23.63
194.164.234.151
65.108.122.31