Famous Chollima Evolves Its Arsenal, Merging BeaverTail and OtterCookie
Contents
Verticals Targeted: Not specified
Regions Targeted: Sri Lanka
Related Families: BeaverTail, OtterCookie, InvisibleFerret
Executive Summary
Famous Chollima, a DPRK-aligned threat group, has evolved its arsenal, with BeaverTail and OtterCookie increasingly merging functionalities to steal credentials and cryptocurrency via deceptive job offers. A recent campaign involved a trojanized Node.js application distributed through a malicious NPM package, highlighting the group's adaptation in delivery methods.
Key Takeaways
- In the campaign, Famous Chollima deploys merged BeaverTail and OtterCookie variants in fake job interviews, incorporating new modules for keylogging and screenshot capture.
- A malicious NPM package "node-nvm-ssh" embedded in a cryptocurrency-themed chess app serves as the infection vector, executing obfuscated JavaScript payloads.
- OtterCookie has evolved through five versions since late 2024, adding capabilities like remote shell access, file exfiltration, and cryptocurrency wallet targeting.
- Functional overlaps between BeaverTail, OtterCookie, and InvisibleFerret suggest a shift toward JavaScript-based tooling to reduce Python dependencies on Windows systems.
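A defender-side check that follows from the indicators on this page, added here as an example and not part of the original report: it looks for the named NPM package in a project's package.json or package-lock.json and hashes files under a directory against the listed digests. The digests are treated as SHA-256 because they are 64 hex characters (an assumption; the page does not state the algorithm), and the lockfile and sample file used in `demo()` are constructed placeholders, not artifacts from the campaign.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Digests listed in the page's IoC section; assumed to be SHA-256 (64 hex chars).
IOC_HASHES = {
    "caad2f3d85e467629aa535e0081865d329c4cd7e6ff20a000ea07e62bf2e4394",
    "83c145aedfdf61feb02292a6eb5091ea78d8d0ffaebf41585c614723f36641d8",
}
# Package name the page identifies as the infection vector.
IOC_PACKAGES = {"node-nvm-ssh"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_ioc_packages(manifest_text: str, names=IOC_PACKAGES) -> set:
    """Return indicator package names referenced by a package.json or package-lock.json.

    Handles package.json dependency sections, lockfile v1 ("dependencies" keyed by
    name) and lockfile v2/v3 ("packages" keyed by "node_modules/<name>" paths).
    """
    data = json.loads(manifest_text)
    found = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        found |= set(names) & set(data.get(section, {}).keys())
    for key in data.get("packages", {}):
        # Nested installs look like node_modules/a/node_modules/b; take the leaf name.
        leaf = key.split("node_modules/")[-1]
        if leaf in names:
            found.add(leaf)
    return found


def scan_tree(root: Path, hashes=IOC_HASHES) -> list:
    """Hash every regular file below root and return (path, digest) pairs that match."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = sha256_bytes(p.read_bytes())
            if digest in hashes:
                hits.append((p, digest))
    return hits


def demo() -> dict:
    """Self-contained run on constructed input (a temp tree plus a fake lockfile).

    The sample file is benign text; its own digest is added to the indicator set
    only so the hash-matching path is exercised end to end.
    """
    constructed_lock = json.dumps({
        "name": "placeholder-chess-app",  # constructed project name
        "lockfileVersion": 3,
        "packages": {
            "": {"dependencies": {"node-nvm-ssh": "1.0.0"}},
            "node_modules/node-nvm-ssh": {"version": "1.0.0"},
            "node_modules/left-pad": {"version": "1.3.0"},
        },
    })
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        sample = root / "payload.js"
        sample.write_bytes(b"// constructed sample file, not malware\n")
        hashes = IOC_HASHES | {sha256_bytes(sample.read_bytes())}
        hits = scan_tree(root, hashes)
        return {
            "hash_hits": [p.name for p, _ in hits],
            "package_hits": sorted(find_ioc_packages(constructed_lock)),
        }


if __name__ == "__main__":
    print(demo())
```

Pointing `scan_tree` at a real checkout and `find_ioc_packages` at its lockfile gives a quick triage of a suspicious "take-home" project before anyone runs `npm install`; a hash match on an existing file or a lockfile reference to the named package is the signal to isolate the machine and pull the package for analysis.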
The Activity
Famous Chollima, a subgroup of the DPRK-aligned …
IoC
caad2f3d85e467629aa535e0081865d329c4cd7e6ff20a000ea07e62bf2e4394
83c145aedfdf61feb02292a6eb5091ea78d8d0ffaebf41585c614723f36641d8