OtterCandy, malware used by WaterPlum
2025.10.15
Technical Blog
This article is the English version of “WaterPlumが使用するマルウェアOtterCandyについて”.
The original article was authored by NSJ SOC analyst Rintaro Koike.
Introduction
WaterPlum (also known as Famous Chollima or PurpleBravo) is believed to be an attack group associated with North Korea, notably conducting two attack campaigns: Contagious Interview[1] and ClickFake Interview[2]. WaterPlum can be classified into multiple clusters. Among them, activity by Cluster B (commonly referred to as the BlockNovas cluster) has recently been observed.
Regarding Cluster B, reports [3,4] have been published by Silent Push and Trend Micro in the past. While using malware and tools shared within WaterPlum, such as BeaverTail, GolangGhost, and FrostyFerret, Cluster B also independently develops its own malware and tools, making it a unique cluster even within WaterPlum. Recently, it has been conducting attacks using a new malware called OtterCandy, which combines features of RATatouille[5] and OtterCookie[6]. Since attacks have also been observed in Japan, its activities require …
IoC