OtterCookie v4 Adds VM Detection and Chrome, MetaMask Credential Theft Capabilities

The North Korean threat actors behind the Contagious Interview campaign have been observed using updated versions of OtterCookie, a cross-platform malware capable of stealing credentials from web browsers and other files.

According to NTT Security Holdings, the attackers "actively and consistently" updated the malware, releasing versions v3 and v4 in February and April 2025, respectively.

The activity cluster is tracked by the Japanese security firm as WaterPlum, and is also known as CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, PurpleBravo, and Tenacious Pungsan.

NTT first documented OtterCookie last year after observing it in attacks since September 2024. It is designed to contact a remote server and execute commands on compromised hosts, and it arrives as a JavaScript payload delivered through a malicious npm package, a trojanized GitHub or Bitbucket repository, or a fake videoconferencing app.

OtterCookie v3 introduces a new upload module that sends files matching a predetermined set of extensions to a remote server. These include environment variable files, images, documents, spreadsheets, text files, and files containing mnemonic (seed) and recovery phrases for cryptocurrency wallets.

It is worth noting that this functionality was originally implemented in OtterCookie v2 as a shell command received from the remote server rather than as a dedicated module.

The fourth iteration of the malware builds on its predecessor by adding two more modules to steal Google Chrome credentials as well as harvest data from the MetaMask extension for Google Chrome, the Brave browser, and the macOS Keychain.

Another new feature in OtterCookie v4 is the ability to detect whether it is running in a virtual machine (VM) environment from Broadcom VMware, Oracle VirtualBox, Microsoft, or QEMU, a common anti-analysis check intended to keep the payload from running inside sandboxes.
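To make concrete what a hypervisor check of this kind looks at, the following added example (written for this page; it is not OtterCookie's code and does not reproduce its checks) classifies a host from the artifacts that most commonly betray a VM: SMBIOS/DMI vendor and product strings and the MAC OUIs assigned to virtual NICs. The signature table and the thresholds are assumptions of the example; analysts can use the same artifacts in reverse, to make sure a detonation sandbox does not advertise itself.

```python
"""Hypervisor fingerprinting from host artifacts (added illustration; not OtterCookie's code)."""
import os
import re

# Lower-case substrings that commonly appear in SMBIOS/DMI vendor, product and BIOS
# strings under each hypervisor named in the article. The table is an assumption of
# this example, not a list recovered from the malware.
DMI_SIGNATURES = {
    "VMware": ("vmware",),
    "VirtualBox": ("virtualbox", "innotek", "vbox"),
    # "Microsoft Corporation" alone also appears on physical Surface hardware,
    # so only the VM-specific product strings count for Hyper-V.
    "Microsoft": ("hyper-v", "virtual machine"),
    "QEMU": ("qemu", "bochs"),
}

# Well-known MAC OUIs assigned to virtual network adapters.
MAC_OUI = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Microsoft",
    "52:54:00": "QEMU",
}


def classify(dmi_strings, mac_addresses):
    """Return the hypervisor suggested by the artifacts, or None if nothing matches.

    dmi_strings: iterable of vendor/product/BIOS strings; mac_addresses: iterable of MACs.
    A DMI hit is checked first because it is the stronger signal; a MAC OUI hit is
    reported on its own only as a fallback, since OUIs can be spoofed or reused.
    """
    haystack = " ".join(s.lower() for s in dmi_strings)
    for name, needles in DMI_SIGNATURES.items():
        if any(n in haystack for n in needles):
            return name
    for mac in mac_addresses:
        oui = mac.lower().replace("-", ":")[:8]
        if oui in MAC_OUI:
            return MAC_OUI[oui]
    return None


def _read(path):
    """Read a small sysfs/procfs file, returning '' if it does not exist."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read().strip()
    except OSError:
        return ""


def collect_linux_artifacts():
    """Gather the same artifacts from a live Linux host (empty lists on other OSes)."""
    dmi = [_read(f"/sys/class/dmi/id/{f}") for f in ("sys_vendor", "product_name", "bios_vendor")]
    model = re.search(r"model name\s*:\s*(.+)", _read("/proc/cpuinfo"))
    if model:
        dmi.append(model.group(1))
    macs = []
    if os.path.isdir("/sys/class/net"):
        for iface in os.listdir("/sys/class/net"):
            addr = _read(f"/sys/class/net/{iface}/address")
            if addr and addr != "00:00:00:00:00:00":
                macs.append(addr)
    return [s for s in dmi if s], macs


if __name__ == "__main__":
    dmi, macs = collect_linux_artifacts()
    print("host looks like:", classify(dmi, macs) or "bare metal / unknown")
```

Running the script on a sandbox that reports, say, "innotek GmbH" as its vendor shows why analysis VMs are often rebuilt with patched DMI tables and non-default MAC prefixes before detonating samples like this one.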

Interestingly, one of the new stealer modules decrypts the Google Chrome credentials after extracting them, while the other module extracts the still-encrypted login data from browsers such as Chrome and Brave and leaves the decryption to the attackers.

Researchers Masaya Motoda and Rintaro Koike said, "This difference in data processing or programming style implies that these modules were developed by different engineers."

The disclosure comes as several malicious payloads linked to the Contagious Interview campaign have been discovered recently, indicating that the threat actors continue to refine their modus operandi.

These include a Go-based information stealer distributed as a Realtek driver update ("WebCam.zip") which, when opened, runs a shell script that launches a fake macOS application ("DriverMinUpdate.app") designed to phish the victim's macOS system password, and then downloads the stealer.

According to Sekoia, the malware was distributed last month as part of an updated version of the campaign, under the pretext of fixing non-existent audio and video issues during an online assessment that is part of a job interview process.

According to Moonlock, MacPaw's cybersecurity division, the stealer's primary responsibilities are to "create a consistent C2 channel," profile the compromised system, and exfiltrate sensitive data. It accomplishes this by combining remote command execution, credential theft, and system reconnaissance.

According to the analysis, DriverMinUpdate is part of a family of malicious apps that includes ChromeUpdateAlert, ChromeUpdate, CameraAccess, and DriverEasy, which were previously documented by dmpdump, SentinelOne, ENKI, and Kandji.

A second new malware family associated with the campaign is Tsunami-Framework, which is delivered as a follow-on payload by a known Python backdoor referred to as . It is a .NET-based modular malware that can steal a variety of data from cryptocurrency wallets and web browsers.

German security company HiSolutions said in a report released late last month that it also includes features to log keystrokes and collect files, as well as a botnet component that appears to be in early development.

According to , Contagious Interview is assessed to be a new activity cluster affiliated with the , a notorious North Korean hacking group with a long history of orchestrating both espionage- and financially-motivated attacks to advance the country's strategic objectives and evade international sanctions.

The collective was also attributed to the record-breaking from cryptocurrency exchange Bybit earlier this year.

North Korean IT Worker Threat Expands

The findings come as cybersecurity firm Sophos reports that the threat actors behind the North Korean fraudulent IT worker scheme have increasingly targeted businesses in Europe, Asia, and other regions to secure jobs and funnel the proceeds back to Pyongyang.

The threat actors frequently digitally manipulate photos for their fabricated resumes and LinkedIn profiles, as well as for their falsified work histories and group project claims, according to the company's Secureworks Counter Threat Unit (CTU).

"They frequently employ stock photos that have been overlaid with actual self-images." The threat actors have also made increasing use of generative AI, including writing and image-editing tools and resume builders.

Once hired, the fraudsters have also been observed using , Astrill VPN, and KVM over IP for remote access, and in some cases even holding eight-hour-long Zoom calls for screen sharing.

Cryptocurrency exchange Kraken, for its part, revealed that a routine job interview for an engineering position turned into an intelligence-gathering operation after it identified a North Korean hacker attempting to infiltrate the company under the name .

The candidate used remote, colocated Mac desktops, according to the company, but interacted with other components through a VPN, a technique commonly used to conceal location and network activity. Their resume was linked to a GitHub profile containing an email address that had previously been exposed.

The candidate's primary form of identification appeared to have been altered, most likely using details stolen in an identity theft case two years earlier.

Rather than rejecting the applicant outright, Kraken said its security and recruitment teams "strategically" advanced them through the interview process in order to trap them, asking them to confirm their location, present a government-issued ID, and recommend some local restaurants in the city they claimed to live in.

They struggled with the basic verification tests and could not convincingly answer questions about their country of citizenship or city of residence, according to Kraken. "By the time the interview was over, it was clear that this was not a legitimate applicant but someone trying to break into our systems."

In a separate case documented by the U.S. Department of Justice (DoJ) last month, a 40-year-old Maryland man, , pleaded guilty to fraud after securing a job with a government contractor and then outsourcing the work to a North Korean national residing in Shenyang, China, underscoring the seriousness of the illicit revenue-generation scheme.

North Korea's ability to covertly place thousands of its workers inside major corporations, frequently with the assistance of who run what is known as a laptop farm, has prompted repeated warnings from the Japanese, South Korean, U.K., and U.S. governments.

These workers have been found to remain embedded for up to 14 months, and after being fired the threat actors have in some cases resorted to data theft and extortion threats.

Organizations "[should] establish enhanced identity verification procedures as part of their interview process," Sophos said. Human resources staff and recruiters should be kept informed about the techniques used in these campaigns to help them identify potential fraudulent North Korean IT workers.

Organizations should also watch for "traditional insider threat activity," suspicious use of legitimate tools, and "impossible travel alerts," the researchers added.
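Of the three signals Sophos names, impossible travel is the one most easily turned into a concrete rule: two sign-ins by the same account whose distance and time gap imply a speed no traveller could manage. The following added example (written for this page, not Sophos's or Kraken's code) runs that check over a few constructed, geo-IP-enriched authentication lines; the log format, the sample coordinates and the 900 km/h ceiling are assumptions of the example.

```python
"""Impossible-travel detection over authentication log lines (added illustration)."""
import math
from dataclasses import dataclass
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
# Fastest travel a person can plausibly manage between two sign-ins (roughly an
# airliner); an assumption of this example, tune it to your environment.
MAX_PLAUSIBLE_KMH = 900.0

# Constructed sample log: "<ISO-8601 UTC time> <user> <source IP> <lat> <lon>", as a
# geo-IP enrichment stage might emit it. Not real telemetry.
SAMPLE_LOG = """\
2025-05-06T08:00:00Z bob 198.51.100.7 51.5074 -0.1278
2025-05-06T09:00:00Z alice 203.0.113.5 40.7128 -74.0060
2025-05-06T11:00:00Z alice 192.0.2.44 37.5665 126.9780
2025-05-06T12:00:00Z bob 198.51.100.9 48.8566 2.3522
"""


@dataclass
class Login:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float


@dataclass
class Alert:
    user: str
    from_ip: str
    to_ip: str
    km: float
    kmh: float


def parse_log(text):
    """Parse log lines into Login records, skipping blank lines."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, lat, lon = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        logins.append(Login(user, when, ip, float(lat), float(lon)))
    return logins


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by the same user that imply travel faster than max_kmh."""
    alerts = []
    last = {}
    for login in sorted(logins, key=lambda entry: entry.ts):
        prev = last.get(login.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
            hours = (login.ts - prev.ts).total_seconds() / 3600.0
            # Two distant sign-ins with the same timestamp are the limiting case: infinite speed.
            if hours == 0:
                kmh = math.inf if km > 0 else 0.0
            else:
                kmh = km / hours
            if kmh > max_kmh:
                alerts.append(Alert(login.user, prev.ip, login.ip, round(km, 1), round(kmh, 1)))
        last[login.user] = login
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"{a.user}: {a.from_ip} -> {a.to_ip}, {a.km} km in effect at {a.kmh:.0f} km/h")
```

In the sample, bob's London-to-Paris pair (about 344 km in four hours) passes, while alice's New York-to-Seoul pair (about 11,000 km in two hours) is flagged. In production the rule needs the usual exclusions, in particular VPN and cloud egress ranges, which is exactly why the VPN and remote-desktop use described above is meant to defeat it: a worker who always connects through the same U.S. laptop farm never trips a distance check, so the signal has to be combined with the tool-misuse and insider-threat indicators.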
