BeaverTail and OtterCookie evolve with new Javascript module targeting cryptocurrency and credentials

Free, Unbiased, and Open threat intelligence

BeaverTail and OtterCookie evolve with new Javascript module targeting cryptocurrency and credentials

threat Profile

HIGH

Description

Cisco Talos uncovered a new attack linked to Famous Chollima (Lazarus subgroup), a DPRK-aligned threat actor targeting job seekers through fake employment offers. The campaign delivers trojanized Node.js applications containing evolved BeaverTail and OtterCookie malware with new keylogging, screenshotting, and data exfiltration capabilities. The malware was distributed via NPM package 'node-nvm-ssh' and targets cryptocurrency wallets, credentials, and sensitive files.

MITRE ATT&CK Techniques

T1566 - Phishing T1204 - User Execution T1056.001 - Keylogging T1113 - Screen Capture T1115 - Clipboard Data T1005 - Data from Local System T1039 - Data from Network Shared Drive T1041 - Exfiltration Over C2 Channel T1059.007 - Command and Scripting Interpreter: JavaScript T1518.001 - Security Software Discovery T1497 - Virtualization/Sandbox Evasion T1555.003 - Credentials from Password Stores: Credentials from Web Browsers T1081 - Credentials in Files

Related Entities

Threat Actors

WageMole Lazarus Group

Malware

BeaverTail OtterCookie PylangGhost InvisibleFerret Chessfi GolangGhost

Indicators of Compromise (10)

172.86.88.188

OtterCookie C2 server - keylogging upload, socket.io communication, file upload, and logging

9e65de386b40f185bf7c1d9b1380395e5ff606c2f8373c63204a52f8ddc01982

Malicious VS Code extension containing OtterCookie (SHA256)

144.172.96.35

OtterCookie C2 server for logging

www.npmjs.com/package/node-nvm-ssh

Malicious NPM package distribution URL

172.86.73.46

OtterCookie C2 server

dff2a0fb344a0ad4b2c129712b2273fda46b5ea75713d23d65d5b03d0057f6dd

VS Code extension raw.js file (SHA256)

d89c45d65a825971d250d12bc7a449321e1977f194e52e4ca541e8a908712e47

Campaign-related sample (SHA256)

8efa928aa896a5bb3715b8b0ed20881029b0a165a296334f6533fa9169b4463b

BeaverTail evolution sample (SHA256)

72ebfe69c69d2dd173bb92013ab44d895a3367f91f09e3f8d18acab44e37b26d

BeaverTail evolution sample (SHA256)

83c145aedfdf61feb02292a6eb5091ea78d8d0ffaebf41585c614723f36641d8

Malicious NPM package test.list from August 2025 (SHA256)

Metadata

Published

7 months ago

Views