Famous Chollima, a North Korean threat group aligned with the DPRK’s Reconnaissance General Bureau, has significantly enhanced its malware capabilities by merging the functionalities of BeaverTail and OtterCookie into unified infostealer variants.
The group’s latest campaign leverages deceptive job recruitment tactics and supply chain attacks via malicious NPM packages, targeting cryptocurrency and blockchain professionals with increasingly sophisticated tools designed to steal credentials and digital assets.
Trojanized NPM Package Delivers Merged Malware
The recent attack campaign centered on a cryptocurrency-themed chess application called Chessfi, distributed through a compromised Bitbucket repository.
When victims cloned the repository, dependencies automatically pulled the malicious “node-nvm-ssh” package from NPM, triggering post-install scripts that executed obfuscated JavaScript payloads from embedded files.
This infection vector represents a notable shift in Famous Chollima’s delivery mechanisms, expanding beyond traditional phishing to exploit developer workflows and trusted package ecosystems.
The payload demonstrates significant convergence between BeaverTail and OtterCookie codebases. BeaverTail handles browser profile enumeration, specifically targeting cryptocurrency wallet extensions including MetaMask, Phantom, and Solflare across Chrome, Brave, Edge, and other Chromium-based browsers.
The malware downloads Python-based InvisibleFerret modules from command-and-control servers via ports such as 1224, automatically installing Python distributions on Windows systems to ensure execution compatibility.
OtterCookie complements these capabilities with modular extensions that provide remote shell access via a socket.io-client for command execution and system fingerprinting.
A file uploader component systematically scans drives for documents, credentials, and cryptocurrency-related files while excluding specific paths to avoid detection.
A novel module introduced in April 2025 adds keylogging and screenshot capture capabilities, buffering collected data in temporary files before exfiltration to C2 endpoints. Clipboard monitoring functionality varies by platform, using “pbpaste” on macOS and PowerShell commands on Windows.
Advanced Evasion and Multi-Version Evolution
OtterCookie has progressed through five distinct versions since late 2024, evolving from basic remote code execution in v1 to sophisticated anti-analysis capabilities in v5, released in August 2025.
Recent versions incorporate environment checks and error-handler eval techniques for dynamic code loading, whereas early iterations relied on HTTP cookies for payload delivery before transitioning to modular string-based execution.
BeaverTail has similarly adapted since mid-2023, adding base64 shuffling for C2 URLs and cross-platform support, and it has frequently been bundled into supply-chain attacks.
Famous Chollima operates within the broader Lazarus collective and maintains operations under multiple aliases, including Wagemole, Nickel Tapestry, and UNC5267.
The group has been active since at least 2018, conducting Contagious Interview campaigns that pose as legitimate recruiters to distribute malware through fake technical assessments.
Their targeting primarily focuses on cryptocurrency, blockchain, and technology sectors across India, the United States, Germany, and Ukraine, with operations designed to generate illicit revenue for the North Korean regime while evading international sanctions.
IOCs
PolySwarm has multiple samples associated with this activity.
- caad2f3d85e467629aa535e0081865d329c4cd7e6ff20a000ea07e62bf2e4394
- 83c145aedfdf61feb02292a6eb5091ea78d8d0ffaebf41585c614723f36641d8