North Koreans Improve OtterCookie Malware's Data Theft Abilities

New capabilities to extract files and credentials have been introduced.

Significant updates have been made to OtterCookie, malware tied to the North Korean-aligned Contagious Interview campaign.

According to research by NTT Security Holdings, the attackers have "actively and continuously" updated the malware, introducing versions v3 and v4 in February and April 2025, respectively.

OtterCookie is distributed via deceptive methods including npm packages, fake videoconferencing applications, and trojanised repositories. OtterCookie v3 added a dedicated upload module to exfiltrate targeted files, such as documents, mnemonic phrases for cryptocurrency wallets, and environment variables, through an external server. This function previously relied on server-sent shell commands.

Version 4 introduced further enhancements, including modules to extract credentials from Google Chrome and MetaMask browser extensions, and expanded support for virtual machine detection to avoid analysis.

Researchers noted differences in coding style between modules, suggesting contributions from multiple developers.


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.

