
The North Korean threat actors behind the Contagious Interview campaign have been observed using updated versions of a cross-platform malware called OtterCookie with capabilities to steal credentials from web browsers and other files.
NTT Security Holdings, which detailed the new findings, said the attackers have “actively and continuously” updated the malware, introducing versions v3 and v4 in February and April 2025, respectively.
The Japanese cybersecurity company is tracking the cluster under the name WaterPlum, which is also known as CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, PurpleBravo, and Tenacious Pungsan.
OtterCookie was first documented by NTT last year after having observed it in attacks since September 2024. Delivered by means of a JavaScript payload via a malicious npm package, trojanized GitHub or Bitbucket repository, or a bogus videoconferencing app, it’s designed to contact an external server to execute commands on compromised hosts.
OtterCookie v3 has been found to incorporate a new upload module to send files matching a predefined set of extensions to the external server. This consists of environment variables, images, documents, spreadsheets, text files, and files containing mnemonic and recovery phrases associated with cryptocurrency wallets.
It’s worth pointing out that this module was previously executed in OtterCookie v2 as a shell command received from the server.
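The categories the upload module targets (environment files, images, documents, spreadsheets, text files, and wallet recovery phrases) are also a usable detection signal: a single process reading files from several of those categories in a short window is unusual for most software. The following Python is an added example written for this article, not code from NTT or from the malware; the file-read events, process names, extension lists and the wallet-phrase keyword pattern are all constructed assumptions standing in for real endpoint telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Categories mirror those the article attributes to the OtterCookie v3 upload
# module; the concrete extensions and keywords below are assumptions.
CATEGORIES = {
    "image": {".png", ".jpg", ".jpeg", ".gif"},
    "document": {".doc", ".docx", ".pdf"},
    "spreadsheet": {".xls", ".xlsx", ".csv"},
    "text": {".txt", ".md"},
}
WALLET_RE = re.compile(r"(mnemonic|seed|recovery|phrase|wallet)", re.IGNORECASE)
WINDOW = timedelta(seconds=60)  # assumed detection window


def classify(path):
    """Map a file path to one of the sensitive categories, or None."""
    p = PurePosixPath(path)
    if WALLET_RE.search(p.name):
        return "wallet_phrase"
    # PurePosixPath treats ".env" as a dotfile with no suffix, so match by name.
    if p.name == ".env" or p.name.startswith(".env."):
        return "env"
    ext = p.suffix.lower()
    for category, extensions in CATEGORIES.items():
        if ext in extensions:
            return category
    return None


def detect_bulk_collection(events, window=WINDOW, min_categories=3):
    """Return one alert per process that, inside `window`, reads files from
    at least `min_categories` sensitive categories, or reads a wallet
    recovery-phrase file plus at least one other category.
    Events are dicts with keys ts (ISO 8601), pid, proc and path."""
    by_pid = defaultdict(list)
    for ev in events:
        category = classify(ev["path"])
        if category is None:
            continue
        by_pid[ev["pid"]].append(
            (datetime.fromisoformat(ev["ts"]), ev["proc"], category))
    alerts = []
    for pid, rows in by_pid.items():
        rows.sort()
        for i, (t0, proc, _) in enumerate(rows):
            cats = {c for t, _, c in rows[i:] if t - t0 <= window}
            if len(cats) >= min_categories or (
                    "wallet_phrase" in cats and len(cats) >= 2):
                alerts.append({"pid": pid, "proc": proc,
                               "categories": sorted(cats)})
                break  # one alert per process is enough
    return alerts


# Constructed file-read telemetry: one process sweeps several categories in
# under a minute; the other two show ordinary single-purpose access.
SAMPLE_EVENTS = [
    {"ts": "2025-04-10T09:00:00", "pid": 4242, "proc": "node",
     "path": "/home/dev/project/.env"},
    {"ts": "2025-04-10T09:00:12", "pid": 4242, "proc": "node",
     "path": "/home/dev/Documents/report.docx"},
    {"ts": "2025-04-10T09:00:25", "pid": 4242, "proc": "node",
     "path": "/home/dev/Pictures/photo.png"},
    {"ts": "2025-04-10T09:00:40", "pid": 4242, "proc": "node",
     "path": "/home/dev/wallets/metamask-recovery-phrase.txt"},
    {"ts": "2025-04-10T09:01:00", "pid": 900, "proc": "TextEdit",
     "path": "/home/dev/notes.txt"},
    {"ts": "2025-04-10T09:06:00", "pid": 900, "proc": "TextEdit",
     "path": "/home/dev/budget.xlsx"},
    {"ts": "2025-04-10T09:02:00", "pid": 31, "proc": "Preview",
     "path": "/home/dev/Pictures/holiday.jpg"},
]

if __name__ == "__main__":
    for alert in detect_bulk_collection(SAMPLE_EVENTS):
        print(alert)
```

In production the thresholds would be tuned per fleet (backup agents and indexers legitimately touch many categories), and the `node` process in the sample is only an illustration of the npm-delivered JavaScript payload the article describes.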
The fourth iteration of the malware expands on its predecessor by adding two more modules to steal credentials from Google Chrome, as well as extract data from the MetaMask extension for Google Chrome, Brave browser, and iCloud Keychain.
Another new feature addition to OtterCookie v4 is the ability to detect if it’s being executed in virtual machine (VM) environments pertaining to Broadcom VMware, Oracle VirtualBox, Microsoft, and QEMU.
Interestingly, it has been found that the first stealer module responsible for gathering Google Chrome credentials does so after decrypting them, whereas the second module harvests encrypted login data from browsers like Chrome and Brave.
“This difference in data processing or coding style implies that these modules were developed by different developers,” researchers Masaya Motoda and Rintaro Koike said.
The disclosure comes as multiple malicious payloads related to the Contagious Interview campaign have been unearthed in recent months, indicating that the threat actors are refining their modus operandi.
This includes a Go-based information stealer delivered under the guise of a Realtek driver update (“WebCam.zip”). When opened, the archive runs a shell script that downloads the stealer and launches a deceptive macOS application (“DriverMinUpdate.app”) engineered to harvest the victim’s macOS system password.
It’s believed that the malware was distributed as part of an updated version of the activity codenamed ClickFake Interview by Sekoia last month, because it uses ClickFix-style lures that ask victims to fix non-existent audio and video issues during an online assessment that forms part of the job interview process.
“The stealer’s primary role is to establish a persistent C2 channel, profile the infected system, and exfiltrate sensitive data,” MacPaw’s cybersecurity division, Moonlock, said. “It achieves this through a combination of system reconnaissance, credential theft, and remote command execution.”
It’s assessed that the DriverMinUpdate application is part of a larger set of similar malicious apps uncovered by dmpdump, SentinelOne, ENKI, and Kandji, such as ChromeUpdateAlert, ChromeUpdate, CameraAccess, and DriverEasy.
A second new malware family connected to the campaign is Tsunami-Framework, which is delivered as a follow-up payload to a known Python backdoor referred to as InvisibleFerret. A .NET-based modular malware, it’s equipped to steal a wide range of data from web browsers and cryptocurrency wallets.
It also incorporates features to log keystrokes and collect files, as well as a botnet component that appears to be under early development, German security company HiSolutions said in a report published late last month.
Contagious Interview, per ESET, is believed to be a new activity cluster that’s part of the Lazarus Group, a notorious hacking group from North Korea that has a storied history of orchestrating both espionage- and financially-motivated attacks as a way to advance the nation’s strategic goals and sidestep international sanctions.
Earlier this year, the adversarial collective was attributed to the record-breaking billion-dollar heist from cryptocurrency platform Bybit.
The North Korean IT Worker Threat Endures
The findings come as cybersecurity company Sophos revealed that the threat actors behind the fraudulent IT worker scheme from North Korea — also known as Famous Chollima, Nickel Tapestry, and Wagemole — have begun to increasingly target organizations in Europe and Asia, and industries beyond the technology sector to secure jobs and funnel the proceeds back to Pyongyang.
“Throughout the pre-employment phase, the threat actors often digitally manipulate photos for their falsified resumes and LinkedIn profiles, and to accompany prior work history or group project claims,” the company’s SecureWorks Counter Threat Unit (CTU) said.
“They commonly use stock photos overlaid with real images of themselves. The threat actors have also increased usage of generative AI, including writing tools, image-editing tools, and resume builders.”
The fraudulent workers, upon landing a job, have also been found using mouse jiggler utilities, VPN software like Astrill VPN, and KVM over IP for remote access, in some cases even resorting to eight-hour-long Zoom calls for screen sharing.
Last week, cryptocurrency exchange platform Kraken disclosed how a routine job interview for an engineering position turned into an intelligence-gathering operation after it spotted a North Korean hacker attempting to infiltrate the company using the name Steven Smith.
“The candidate used remote colocated Mac desktops but interacted with other components through a VPN, a setup commonly deployed to hide location and network activity,” the company said. “Their resume was linked to a GitHub profile containing an email address exposed in a past data breach.”
“The candidate’s primary form of ID appeared to be altered, likely using details stolen in an identity theft case two years prior.”
But instead of rejecting the candidate’s application outright, Kraken said its security and recruitment teams “strategically” advanced them through its interview process as a way to trap them, asking them to confirm their location, hold up a government-issued ID, and recommend some local restaurants in the city they claimed to be in.
“Flustered and caught off guard, they struggled with the basic verification tests, and couldn’t convincingly answer real-time questions about their city of residence or country of citizenship,” Kraken said. “By the end of the interview, the truth was clear: this was not a legitimate applicant, but an imposter attempting to infiltrate our systems.”
In another case documented by the U.S. Department of Justice (DoJ) last month, a 40-year-old Maryland man, Minh Phuong Ngoc Vong, pleaded guilty to fraud after securing a job with a government contractor and then outsourcing the work to a North Korean national residing in Shenyang, China – underscoring the severity of the illicit fundraising activity.
North Korea’s ability to stealthily slip thousands of its workers into major companies, often with the help of facilitators who run what’s called a laptop farm, has led to repeated warnings from Japanese, South Korean, U.K., and U.S. governments.
These workers have been found to spend up to 14 months inside an organization, with the threat actors also engaging in data theft and extortion threats following termination.
“Organizations [should] establish enhanced identity verification procedures as part of their interview process,” Sophos said. “Human resources staff and recruiters should be regularly updated on tactics used in these campaigns to help them identify potential fraudulent North Korean IT workers.”
“Additionally, organizations should monitor for traditional insider threat activity, suspicious usage of legitimate tools, and impossible travel alerts to detect activity often associated with fraudulent workers.”
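Of the three signals Sophos names, impossible travel is the one most easily expressed as code: consecutive sign-ins by the same account from locations that no airliner could connect in the elapsed time. The Python below is an added example written for this article, not code from Sophos, Kraken or any vendor product. It assumes a simple constructed log-line format, uses a tiny hard-coded table in place of a real GeoIP lookup, and picks 900 km/h as the maximum plausible speed; the addresses, users and coordinates are all constructed.

```python
import math
import re
from collections import defaultdict
from datetime import datetime

MAX_SPEED_KMH = 900.0  # assumption: roughly an airliner's cruising speed

# Stand-in for a GeoIP database; addresses and coordinates are constructed.
GEO = {
    "203.0.113.5": ("Frankfurt", 50.11, 8.68),
    "198.51.100.7": ("Singapore", 1.35, 103.82),
    "192.0.2.9": ("Munich", 48.14, 11.58),
}

# Assumed log-line format: "<ISO timestamp> user=<name> src=<ip> result=success"
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=success$")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2)
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(lines, max_speed_kmh=MAX_SPEED_KMH):
    """Parse successful sign-ins, order them per user, and flag every pair of
    consecutive sign-ins whose implied ground speed exceeds max_speed_kmh."""
    by_user = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # failed logins and unrelated lines are ignored
        ts, user, ip = m.groups()
        if ip not in GEO:
            continue  # no location available, cannot reason about distance
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_user[user].append((when, ip))

    alerts = []
    for user, rows in by_user.items():
        rows.sort()
        for (t1, ip1), (t2, ip2) in zip(rows, rows[1:]):
            if ip1 == ip2:
                continue  # same source, no travel implied
            city1, lat1, lon1 = GEO[ip1]
            city2, lat2, lon2 = GEO[ip2]
            km = haversine_km(lat1, lon1, lat2, lon2)
            hours = (t2 - t1).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": city1, "to": city2,
                               "km": round(km), "kmh": round(speed)})
    return alerts


# Constructed sign-in log: alice appears in Frankfurt and Singapore ninety
# minutes apart; bob's Frankfurt-to-Munich move over four hours is plausible.
SAMPLE_LOG = [
    "2025-05-05T08:00:00Z user=alice src=203.0.113.5 result=success",
    "2025-05-05T08:05:00Z user=alice src=203.0.113.5 result=success",
    "2025-05-05T08:10:00Z user=alice src=198.51.100.7 result=failure",
    "2025-05-05T09:30:00Z user=alice src=198.51.100.7 result=success",
    "2025-05-05T08:00:00Z user=bob src=203.0.113.5 result=success",
    "2025-05-05T12:00:00Z user=bob src=192.0.2.9 result=success",
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOG):
        print(alert)
```

A real deployment would take the geolocation from a GeoIP service and would suppress known VPN and cloud egress ranges, since the article notes these workers route through VPNs and remotely operated colocated machines, which makes the apparent location unreliable in both directions.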