North Korean Chollima Actors Added BeaverTail and OtterCookie to its Arsenal


By Mayura Kathir

Famous Chollima, a DPRK-aligned threat group, has evolved its arsenal, with BeaverTail and OtterCookie increasingly merging functionalities to steal credentials and cryptocurrency via deceptive job offers.

A recent campaign involved a trojanized Node.js application distributed through a malicious NPM package, highlighting the group’s adaptation in delivery methods.

In the campaign, Famous Chollima used merged BeaverTail and OtterCookie variants in fake job interviews, incorporating new modules for keylogging and screenshot capture.

A malicious NPM package “node-nvm-ssh” embedded in a cryptocurrency-themed chess app serves as the infection vector, executing obfuscated JavaScript payloads.

OtterCookie has evolved through five versions since late 2024, adding capabilities like remote shell access, file exfiltration, and cryptocurrency wallet targeting.

Functional overlaps between BeaverTail, OtterCookie, and InvisibleFerret suggest a shift toward JavaScript-based tooling to reduce Python dependencies on Windows systems.
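A defender-side check for the package named above, as an added example that is not part of the original article: it scans parsed `package-lock.json` data (lockfile v1 nested trees and v2/v3 flat `packages` maps, including alias installs) for `node-nvm-ssh`. The lockfile objects, app name and versions below are constructed sample input.

```javascript
// Package name reported in the article; extend the set with other names as needed.
const BLOCKLIST = new Set(['node-nvm-ssh']);

// Lockfile v2/v3 keys are install paths such as "node_modules/a/node_modules/b".
// The package name is the text after the last "node_modules/" segment
// (scoped names keep their "@scope/" prefix).
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Lockfile v1: nested "dependencies" objects keyed by package name.
function walkV1(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = trail.concat(name);
    if (BLOCKLIST.has(name)) hits.push({ name, version: meta.version, via: here.join(' > ') });
    walkV1(meta.dependencies, here, hits);
  }
}

function findBlockedPackages(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // An alias install records the real package in "name", so check it first.
    const name = meta.name || nameFromPath(path);
    if (name && BLOCKLIST.has(name)) hits.push({ name, version: meta.version, via: path });
  }
  // v2 lockfiles carry both sections; walk the v1 tree only when "packages" is absent.
  if (!lock.packages) walkV1(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lockfiles (not taken from the campaign).
const sampleV3 = { name: 'sample-app', lockfileVersion: 3, packages: {
  '': { name: 'sample-app', version: '1.0.0' },
  'node_modules/express': { version: '4.18.2' },
  'node_modules/helper/node_modules/node-nvm-ssh': { version: '0.0.0' }, // transitive
  'node_modules/ssh-util': { name: 'node-nvm-ssh', version: '0.0.0' },   // alias install
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  helper: { version: '1.0.0', dependencies: { 'node-nvm-ssh': { version: '0.0.0' } } },
} };

console.log(findBlockedPackages(sampleV3));
console.log(findBlockedPackages(sampleV1));
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findBlockedPackages`; a non-empty result gives the install path or dependency chain that pulled the package in.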

The Campaign Activity

Famous Chollima, a subgroup of the DPRK-aligned Lazarus collective, continues to ...


Copyright of this story solely belongs to gbhackers.