North Korean hackers are using new OtterCookie malware to target job seekers. The malware is part of the ongoing Contagious Interview campaign, which relies on social engineering tricks. Hackers pose as recruiters and trick individuals into downloading malicious software disguised as job-related tools.
The attackers use malware-laden videoconferencing apps or npm packages. These are often hosted on platforms like GitHub or official package registries. Reports revealed that this campaign also involves previously identified malware, such as BeaverTail and InvisibleFerret.
OtterCookie, a newly identified JavaScript malware, was introduced in September 2024. It connects to a command-and-control (C2) server using the Socket.IO JavaScript library. Once active, it can steal sensitive data like files, clipboard content, and cryptocurrency wallet keys. The malware’s updated versions show an evolving sophistication in its methods while retaining the same infection approach.
Researchers first uncovered this attack campaign in late 2023. The hacking group, often referred to as CL-STA-0240, has continuously enhanced its tools. Reports also differentiate Contagious Interview from another North Korean campaign, Operation Dream Job, which uses similar decoys.
Recent discoveries highlight a modular design in their tools. For example, BeaverTail’s information-stealing capabilities are now outsourced to Python scripts collectively called CivetQ. The OtterCookie malware has also seen changes. Earlier variants included a cryptocurrency theft feature directly within the code. Newer versions now execute these tasks through remote shell commands, making the attack harder to detect.
However, the infection chain remains consistent, which indicates that the hackers’ approach is effective. The group keeps refining its tools while maintaining the same overall strategy.
Preventing Such Attacks
To stay safe, users should avoid downloading unknown files from recruiters or unfamiliar sources. Use trusted software platforms for interviews and always verify that the software is authentic before installing it. Organizations must educate employees on identifying phishing attempts and implement strict cybersecurity measures. Regular updates and monitoring of systems can also prevent malware infections.
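One way to check an npm package received from a recruiter before running it is to look for the combination of behaviours described above: a Socket.IO client together with shell command execution or clipboard access. The following is an added example, not code from the campaign or from any vendor report; the function name, indicator list and sample packages are assumptions constructed for illustration.

```javascript
// Added example: static triage of an npm package before installing or running it.
// The indicator list is an assumption built from the behaviours this article
// describes (Socket.IO C2 channel, remote shell commands, clipboard theft);
// it is a heuristic, not a published signature set.
const INDICATORS = [
  { id: 'socketio-client',
    re: /require\(\s*['"]socket\.io-client['"]\s*\)|from\s+['"]socket\.io-client['"]/ },
  { id: 'shell-exec',
    re: /require\(\s*['"](?:node:)?child_process['"]\s*\)|from\s+['"](?:node:)?child_process['"]/ },
  { id: 'clipboard', re: /clipboardy|pbpaste|xclip|Get-Clipboard/ },
];

// manifest: parsed package.json object; sources: { relativePath: fileText }
function triagePackage(manifest, sources) {
  const findings = [];
  const deps = { ...manifest.dependencies, ...manifest.optionalDependencies };
  if ('socket.io-client' in deps) {
    findings.push({ id: 'socketio-client', where: 'package.json' });
  }
  for (const [path, text] of Object.entries(sources)) {
    for (const ind of INDICATORS) {
      if (ind.re.test(text)) findings.push({ id: ind.id, where: path });
    }
  }
  const ids = new Set(findings.map((f) => f.id));
  // Socket.IO alone is common in legitimate apps; flag for manual review only
  // when a persistent network channel and shell execution appear together.
  const review = ids.has('socketio-client') && ids.has('shell-exec');
  return { name: manifest.name, findings, review };
}

// Constructed sample inputs (not taken from any real package).
const SAMPLE_SUSPECT = {
  manifest: { name: 'interview-tool-sample', dependencies: { 'socket.io-client': '^4.7.0' } },
  sources: { 'lib/agent.js': "const { io } = require('socket.io-client');\nconst cp = require('child_process');\n" },
};
const SAMPLE_BENIGN = {
  manifest: { name: 'chat-widget-sample', dependencies: { 'socket.io-client': '^4.7.0' } },
  sources: { 'index.js': "import { io } from 'socket.io-client';\n" },
};

console.log(triagePackage(SAMPLE_SUSPECT.manifest, SAMPLE_SUSPECT.sources));
console.log(triagePackage(SAMPLE_BENIGN.manifest, SAMPLE_BENIGN.sources));
```

A clean result is not proof of safety: obfuscated code or module names built at runtime will not match these patterns, so unknown packages should still be opened only in an isolated environment.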