Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign

The Hacker News by The Hacker News
December 27, 2024
Home Cybersecurity
Share on FacebookShare on Twitter


Dec 27, 2024Ravie LakshmananCryptocurrency / Cyber Espionage

North Korean threat actors behind the ongoing Contagious Interview campaign have been observed dropping a new JavaScript malware called OtterCookie.

Contagious Interview (aka DeceptiveDevelopment) refers to a persistent attack campaign that employs social engineering lures, with the hacking crew often posing as recruiters to trick individuals looking for potential job opportunities into downloading malware under the guise of an interview process.

This involves distributing malware-laced videoconferencing apps or npm packages either hosted on GitHub or the official package registry, paving the way for the deployment of malware such as BeaverTail and InvisibleFerret.

Palo Alto Networks Unit 42, which first exposed the activity in November 2023, is tracking the cluster under the moniker CL-STA-0240. It’s also referred to as Famous Chollima and Tenacious Pungsan.

In September 2024, Singaporean cybersecurity company Group-IB documented the first major revision to the attack chain, highlighting the use of an updated version of BeaverTail that adopts a modular approach by offloading its information-stealing functionality to a set of Python scripts collectively tracked as CivetQ.

Cybersecurity

It’s worth noting at this stage that Contagious Interview is assessed to be disparate from Operation Dream Job, another long-running North Korean hacking campaign that also employs similar job-related decoys to trigger the malware infection process.

The latest findings from Japanese cybersecurity company NTT Security Holdings reveal that the JavaScript malware responsible for launching BeaverTail is also designed to fetch and execute OtterCookie. The new malware is said to have been introduced in September 2024, with a new version detected in the wild last month.

OtterCookie Malware

OtterCookie, upon running, establishes communications with a command-and-control (C2) server using the Socket.IO JavaScript library, and awaits further instructions. It’s designed to run shell commands that facilitate data theft, including files, clipboard content, and cryptocurrency wallet keys.

The older OtterCookie variant spotted in September is functionally similar, but incorporates a minor implementation difference wherein the cryptocurrency wallet key theft feature is directly built into the malware, as opposed to a remote shell command.

The development is a sign that the threat actors are actively updating their tools while leaving the infection chain largely untouched, a continued sign of the campaign’s effectiveness.

South Korea Sanctions 15 North Koreans for IT Worker Scam

It also comes as South Korea’s Ministry of Foreign Affairs (MoFA) sanctioned 15 individuals and one organization in connection with a fraudulent IT worker scheme orchestrated by its northern counterpart to illegally generate a steady source of income that can be funneled back to North Korea, steal data, and even demand ransoms in some cases.

There is evidence to suggest that the Famous Chollima threat cluster is behind the insider threat operation as well. It’s also called by various names, such as Nickel Tapestry, UNC5267, and Wagemole.

Cybersecurity

One of the 15 sanctioned individuals, Kim Ryu Song, was also indicted by the U.S. Department of Justice (DoJ) earlier this month for his alleged involvement in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organizations.

Also sanctioned by MoFA is the Chosun Geumjeong Economic Information Technology Exchange Company, which has been accused of dispatching a large number of IT personnel to China, Russia, Southeast Asia, and Africa for procuring funds for the regime by securing freelance or full-time jobs in Western companies.

These IT workers are said to be part of the 313th General Bureau, an organization under the Munitions Industry Department of the Workers’ Party of Korea.

“The 313th General Bureau […] dispatches many North Korean IT personnel overseas and uses the foreign currency earned to secure funds for nuclear and missile development, and is also involved in the development of software for the military sector,” the ministry said.

“North Korea’s illegal cyber activities are not only criminal acts that threaten the safety of the cyber ecosystem, but also pose a serious threat to international peace and security as they are used as funds for North Korea’s nuclear and missile development.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
outboundIQ Achieves Certified Implementation Partner (CIP) Status with Five9

outboundIQ Achieves Certified Implementation Partner (CIP) Status with Five9

Recommended.

Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw

Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw

June 15, 2026
Huawei publicó el documento técnico para redes LAN ópticas pasivas

Huawei publicó el documento técnico para redes LAN ópticas pasivas

March 7, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Anaconda Extends AI-Native Application Development With Acquisition

Anaconda Extends AI-Native Application Development With Acquisition

May 1, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio