{
	"id": "81f496f8-152c-4f6a-a0e2-afc81a837ea0",
	"created_at": "2026-04-10T03:21:33.056623Z",
	"updated_at": "2026-04-10T13:12:47.160347Z",
	"deleted_at": null,
	"sha1_hash": "0da65d61c5e3ebef1a092a46d53be2e0c73520f5",
	"title": "OtterCandy, malware used by WaterPlum",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 715230,
	"plain_text": "OtterCandy, malware used by WaterPlum\r\nBy NTTセキュリティ・ジャパン株式会社\r\nPublished: 2025-10-15 · Archived: 2026-04-10 02:57:04 UTC\r\nThis article is the English version of “WaterPlumが使用するマルウェアOtterCandyについて”.\r\nThe original article is authored by NSJ SOC analyst Rintaro Koike.\r\nIntroduction\r\nWaterPlum (also known as Famous Chollima or PurpleBravo) is believed to be an attack group associated with North Korea, notably conducting two attack campaigns: Contagious Interview[1] and ClickFake Interview[2].\r\nWaterPlum can be divided into multiple clusters. Among them, activity by Cluster B (commonly referred to as the BlockNovas cluster) has recently been observed.\r\nRegarding Cluster B, reports [3,4] have been published by Silent Push and Trend Micro in the past. While utilizing malware and tools shared within WaterPlum, such as BeaverTail, GolangGhost, and FrostyFerret, Cluster B also independently develops its own malware and tools, making it a unique cluster even within WaterPlum.\r\nRecently, it has been conducting attacks using a new malware called OtterCandy, which combines features of RATatouille[5] and OtterCookie[6]. Since attacks have also been observed in Japan, its activities require close monitoring.\r\nThis article introduces the analysis results of OtterCandy and details the update observed in August 2025.\r\nClickFake Interview\r\nClickFake Interview is an attack campaign involving multiple WaterPlum clusters. Cluster B is also involved in ClickFake Interview, and its attack flow is as follows:\r\nhttps://jp.security.ntt/insights_resources/tech_blog/ottercandy_malware_e/\r\nPage 1 of 6\r\nThe design of the ClickFix webpage used in ClickFake Interview varies slightly by cluster. For Cluster B, users are directed to ClickFix from a webpage like the one below.\r\nPreviously, Cluster B primarily attacked using GolangGhost, like the other clusters, and additionally distributed FrostyFerret for macOS. However, since around July 2025, OtterCandy has been distributed for Windows, macOS, and Linux.\r\nOtterCandy\r\nOtterCandy is a RAT and info stealer implemented in Node.js. It is malware that combines elements of RATatouille and OtterCookie. Investigation on VirusTotal revealed a sample submitted in February 2025. We have confirmed that this February 2025 sample is identical to the sample mistakenly labeled as OtterCookie in Silent Push's report[3].\r\nOtterCandy accepts commands when connected to the C2 server via Socket.IO. Cluster B uses these commands to steal browser credentials, cryptocurrency wallets, and/or confidential files from the victim's device. The implemented commands are as follows:\r\nOtterCandy's persistence is achieved by the preceding DiggingBeaver, but it also has a simple persistence feature of its own: it is implemented so that when it receives a SIGINT event via process.on, it forks itself again.\r\nUpdate\r\nOtterCandy has been using the same code since February, with only the C2 server address portion being rewritten. However, an update was implemented at the end of August. We refer to these versions as v1 and v2. There are three major updates implemented in v2. This section introduces the differences between the two versions.\r\nAdding client_id\r\nIn v1, the information sent to the C2 server included “username” data, which was used for user identification. However, starting with v2, a “client_id” value has been added, enhancing user identification compared to the previous version.\r\nAdding theft target data\r\nOtterCandy contains hardcoded browser extension IDs as theft targets. While v1 specified four browser extensions, v2 specifies seven.\r\nAdditionally, in the functionality designed to steal user data from Chromium-based browsers, v1 transmitted only partial data, whereas v2 has been changed to transmit all data.\r\nDeleting traces\r\nIn v2, deletion of the registry keys used for persistence, as well as deletion of files and directories, was added to the ss_del command implementation.\r\nConclusion\r\nIn this article, we introduced the ClickFake Interview campaign conducted by Cluster B. Cluster B is carrying out attacks using a new malware called OtterCandy. Because an update was confirmed in August 2025, continuous close monitoring will be required.\r\nIoC\r\nReferences\r\n[1]: Palo Alto Networks, \"Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors\", https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/\r\n[2]: Sekoia, \"From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic\", https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/\r\n[3]: Silent Push, \"Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie\", https://www.silentpush.com/blog/contagious-interview-front-companies/\r\n[4]: Trend Micro, \"Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations\", https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html\r\n[5]: aikido, \"RATatouille: A Malicious Recipe Hidden in rand-user-agent (Supply Chain Compromise)\", https://www.aikido.dev/blog/catching-a-rat-remote-access-trojian-rand-user-agent-supply-chain-compromise\r\n[6]: NTT Security, \"OtterCookie, new malware used in Contagious Interview campaign\", https://jp.security.ntt/insights_resources/tech_blog/en-contagious-interview-ottercookie/\r\nSource: https://jp.security.ntt/insights_resources/tech_blog/ottercandy_malware_e/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://jp.security.ntt/insights_resources/tech_blog/ottercandy_malware_e/"
	],
	"report_names": [
		"ottercandy_malware_e"
	],
	"threat_actors": [],
	"ts_created_at": 1775791293,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0da65d61c5e3ebef1a092a46d53be2e0c73520f5.pdf",
		"text": "https://archive.orkl.eu/0da65d61c5e3ebef1a092a46d53be2e0c73520f5.txt",
		"img": "https://archive.orkl.eu/0da65d61c5e3ebef1a092a46d53be2e0c73520f5.jpg"
	}
}