{ "id": "dbe6bf2c-55b3-4fc1-af0b-2018b784f881", "created_at": "2026-04-06T00:18:05.992309Z", "updated_at": "2026-04-10T13:12:01.813911Z", "deleted_at": null, "sha1_hash": "2f5218ca65a083c1460dd82c116c9f30485ec13d", "title": "BeaverTail and OtterCookie evolve with a new Javascript module", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2143306, "plain_text": "BeaverTail and OtterCookie evolve with a new Javascript module\r\nBy Vanja Svajcer\r\nPublished: 2025-10-16 · Archived: 2026-04-05 18:48:16 UTC\r\nThursday, October 16, 2025 06:00\r\nCisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North\r\nKorea (DPRK). This group is known for impersonating hiring organizations to target job seekers, tricking\r\nthem into installing information-stealing malware to obtain cryptocurrency and user credentials. \r\nIn this incident, although the organization was not directly targeted, one of its systems was compromised-likely because a user was deceived by a fake job offer and installed a trojanized Node.js application called\r\n\"Chessfi.\" \r\nThe malicious software was distributed via a Node.js package named \"node-nvm-ssh\" on the official NPM\r\nrepository.\r\nFamous Chollima often uses two malicious tools, BeaverTail and OtterCookie, which started as separate\r\nbut complementary programs. Recent campaigns have seen their functions merging, and Talos has\r\nidentified a new module for keylogging and taking screenshots. \r\nWhile searching for related threats, Talos also found a malicious VS Code extension containing BeaverTail\r\nand OtterCookie code. Although attribution to Famous Chollima is not certain, this suggests the group may\r\nbe testing new methods for delivering their malware. \r\nIntroduction \r\nIn a previous Cisco Talos blog post, we described one side of the Contagious Interview (Deceptive Development)\r\ncampaigns, where the threat actor utilized fake employment websites, ClickFix social engineering techniques and\r\npayload variants of credential and cryptocurrency remote access trojans (RATs) known as GolangGhost and\r\nPylangGhost. \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 1 of 20\n\nTalos is actively monitoring other clusters of these campaigns, which are attributed to the threat actor group\r\nFamous Chollima, a subgroup of Lazarus, and aligned with the economic interests of DPRK. This post discusses\r\nsome of the tactics, techniques and procedures (TTPs) and changes in tooling developed over time by another\r\nlarge cluster of Contagious Interview activities. These campaigns center around tools known as BeaverTail and\r\nOtterCookie.  \r\n Famous Chollima frequently uses BeaverTail and OtterCookie, with many individual sub-clusters of activities\r\ninstalling InvisibleFerret, a Python based modular payload. Although BeaverTail and OtterCookie originated as\r\nseparate-but-complementary entities, their functionality in some recent campaigns started to merge, along with the\r\ninclusion of new functional OtterCookie modules. \r\n Talos detected a Famous Chollima campaign in an organization headquartered in Sri Lanka. The organization was\r\nnot deliberately targeted by the attackers, but it had one of the systems on the network infected. It is likely that a\r\nuser fell for a fake job offer instructing them to install a trojanised Node.js application called Chessfi as a part of a\r\nfake job interview process. \r\nOnce Talos conducted the initial analysis, we realized that the tools used to conduct it had characteristics of\r\nBeaverTail and of OtterCookie, blurring the distinction between the two. The code also contained some additional\r\nfunctionality we have not previously encountered.  \r\nBeaverTail and OtterCookie combine \r\nThis blog focuses on OtterCookie modules and will not provide a deep dive into well-known BeaverTail and\r\nOtterCookie functionality. While some of these modules are already known, at least one was not previously\r\ndocumented. The examples we show are already deobfuscated, and with the help of an LLM, the function and\r\nvariable names are replaced by names that correspond to their actual functionality. \r\nKeylogging and screenshotting module \r\nTalos encountered a keylogging and screenshotting module in this campaign that has not been previously\r\ndocumented. We were able to find earlier OtterCookie samples containing the module that were uploaded to\r\nVirusTotal in April 2025.  \r\nThe keylogging module uses the packages “node-global-key-listener\" for keylogging, “screenshot-desktop” for\r\ntaking desktop screenshots and “sharp” for converting the captured screenshots into web-friendly image formats. \r\nThe module configures the packages to listen for keystrokes and periodically takes a screenshot of the current\r\ndesktop session to upload them to the OtterCookie command and control (C2) server. \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 2 of 20\n\nFigure 1. The keylogger listens for the keyboard and mouse key presses and saves them into a file. \r\nThe keystrokes are saved in the user’s temporary sub-folder windows-cache with the file name “1.tmp” and\r\nscreenshots are saved in the same sub-folder with the file name “2.jpeg”. While the keylogger runs in a loop and\r\nflushes the buffer every second, a screenshot is taken every four seconds.  \r\nTalos also discovered one instance of the module where the clipboard monitoring was included in the module\r\ncode, extending its functionality to stealing clipboard content.  \r\nThe keylogging data and the captured screenshots are uploaded to the OtterCookie C2 server at a specific TCP\r\nport 1478, using the URL “hxxp[://]172[.]86[.]88[.]188:1478/upload”. \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 3 of 20\n\nFigure 2. Keystrokes saved as “1.tmp” and screenshots as “2.jpeg”, then uploaded to C2 server. \r\nOtterCookie VS Code extension \r\nDuring the search for similar samples on VirusTotal, Talos discovered a recently-uploaded VS Code extension,\r\nwhich may attempt to run OtterCookie if installed in the victim’s editor environment. The extension is a fake\r\nemployment onboarding helper, supposedly allowing the user to track and manage candidate tests. \r\nWhile Talos cannot attribute this VS Code extension to Famous Chollima with high confidence, this may indicate\r\nthat the threat actor is experimenting with different delivery vectors. The extension could also be a result of\r\nexperimentation from another actor, possibly even a researcher, who is not associated with Famous Chollima, as\r\nthis stands out from their usual TTPs. \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 4 of 20\n\nFigure 3. VS Code extension configuration pretends to be Mercer Onboarding Helper but contains\r\nOtterCookie code. \r\nOther OtterCookie modules \r\nThe OtterCookie section of code starts with the definition of a JSON object that contains configuration values\r\nsuch as unique campaign ID and C2 server IP address. The OtterCookie portion of the code constructs additional\r\nmodules from strings, which are executed as child processes. In the attack we analyzed, we observed three\r\nmodules, but we also found one additional module while hunting for similar samples in our repositories and on\r\nVirusTotal.  \r\nRemote shell module \r\nThe first module is fundamental for OtterCookie and begins with the detection of the infected system platform and\r\na virtual machine check, followed by reporting the collected user and host information to the OtterCookie C2\r\nserver. \r\nFigure 4. Main Ottercookie module starts with machine checking and includes virtual machines\r\ncheck. \r\nOnce the system information is submitted, the module installs the “socket.io-client” package, which is used to\r\nconnect to a specific port on the OtterCookie C2 server to wait for the commands and execute them in a loop.\r\nsocket.io-client first uses HTTP and then switches to WebSocket protocol to communicate with the server, which\r\nwe observed listening on the TCP port 1418.  \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 5 of 20\n\nFigure 5. socket.io-client package used for communication with C2 server. \r\nFinally, depending on the operating system, this module periodically checks the clipboard content using the\r\ncommands “pbpaste” on macOS or “powershell Get-Clipboard” on Windows. It sends the clipboard content to the\r\nC2 server URL specifically used for logging OtterCookie activities at\r\n“hxxp[://]172[.]86[.]88[.]188/api/service/makelog”. \r\nFile uploading module \r\nThis module enumerates all drives and traverses the file system in order to find files to be uploaded to the\r\nOtterCookie C2 IP address at a specific port and URL (in this case, “hxxp[://]172[.]86[.]88[.]188:1476/upload”).  \r\nThis module contains a list of folder and file names to be excluded from the search, and another list with target file\r\nname extensions and file name search patterns to select files to be uploaded.  \r\nFigure 6. The list of excluded folders and patterns for files uploaded to C2. \r\nThe “interesting” file list contains the following search patterns: \r\n \"*.env*\", \"*metamask*\", \"*phantom*\", \"*bitcoin*\", \"*btc*\", \"*Trust*\", \"*phrase*\", \"*secret*\", \"*phase*\",\r\n\"*credential\", \"*profile*\", \"*account*\", \"*mnemonic*\", \"*seed*\", \"*recovery*\", \"*backup*\", \"*address*\",\r\n\"*keypair*\", \"*wallet*\", \"*my*\", \"*screenshot*\", \"*.doc\", \"*.docx\", \"*.pdf\", \"*.md\", \"*.rtf\", \"*.odt\", \"*.xls\",\r\n\"*.xlsx\", \"*.txt\", \"*.ini\", \"*.secret\", \"*.json\", \"*.ts\", \"*.js\", \"*.csv\"\r\nCryptocurrency extensions stealer module \r\nWhile not present in the campaign Talos analyzed, this module was found while looking for similar files on\r\nVirusTotal. In addition to the targeting of cryptocurrency browser extensions by the BeaverTail code, this\r\nOtterCookie module targets extensions from a list that partially overlaps with the list of cryptocurrency wallet\r\nextensions from the BeaverTail part of the payload. \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 6 of 20\n\nTable 1. Cryptocurrency modules targeted by OtterCookie. \r\nThe cryptocurrency module targets Google Chrome and Brave browsers. If any extensions are found in any of the\r\nbrowser profiles, the extension files as well as the saved Login and Web data are uploaded to a C2 server URL. In\r\nthe discovered sample Talos found, the uploading C2 URL was “hxxp[://]138[.]201[.]50[.]5:5961/upload”. \r\nOtterCookie evolution \r\nOtterCookie malware samples were first observed by NTT Security Holdings around November 2024, leading to a\r\nblog article published in December 2024. However, it is believed that the malware has been in use since\r\napproximately September 2024. The motivation for using the name OtterCookie seems to come from the early\r\nsamples that used content of HTTP response cookies to transfer the malicious code executed by the response\r\nhandler. This remote code loading functionality evolved over time to include additional functionality.  \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 7 of 20\n\nHowever, in April 2025, Talos started seeing additional modules included within the OtterCookie code and the\r\nusage of the C2 server, mostly for downloading a simple OtterCookie configuration and uploading stolen data. \r\nFigure 7. OtterCookie modules evolution timeline.\r\nOtterCookie evolved from the initial basic data-gathering capabilities to more modular design for data theft and\r\nremote command execution techniques. The modules are stored within OtterCookie strings and executed on the\r\nfly. \r\nThe earliest versions, corresponding to what NTT researchers refer to as v1, contain code for remote command\r\nexecution (RCE) and use a socket.IO package to communicate with a C2 server. Over time, OtterCookie modules\r\nevolved by adding code to steal and upload files, with the end goal of stealing cryptocurrency wallets from a list\r\nof hardcoded browser extensions and saved browser credentials. Targeted browsers include Brave, Google\r\nChrome, Opera and Mozilla Firefox. \r\nThe next iteration, referred to as v2, included a clipboard stealing code using the Clipboardy package to send\r\nclipboard contents to the remote server. This version also handles the loading of Javascript code from the server\r\nslightly differently. Instead of evaluating the returned header cookie as v1, the server generates an error which gets\r\nhandled by the error handler on the client side. The error handler simply passes the error response data to the eval\r\nfunction, where it gets executed. The loader code is small and easy to miss, and along with the risk of false\r\npositive detections, this may be why the detection of the OtterCookie loaders on VirusTotal is not very successful. \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 8 of 20\n\nFigure 8. C2 server generates an error but the code is still executed by OtterCookie. \r\nFigure 9. OtterCookie loader error handler evaluates the response data. \r\nThe v3 variant, observed in February 2025, includes a function to send specific files (documents, image files and\r\ncryptocurrency-related files) to the C2 server. OtterCookie v4, observed since April 2025, includes a virtual\r\nenvironment detection code to help attackers discern logs from sandbox environments from those of actual\r\ninfections, indicating a focus on evading analysis. The code also contains some anti-debugging and anti-logging\r\nfunctionality.  \r\nThe v4 variant improves on the previous version’s code and updates the clipboard content-stealing method. It no\r\nlonger uses the Clipboardy library and instead it uses standard macOS or Windows commands for retrieving\r\nclipboard content. \r\nIt is important to note that over time the difference between BeaverTail and OtterCookie became blurred and in\r\nsome attacks their code was merged into a single tool.  \r\nOtterCookie v5 \r\nThe campaign Talos observed in August 2025 uses the most recent version of OtterCookie, which we call v5,\r\ndemonstrated by the addition of a keylogging module. The keylogging module contains code to capture\r\nscreenshots, which are uploaded to the C2 server together with keyboard keystrokes. \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 9 of 20\n\nFigure 10. Node-nvm-ssh infection path. \r\nThe initial infection vector was a modified Chessfi application hosted on Bitbucket. ChessFi is a web3-based\r\nmultiplayer chess platform where players can challenge each other and bet cryptocurrency on the outcome of their\r\nmatches. The choice of a cryptocurrency-related application to lure victims is consistent with previous reporting of\r\nFamous Chollima targeting.  \r\nThe first sign of the attack was the user installing the source code of the application. Based on the folder name of\r\nthe project, we assess with moderate confidence that the victim was approached by the threat actor through the\r\nfreelance marketplace site Fiverr, which is consistent with the previous reporting. While hunting for similar\r\nsamples we have also discovered code repositories that were uploaded for the victim as attachments to Discord\r\nconversations.   \r\nThe infection process started with the victim running Git to clone the repository: \r\nFigure 11. The initial infection vector. \r\nThe Development section of the application’s readme document gives instructions to developers on how to install\r\nand run the project. After cloning the repository, it states that the users should run npm install to install\r\ndependencies, which, in this campaign, also included a malicious npm package named “node-nvm-ssh\". \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 10 of 20\n\nFigure 12. Modified application installation steps. \r\nDuring the installation of dependencies, the malicious package is downloaded from the repository and installed.\r\nThe npm installer parses the package.json file of the malicious package and finds instructions to run commands\r\nafter the installation. This is executed by parsing the “postinstall” value of the JSON object named “scripts”. At\r\nthe first glance, it seems like the postinstall scripts are there to run tests, transpile TypeScript files to Java script\r\nand possibly run other test scripts. \r\nFigure 13. Malicious package.json file contains the instruction that will cause the malicious code to\r\nrun. \r\nHowever, the package.json module installation instruction “npm run skip” causes npm to call the command node\r\ntest/fixtures/eval specified in the value “skip”. The default node.js loading conventions will try loading a number\r\nof file names if none of them are specifically mentioned, one of them being index.js. \r\nThe test/fixtures/eval/index.js content contains code to spawn a child process using the file\r\n“test/fixtures/eval/node_modules/file15.js”. \r\nFigure 14. index.js spawning a child process to execute file15.js. \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 11 of 20\n\nEventually, file15.js loads the file test.list, which is the final payload. This somewhat complex process to reach the\r\npayload code makes it quite difficult for an unsuspecting software engineer to discover that the installation of the\r\nChessfi application will eventually lead to execution of malicious code.   \r\nFigure 15. file15.js reads and calls eval on the content of the file test.list.\r\nWith test.list we have finally reached the last piece of the puzzle of how the malicious code is run. The test.list file\r\nis over 100KB long and obfuscated using Obfuscator.io. Thankfully, the obfuscation in this case is not configured\r\nto make the analysis very difficult and with the help of the deobfuscator and an LLM, Talos was able to\r\ndeobfuscate most of its functionality, revealing a combination of BeaverTail and OtterCookie. \r\nStandard BeaverTail functionality \r\nThere seem to be two distinguishable parts in the code. The first is associated with BeaverTail, including\r\nenumeration of various browser profiles and extensions as well as the download of a Python distribution and\r\nPython client payload from the C2 server “23.227.202[.]244” using the common BeaverTail/InvisibleFerret TCP\r\nport 1224. The second part of the code is associated with OtterCookie. \r\nThe BeaverTail portion starts with a function that disables the console logging, moving toward loading the\r\nrequired modules and calling functions in order to steal data from a list of browser extensions, cryptocurrency\r\nwallets and browser credentials storage.   \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 12 of 20\n\nTable 2. Targeted BeaverTail cryptocurrency browser extensions.\r\nBeaverTail evolution \r\nBeaverTail has been observed since at least May 2023, and originally was a relatively small downloader\r\ncomponent, designed to be included with Node.js based Javascript applications. BeaverTail was also used in\r\nsupply chain attacks affecting packages in the NPM package repository, which was extensively covered in the\r\nprevious research and it is outside of the scope of this post. \r\nFrom the beginning, BeaverTail supported Windows, Linux and macOS, taking advantage of the fact that Node.js\r\napplications can be run on different operating system platforms.  \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 13 of 20\n\nFigure 16. Early BeaverTail OS platform check. \r\nThe other major functionalities within BeaverTail are the download of InvisibleFerret Python stealer payload\r\nmodules and installation of a remote access module, typically an AnyDesk client, which would allow the attacker\r\nto take over the control of the infected machine remotely. Information stealing and remote access have remained\r\nrecurring BeaverTail operational techniques over time. \r\nSoon after the initial samples were discovered in June 2023, BeaverTail started to use simple base64 encoding of\r\nstrings and renaming of variables to make the detection and analysis more difficult. This also included a scheme\r\nused to encode the C2 URL as a shuffled string whose slices are base64 decoded individually and then\r\nconcatenated in a correct order to generate the final URL.  \r\nFigure 17. C2 URL encoding scheme used from early BeaverTail variants until the present. \r\nAlthough BeaverTail is typically written in Javascript, Talos has also discovered several Javascript C2 IP server\r\naddresses. These were shared with C++ compiled binary variants created with the help of the Qt framework. \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 14 of 20\n\nFigure 18. Qt based BeaverTail setting a Qthread parameters. \r\nFrom the early beginnings in mid-2023, to the last quarter of 2024. BeaverTail C2 URL patterns stabilized around\r\nthe most commonly-used TCP ports 1224 and 1244, rather than the port 3306 used by early variants. It seems that\r\nthe threat actors quickly realized that most Windows installations do not come with preinstalled Python\r\ninterpreters as Linux distributions and macOS. To tackle this issue, they included code which installs a Python\r\ndistribution, typically from the “/pdown” URL path, required to run Python InvisibleFerret modules. This TTP\r\nremains until today. \r\nIn terms of detection evasion, Famous Chollima are using several methods to obfuscate code, most frequently\r\nutilzing different configurations of the free Javascript tool Obfuscator.io which does make the analysis and\r\nespecially detection of the malicious code more challenging.  \r\nIn addition to obfuscating the Javascript code they also regularly use various modes of XOR-based obfuscation of\r\ndownloaded modules. XORed Python InvisibleFerret modules start with a unique user based string assignment\r\nfollowed by a reversed base64 encoded string, which contains the final Python module’s code that can also be\r\nXORed for obfuscation. \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 15 of 20\n\nFigure 19. A typical InvisibleFerret self-decoding Python module. \r\nThankfully, by using the combination of a deobfuscating tool and an LLM to rename the variables and base64\r\ndecode encoded strings it is possible to analyse new samples with relative ease. However, the operational tempo of\r\ngroups attributed to Famous Chollima is high and the detection of completely new samples and code on VirusTotal\r\nremains unreliable, allowing threat actors enough time to successfully attack some victims. \r\nBeaverTail, OtterCookie and InvisibleFerret functional overlaps\r\nAll additional modules present in OtterCookie code correspond well to the functionality that is traditionally\r\nassociated with InvisibleFerret and its Python-based modules, as well as some parts of the BeaverTail code. This\r\nmove of the functionality to Javascript may allow the threat actors to remove the reliance on Python code,\r\neliminating the requirement for installation of full Python distributions on Windows. \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 16 of 20\n\nTable 3. Functional similarities between Famous Chollima tools. \r\nCoverage \r\nWays our customers can detect and block this threat are listed below.    \r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.   \r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.   \r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.   \r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.   \r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.   \r\nCisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. \r\nSecure Access provides seamless transparent and secure access to the internet, cloud services or private\r\napplication no matter where your users work.  Please   \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 17 of 20\n\ncontact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure\r\nAccess.   \r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network.    \r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.    \r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.   \r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.    \r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.  \r\nSnort2 rules are available for this threat: 65336 \r\nThe following Snort3 rules are also available to detect the threat: 301315, 65336 \r\nClamAV detections are also available for this threat: Js.Infostealer.Ottercookie-10057842-0,\r\nJs.Malware.Ottercookie-10057860-0   \r\nIOCs\r\nIOCs for this research can also be found at our GitHub repository here.\r\nEarly OtterCookie \r\nf08e3ee84714cc5faefb7ac300485c879356922003d667587c58d594d875294e \r\nBeaverTail evolution: \r\n72ebfe69c69d2dd173bb92013ab44d895a3367f91f09e3f8d18acab44e37b26d \r\ncaad2f3d85e467629aa535e0081865d329c4cd7e6ff20a000ea07e62bf2e4394 \r\n8efa928aa896a5bb3715b8b0ed20881029b0a165a296334f6533fa9169b4463b \r\nMalicious npm package Aug 2025\r\n83c145aedfdf61feb02292a6eb5091ea78d8d0ffaebf41585c614723f36641d8 -test.list \r\nSimilar to our campaign \r\n77aec48003beeceb88e70bed138f535e1536f4bbbdff580528068ad6d184f379 \r\n0904eff1edeff4b6eb27f03e0ccc759d6aa8d4e1317a1e6f6586cdb84db4a731 \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 18 of 20\n\nd27c9f75c3f1665ee19642381a4dd6f2e4038540442cf50948b43f418730fd0a \r\n51ddd8f6ff30d76de45e06902c45c55163ddbec7d114ad89b21811ffedb71974 \r\nd89c45d65a825971d250d12bc7a449321e1977f194e52e4ca541e8a908712e47 \r\n6a9b4e8537bb97e337627b4dd1390bdb03dc66646704bd4b68739d499bd53063 \r\na6914ded72bdd21e2f76acde46bf92b385f9ec6f7e6b7fdb873f21438dfbff1d \r\nVSCode Extension\r\n9e65de386b40f185bf7c1d9b1380395e5ff606c2f8373c63204a52f8ddc01982 \r\ndff2a0fb344a0ad4b2c129712b2273fda46b5ea75713d23d65d5b03d0057f6dd - raw.js \r\nC2 URLs\r\nhxxp[://]23[.]227[.]202[.]244:1224/uploads \r\nhxxp[://]23[.]227[.]202[.]244:1224/pdown \r\nhxxp[://]23[.]227[.]202[.]244:1224/client/14/144 \r\nhxxp[://]23[.]227[.]202[.]244:1224/payload/14/144 \r\nhxxp[://]23[.]227[.]202[.]244:1224/brow/14/144 \r\nhxxp[://]23[.]227[.]202[.]244:1224/keys  \r\nhxxp[://]172[.]86[.]88[.]188:1418/socket[.]io/ \r\nhxxp[://]172[.]86[.]88[.]188:1476/upload \r\nhxxp[://]172[.]86[.]88[.]188/api/service/makelog \r\nhxxp[://]172[.]86[.]88[.]188/api/service/process/c841b6c4ac4d2e83f16cf7a8bfbec3d7 \r\nhxxp[://]138[.]201[.]50[.]5:5961/upload \r\nhxxp[://]135[.]181[.]123[.]177/api/service/makelog \r\nhxxp[://]144[.]172[.]96[.]35/api/service/makelog \r\nhxxp[://]144[.]172[.]112[.]50/api/service/makelog \r\nhxxp[://]172[.]86[.]73[.]46 \r\nhxxp[://]135[.]181[.]123[.]177 \r\nhxxp[://]172[.]86[.]113[.]12\r\nDownload URLs \r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 19 of 20\n\nhxxps[://]www[.]npmjs[.]com/package/node-nvm-ssh \r\nhxxps[://]bitbucket[.]org/dev-chess/chess-frontend[.]git \r\nSource: https://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nhttps://blog.talosintelligence.com/beavertail-and-ottercookie/\r\nPage 20 of 20", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://blog.talosintelligence.com/beavertail-and-ottercookie/" ], "report_names": [ "beavertail-and-ottercookie" ], "threat_actors": [ { "id": "7187a642-699d-44b2-9c69-498c80bce81f", "created_at": "2025-08-07T02:03:25.105688Z", "updated_at": "2026-04-10T02:00:03.78394Z", "deleted_at": null, "main_name": "NICKEL TAPESTRY", "aliases": [ "CL-STA-0237 ", "CL-STA-0241 ", "DPRK IT Workers", "Famous Chollima ", "Jasper Sleet Microsoft", "Purpledelta Recorded Future", "Storm-0287 ", "UNC5267 ", "Wagemole " ], "source_name": "Secureworks:NICKEL TAPESTRY", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "4fc99d9b-9b66-4516-b0db-520fbef049ed", "created_at": "2025-10-29T02:00:51.949631Z", "updated_at": "2026-04-10T02:00:05.346203Z", "deleted_at": null, "main_name": "Contagious Interview", "aliases": [ "Contagious Interview", "DeceptiveDevelopment", "Gwisin Gang", "Tenacious Pungsan", "DEV#POPPER", "PurpleBravo", "TAG-121" ], "source_name": "MITRE:Contagious Interview", "tools": [ "InvisibleFerret", "BeaverTail", "XORIndex Loader", "HexEval Loader" ], "source_id": "MITRE", "reports": null }, { "id": "d05e8567-9517-4bd8-a952-5e8d66f68923", "created_at": "2024-11-13T13:15:31.114471Z", "updated_at": "2026-04-10T02:00:03.761535Z", "deleted_at": null, "main_name": "WageMole", "aliases": [ "Void Dokkaebi", "WaterPlum", "PurpleBravo", "Famous Chollima", "UNC5267", "Wagemole", "Nickel Tapestry", "Storm-1877" ], "source_name": "MISPGALAXY:WageMole", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434685, "ts_updated_at": 1775826721, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/2f5218ca65a083c1460dd82c116c9f30485ec13d.pdf", "text": "https://archive.orkl.eu/2f5218ca65a083c1460dd82c116c9f30485ec13d.txt", "img": "https://archive.orkl.eu/2f5218ca65a083c1460dd82c116c9f30485ec13d.jpg" } }