{
	"id": "524cc13b-6ac8-4fb2-9d9b-4a39c72ce603",
	"created_at": "2026-04-06T00:12:23.054493Z",
	"updated_at": "2026-04-10T03:36:17.19911Z",
	"deleted_at": null,
	"sha1_hash": "69ddf995ea7ac1898f92fd3050c643a9fdd48fbe",
	"title": "Additional Features of OtterCookie Malware Used by WaterPlum",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2303205,
	"plain_text": "Additional Features of OtterCookie Malware Used by WaterPlum\r\nBy NTTセキュリティ・ジャパン株式会社\r\nPublished: 2025-05-08 · Archived: 2026-04-05 18:56:19 UTC\r\nBy Masaya Motoda, Rintaro Koike\r\nPublished May 8, 2025 | Threat Intelligence\r\nThis article is the English version of “WaterPlumが使用するマルウェアOtterCookieの機能追加”.\r\nThe original article was authored by NSJ SOC analysts Masaya Motoda and Rintaro Koike.\r\nIntroduction\r\nWaterPlum (also called Famous Chollima or PurpleBravo) is reportedly a North Korea-linked attack group that targets financial institutions, cryptocurrency operators and FinTech companies worldwide. They have been using malware called BeaverTail or InvisibleFerret in the Contagious Interview campaign since around 2023, and they started using new malware in September 2024. We named it \"OtterCookie\" and published a blog article in December 2024.\r\nOtterCookie, new malware used in Contagious Interview campaign\r\nAttacks using OtterCookie continued after the blog article was published. We confirmed updates to it in February and April 2025. In this article, we introduce the distinctive differences observed in the new versions. In accordance with the observed dates, we assigned version numbers (v1 to v4) for convenience.\r\nhttps://jp.security.ntt/insights_resources/tech_blog/en-waterplum-ottercookie/\r\nPage 1 of 6\r\nThe following chart summarizes the functions implemented and the target OS for each version. v1 has only the File Grabber function, but v4 has many functions as a result of repeated updates.\r\nThe timeline of version transition is as follows. The migration to v4 is ongoing, and both v3 and v4 are in use as of writing this article.\r\nOtterCookie v3\r\nOtterCookie v3, observed in February 2025, has two modules: a Main module that has the legacy OtterCookie functions and an Upload module that communicates with the C2 server.\r\nWindows environment support is added by the Upload module. The following code sends files whose extensions are included in the array \"searchKey\" to a remote server.\r\nOn environments other than Windows, it collects document files, image files and files related to cryptocurrency and sends them to a remote server. Until v2, this function was realized by receiving shell commands from the remote server, but in v3 the following code is hardcoded.\r\nOtterCookie v4\r\nIn OtterCookie v4, which has been observed since April 2025, two new Stealer modules have been added, and some new features have been added to the Main module.\r\nA virtual environment detection function was added to the existing environment check function implemented in the Main module. We assume that the attackers intended to distinguish logs from sandbox environments from those of actual infections.\r\nRegarding the function that steals the contents of the clipboard, it no longer uses the clipboardy library as seen in v3 and instead uses macOS or Windows standard commands.\r\nThe Stealer module that runs first steals passwords and usernames stored in Google Chrome. As shown in the figure below, it uses DPAPI to decrypt Login Data for Google Chrome. It stores Login Data in \"\\AppData\\Local\\1.db\" under the home directory for further operation.\r\nAnother Stealer module steals files related to MetaMask, Google Chrome and Brave browser credentials, and macOS credentials without decrypting them.\r\nIt seems odd that the former Stealer module steals Google Chrome Login Data after decrypting it, but the latter steals encrypted Login Data. This difference in data processing or coding style implies that these modules were developed by different developers.\r\nSummary\r\nIn this article, we introduced OtterCookie v3 and v4 used by WaterPlum. They keep updating OtterCookie actively and continuously. Since their attacks are observed in Japan, we must pay close attention to their activities.\r\nOur SOC analysts Motoda and Koike will be speaking at SINCON2025 in Singapore on May 22~23, 2025, in a talk titled “Anti Confiture: An Otter Has A Sweet Tooth”. They will introduce attack flow, functionality, and infrastructure information related to OtterCookie. We look forward to seeing you there.\r\nConference 2025 | SINCON | Infosec In the City\r\nIoCs\r\nIP Address and Domain Names\r\nSource: https://jp.security.ntt/insights_resources/tech_blog/en-waterplum-ottercookie/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://jp.security.ntt/insights_resources/tech_blog/en-waterplum-ottercookie/"
	],
	"report_names": [
		"en-waterplum-ottercookie"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237",
				"CL-STA-0241",
				"DPRK IT Workers",
				"Famous Chollima",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287",
				"UNC5267",
				"Wagemole"
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434343,
	"ts_updated_at": 1775792177,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/69ddf995ea7ac1898f92fd3050c643a9fdd48fbe.pdf",
		"text": "https://archive.orkl.eu/69ddf995ea7ac1898f92fd3050c643a9fdd48fbe.txt",
		"img": "https://archive.orkl.eu/69ddf995ea7ac1898f92fd3050c643a9fdd48fbe.jpg"
	}
}