{ "id": "34f2b608-e3d8-472d-a850-c46f42f05acf", "created_at": "2026-04-06T03:37:01.094432Z", "updated_at": "2026-04-10T13:11:39.018189Z", "deleted_at": null, "sha1_hash": "900a702df040e7456aedf4a61a16a2f298de71f1", "title": "New 'OtterCookie' malware used to backdoor devs in fake job offers", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2304246, "plain_text": "New 'OtterCookie' malware used to backdoor devs in fake job offers\r\nBy Bill Toulas\r\nPublished: 2024-12-26 · Archived: 2026-04-06 03:09:35 UTC\r\nNorth Korean threat actors are using new malware called OtterCookie in the Contagious Interview campaign that is targeting\r\nsoftware developers.\r\nContagious Interview has been active since at least December 2022, according to researchers at cybersecurity company Palo\r\nAlto Networks. The campaign targets software developers with fake job offers to deliver malware such as BeaverTail and\r\nInvisibleFerret.\r\nA report from NTT Security Japan notes that the Contagious Interview operation is now using a new piece of malware called\r\nOtterCookie, which was likely introduced in September and with a new variant appearing in the wild in November.\r\nhttps://www.bleepingcomputer.com/news/security/new-ottercookie-malware-used-to-backdoor-devs-in-fake-job-offers/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/new-ottercookie-malware-used-to-backdoor-devs-in-fake-job-offers/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nOtterCookie attack chain\r\nJust like in the attacks documented by Palo Alto Networks' Unit42 researchers, OtterCookie is delivered via a loader that\r\nfetches JSON data and executes the ‘cookie’ property as JavaScript code.\r\nNTT says that, even though BeaverTail remains the most common payload, OtterCookie has been seen in some cases either\r\ndeployed alongside BeaverTail or on its own.\r\nThe loader infects targets through Node.js projects or npm packages downloaded from GitHub or Bitbucket. However, files\r\nbuilt as Qt or Electron applications were also used recently.\r\nOverview of the latest Contagious Interview attacks\r\nSource: NTT Japan\r\nOnce active on the target device, OtterCookie establishes secure communications with its command and control (C2)\r\ninfrastructure using the Socket.IO WebSocket tool, and awaits for commands.\r\nThe researchers observed shell commands that perform data theft (e.g. collecting cryptocurrency wallet keys, documents,\r\nimages, and other valuable information).\r\n“The September version of OtterCookie already included a built-in functionality to steal keys related to cryptocurrency\r\nwallets,” NTT explains.\r\n“For example, the checkForSensitiveData function used regular expressions to check for Ethereum private keys,” the\r\nresearchers note, adding that this was changed with the November variant of the malware where this is achieved through\r\nremote shell commands.\r\nhttps://www.bleepingcomputer.com/news/security/new-ottercookie-malware-used-to-backdoor-devs-in-fake-job-offers/\r\nPage 3 of 5\n\nTargeting cryptocurrency information\r\nSource: NTT Japan\r\nThe latest version of OtterCookie can also exfiltrate clipboard data to the threat actors, which may contain sensitive\r\ninformation.\r\nCommands typically used for reconnaissance, like ‘ls’ and ‘cat’, were also detected, indicating the attacker’s intention to\r\nexplore the environment and stage it for deeper infiltration or lateral movement.\r\nThe appearance of new malware and the diversification of the infection methods indicate that the threat actors behind the\r\nContagious Interview campaign experiment with new tactics.\r\nSoftware developers should try to verify information about a potential employer and be wary of running code on personal or\r\nwork computers as part of a job offer that require coding tests.\r\nhttps://www.bleepingcomputer.com/news/security/new-ottercookie-malware-used-to-backdoor-devs-in-fake-job-offers/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/new-ottercookie-malware-used-to-backdoor-devs-in-fake-job-offers/\r\nhttps://www.bleepingcomputer.com/news/security/new-ottercookie-malware-used-to-backdoor-devs-in-fake-job-offers/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://www.bleepingcomputer.com/news/security/new-ottercookie-malware-used-to-backdoor-devs-in-fake-job-offers/" ], "report_names": [ "new-ottercookie-malware-used-to-backdoor-devs-in-fake-job-offers" ], "threat_actors": [ { "id": "4fc99d9b-9b66-4516-b0db-520fbef049ed", "created_at": "2025-10-29T02:00:51.949631Z", "updated_at": "2026-04-10T02:00:05.346203Z", "deleted_at": null, "main_name": "Contagious Interview", "aliases": [ "Contagious Interview", "DeceptiveDevelopment", "Gwisin Gang", "Tenacious Pungsan", "DEV#POPPER", "PurpleBravo", "TAG-121" ], "source_name": "MITRE:Contagious Interview", "tools": [ "InvisibleFerret", "BeaverTail", "XORIndex Loader", "HexEval Loader" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775446621, "ts_updated_at": 1775826699, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/900a702df040e7456aedf4a61a16a2f298de71f1.pdf", "text": "https://archive.orkl.eu/900a702df040e7456aedf4a61a16a2f298de71f1.txt", "img": "https://archive.orkl.eu/900a702df040e7456aedf4a61a16a2f298de71f1.jpg" } }