{
	"id": "f3c1bf47-a5a8-4c18-9307-acbf7958ca2f",
	"created_at": "2026-04-06T00:18:43.344688Z",
	"updated_at": "2026-04-10T03:28:28.720053Z",
	"deleted_at": null,
	"sha1_hash": "f0534a2c0f717ab44a71cbf6afd612af5bfced71",
	"title": "OtterCookie, new malware used in Contagious Interview campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 768058,
	"plain_text": "OtterCookie, new malware used in Contagious Interview campaign\r\nBy NTTセキュリティ・ジャパン株式会社\r\nPublished: 2025-01-16 · Archived: 2026-04-05 23:34:22 UTC\r\nBy Masaya Motoda, Rintaro Koike, Ryu Hiyoshi\r\nPublished January 16, 2025 | Threat Intelligence\r\nThis article is the English version of “Contagious Interviewが使用する新たなマルウェアOtterCookieについて”,\r\ntranslated by Ryu Hiyoshi, NTTSH SOC analyst.\r\nThe original article was authored by our SOC analysts, Masaya Motoda and Rintaro Koike.\r\nIntroduction\r\nContagious Interview is said to be an attack campaign linked to North Korea; Palo Alto Networks\r\npublished a report on it in November 2023 [1]. Unlike typical nation-state targeted attacks,\r\nContagious Interview appears to be financially motivated and its targeting is broader. Since our SOC\r\noccasionally observes security incidents from this campaign, Japanese organizations should pay close attention to it.\r\nSince around November 2024, our SOC has observed the execution of unknown malware, neither BeaverTail nor\r\nInvisibleFerret, in the Contagious Interview campaign. We named the newly observed malware OtterCookie and\r\nanalyzed it in detail. In this article, we introduce its execution flow and detailed behavior.\r\nExecution Flow\r\nThough the Contagious Interview campaign employs various initial attack vectors, most of them start with Node.js\r\nprojects or npm packages downloaded from GitHub or Bitbucket [2]. Recently, it has also been reported that a file\r\nembedded in an application built with Qt or Electron is used as an initial attack vector. This suggests that the\r\nthreat actors behind Contagious Interview keep seeking new attack methods.\r\nhttps://jp.security.ntt/insights_resources/tech_blog/en-contagious-interview-ottercookie/\r\nPage 1 of 6\n\nLoader\r\nSome reports [3][4][5] describe the loader that launches OtterCookie. As described in these reports, it downloads\r\nJSON data from a remote host and executes its cookie property as JavaScript code.\r\nWe also observed another loader that simply downloads and executes JavaScript code. In this case, the server\r\nreturns HTTP status code 500, which transfers control to the \"catch\" block, and the JavaScript code in that\r\nblock is then executed.\r\nThe loader launches BeaverTail in most cases and OtterCookie only rarely. We also observed a case where\r\nit launched both OtterCookie and BeaverTail at the same time.\r\nOtterCookie\r\nWe started observing OtterCookie in November 2024, but it may have been in use since September 2024.\r\nThough there are small differences in implementation between the September version and the November version, the\r\nfundamental functions are the same. We introduce the notable differences based on our analysis\r\nof the November version.\r\nIn the November version, it uses Socket.IO to communicate with the remote host and receives commands via the socketServer\r\nfunction. We confirmed that it has functions to execute shell commands (\"command\") and to steal host information\r\n(\"whour\").\r\nWe closely observed the shell commands sent from the remote host and executed via \"command\". We\r\nconfirmed that the shell commands collected and exfiltrated cryptocurrency wallet keys contained in\r\ndocuments, pictures, or cryptocurrency-related files. We also observed that it checked the environment via the \"ls\" and\r\n\"cat\" commands.\r\nIn the September version, a function to steal cryptocurrency wallet keys is already implemented. For example,\r\nthe checkForSensitiveData function searches for Ethereum private keys using a regular expression. In the November version, this is\r\ndone instead by executing shell commands sent from the remote host.\r\nAs shown below, in the November version it sends the contents of the local clipboard to the remote host using the clipboardy\r\nlibrary. This is not implemented in the September version.\r\nSummary\r\nIn this article, we introduced OtterCookie, a new malware used in the Contagious Interview campaign. Since the\r\nthreat actors behind Contagious Interview actively keep seeking new attack methods and their attacks have already\r\nbeen observed in Japan, we should keep paying close attention to them.\r\nIoCs\r\nFile Hashes (SHA256)\r\nd19ac8533ab14d97f4150973ffa810e987dea853bb85edffb7c2fcef13ad2106\r\n7846a0a0aa90871f0503c430cc03488194ea7840196b3f7c9404e0a536dbb15e\r\n4e0034e2bd5a30db795b73991ab659bda6781af2a52297ad61cae8e14bf05f79\r\n32257fb11cc33e794fdfd0f952158a84b4475d46f531d4bee06746d15caf8236\r\nIP Address and Domain Names\r\n45[.]159.248.55\r\nzkservice[.]cloud\r\nw3capi[.]marketing\r\npayloadrpc[.]com\r\nReferences\r\n[1] Palo Alto Networks, \"Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors\", https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/\r\n[2] Macnica (マクニカ), \"北からのジョブオファー: ソフトウェア開発者を狙うContagious Interview\" (Job Offers from the North: Contagious Interview Targeting Software Developers), https://security.macnica.co.jp/blog/2024/10/-contagious-interview.html\r\n[3] Phylum, \"North Korea Still Attacking Developers via npm\", https://blog.phylum.io/north-korea-still-attacking-developers-via-npm/\r\n[4] Group-IB, \"APT Lazarus: Eager Crypto Beavers, Video calls and Games\", https://www.group-ib.com/blog/apt-lazarus-python-scripts/\r\n[5] Zscaler, \"From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West\", https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west\r\nSource: https://jp.security.ntt/insights_resources/tech_blog/en-contagious-interview-ottercookie/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://jp.security.ntt/insights_resources/tech_blog/en-contagious-interview-ottercookie/"
	],
	"report_names": [
		"en-contagious-interview-ottercookie"
	],
	"threat_actors": [
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434723,
	"ts_updated_at": 1775791708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0534a2c0f717ab44a71cbf6afd612af5bfced71.pdf",
		"text": "https://archive.orkl.eu/f0534a2c0f717ab44a71cbf6afd612af5bfced71.txt",
		"img": "https://archive.orkl.eu/f0534a2c0f717ab44a71cbf6afd612af5bfced71.jpg"
	}
}