If an email offering your dream job suddenly lands in your inbox, with great pay, flexible hours, and a file attachment, pause before clicking. It might not be your big break. It might be OtterCookie, a deceptive new malware strain linked to North Korea's growing cyber playbook.
This latest campaign is part of a larger social engineering effort by a known threat group associated with North Korea, infamous for malware families like BeaverTail and InvisibleFerret. Now, they've added OtterCookie, an infostealer with a deceptively cute name but very real consequences.
What Is OtterCookie?
Discovered in late 2024, OtterCookie has already gone through several iterations, each more advanced than the last. Versions 3 and 4, released in February and April 2025, marked significant upgrades in capability and stealth.
OtterCookie is delivered through a campaign known as “Contagious Interview”, where targets, often in the fintech, cryptocurrency, and broader financial industries, are lured with fake job offers. These phishing attempts are designed to look legitimate, but once a user opens the attached file, the malware silently installs itself and gets to work.
What’s New in OtterCookie?
Version 3 (Feb 2025) introduced:
- A modular structure separating core functions and file uploading
- Scanning for documents, images, and crypto-related files
- File exfiltration tailored for Windows environments
- Hardcoded logic instead of remote command execution
Version 4 (Apr 2025) expanded on this with:
- New stealers targeting browser credentials and crypto wallets (e.g., MetaMask, Brave)
- Decryption of stored passwords using Windows DPAPI
- Enhanced evasion techniques, including sandbox detection
- Stealthier operations by removing third-party tools in favor of native commands
In short, OtterCookie is now capable of extracting credentials, crypto assets, and sensitive files with alarming efficiency. And rather than decrypting stolen data immediately, it sends it off to be processed elsewhere—typical of advanced persistent threat (APT) operations.
Who’s Behind It?
The group behind OtterCookie is known by several names—WaterPlum, Famous Chollima, or PurpleBravo. They’re a North Korea-linked APT group known for highly targeted campaigns against:
- Cryptocurrency exchanges
- Fintech startups
- Global financial institutions
This isn’t opportunistic cybercrime—it’s calculated, state-backed cyber espionage and financial theft.
How to Stay Safe
As attackers become more strategic, using real job listings and AI-polished lures, the responsibility falls on all of us to stay alert. Here’s how you can protect yourself:
- Be skeptical of unsolicited job offers, especially those with attachments or links
- Never open unfamiliar file attachments—scan them with antivirus software
- Watch for misleading file names like .mp4.exe or .pdf.scr
- Avoid storing sensitive credentials in your browser; use a password manager instead
- Enable two-factor authentication (2FA) and use hardware wallets for crypto security
- Keep your software and operating systems up to date
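The double-extension trick mentioned above (a name like offer.pdf.scr where only the last extension counts) can be checked automatically before an attachment is opened. The following Python is an added example, not code from the original post; the executable and decoy extension sets are assumptions chosen for illustration, and the attachment names are constructed samples.

```python
# Added example: flag attachment names that use a deceptive double extension,
# e.g. "intro.mp4.exe" or "offer.pdf.scr". Windows hides the final extension of
# known file types by default, so the user sees "intro.mp4" and runs an .exe.
from pathlib import PurePosixPath

# Assumed set of extensions Windows treats as executable on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".msi", ".lnk"}
# Assumed set of extensions a job candidate would expect in a legitimate
# document or media attachment; these act as the "decoy" inner extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
              ".mp4", ".mov", ".jpg", ".png", ".zip"}


def is_deceptive_name(filename: str) -> bool:
    """Return True when the real (final) extension is executable and an
    earlier extension pretends the file is a harmless document or video."""
    suffixes = [s.lower() for s in PurePosixPath(filename.strip()).suffixes]
    if len(suffixes) < 2:
        return False          # single extension: nothing is being disguised
    real, decoys = suffixes[-1], suffixes[:-1]
    return real in EXECUTABLE_EXTS and any(d in DECOY_EXTS for d in decoys)


def flag_attachments(names):
    """Return the subset of attachment names that look deceptive, in order."""
    return [n for n in names if is_deceptive_name(n)]


if __name__ == "__main__":
    # Constructed sample attachment names from a hypothetical job-offer email.
    sample = ["Job Offer.mp4.exe", "Contract.pdf.scr", "resume.pdf",
              "archive.tar.gz", "setup.exe"]
    for name in flag_attachments(sample):
        print(f"WARNING: deceptive file name: {name}")
```

Names ending in a plain .exe are not flagged here because nothing is being disguised; they should still be treated with the same suspicion as any unexpected executable.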
Final Thought
OtterCookie is just the latest example of how well-funded threat actors continue to develop social engineering with sophisticated malware to exploit trust and target high-value data.
If a job offer looks too good to be true, it probably is. Don’t let your curiosity or ambition compromise your digital security. In today’s landscape, your credentials, crypto, and career are all targets.
Stay cautious. Stay updated. And always treat your digital privacy like your paycheck depends on it—because it does.