CyberSecurity news
FlagThis
Head MeatMutt@MeatMutts
//
The North Korean threat actor WaterPlum, also known as Famous Chollima or PurpleBravo, is behind the latest iteration of the OtterCookie malware, version 4. This cross-platform malware is designed to target financial institutions, cryptocurrency platforms, and FinTech companies across the globe. OtterCookie's evolution demonstrates a significant advancement in its capabilities, posing an increased threat level. The malware is often deployed through the "Contagious Interview" campaign, which uses fake job offers to entice victims into opening malicious payloads.
OtterCookie v4 boasts enhanced credential theft capabilities, with modules specifically designed to steal credentials from Google Chrome, MetaMask, and iCloud Keychain. One module decrypts and extracts passwords from Chrome using the Windows Data Protection API (DPAPI), while another targets the MetaMask extension in browsers like Chrome and Brave, as well as iCloud Keychain, to harvest sensitive data. These stolen credentials are then stored in a local database before being exfiltrated. These advancements represent a significant leap from earlier versions of OtterCookie which primarily functioned as a file grabber.
A key feature of OtterCookie v4 is its ability to detect virtual machine environments, including VMware, VirtualBox, Microsoft Hyper-V, and QEMU. This allows the malware to evade analysis and detection by security researchers and automated sandbox environments. The malware's cross-platform functionality allows it to operate across Windows, macOS, and Linux, significantly broadening its potential impact. Researchers first exposed OtterCookie in December 2024, and the malware has rapidly evolved since then, with version 3 appearing in February 2025 and version 4 in April 2025.
ImgSrc: blogger.googleu
References :
OtterCookie v4 boasts enhanced credential theft capabilities, with modules specifically designed to steal credentials from Google Chrome, MetaMask, and iCloud Keychain. One module decrypts and extracts passwords from Chrome using the Windows Data Protection API (DPAPI), while another targets the MetaMask extension in browsers like Chrome and Brave, as well as iCloud Keychain, to harvest sensitive data. These stolen credentials are then stored in a local database before being exfiltrated. These advancements represent a significant leap from earlier versions of OtterCookie which primarily functioned as a file grabber.
A key feature of OtterCookie v4 is its ability to detect virtual machine environments, including VMware, VirtualBox, Microsoft Hyper-V, and QEMU. This allows the malware to evade analysis and detection by security researchers and automated sandbox environments. The malware's cross-platform functionality allows it to operate across Windows, macOS, and Linux, significantly broadening its potential impact. Researchers first exposed OtterCookie in December 2024, and the malware has rapidly evolved since then, with version 3 appearing in February 2025 and version 4 in April 2025.
ImgSrc: blogger.googleu
Share:
References :
- MeatMutts: OtterCookie v4 Adds VM Detection and Chrome, MetaMask Credential Theft Capabilities
- Anonymous ???????? :af:: Security’s Masaya Motoda & Rintaro Koike detail the key differences between the OtterCookie malware variants used by WaterPlum (Famous Chollima/PurpleBravo) in November 2024 and in February and April 2025, highlighting their chronological evolution.
- securityonline.info: WaterPlum’s OtterCookie Malware Upgrades to v4 with Credential Theft and Sandbox Detection Features
- Anonymous ???????? :af:: NTT Security - OtterCookie Malware variants by WaterPlum
Classification:
- HashTags: #OtterCookie #NorthKorea #Malware
- Company: North Korean
- Target: Financial institutions, cryptocurrency platforms
- Attacker: WaterPlum
- Product: Chrome
- Feature: Credential Theft
- Malware: OtterCookie
- Type: Malware
- Severity: Major