CyberSecurity news

FlagThis - #northkorea

@securityonline.info //
The North Korean threat actor WaterPlum, also known as Famous Chollima or PurpleBravo, is behind the latest iteration of the OtterCookie malware, version 4. This cross-platform malware is designed to target financial institutions, cryptocurrency platforms, and FinTech companies across the globe. OtterCookie's evolution demonstrates a significant advancement in its capabilities, posing an increased threat level. The malware is often deployed through the "Contagious Interview" campaign, which uses fake job offers to entice victims into opening malicious payloads.

OtterCookie v4 boasts enhanced credential theft capabilities, with modules specifically designed to steal credentials from Google Chrome, MetaMask, and iCloud Keychain. One module decrypts and extracts passwords from Chrome using the Windows Data Protection API (DPAPI), while another targets the MetaMask extension in browsers like Chrome and Brave, as well as iCloud Keychain, to harvest sensitive data. These stolen credentials are then stored in a local database before being exfiltrated. These advancements represent a significant leap from earlier versions of OtterCookie which primarily functioned as a file grabber.

A key feature of OtterCookie v4 is its ability to detect virtual machine environments, including VMware, VirtualBox, Microsoft Hyper-V, and QEMU. This allows the malware to evade analysis and detection by security researchers and automated sandbox environments. The malware's cross-platform functionality allows it to operate across Windows, macOS, and Linux, significantly broadening its potential impact. Researchers first exposed OtterCookie in December 2024, and the malware has rapidly evolved since then, with version 3 appearing in February 2025 and version 4 in April 2025.

Recommended read:
References :
  • MeatMutts: OtterCookie v4 Adds VM Detection and Chrome, MetaMask Credential Theft Capabilities
  • Anonymous ???????? :af:: Security’s Masaya Motoda & Rintaro Koike detail the key differences between the OtterCookie malware variants used by WaterPlum (Famous Chollima/PurpleBravo) in November 2024 and in February and April 2025, highlighting their chronological evolution.
  • securityonline.info: WaterPlum’s OtterCookie Malware Upgrades to v4 with Credential Theft and Sandbox Detection Features
  • Anonymous ???????? :af:: NTT Security - OtterCookie Malware variants by WaterPlum
  • Anonymous ???????? :af:: Security’s Masaya Motoda & Rintaro Koike detail the key differences between the OtterCookie malware variants used by WaterPlum (Famous Chollima/PurpleBravo) in November 2024 and in February and April 2025, highlighting their chronological evolution.
  • securityonline.info: Information on new malware OtterCookie

@www.silentpush.com //
References: gbhackers.com , iHLS ,
North Korean operatives have infiltrated hundreds of Fortune 500 companies, posing a significant threat to IT infrastructure and sensitive data. Security experts revealed at the RSAC 2025 Conference that the infiltration extends across virtually every major corporation, with many Fortune 500 companies unknowingly employing North Korean technical workers. This alarming trend raises serious concerns about potential security breaches and data theft. The experts said that dozens of experts and law enforcement at RSA said the campaign is now out of control, impacting thousands of companies.

Even tech giant Google has detected North Korean technical workers in their talent pipeline as job candidates and applicants, although they have not been hired to date. "If you're not seeing this, it's because you're not detecting it, not because it's not happening to you," warned Iain Mulholland, senior director of security engineering at Google Cloud, emphasizing the universality of the threat. Insider risk management firm DTEX corroborated these findings, reporting that 7% of its customer base-representing a cross-section of the Fortune 2000-has been infiltrated by North Korean operatives working as full-time employees with privileged access.

The North Korean IT worker scam has expanded beyond the tech and crypto industries and is now a threat to all companies. One cybersecurity expert even found evidence that a U.S. political campaign in Oregon hired a North Korean IT worker to build its website. Initially, the workers primarily focused on legitimate employment to generate funds for the regime in Pyongyang, but experts are now seeing a tactical shift toward extortion, which has been observed.

Recommended read:
References :
  • gbhackers.com: North Korean APT Hackers Pose as Companies to Spread Malware to Job Seekers
  • iHLS: North Korean Hackers Set Up Fake U.S. Businesses to Target Cryptocurrency Developers
  • www.cysecurity.news: Threat analysts at Silent Push, a U.S. cybersecurity firm, told Reuters that North Korean cyber spies established two companies in the U.S., Blocknovas LLC and Softglide LLC, using fictitious personas and addresses to infect developers in the cryptocurrency industry with malicious software, in violation of Treasury sanctions.

@cyberscoop.com //
North Korean operatives have infiltrated hundreds of Fortune 500 companies, posing a significant and growing threat to IT infrastructure and sensitive data. Security leaders at Mandiant and Google Cloud have indicated that nearly every major company has either hired or received applications from North Korean nationals working on behalf of the regime. These individuals primarily aim to earn salaries that are then sent back to Pyongyang, contributing to the country's revenue stream. Cybersecurity experts warn that this issue is more pervasive than previously understood, with organizations often unaware of the extent of the infiltration.

Hundreds of Fortune 500 organizations have unknowingly hired these North Korean IT workers, and nearly every CISO interviewed has admitted to hiring at least one, if not several, of these individuals. Google has also detected North Korean technical workers within its talent pipeline, though the company states that none have been hired to date. The risk of North Korean nationals working for large organizations has become so prevalent that security professionals now assume it is happening unless actively detected. Security analysts continue to raise alarms and highlight the expansive ecosystem of tools, infrastructure, and specialized talent North Korea has developed to support this illicit activity.

The FBI and cybersecurity experts are actively working to identify and remove these remote workers. According to Adam Meyers, Head of Country Adversary Operations at CrowdStrike, there have been over 90 incidents in the past 90 days, resulting in millions of dollars flowing to the North Korean regime through high-paying developer jobs. Microsoft is tracking thousands of personas and identities used by these North Korean IT workers, indicating a high-volume operation. Uncovering one North Korean IT worker scam often leads to the discovery of many others, as demonstrated by CrowdStrike's investigation that revealed 30 victim organizations.

Recommended read:
References :
  • blog.knowbe4.com: Hundreds of Fortune 500 companies have hired North Korean operatives.
  • Threats | CyberScoop: North Korean operatives have infiltrated hundreds of Fortune 500 companies
  • PCMag UK security: North Koreans Still Working Hard to Take Your IT Job: 'Any Organization Is a Target'
  • cyberscoop.com: North Korean operatives have infiltrated hundreds of Fortune 500 companies
  • WIRED: For years, North Korea has been secretly placing young IT workers inside Western companies. With AI, their schemes are now more devious—and effective—than ever.
  • gbhackers.com: Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives
  • www.scworld.com: Widespread Fortune 500 firm infiltration conducted by North Koreans

@www.silentpush.com //
North Korean hackers, identified as the Contagious Interview APT group, are running a sophisticated malware campaign targeting individuals seeking employment in the cryptocurrency sector. Silent Push threat analysts have uncovered the operation, revealing that the group, also known as Famous Chollima and a subgroup of Lazarus, is using three front companies—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—to spread malicious software. These companies are being used to lure unsuspecting job applicants into downloading malware through fake job interview opportunities, marking an evolution in the group's cyber espionage and financial gain tactics.

The campaign involves the distribution of three distinct malware strains: BeaverTail, InvisibleFerret, and OtterCookie. Job seekers are enticed with postings on various online platforms, including CryptoJobsList, CryptoTask, and Upwork. Once an application is submitted, the hackers send what appear to be legitimate interview-related files containing the malware. The attackers are also using AI-generated images to create employee profiles for these front companies, specifically using Remaker AI to fabricate realistic personas, enhancing the credibility of their fraudulent operations and making it harder for job seekers to differentiate between genuine and malicious opportunities.

The use of these front companies and AI-generated profiles signifies a new escalation in the tactics employed by Contagious Interview. The malware, once installed, allows hackers to remotely access infected computers and steal sensitive data. The campaign leverages legitimate platforms like GitHub and various job boards to further enhance its deceptive nature. Silent Push's analysis has successfully traced the malware back to specific websites and internet addresses used by the hackers, including lianxinxiao[.]com, and uncovered a hidden online dashboard monitoring suspected BeaverTail websites, providing valuable insights into the operational infrastructure of this North Korean APT group.

Recommended read:
References :
  • hackread.com: North Korean Hackers Use Fake Crypto Firms in Job Malware Scam
  • The Hacker News: North Korean Hackers Spread Malware via Fake Crypto Firms and Job Interview Lures
  • www.silentpush.com: Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie
  • Anonymous ???????? :af:: Threat analysts have uncovered that North Korea's Contagious Interview APT group is using three front companies to distribute malware strains BeaverTail, InvisibleFerret, and OtterCookie through fake cryptocurrency job offers.
  • www.silentpush.com: North Korean APT registers three cryptocurrency companies to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
  • cyberpress.org: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
  • bsky.app: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
  • www.scworld.com: North Korean cyberespionage facilitated by bogus US firms, crackdown underway
  • Virus Bulletin: Silent Push researchers have uncovered three cryptocurrency companies that are actually fronts for the North Korean APT group Contagious Interview. BeaverTail, InvisibleFerret & OtterCookie are being spread from this infrastructure to unsuspecting cryptocurrency job applicants.
  • www.scworld.com: New Lazarus campaign hits South Korea BleepingComputer reports that at least half a dozen South Korean organizations in the finance, telecommunications, IT, and software industries have been compromised by North Korean hacking collective Lazarus Group
  • Cyber Security News: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
  • PCMag UK security: Okta finds evidence that North Koreans are using a variety of AI services to upgrade their chances of fraudulently securing remote work so they can line their country's coffers or steal secrets.
  • malware.news: North Korean Group Creates Fake Crypto Firms in Job Complex Scam
  • www.bitdegree.org: North Korean hackers use AI and fake job offers within cryptocurrency companies to distribute malware to unsuspecting job seekers
  • cyberpress.org: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
  • malware.news: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
  • securityonline.info: Threat analysts at Silent Push have uncovered a new campaign orchestrated by the North Korean state-sponsored APT group,
  • securityonline.info: Threat actors are using fake companies in the cryptocurrency consulting industry to spread malware to unsuspecting job applicants.
  • Cybernews: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
  • gbhackers.com: North Korean APT Hackers Pose as Companies to Spread Malware to Job Seekers

@unit42.paloaltonetworks.com //
North Korean state-sponsored group Slow Pisces, also known as Jade Sleet, TraderTraitor, and PUKCHONG, is actively targeting cryptocurrency developers through social engineering campaigns on LinkedIn. Security researchers at Palo Alto Networks have uncovered a scheme where the group poses as potential employers, enticing developers with coding challenges that are actually malware delivery mechanisms. The malicious activity is suspected to be connected to the massive Bybit hack that occurred in February 2025.

The attackers send what appear to be legitimate coding assignments to the developers, but these challenges contain malware disguised within compromised projects. When the developers run these projects, their systems become infected with new customized Python malware dubbed RN Loader and RN Stealer. RN Loader collects basic information about the victim's machine and operating system, sending it to a remote server, while RN Stealer is designed to harvest sensitive data from infected Apple macOS systems, including system metadata and installed applications.

GitHub and LinkedIn have taken action to remove the malicious accounts used by Slow Pisces. Both companies affirm that they use automated technology, expert teams, and user reporting to combat malicious actors. Palo Alto Networks customers are protected through their Next-Generation Firewall with Advanced URL Filtering and Advanced DNS Security subscriptions. They urge those who suspect they might be compromised to contact the Unit 42 Incident Response team.

Recommended read:
References :
  • Virus Bulletin: VirusBulletin reports on Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) campaign targeting cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges.
  • unit42.paloaltonetworks.com: Unit 42 reports that North Korean state-sponsored group Slow Pisces (Jade Sleet) targeted crypto developers with a social engineering campaign that included malicious coding challenges.
  • securityonline.info: Slow Pisces Targets Crypto Developers with Deceptive Coding Challenges
  • The Hacker News: Crypto Developers Targeted by Python Malware Disguised as Coding Challenges
  • Unit 42: Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware
  • Security Risk Advisors: Slow Pisces Targets Crypto Developers With “Coding Challenges†That Deliver New RN Loader and RN Stealer Malware
  • www.itpro.com: Hackers are duping developers with malware-laden coding challenges
  • cyberpress.org: Slow Pisces Hackers Target Developers with Malicious Python Coding Tests
  • gbhackers.com: Slow Pisces Group Targets Developers Using Coding Challenges Laced with Python Malware
  • gbhackers.com: Slow Pisces Group Targets Developers Using Coding Challenges Laced with Python Malware
  • sra.io: #NorthKorea - based #SlowPisces group hits #Crypto devs with #LinkedIn “coding challengesâ€! Repos mask #Python & #JS malware using YAML/EJS tricks.
  • Security Risk Advisors: #NorthKorea - based #SlowPisces group hits #Crypto devs with #LinkedIn “coding challengesâ€! Repos mask #Python & #JS malware using YAML/EJS tricks.

Ddos@Daily CyberSecurity //
North Korean Lazarus APT group has expanded its malicious activities within the npm ecosystem, deploying eleven new packages designed to deliver the BeaverTail malware and a new remote access trojan (RAT) loader. These malicious packages have been downloaded over 5,600 times before their removal, posing a significant risk to developer systems. The threat actors are utilizing previously identified aliases, as well as newly created accounts, to distribute these packages.

The campaign, dubbed "Contagious Interview," aims to compromise developer systems, steal sensitive credentials or financial assets, and maintain access to compromised environments. To evade detection, the attackers are employing hexadecimal string encoding and other obfuscation techniques. Some of the packages, such as "events-utils" and "icloud-cod," are linked to Bitbucket repositories, while others use command-and-control (C2) addresses previously associated with Lazarus Group campaigns, indicating the scale and coordination of this operation.

Cybersecurity researchers are urging developers to be vigilant and carefully review all dependencies before installing them. The North Korean threat actors continue to create new npm accounts and deploy malicious code across platforms like the npm registry, GitHub, and Bitbucket, demonstrating their persistence and showing no signs of slowing down. This campaign highlights the increasing sophistication of supply chain attacks and the need for robust security measures to protect against such threats.

Recommended read:
References :
  • Security Risk Advisors: Socket Research Team's report
  • The Hacker News: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages
  • ciso2ciso.com: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages – Source:thehackernews.com
  • Talkback Resources: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages [net] [mal]
  • securityonline.info: Lazarus Group Expands Malicious Campaign on npm, Targets Developers with New Malware
  • securityonline.info: Lazarus Group Expands Malicious Campaign on npm, Targets Developers with New Malware
  • www.scworld.com: Malicious npm packages, BeaverTail malware leveraged in new North Korean attacks
  • Cyber Security News: North Korean cyber threat actors, Lazarus Group, have escalated their supply chain attack tactics by introducing a series of malicious npm (Node Package Manager) packages.
  • cyberpress.org: North Korean cyber threat actors, Lazarus Group, have escalated their supply chain attack tactics by introducing a series of malicious npm (Node Package Manager) packages. Utilizing sophisticated hexadecimal encoding to camouflage their code and evade detection systems, the group aims to compromise developer systems, steal sensitive credentials, and maintain persistent access to targeted environments.
  • Chris Wysopal: Infosec.Exchange post on new supply chain NPM package malware attacks found.