North Korean APTs Target Node.js Ecosystem: BeaverTail-OtterCookie JavaScript Malware Exploits npm Supply Chain and Developer Tools
- Rescana
- Oct 19
- 4 min read

Executive Summary
North Korean advanced persistent threat (APT) groups have significantly escalated their offensive cyber capabilities by merging the functionalities of BeaverTail and OtterCookie into a highly modular, advanced JavaScript malware suite. This new threat, observed in the "Contagious Interview" campaign, leverages sophisticated social engineering, supply chain attacks via malicious npm packages, and innovative command-and-control (C2) techniques utilizing blockchain infrastructure. The malware targets a broad spectrum of organizations and individuals, with a particular focus on technology, cryptocurrency, and software development sectors. The campaign demonstrates a marked evolution in both technical sophistication and operational tradecraft, posing a critical risk to organizations globally.
Threat Actor Profile
The primary actors behind this campaign are North Korean APT groups, including Famous Chollima (a Lazarus subgroup), CL-STA-0240, DeceptiveDevelopment, UNC5342, PurpleBravo, and Void Dokkaebi. These groups are known for their persistent targeting of the technology and financial sectors, often employing multi-stage social engineering tactics such as fake job interviews and developer recruitment schemes. Their operations are characterized by rapid adaptation, the use of open-source and supply chain attack vectors, and a willingness to experiment with novel C2 infrastructures, such as blockchain-based payload delivery (EtherHiding). The groups have demonstrated a global reach, with confirmed victims in over 62 countries, and have shown a particular interest in cryptocurrency theft, intellectual property exfiltration, and long-term access to development environments.
Technical Analysis of Malware/TTPs
The merged BeaverTail-OtterCookie malware suite is a modular JavaScript-based framework, distributed primarily through trojanized Node.js applications and malicious npm packages. The infection chain typically begins with a social engineering lure, such as a fake job offer, which convinces the target to install a seemingly legitimate Node.js application (e.g., "Chessfi" from Bitbucket). The application’s package.json file contains a malicious postinstall script that executes a JavaScript loader (index.js or file15.js), which in turn downloads and executes the final-stage malware.
The malware’s core modules include a keylogger and screenshotter (leveraging node-global-key-listener and screenshot-desktop npm packages), a clipboard monitor for harvesting sensitive data, and a browser/wallet stealer targeting Chrome and Brave extensions such as MetaMask, Phantom, TronLink, Suiet, Trust Wallet, and Rabby Wallet. The malware also deploys a remote shell using socket.io-client for real-time C2 communication, a file uploader that searches for files containing keywords like "metamask", "bitcoin", "backup", and "phrase", and establishes persistence by installing AnyDesk. Additionally, a Python-based backdoor (InvisibleFerret) is deployed for secondary access.
A notable innovation is the use of blockchain-based C2 (EtherHiding), where payloads are fetched from the BNB Smart Chain or Ethereum networks, providing a resilient and takedown-resistant infrastructure. The campaign also includes the distribution of malicious Visual Studio Code extensions and Qt-based artifacts, expanding the attack surface to development environments.
Exploitation in the Wild
The "Contagious Interview" campaign has been observed in active exploitation scenarios worldwide. In one documented case, a Sri Lankan organization was compromised after an employee, targeted via a fake job interview, installed a trojanized Node.js application. The malware has been distributed through over 338 malicious npm packages, such as node-nvm-ssh and rand-user-agent, some of which accumulated hundreds of downloads before removal. The campaign’s reach is global, with thousands of victims identified across 62 countries, and targets ranging from individual developers to large technology firms. The attackers have also experimented with malicious Visual Studio Code extensions, indicating a focus on compromising developer supply chains and integrated development environments (IDEs).
Victimology and Targeting
The primary targets of this campaign are organizations and individuals in the technology, cryptocurrency, and software development sectors. The attackers employ highly tailored social engineering tactics, often posing as recruiters or potential employers to lure developers and IT professionals. The use of supply chain attacks via npm packages and Visual Studio Code extensions enables the threat actors to compromise both individual endpoints and entire development pipelines. The campaign has affected victims in Sri Lanka, the United States, Europe, and Asia, with a particular emphasis on entities involved in blockchain and cryptocurrency operations. The attackers’ focus on browser wallet extensions and backup phrases suggests a strong financial motivation, in addition to traditional espionage objectives.
Mitigation and Countermeasures
Organizations should immediately audit all npm dependencies for suspicious or recently published packages, with particular attention to those with low download counts or unknown maintainers. Known malicious packages such as node-nvm-ssh and rand-user-agent should be blocked, and continuous monitoring for new suspicious packages is essential. Security teams should monitor for unexpected installations of AnyDesk, Python scripts, and npm packages like node-global-key-listener and screenshot-desktop. Development environments, especially Visual Studio Code, should be inspected for unauthorized extensions, and only extensions from the official marketplace should be permitted.
Network monitoring should be implemented to detect outbound connections to blockchain networks (BNB Smart Chain, Ethereum) and anomalous Socket.IO C2 traffic. User awareness training is critical, particularly for developers and IT staff, to recognize and report social engineering attempts such as fake job interviews. Endpoint detection and response (EDR) solutions should be configured to alert on the execution of suspicious JavaScript, Python scripts, and unauthorized remote access tools. Regular reviews of supply chain security policies and incident response plans are strongly recommended.
References
The following sources provide additional technical details and context for this advisory:
- The Hacker News: North Korean Hackers Combine BeaverTail and OtterCookie into Advanced JS Malware (https://thehackernews.com/2025/10/north-korean-hackers-combine-beavertail.html)
- Cisco Talos: BeaverTail and OtterCookie evolve with a new Javascript module (https://blog.talosintelligence.com/beavertail-and-ottercookie/)
- GBHackers: North Korean Hackers Deploy BeaverTail–OtterCookie Combo for Keylogging Attacks (https://gbhackers.com/beavertail-ottercookie/)
- Socket: Contagious Interview npm malware campaign (https://socket.dev/blog/contagious-interview-malware-npm)
- NTT Security Holdings: OtterCandy Analysis (https://www.nttsecurity.com/)
- MITRE ATT&CK Techniques (https://attack.mitre.org/)
- CyberScoop: North Korean operatives spotted using evasive techniques (https://cyberscoop.com/north-korea-attackers-evasive-techniques-malware/)
- HackRead: NK's Famous Chollima Use BeaverTail and OtterCookie Malware (https://hackread.com/nk-famous-chollima-beavertail-ottercookie-malware/)
About Rescana
Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to proactively identify, assess, and mitigate cyber risks across their digital supply chains. Our platform leverages real-time intelligence, automated assessments, and deep analytics to provide actionable insights and enhance your organization’s security posture. For more information or to discuss how Rescana can help you strengthen your cyber resilience, we are happy to answer questions at ops@rescana.com.