Full Report
The North Korean threat actors behind the Contagious Interview campaign have been observed using updated versions of a cross-platform malware called OtterCookie with capabilities to steal credentials from web browsers and other files. NTT Security Holdings, which detailed the new findings, said the attackers have "actively and continuously" updated the malware, introducing versions v3 and v4 in
Analysis Summary
# Threat Actor: WaterPlum (Associated with Lazarus Group)
## Attribution & Identity
* **Primary Tracking Name:** WaterPlum
* **Associated Campaign:** Contagious Interview
* **Known Aliases/Identifiers:** CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, PurpleBravo, Tenacious Pungsan.
* **Attribution:** North Korean threat actors, believed to be a cluster within the broader **Lazarus Group**.
## Activity Summary
The threat actors are "actively and continuously" updating their cross-platform malware, OtterCookie, as part of the evolving **Contagious Interview** campaign. The cluster relies heavily on social engineering, approaching individuals through fake job applications and interview processes; one lure is ClickFix-style: a bogus online assessment reports a non-existent audio/video problem and instructs the candidate to run a "fix" command that actually executes the malware. Recent activities include:
* Deployment of OtterCookie versions v3 (February 2025) and v4 (April 2025).
* Distribution of a Go-based information stealer disguised as a Realtek driver update ("WebCam.zip") leading to the deployment of the macOS application "DriverMinUpdate.app."
* Use of the Tsunami-Framework, delivered as a follow-up payload to the InvisibleFerret Python backdoor.
## Tactics, Techniques & Procedures
* **Initial Access/Delivery:** Malicious npm packages, trojanized GitHub/Bitbucket repositories, bogus videoconferencing applications, and delivery under the guise of software updates (e.g., Realtek driver update).
* **Evasion:** OtterCookie v4 incorporates anti-analysis capabilities to detect execution within virtual machine (VM) environments (Broadcom VMware, Oracle VirtualBox, Microsoft, QEMU).
* **Credential & Data Theft:** Harvesting credentials from web browsers, cryptocurrency wallet recovery phrases, and specific browser extensions (MetaMask).
* **Defense Evasion (Human Layer):** Impersonating job candidates to get hired and thereby gain insider access; the work is then performed by North Korean nationals operating remotely, in some cases through third-party "laptop farms" that host the company-issued devices.
* **Remote Access:** Establishing a persistent Command and Control (C2) channel and executing remote commands.
* **System Profiling/Reconnaissance:** Gathering system information post-infection.
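The anti-VM checks in the Evasion bullet above cut both ways: a sample that references several hypervisor vendors is itself a triage signal. The following is an added example written for this summary, not code from OtterCookie or from NTT's report; the indicator substrings and the sample bytes are constructed for illustration, and the approach generalizes to any binary or script, not just this family.

```python
import re

# Substrings an anti-VM routine typically looks for in hardware vendor/model
# names, driver or service names. The vendors mirror those named in the report;
# the substrings themselves are generic and constructed for this example.
VM_INDICATORS = {
    "VMware": ("vmware", "vmtoolsd", "vmhgfs"),
    "VirtualBox": ("virtualbox", "vbox"),
    "Microsoft Hyper-V": ("hyper-v", "hyperv", "vmbus"),
    "QEMU": ("qemu", "kvm"),
}


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Return printable ASCII and UTF-16LE strings of at least min_len characters.

    Both encodings matter: Windows binaries commonly store wide strings, while
    scripts and ELF/Mach-O binaries store ASCII.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def find_vm_indicators(data: bytes) -> dict:
    """Map each hypervisor vendor to the extracted strings that reference it."""
    hits = {}
    for s in extract_strings(data):
        low = s.lower()
        for vendor, needles in VM_INDICATORS.items():
            if any(n in low for n in needles):
                hits.setdefault(vendor, set()).add(s)
    return {vendor: sorted(strings) for vendor, strings in hits.items()}


def likely_anti_vm(data: bytes, min_vendors: int = 2) -> bool:
    """Heuristic verdict: references to several distinct hypervisors in one
    sample are characteristic of a VM-detection routine, whereas a single
    vendor string can be an incidental dependency or an embedded driver name."""
    return len(find_vm_indicators(data)) >= min_vendors


# Constructed stand-in for a sample: an ASCII manufacturer check, a UTF-16LE
# service name and a guest-agent name, padded with unrelated bytes.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00\x00"
    + b"manufacturer contains VMware, Inc.\x00\x00"
    + "VBoxService.exe".encode("utf-16-le") + b"\x00\x00"
    + b"unrelated configuration string\x00"
    + b"qemu-ga\x00"
)

# Constructed benign blob with no hypervisor references.
BENIGN = b"\x7fELF\x02\x01\x01\x00\x00hello from an ordinary program\x00"

if __name__ == "__main__":
    for vendor, strings in find_vm_indicators(SAMPLE).items():
        print(f"{vendor}: {strings}")
    print("likely anti-VM:", likely_anti_vm(SAMPLE))
```

Run it against a real sample by reading the file into `SAMPLE`; the two-vendor threshold in `likely_anti_vm` is the part worth tuning, since legitimate installers sometimes carry one hypervisor's guest-tools name but rarely several.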
## Targeting
* **Sectors:** Not explicitly listed, but the delivery method (fake job interviews and coding assessments) points to technology firms, defense contractors and any organization hiring for technical roles; the broader Lazarus Group motivation is financial gain and espionage.
* **Geography:** Not explicitly listed, but the activity is tied to North Korean state interests, and both the UK and US governments have issued warnings about this infiltration tactic.
* **Victims:** The Bybit crypto platform is mentioned in relation to the broader Lazarus Group; one incident involved an operative attempting to infiltrate Kraken through its interview process.
## Tools & Infrastructure
* **Malware Families Used:**
* OtterCookie (Cross-platform malware; versions v2, v3, v4 observed).
* Tsunami-Framework (.NET-based modular malware).
* InvisibleFerret (Python backdoor).
* DriverMinUpdate.app (macOS application used to harvest system passwords).
* **Infrastructure:** Communicates with external servers for command execution and exfiltration. (No specific URLs or IPs were provided in the text block).
## Implications
This actor cluster demonstrates a high level of operational tradecraft through continuous malware refinement (OtterCookie v4) and sophisticated social engineering adapted to the hiring landscape. Their objectives are multifaceted, encompassing **financial gain** (crypto-related theft) and **espionage** (data exfiltration), aligning with Lazarus Group mandates to advance North Korea's strategic goals and generate revenue outside sanctions. Distinct coding styles across the OtterCookie v4 modules suggest several developers working in coordination within the group.
## Mitigations
* Establish enhanced identity verification procedures as a mandatory part of the interview process, including real-time contextual questioning about claimed locations/identities.
* Regularly update HR staff and recruiters on current North Korean social engineering tactics, particularly those involving fake job applications or technical assessments.
* Monitor newly onboarded personnel for classic insider-threat indicators: anomalous use of legitimate remote-access and administration tools, and impossible-travel alerts (logins from locations that could not be reached in the elapsed time).
* Deploy endpoint detection and response (EDR) tooling that detects known OtterCookie characteristics and the anti-VM checks such samples perform (hypervisor vendor and VM-artifact probes), treating those checks as an indicator in their own right.
* Apply strong application control to prevent the execution of downloaded binaries posing as legitimate drivers or updates.
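The impossible-travel check in the mitigations above is straightforward to implement against authentication logs. The following added example is illustrative code written for this summary, not a tool from the report or from any vendor; the GeoIP table, the log lines and the new-hire list are all constructed, and a real deployment would replace the table with a GeoIP database lookup and the list with an HR feed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed stand-in for a GeoIP database: documentation-range IPs mapped to
# approximate coordinates (city label, latitude, longitude).
GEOIP = {
    "198.51.100.10": ("San Jose, US", 37.34, -121.89),
    "192.0.2.44": ("Seattle, US", 47.61, -122.33),
    "203.0.113.77": ("Lagos, NG", 6.52, 3.38),
}

# Constructed authentication log, one event per line:
# "<ISO-8601 UTC timestamp> <user> <source IP> <result>"
SAMPLE_LOG = """\
2025-05-12T08:00:00Z bob 198.51.100.10 success
2025-05-12T09:00:00Z alice 198.51.100.10 success
2025-05-12T11:30:00Z alice 203.0.113.77 success
2025-05-12T20:00:00Z bob 192.0.2.44 success
2025-05-12T21:00:00Z carol 192.0.2.44 failure
2025-05-12T21:05:00Z carol 192.0.2.44 success
"""

# Constructed list of recently onboarded accounts (from HR, in practice).
NEW_HIRES = {"alice"}


@dataclass
class Login:
    user: str
    ts: datetime
    src_ip: str
    place: str
    lat: float
    lon: float


def parse_log(text: str) -> list:
    """Turn log lines into geolocated successful logins; failures and IPs
    without a GeoIP entry are dropped because they establish no location."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        if result != "success" or ip not in GEOIP:
            continue
        place, lat, lon = GEOIP[ip]
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        logins.append(Login(user, when, ip, place, lat, lon))
    return logins


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=900.0, min_distance_km=300.0, new_hires=frozenset()):
    """Flag consecutive logins per user whose implied speed exceeds max_speed_kmh.

    min_distance_km suppresses noise from nearby GeoIP entries (mobile carriers,
    VPN exits in the same region); a zero time gap counts as infinite speed.
    """
    by_user = {}
    for login in sorted(logins, key=lambda x: (x.user, x.ts)):
        by_user.setdefault(login.user, []).append(login)

    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_distance_km:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": f"{prev.place} ({prev.src_ip})",
                    "to": f"{cur.place} ({cur.src_ip})",
                    "distance_km": round(dist),
                    "hours": round(hours, 2),
                    "speed_kmh": round(speed),
                    "new_hire": user in new_hires,
                })
    return alerts


def run_example() -> list:
    """Evaluate the constructed log; only alice's San Jose to Lagos hop fires."""
    return impossible_travel(parse_log(SAMPLE_LOG), new_hires=NEW_HIRES)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The `new_hire` flag is what ties this to the hiring-fraud scenario: route alerts for recently onboarded accounts to a reviewer rather than letting them sit in a generic anomaly queue, and pair them with the identity-verification questions from the first mitigation.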