Researchers at Cisco Talos have uncovered a sophisticated campaign by the Famous Chollima subgroup of Lazarus, in which attackers deploy two blended JavaScript tools, BeaverTail and OtterCookie, to carry out stealthy keylogging, screenshot capture, and data exfiltration.
This cluster of activity, part of the broader “Contagious Interview” operation, has evolved considerably since it was first noted, blurring the lines between previously distinct toolsets and revealing new modules for credential theft and surveillance.
In a recent incident, Talos observed an infection at a Sri Lankan organization that fell victim after a user accepted a fake job offer. The user installed a trojanized Node.js project named ChessFi, touted as a web3-based chess platform with cryptocurrency betting features.
Instead of a legitimate development environment, the npm dependencies included a malicious package, node-nvm-ssh, which triggered a chain of postinstall scripts that ultimately executed a highly obfuscated payload.
This payload merged BeaverTail’s browser-profile enumeration and Python-stealer downloader with OtterCookie’s JavaScript-based modules, including novel keylogging capabilities.
Keylogging and Screenshot Module Unveiled
Talos found a previously undocumented OtterCookie module that simultaneously logs keystrokes and captures periodic screenshots.
Using the Node.js packages “node-global-key-listener” for keystroke events, “screenshot-desktop” for image capture, and “sharp” for format conversion, the module writes keystrokes to “1.tmp” and screenshots to “2.jpeg” in a temporary folder.
Keystrokes are flushed to disk every second, while screenshots are taken every 4 seconds. In some variants, clipboard monitoring was also integrated, allowing attackers to harvest copied text.
The stolen data and images are uploaded to the OtterCookie C2 server at TCP port 1478 via an “/upload” endpoint, enabling real-time surveillance without raising obvious alerts.

Further analysis revealed other OtterCookie features: a remote shell module that detects the host platform, checks for virtual environments, gathers system information, and maintains a WebSocket-based command loop over socket.io-client on port 1418; a file upload module that traverses drives, filters out system folders, and exfiltrates documents, scripts, and wallet files; and a hidden cryptocurrency extension stealer targeting Chrome and Brave profiles.
Remarkably, researchers also found a malicious VS Code extension masquerading as an “Onboarding Helper,” which embedded OtterCookie code to infect developers directly within their editor environment.


While attribution of the extension to Famous Chollima remains tentative, it underscores the threat actor’s experimentation with diverse vectors.
BeaverTail, first seen in mid-2023 as a lightweight downloader for Python-based InvisibleFerret stealer modules, has long facilitated credential harvesting and remote-access installations.
Over time, it adopted code obfuscation via Obfuscator.io, shuffled base64 C2 URL schemes, and even Qt-compiled C++ variants.
Meanwhile, OtterCookie’s initial loader, which used HTTP response cookies to fetch JavaScript code, evolved through five versions, each adding modules for clipboard stealing, file theft, sandbox evasion, and now keylogging and screenshotting in version 5, observed in August 2025.

In the recent ChessFi attack, BeaverTail’s browser-extension targeting and Python downloader functionality merged seamlessly with OtterCookie’s JavaScript modules, eliminating the need for a full Python runtime on Windows hosts.
Mitigations
Organizations can defend against these blended threats by enforcing application whitelisting, monitoring for unexpected npm dependencies, and deploying endpoint security solutions that inspect both JavaScript and Python executables.
The loader code is small and easy to miss, and together with the risk of false-positive detections, this may be why detection of the OtterCookie loaders on VirusTotal isn’t very successful.


Cisco Secure Endpoint can block execution of malicious scripts, while Secure Email and Secure Firewall appliances can prevent delivery of phishing lures and C2 traffic.
Additionally, network analytics tools such as Stealthwatch can alert on unusual connections to known BeaverTail and OtterCookie C2 ports (1224, 1244, 1418, 1478).
Regular audits of developer environments and strict code-review processes will further reduce the risk posed by trojanized open-source projects.