Researchers at Cisco Talos have uncovered a sophisticated campaign by the Famous Chollima subgroup of Lazarus, in which the attackers deploy blended JavaScript tools, BeaverTail and OtterCookie, to carry out stealthy keylogging, screenshot capture, and data exfiltration.
This cluster of activity, part of the broader "Contagious Interview" operation, has evolved considerably since it was first documented, blurring the lines between previously distinct toolsets and revealing new modules for credential theft and surveillance.
In a recent incident, Talos observed an infection at a Sri Lankan organization that fell victim after a user accepted a fake job offer. The user installed a trojanized Node.js project named ChessFi, touted as a web3-based chess platform with cryptocurrency betting features.
Instead of a legitimate development environment, the npm dependencies included a malicious package, node-nvm-ssh, which triggered a chain of postinstall scripts that ultimately executed a highly obfuscated payload.
This payload merged BeaverTail's browser-profile enumeration and Python-stealer downloader with OtterCookie's JavaScript-based modules, including novel keylogging capabilities.
Keylogging and Screenshot Module Unveiled
Talos discovered a previously undocumented OtterCookie module that simultaneously logs keystrokes and captures periodic screenshots.
Using the Node.js packages "node-global-key-listener" for keystroke events, "screenshot-desktop" for image capture, and "sharp" for format conversion, the module writes keystrokes to "1.tmp" and screenshots to "2.jpeg" in a temporary folder.
Keystrokes are flushed to disk every second, while screenshots are taken every 4 seconds. In some variants, clipboard monitoring was also integrated, allowing the attackers to harvest copied text.
The stolen data and images are uploaded to the OtterCookie C2 server on TCP port 1478 via an "/upload" endpoint, enabling real-time surveillance without raising obvious alerts.

Further analysis revealed other OtterCookie features: a remote shell module that detects the host platform, checks for virtual environments, gathers system information, and maintains a WebSocket-based command loop over socket.io-client on port 1418; a file upload module that traverses drives, filters out system folders, and exfiltrates documents, scripts, and wallet files; and a hidden cryptocurrency extension stealer targeting Chrome and Brave profiles.
Notably, the researchers also found a malicious VS Code extension masquerading as an "Onboarding Helper," which embedded OtterCookie code to infect developers directly within their editor environment.


While attribution of the extension to Famous Chollima remains tentative, it underscores the threat actor's experimentation with diverse delivery vectors.
BeaverTail, first seen in mid-2023 as a lightweight downloader for the Python-based InvisibleFerret stealer modules, has long facilitated credential harvesting and the installation of remote-access tooling.
Over time, it adopted code obfuscation via Obfuscator.io, shuffled base64 C2 URL schemes, and even Qt-compiled C++ variants.
Meanwhile, OtterCookie's initial loader, which used HTTP response cookies to fetch JavaScript code, evolved through five versions, each adding modules for clipboard stealing, file theft, and sandbox evasion, and now keylogging and screenshotting in version 5, observed in August 2025.

In the recent ChessFi attack, BeaverTail's browser-extension targeting and Python downloader functionality merged seamlessly with OtterCookie's JavaScript modules, eliminating the need for a full Python runtime on Windows hosts.
Mitigations
Organizations can defend against these blended threats by implementing application whitelisting, monitoring for unexpected npm dependencies, and deploying endpoint protection that inspects both JavaScript and Python executables.
The loader code is small and easy to overlook, and together with the risk of false positive detections, this may be why detection of the OtterCookie loaders on VirusTotal is not very successful.


Cisco Secure Endpoint can block execution of malicious scripts, while Secure Email and Secure Firewall appliances can prevent delivery of phishing lures and C2 traffic.
Additionally, network analytics tools such as Stealthwatch can alert on unusual connections to known BeaverTail and OtterCookie C2 ports (1224, 1244, 1418, 1478).
Regular audits of developer environments and strict code-review processes will further reduce the risk posed by trojanized open-source projects.