The North Korean threat actor behind the Contagious Interview campaign has started combining features from two of its malware strains, showing ongoing refinement of its toolkit.
According to recent research from Cisco Talos, the hacking group's newest campaigns have brought BeaverTail and OtterCookie's capabilities closer together, with OtterCookie now including a new module for keylogging and capturing screenshots.
North Korean Hackers Upped Their Game
Hackers are now using blockchains like BNB Smart Chain and Ethereum to secretly control their malware, making it much harder to shut down their attacks. This method, called EtherHiding, is used by North Korean hackers who pretend to be recruiters and trick job seekers into downloading malware during fake job tasks; the malware then steals sensitive data and cryptocurrency.
Recently, they have updated their tricks to use new social engineering methods and a mix of old and new malware to improve their attacks.
Detected by Cisco Talos Group
Cisco Talos found suspicious activity involving a company based in Sri Lanka. The company wasn't specifically targeted, but one of its computers got infected, most likely because someone fell for a fake job offer and installed a malicious Node.js app called Chessfi from Bitbucket as part of a supposed interview task.
The malware uses a package called “node-nvm-ssh,” which was published to the official npm registry by a user named “trailer” on August 20, 2025. This package was downloaded 306 times before it was removed just six days later.
It is one of many malicious Node libraries linked to the Contagious Interview scam. When installed, it runs a hidden script that starts the malware: it launches some JavaScript code, which then loads more code to carry out the attack.
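A defender-side check that follows from this, added here as an example and not part of the Talos research: walk a project's node_modules, flag any package that declares an npm install-time lifecycle hook (preinstall, install or postinstall, which is the usual way a dependency runs a "hidden script" on install; the report does not name the exact mechanism) and flag the package name from the report. The sample tree and the hook command in it are constructed for the demonstration.

```python
import json
import os
import tempfile

# npm lifecycle hooks that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Package name reported by Cisco Talos; extend with your own blocklist.
KNOWN_BAD = {"node-nvm-ssh"}


def audit_node_modules(root):
    """Return (package, reason, detail) findings for every package under root
    that is on the blocklist or declares an install-time hook."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as f:
                pkg = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        name = pkg.get("name") or os.path.relpath(dirpath, root)
        scripts = pkg.get("scripts") or {}
        if name in KNOWN_BAD:
            findings.append((name, "known-bad package name", ""))
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, f"install-time hook '{hook}'", scripts[hook]))
    return findings


def build_sample_tree():
    """Constructed node_modules: one benign package and one that carries the
    reported name plus a postinstall hook (the hook command is invented)."""
    root = os.path.join(tempfile.mkdtemp(), "node_modules")
    manifests = {
        "left-pad": {"name": "left-pad", "version": "1.3.0"},
        "node-nvm-ssh": {
            "name": "node-nvm-ssh",
            "version": "1.0.0",
            "scripts": {"postinstall": "node ./lib/setup.js"},
        },
    }
    for dirname, manifest in manifests.items():
        pkg_dir = os.path.join(root, dirname)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)
    return root


if __name__ == "__main__":
    for name, reason, detail in audit_node_modules(build_sample_tree()):
        print(f"{name}: {reason} {detail}".rstrip())
```

Run it against a real checkout by passing the project's node_modules path to audit_node_modules; every install-time hook it reports deserves a look before the dependency is trusted.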
The malware, called OtterCookie v5, has many dangerous features. It can look for browser profiles and extensions, steal info from browsers and crypto wallets, install AnyDesk for remote control, and download another backdoor program called InvisibleFerret.
OtterCookie also includes:
- A remote shell module that sends your system info and clipboard contents to hackers, and allows them to send new commands to your computer.
- A file upload module that searches your drives for files with certain names, like “bitcoin,” “backup,” or “metamask,” and uploads them to the attackers.
- A module that steals data from crypto wallet extensions on Chrome and Brave browsers.