Additional Features of OtterCookie Malware Used by WaterPlum

2025-05-08 NTTSecurity

https://jp.security.ntt/tech_blog/en-waterplum-ottercookie

NTT analyzed updated OtterCookie malware used by WaterPlum, also tracked as Famous Chollima or PurpleBravo, against financial, cryptocurrency, and FinTech targets. The malware has evolved from a simple file grabber into v3 and v4 variants that add Windows support, hardcoded file-collection logic for documents, images, and cryptocurrency-related data, virtual-environment checks, and clipboard theft carried out with native macOS or Windows commands. The stealer modules collect Chrome passwords by decrypting them with DPAPI, copy the browser's Login Data database, and target MetaMask, Brave, and macOS credential material; the differing code styles across modules suggest separate authors. Reported infrastructure includes alchemy-api-v3[.]cloud, chainlink-api-v3[.]cloud, and moralis-api-v3[.]cloud.

Indicators of Compromise

Type    Value              First Seen   Last Seen
IPv4    188.116.26.84      2025-05-08   2026-02-19
IPv4    135.181.123.177    2025-04-11   2025-10-16
DOMAIN  modilus.io         2025-05-08   2025-05-08
IPv4    65.108.122.31      2025-05-08   2025-05-08
IPv4    95.216.227.188     2025-05-08   2025-05-08
IPv4    65.21.23.63        2025-05-08   2025-05-08
IPv4    194.164.234.151    2025-05-08   2025-05-08
IPv4    116.202.208.125    2025-05-08   2025-05-08
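The indicators above are only useful once they are swept against telemetry, and two details trip up naive matching: the domains in the summary are defanged (`[.]`), and DNS logs often carry mixed case, a trailing dot, or a subdomain of the listed host. The script below is an added example, not code from the NTT report or from this page; it refangs and normalizes the indicators from the table and the summary, parses a constructed key=value log format (the log lines are made up for illustration, not real telemetry), matches IPv4 destinations exactly and domains by suffix, and flags whether each sighting falls inside the first-seen/last-seen window the table gives (None where the page gives no window, as for the three summary domains).

```python
"""Sweep constructed log lines against the OtterCookie indicators on this page.

Added example; the indicator values come from the table and summary above,
the log lines are constructed here and are not real telemetry."""
import ipaddress
import re
from datetime import date, datetime

# Indicators copied from the table above, plus the three domains named in the
# summary. The page gives no sighting window for those three, hence None.
IOCS = [
    ("IPv4", "188.116.26.84", "2025-05-08", "2026-02-19"),
    ("IPv4", "135.181.123.177", "2025-04-11", "2025-10-16"),
    ("DOMAIN", "modilus.io", "2025-05-08", "2025-05-08"),
    ("IPv4", "65.108.122.31", "2025-05-08", "2025-05-08"),
    ("IPv4", "95.216.227.188", "2025-05-08", "2025-05-08"),
    ("IPv4", "65.21.23.63", "2025-05-08", "2025-05-08"),
    ("IPv4", "194.164.234.151", "2025-05-08", "2025-05-08"),
    ("IPv4", "116.202.208.125", "2025-05-08", "2025-05-08"),
    ("DOMAIN", "alchemy-api-v3[.]cloud", None, None),
    ("DOMAIN", "chainlink-api-v3[.]cloud", None, None),
    ("DOMAIN", "moralis-api-v3[.]cloud", None, None),
]

# Constructed sample telemetry (not real logs) in a made-up key=value format:
# DNS lookups carry query=, outbound connections carry dst=ip:port.
SAMPLE_LOG = """\
2025-05-09T10:12:33Z host=ws-17 event=dns query=api.moralis-api-v3.cloud
2025-05-09T10:12:34Z host=ws-17 event=conn dst=188.116.26.84:443
2025-05-09T10:15:02Z host=ws-17 event=dns query=www.moralis.io
2025-06-02T08:01:10Z host=ws-04 event=conn dst=135.181.123.177:8080
2026-01-15T19:40:00Z host=ws-09 event=dns query=MODILUS.IO.
2025-05-10T02:00:00Z host=ws-22 event=conn dst=10.0.0.5:443
"""


def refang(value):
    """Undo common defanging so indicator and log values compare equal."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def normalize_domain(name):
    """Refang, lower-case, and strip the trailing dot some resolvers log."""
    return refang(name).lower().rstrip(".")


def domain_matches(observed, indicator):
    """True if observed equals the indicator or is a subdomain of it."""
    observed, indicator = normalize_domain(observed), normalize_domain(indicator)
    return observed == indicator or observed.endswith("." + indicator)


def in_window(ts, first, last):
    """None when the page gives no window; otherwise whether ts falls inside it."""
    if first is None or last is None:
        return None
    return date.fromisoformat(first) <= ts.date() <= date.fromisoformat(last)


LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"(?:query=(?P<query>\S+)|dst=(?P<dst>[0-9.]+):\d+)$"
)


def sweep(log_text, iocs=IOCS):
    """Return one hit dict per (log line, indicator) match, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess at fields
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for kind, value, first, last in iocs:
            if kind == "IPv4" and m["dst"]:
                matched = ipaddress.ip_address(m["dst"]) == ipaddress.ip_address(value)
            elif kind == "DOMAIN" and m["query"]:
                matched = domain_matches(m["query"], value)
            else:
                matched = False
            if matched:
                hits.append({"host": m["host"], "line": line, "indicator": value,
                             "in_window": in_window(ts, first, last)})
    return hits


if __name__ == "__main__":
    for h in sweep(SAMPLE_LOG):
        print(h["host"], h["indicator"], "in_window=%s" % h["in_window"], "|", h["line"])
```

A hit outside the listed window (the 2026 lookup of modilus.io in the sample) is still worth a look: the table's last-seen date is the last time the source observed the indicator, not a promise that it went quiet, so treat the window as context for triage priority rather than as a filter.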
