BeaverTail and OtterCookie evolve with a new Javascript module
2025-10-16 • Cisco Talos
https://blog.talosintelligence.com/beavertail-and-ottercookie/
Cisco Talos linked a new intrusion to Famous Chollima, a DPRK-aligned subgroup of Lazarus that uses fake hiring activity to compromise job seekers and steal credentials and cryptocurrency. A system in a Sri Lanka-headquartered organization was likely infected after a user installed a trojanized Node.js application called Chessfi, distributed through the npm package node-nvm-ssh. Talos found BeaverTail and OtterCookie functionality merging in recent tooling, including a previously undocumented OtterCookie module for keylogging, desktop screenshots and, in one sample, clipboard theft. The malware used socket.io-based C2, remote shell capability, file upload modules, and cryptocurrency wallet and browser-extension theft; observed infrastructure included 172.86.88.188 and 138.201.50.5. Talos also found a malicious VS Code extension containing BeaverTail and OtterCookie code, though it did not attribute that extension to Famous Chollima with high confidence.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 23.227.202.244 | 2025-10-10 | 2026-01-21 |
| HASH | caad2f3d85e467629aa535e0081865d… | 2025-10-16 | 2025-10-24 |
| HASH | 83c145aedfdf61feb02292a6eb5091e… | 2025-10-16 | 2025-10-24 |
| HASH | 9e65de386b40f185bf7c1d9b1380395… | 2025-10-16 | 2025-10-16 |
| HASH | d89c45d65a825971d250d12bc7a4493… | 2025-10-16 | 2025-10-16 |
| HASH | dff2a0fb344a0ad4b2c129712b2273f… | 2025-10-16 | 2025-10-16 |
| HASH | 77aec48003beeceb88e70bed138f535… | 2025-10-16 | 2025-10-16 |
| HASH | 6a9b4e8537bb97e337627b4dd1390bd… | 2025-10-16 | 2025-10-16 |
| HASH | a6914ded72bdd21e2f76acde46bf92b… | 2025-10-16 | 2025-10-16 |
| HASH | c841b6c4ac4d2e83f16cf7a8bfbec3d7 | 2025-10-16 | 2025-10-16 |
| HASH | 51ddd8f6ff30d76de45e06902c45c55… | 2025-10-16 | 2025-10-16 |
| HASH | d27c9f75c3f1665ee19642381a4dd6f… | 2025-10-16 | 2025-10-16 |
| HASH | 8efa928aa896a5bb3715b8b0ed20881… | 2025-10-16 | 2025-10-16 |
| HASH | 0904eff1edeff4b6eb27f03e0ccc759… | 2025-10-16 | 2025-10-16 |
| IPv4 | 172.86.113.12 | 2025-10-16 | 2025-10-16 |
| IPv4 | 144.172.112.50 | 2025-10-16 | 2025-10-16 |
| IPv4 | 172.86.88.188 | 2025-10-16 | 2025-10-16 |
| IPv4 | 172.86.73.46 | 2025-10-16 | 2025-10-16 |
| IPv4 | 138.201.50.5 | 2025-10-10 | 2025-10-16 |
| IPv4 | 144.172.96.35 | 2025-05-30 | 2025-10-16 |
| IPv4 | 135.181.123.177 | 2025-04-11 | 2025-10-16 |
| HASH | f08e3ee84714cc5faefb7ac300485c8… | 2025-03-17 | 2025-10-16 |
| HASH | 72ebfe69c69d2dd173bb92013ab44d8… | 2023-11-21 | 2025-10-16 |
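As an added example (not code from the Talos report or from this digest), the Python below turns the indicator table above into a simple matcher and runs it over constructed telemetry: outbound connection log lines, file digests, and an installed npm package list. The hashes in the table are truncated with an ellipsis, so they can only be matched as prefixes; the code flags such hits separately so they can be confirmed against the full hash in the original report. The table excerpt, log lines, file digests and package list embedded in the block are constructed for the demonstration; the only non-constructed values are indicators and the package name taken from the page.

```python
"""Prefix-aware IoC matcher for the digest's indicator table (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed excerpt of the page's table; hash values keep the page's trailing
# ellipsis, which is why they must be treated as prefixes rather than full digests.
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 23.227.202.244 | 2025-10-10 | 2026-01-21 |
| HASH | caad2f3d85e467629aa535e0081865d… | 2025-10-16 | 2025-10-24 |
| HASH | c841b6c4ac4d2e83f16cf7a8bfbec3d7 | 2025-10-16 | 2025-10-16 |
| IPv4 | 172.86.88.188 | 2025-10-16 | 2025-10-16 |
| IPv4 | 138.201.50.5 | 2025-10-10 | 2025-10-16 |
"""

# Distribution vector named in the summary above.
MALICIOUS_NPM_PACKAGES = {"node-nvm-ssh"}


@dataclass(frozen=True)
class Indicator:
    kind: str      # "IPv4" or "HASH"
    value: str     # normalised value (lowercase hex for hashes, ellipsis removed)
    partial: bool  # True when the page only shows a hash prefix


def parse_ioc_table(text: str) -> List[Indicator]:
    """Parse the markdown table, validating each indicator as it is read."""
    out: List[Indicator] = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Type" or set(cells[0]) <= {"-"}:
            continue  # header row, separator row, or something that is not a row
        kind, value = cells[0], cells[1]
        if kind == "IPv4":
            ipaddress.IPv4Address(value)  # raises ValueError on a malformed address
            out.append(Indicator(kind, value, False))
        elif kind == "HASH":
            partial = value.endswith("…") or value.endswith("...")
            hexpart = value.rstrip("….").lower()
            if not re.fullmatch(r"[0-9a-f]+", hexpart):
                raise ValueError(f"bad hash indicator: {value!r}")
            out.append(Indicator(kind, hexpart, partial))
    return out


def match_ip(ip: str, iocs: Iterable[Indicator]) -> Optional[Indicator]:
    return next((i for i in iocs if i.kind == "IPv4" and i.value == ip), None)


def match_hash(digest: str, iocs: Iterable[Indicator]) -> Optional[Indicator]:
    """Full indicators must match exactly; truncated ones match as prefixes."""
    d = digest.lower()
    for i in iocs:
        if i.kind != "HASH":
            continue
        if (i.partial and d.startswith(i.value)) or (not i.partial and d == i.value):
            return i
    return None


def scan(connections: Iterable[str], file_hashes: Iterable[Tuple[str, str]],
         packages: Iterable[str], iocs: List[Indicator]) -> List[Tuple[str, str, str]]:
    """Return (finding_type, indicator, evidence) tuples; prefix hits are tagged distinctly."""
    findings: List[Tuple[str, str, str]] = []
    for line in connections:
        m = re.search(r"dst=(\d+\.\d+\.\d+\.\d+)", line)
        hit = match_ip(m.group(1), iocs) if m else None
        if hit:
            findings.append(("c2-ip", hit.value, line))
    for name, digest in file_hashes:
        hit = match_hash(digest, iocs)
        if hit:
            findings.append(("hash-prefix" if hit.partial else "hash", hit.value, name))
    for pkg in packages:
        if pkg in MALICIOUS_NPM_PACKAGES:
            findings.append(("npm-package", pkg, pkg))
    return findings


# Constructed sample telemetry (not real captures). 203.0.113.10 is a documentation address.
SAMPLE_CONNECTIONS = [
    "2025-10-16T09:12:03Z host=dev-laptop-01 proc=node dst=172.86.88.188",
    "2025-10-16T09:12:09Z host=dev-laptop-01 proc=node dst=203.0.113.10",
]
SAMPLE_FILES = [
    ("sample-A.js", "caad2f3d85e467629aa535e0081865d" + "0" * 33),  # constructed, shares the page's prefix
    ("sample-B.js", "00" * 32),                                      # constructed, no match
]
SAMPLE_PACKAGES = ["express", "node-nvm-ssh"]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CONNECTIONS, SAMPLE_FILES, SAMPLE_PACKAGES, parse_ioc_table(IOC_TABLE)):
        print(finding)
```

A prefix hit on a truncated hash is a lead, not a confirmation: pull the full digest from the original Talos post before treating the file as a known sample. The IP matches are exact, but the table's First Seen/Last Seen columns are worth carrying into any alert so an analyst can judge whether a hit falls inside the indicator's observed window.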