Developers Targeted by New ‘OtterCookie’ Malware with Fake Job Offers – Active IOCs

2024-12-27 Rewterz

https://www.rewterz.com/threat-advisory/developers-targeted-by-new-ottercookie-malware-with-fake-job-offers-active-iocs

Rewterz reports that North Korean actors behind the Contagious Interview campaign are using OtterCookie malware in fake job-offer attacks against software developers. The campaign has operated since at least late 2022 and previously distributed BeaverTail and InvisibleFerret by luring developers into running malicious coding tests or project files. OtterCookie is described as a newer payload, active in the wild around November 2024, delivered through loaders that retrieve JSON data and execute JavaScript from a cookie field, including via Node.js projects, npm packages, and more recent Electron or Qt-style applications. Once running, OtterCookie uses Socket.IO WebSocket communications to reach C2 infrastructure and supports shell commands for reconnaissance and theft of documents, photos, cryptocurrency wallet data, and clipboard contents. The report lists active IOCs including domains, an IP address, and hashes tied to the OtterCookie activity.

Indicators of Compromise

