OtterCandy, malware used by WaterPlum

2025-10-15 NTTSecurity

https://jp.security.ntt/insights_resources/tech_blog/ottercandy_malware_e/


NTT analyzed OtterCandy, a Node.js RAT and information stealer used by WaterPlum Cluster B, commonly referred to as the BlockNovas cluster, in the ClickFake Interview campaign. The group is described as associated with North Korea and has used WaterPlum tooling such as BeaverTail, GolangGhost, and FrostyFerret while also developing its own malware. Since around July 2025, Cluster B has distributed OtterCandy for Windows, macOS, and Linux to steal browser credentials, cryptocurrency wallets, and confidential files through Socket.IO-based C2 commands. An August 2025 update added client_id victim tracking, expanded browser-extension and Chromium data theft, and added trace-deletion logic for registry keys, files, and directories. The report provides six C2 IP addresses tied to the activity: 162[.]254.35.14, 74[.]119.194.205, 172[.]86.114.31, 139[.]60.163.206, 212[.]85.29.133, and 80[.]209.243.85.

Indicators of Compromise

Type  Value           First Seen  Last Seen
IPv4  80.209.243.85   2025-10-15  2025-10-15
IPv4  139.60.163.206  2025-10-15  2025-10-15
IPv4  172.86.114.31   2025-10-15  2025-10-15
IPv4  162.254.35.14   2025-10-15  2025-10-15
IPv4  74.119.194.205  2025-10-15  2025-10-15
IPv4  212.85.29.133   2025-10-15  2025-10-15
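As an added example that is not part of the NTT report, the following defender-side check scans network log lines for the six C2 addresses listed above, refanging the "[.]" notation first so that indicators copied from reports or tickets still match. The log format and the sample lines are constructed assumptions, not data from the report.

```python
import ipaddress
import re

# C2 addresses from the OtterCandy report, in their plain (refanged) form.
OTTERCANDY_C2 = {
    "162.254.35.14", "74.119.194.205", "172.86.114.31",
    "139.60.163.206", "212.85.29.133", "80.209.243.85",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(text: str) -> str:
    """Turn defanged notation such as 162[.]254.35.14 into 162.254.35.14."""
    return text.replace("[.]", ".").replace("(.)", ".")


def c2_hits(log_lines):
    """Return (line_number, ip) pairs for lines that contain a known C2 IP.

    Every IPv4 literal in the line is checked, so the match does not depend
    on the log format (proxy, firewall, EDR network telemetry).
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip in IPV4_RE.findall(refang(line)):
            try:
                ipaddress.ip_address(ip)  # drop look-alikes such as 999.1.1.1
            except ValueError:
                continue
            if ip in OTTERCANDY_C2:
                hits.append((n, ip))
    return hits


# Constructed sample log lines (hypothetical; not taken from the report).
SAMPLE_LOGS = [
    '2025-10-15T10:01:02Z proxy src=10.0.0.5 dst=162.254.35.14 dport=443 ua="node"',
    '2025-10-15T10:01:03Z fw    src=10.0.0.7 dst=8.8.8.8 dport=53',
    '2025-10-15T10:02:11Z edr   proc=node.exe conn=74[.]119.194.205:3000 proto=websocket',
    '2025-10-15T10:05:00Z fw    src=10.0.0.9 dst=192.168.1.1 dport=22',
]

if __name__ == "__main__":
    for n, ip in c2_hits(SAMPLE_LOGS):
        print(f"line {n}: contact with OtterCandy C2 {ip}")
```

A hit on an endpoint running a Node.js process is the trigger to pull browser-profile, wallet and registry-deletion telemetry from that host, since the report ties those behaviours to the same C2 infrastructure.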
