OtterCookie, new malware used in Contagious Interview campaign

2024-12-26 NTTSecurity

https://jp.security.ntt/tech_blog/en-contagious-interview-ottercookie


NTT's SOC identified OtterCookie as malware used in the North Korea-linked Contagious Interview campaign, with activity observed around November 2024 and possible use since September. Infections commonly start from Node.js projects, npm packages, or files embedded in Qt or Electron applications, reflecting the campaign's continued experimentation with developer-focused lures. The November OtterCookie variant uses Socket.IO to communicate with a remote host, supports shell-command execution through a command function and host profiling through whour, and can exfiltrate local clipboard contents using the clipboardy library. Analysts observed commands that searched documents, pictures and cryptocurrency-related files for wallet keys, which makes the malware relevant to tracking DPRK cryptocurrency theft.

Indicators of Compromise

Type    Value                              First Seen   Last Seen
DOMAIN  payloadrpc.com                     2024-12-26   2025-02-03
IPv4    45.159.248.55                      2024-12-26   2025-02-03
HASH    32257fb11cc33e794fdfd0f952158a8…   2024-12-26   2024-12-27
HASH    7846a0a0aa90871f0503c430cc03488…   2024-12-26   2024-12-27
HASH    d19ac8533ab14d97f4150973ffa810e…   2024-12-26   2024-12-27
HASH    4e0034e2bd5a30db795b73991ab659b…   2024-12-26   2024-12-27
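As an added example (not code from the NTT Security post or from this page's source), the script below parses the indicator table in the layout shown above and hunts for the domain, IP and hash indicators in a handful of constructed DNS, connection and file-creation log lines. The hashes are truncated on the page, so the script treats them as prefixes only; the 64-character sha256 in the sample file event is the page's prefix padded with zeros and is a placeholder, not the real value. The log format and all host addresses in the sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Indicator table copied from the page. The hashes are truncated on the
# page (trailing "…"), so they are kept truncated and matched as prefixes.
IOC_TABLE = """\
DOMAIN payloadrpc.com 2024-12-26 2025-02-03
IPv4 45.159.248.55 2024-12-26 2025-02-03
HASH 32257fb11cc33e794fdfd0f952158a8… 2024-12-26 2024-12-27
HASH 7846a0a0aa90871f0503c430cc03488… 2024-12-26 2024-12-27
HASH d19ac8533ab14d97f4150973ffa810e… 2024-12-26 2024-12-27
HASH 4e0034e2bd5a30db795b73991ab659b… 2024-12-26 2024-12-27
"""


@dataclass(frozen=True)
class Indicator:
    kind: str        # DOMAIN, IPV4 or HASH
    value: str       # normalised to lower case
    first_seen: str
    last_seen: str


def parse_iocs(text):
    """Parse the four-column 'Type Value First Seen Last Seen' layout."""
    iocs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # header or blank line
        kind, value, first, last = parts
        iocs.append(Indicator(kind.upper(), value.lower(), first, last))
    return iocs


# Constructed sample log lines (DNS, connection and file-creation events).
# The sha256 on the last line is the page's truncated prefix padded with
# zeros to 64 characters; the real tail is not known from the page.
SAMPLE_LOGS = [
    "2025-01-14T09:12:03Z dns src=10.0.5.21 qname=payloadrpc.com. qtype=A",
    "2025-01-14T09:12:04Z conn src=10.0.5.21 dst=45.159.248.55 dport=443 proto=tcp",
    "2025-01-14T09:15:00Z dns src=10.0.5.22 qname=example.org. qtype=A",
    "2025-01-14T09:16:30Z conn src=10.0.5.22 dst=145.159.248.55 dport=443 proto=tcp",
    "2025-01-14T09:20:11Z file src=10.0.5.21 path=node_modules/x/index.js "
    "sha256=32257fb11cc33e794fdfd0f952158a8" + "0" * 33,
]


def hunt(lines, iocs):
    """Return (kind, indicator, line) for every log line touching an IoC."""
    domains = [i.value for i in iocs if i.kind == "DOMAIN"]
    ips = [i.value for i in iocs if i.kind == "IPV4"]
    hash_prefixes = tuple(i.value.rstrip("….") for i in iocs if i.kind == "HASH")
    hits = []
    for line in lines:
        low = line.lower()
        for d in domains:
            # match the domain and any subdomain, but not e.g. notpayloadrpc.com
            if re.search(r"(?<![a-z0-9-])" + re.escape(d) + r"(?![a-z0-9-])", low):
                hits.append(("DOMAIN", d, line))
        for ip in ips:
            # digit/dot boundaries so 145.159.248.55 is not reported as a hit
            if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", low):
                hits.append(("IPV4", ip, line))
        for token in re.findall(r"\b[0-9a-f]{32,64}\b", low):
            if hash_prefixes and token.startswith(hash_prefixes):
                hits.append(("HASH", token, line))
    return hits


if __name__ == "__main__":
    for kind, value, line in hunt(SAMPLE_LOGS, parse_iocs(IOC_TABLE)):
        print(f"{kind:6} {value}  <-  {line}")
```

Prefix matching on truncated hashes is a compromise: it is only as specific as the visible characters, so a prefix hit should be confirmed against the full hash from the original NTT Security post before it is treated as a positive.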
