About the OtterCandy malware used by WaterPlum

2025-10-15 NTTSecurity About OtterCandy malware used by WaterPlum

https://jp.security.ntt/insights_resources/tech_blog/ottercandy_malware_j/

NTT analyzed OtterCandy, a Node.js RAT and information stealer used by WaterPlum Cluster B (also described as the BlockNovas cluster) in ClickFake Interview activity that the source links to North Korea. The cluster previously used shared WaterPlum tooling such as BeaverTail, GolangGhost, and FrostyFerret, but began distributing OtterCandy for Windows, macOS, and Linux around July 2025. OtterCandy connects to its C2 server over Socket.IO, accepts remote commands, and is used to steal browser credentials, cryptocurrency wallets, and sensitive files from victim machines. The August 2025 v2 update added client_id-based victim tracking, expanded theft of browser-extension and Chromium data, and cleanup logic for persistence artifacts. The listed infrastructure comprises 162[.]254.35.14, 74[.]119.194.205, 172[.]86.114.31, 139[.]60.163.206, 212[.]85.29.133, and 80[.]209.243.85.

Indicators of Compromise

Type   Value            First Seen   Last Seen
IPv4   80.209.243.85    2025-10-15   2025-10-15
IPv4   139.60.163.206   2025-10-15   2025-10-15
IPv4   172.86.114.31    2025-10-15   2025-10-15
IPv4   162.254.35.14    2025-10-15   2025-10-15
IPv4   74.119.194.205   2025-10-15   2025-10-15
IPv4   212.85.29.133    2025-10-15   2025-10-15
