
Famous Chollima Evolves Its Arsenal, Merging BeaverTail and OtterCookie

Written by The Hivemind | Oct 24, 2025 5:15:09 PM

Verticals Targeted: Not specified
Regions Targeted: Sri Lanka
Related Families: BeaverTail, OtterCookie, InvisibleFerret

Executive Summary

Famous Chollima, a DPRK-aligned threat group, has evolved its arsenal, with BeaverTail and OtterCookie increasingly merging functionalities to steal credentials and cryptocurrency via deceptive job offers. A recent campaign involved a trojanized Node.js application distributed through a malicious NPM package, highlighting the group's adaptation in delivery methods.

Key Takeaways

  • In the campaign, Famous Chollima deploys merged BeaverTail and OtterCookie variants in fake job interviews, incorporating new modules for keylogging and screenshot capture.
  • A malicious NPM package "node-nvm-ssh" embedded in a cryptocurrency-themed chess app serves as the infection vector, executing obfuscated JavaScript payloads.
  • OtterCookie has evolved through five versions since late 2024, adding capabilities like remote shell access, file exfiltration, and cryptocurrency wallet targeting.
  • Functional overlaps between BeaverTail, OtterCookie, and InvisibleFerret suggest a shift toward JavaScript-based tooling to reduce Python dependencies on Windows systems.

The Activity

Famous Chollima, a subgroup of the DPRK-aligned Lazarus collective, continues to refine its arsenal in the Contagious Interview campaigns, blending BeaverTail and OtterCookie into more unified infostealers. These operations prey on job seekers by posing as recruiters, luring victims into installing tainted software under the guise of interview-related tasks. Cisco Talos reported on this activity.

In one observed incident, an organization in Sri Lanka suffered an incidental compromise when a user cloned a Bitbucket repository for "Chessfi," a web3 chess platform with cryptocurrency betting features. The repository's dependencies pulled in the malicious "node-nvm-ssh" package from NPM, triggering post-install scripts that spawned child processes to execute obfuscated JavaScript from embedded files like "test.list."

This payload reveals a convergence of BeaverTail and OtterCookie codebases. BeaverTail handles browser profile enumeration, targeting extensions for wallets such as MetaMask, Phantom, and Solflare across Chrome, Brave, Edge, and other browsers. It also downloads Python-based InvisibleFerret modules from C2 servers over ports like 1224, installing Python distributions on Windows to enable execution. OtterCookie complements this with modular extensions: a remote shell using socket.io-client for command execution and system fingerprinting; a file uploader scanning drives for documents, credentials, and crypto-related files while excluding specific paths; and a cryptocurrency extension stealer overlapping with BeaverTail's list.
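Added example (not code from the report, PolySwarm or Cisco Talos): a static triage of a checked-out project's package.json and install-script source for the delivery and capability indicators described above, namely the "node-nvm-ssh" dependency, an install hook that spawns a child process to run code read from a non-.js file such as "test.list", socket.io-client as a remote-shell dependency, and the 1224 C2 port. The sample manifest, file names and script text are constructed for illustration.

```javascript
// Added example (not PolySwarm's or Cisco Talos's code): static triage of an npm manifest
// and its install-script source for the delivery pattern described above. "node-nvm-ssh",
// "test.list", socket.io-client and port 1224 come from the report; everything else is constructed.
const KNOWN_BAD_PACKAGES = new Set(["node-nvm-ssh"]);
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"]; // run automatically by npm
const SCRIPT_INDICATORS = [
  { id: "child_process", re: /\bchild_process\b|\b(?:spawn|exec|execSync)\s*\(/ },
  { id: "dynamic_eval", re: /\beval\s*\(|new\s+Function\s*\(/ },
  // payload kept in a non-.js file such as "test.list" and read at install time
  { id: "non_js_payload", re: /readFileSync\s*\(\s*["'`][^"'`]*\.(?:list|txt|dat)["'`]/ },
  { id: "c2_port_1224", re: /:1224\b/ },
];
// Returns {kind, detail} findings for one package.json object plus a map of local
// script file name -> source text (as read from the checkout, not from node_modules).
function auditPackage(manifest, scriptSources = {}) {
  const findings = [];
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  for (const name of Object.keys(deps)) {
    if (KNOWN_BAD_PACKAGES.has(name)) findings.push({ kind: "known_bad_dependency", detail: name });
    if (name === "socket.io-client") findings.push({ kind: "remote_shell_capability", detail: name });
  }
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = manifest.scripts && manifest.scripts[hook];
    if (!cmd) continue;
    findings.push({ kind: "lifecycle_hook", detail: `${hook}: ${cmd}` });
    const m = cmd.match(/\bnode\s+(\S+)/); // hook runs a local file: inspect its source
    const src = m && scriptSources[m[1]];
    if (!src) continue;
    for (const ind of SCRIPT_INDICATORS) {
      if (ind.re.test(src)) findings.push({ kind: ind.id, detail: m[1] });
    }
  }
  return findings;
}
// A hook that executes a payload is malicious on its own; a bare hook is only suspicious,
// since many legitimate packages build native code at install time.
function verdict(findings) {
  const kinds = new Set(findings.map((f) => f.kind));
  const hookRunsPayload = kinds.has("lifecycle_hook") &&
    ["child_process", "dynamic_eval", "non_js_payload"].some((k) => kinds.has(k));
  if (kinds.has("known_bad_dependency") || hookRunsPayload) return "malicious";
  return kinds.size > 0 ? "suspicious" : "clean";
}
// Constructed sample resembling the trojanized project described in the report.
const sampleManifest = { name: "chessfi-web-constructed", scripts: { postinstall: "node install.js" },
  dependencies: { express: "^4.18.0", "node-nvm-ssh": "1.0.0", "socket.io-client": "^4.7.0" } };
const sampleSources = { "install.js": 'const { spawn } = require("child_process");\n' +
  'spawn("node", ["-e", require("fs").readFileSync("test.list", "utf8")]);' };
const sampleVerdict = verdict(auditPackage(sampleManifest, sampleSources)); // "malicious"
```

Run it against each package.json in a checkout before `npm install`, since the hooks fire during installation itself.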

A novel OtterCookie module, first seen in April 2025, adds keylogging and screenshot capabilities, buffering data in temp files before exfiltration to C2 endpoints. Clipboard monitoring appears in variants, using OS-native commands like "pbpaste" on macOS or PowerShell on Windows. Cisco Talos researchers also uncovered a suspicious VS Code extension mimicking an onboarding tool, embedding similar code. Although attribution remains tentative, it signals potential experimentation with editor-based delivery.

OtterCookie's progression spans from basic RCE in v1 from late 2024 to v5 in August 2025, incorporating anti-analysis tricks like environment checks and error-handler eval for code loading. Early versions relied on HTTP cookies for payloads, evolving to modular strings executed on-the-fly. BeaverTail, active since mid-2023, has similarly adapted with base64 shuffling for C2 URLs and cross-platform support, often bundled in supply-chain attacks.

Who is Famous Chollima?

Famous Chollima, also known as Wagemole, Nickel Tapestry, Purple Bravo, Tenacious Pungsan, Void Dokkaebi, Storm-1877, and UNC5267, is a North Korea-nexus threat actor active since at least 2018. Their activities primarily focus on financial gain and espionage to support the DPRK regime. The group is assessed to be affiliated with North Korea’s Reconnaissance General Bureau, a key intelligence service.

Famous Chollima employs sophisticated social engineering, posing as legitimate remote IT workers to infiltrate organizations. They create fraudulent identities, falsify resumes, and use generative AI to craft convincing profiles, securing roles at small to mid-sized businesses via platforms like Upwork and LinkedIn. Once embedded, they deploy custom malware, such as BeaverTail and InvisibleFerret, to steal credentials and sensitive data. The group leverages fake job recruitment campaigns, delivering malicious Python-based RATs like PylangGhost to target cryptocurrency and blockchain sectors. They establish persistence through registry modifications and use RC4-encrypted HTTP for command-and-control communication.

Famous Chollima targets cryptocurrency, blockchain, and technology sectors, with a notable focus on India and Western countries, including the US, Germany, and Ukraine. Their operations fund North Korea’s regime through illicitly earned salaries and stolen assets, evading international sanctions. The group’s infrastructure often relies on anonymization networks to conceal their activities.

IOCs

PolySwarm has multiple samples associated with this activity.

caad2f3d85e467629aa535e0081865d329c4cd7e6ff20a000ea07e62bf2e4394
83c145aedfdf61feb02292a6eb5091ea78d8d0ffaebf41585c614723f36641d8

You can use the following CLI command to search for all Famous Chollima samples in our portal:

$ polyswarm link list -t FamousChollima
