North Korea Hackers Use New JS Malware

October 21, 2025
in Alerts

A North Korean threat actor tracked under monikers such as Famous Chollima and Void Dokkaebi is actively enhancing its malware, with Cisco Talos analysts recently observing a functional convergence between two of its key tools, BeaverTail and OtterCookie. The previously distinct roles of the two programs are now overlapping, which suggests the group is streamlining its toolset. This evolution is set against the backdrop of the Contagious Interview campaign, an elaborate recruitment scam that has been active since late 2022. The operation impersonates legitimate hiring organizations and deceives job seekers into running information-stealing malware during a supposed technical assessment or coding task, ultimately resulting in the theft of sensitive data and cryptocurrency.

The refinement of the toolset comes as the group has also been implicated in a significant first: the use of a stealthy technique called EtherHiding to establish highly resilient command-and-control (C2) infrastructure. EtherHiding stores next-stage payloads in smart contracts on the BNB Smart Chain (BSC) or Ethereum, so the malware retrieves them with ordinary read-only calls to public blockchain nodes rather than from a server that defenders could seize or sinkhole, effectively turning decentralized infrastructure into a difficult-to-disrupt C2 mechanism. According to Google Threat Intelligence Group (GTIG) and Mandiant, this is the first documented instance of a nation-state actor using EtherHiding, which had previously been limited to cybercrime groups. The Contagious Interview campaign itself has shifted tactics, including adopting ClickFix social engineering to deliver malware families such as GolangGhost and PylangGhost, but BeaverTail, OtterCookie, and InvisibleFerret remain central to the attacks.
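
One way a defender can surface the read primitive EtherHiding depends on, as an added example that is not code from the article, Cisco Talos, or GTIG: a detection pass over constructed web-proxy records that flags JSON-RPC "eth_call" reads sent to public Ethereum or BSC nodes from hosts with no business talking to a blockchain, plus a decoder showing how an ABI-encoded string result turns into a next-stage payload. The endpoint list, the allowlisted source, the contract address, the function selector and the payload text are all constructed for illustration, and the assumption that the payload is returned as an ABI-encoded string is the common EtherHiding pattern rather than something the article states about this campaign.

```javascript
// Added example, not code from the article, Cisco Talos or GTIG. Flags
// JSON-RPC eth_call reads to public chain gateways and decodes the kind of
// ABI-encoded string such a read returns. Everything below is constructed.

// Public JSON-RPC gateways worth watching (assumption: extend from your own
// egress logs; these are well-known public endpoints).
const PUBLIC_RPC_HOSTS = new Set([
  'bsc-dataseed.binance.org',
  'mainnet.infura.io',
  'cloudflare-eth.com',
  'rpc.ankr.com',
]);

// Sources permitted to reach chain RPC, e.g. a crypto dev team (assumption).
const ALLOWED_SOURCES = new Set(['10.0.5.12']);

// Flag eth_call reads from non-allowlisted sources. Each log record is one
// JSON object per line with the proxied request body embedded as a string.
function flagChainReads(logLines) {
  const hits = [];
  for (const line of logLines) {
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      continue; // malformed line, skip it
    }
    if (!PUBLIC_RPC_HOSTS.has(rec.host) || ALLOWED_SOURCES.has(rec.src)) continue;
    let body;
    try {
      body = JSON.parse(rec.body);
    } catch {
      continue; // not JSON-RPC
    }
    // JSON-RPC batches arrive as arrays; normalise to a list of calls.
    const calls = Array.isArray(body) ? body : [body];
    for (const call of calls) {
      if (!call || call.method !== 'eth_call') continue;
      const target = (call.params && call.params[0]) || {};
      hits.push({
        src: rec.src,
        host: rec.host,
        contract: target.to || null,
        selector: (target.data || '').slice(0, 10), // 4-byte function selector
      });
    }
  }
  return hits;
}

// A string getter on a contract returns ABI-encoded data: a 32-byte offset,
// a 32-byte length, then the UTF-8 bytes right-padded to a 32-byte boundary.
function encodeAbiString(text) {
  const data = Buffer.from(text, 'utf8').toString('hex');
  const padded = data.padEnd(Math.ceil(data.length / 64) * 64, '0');
  const word = (n) => n.toString(16).padStart(64, '0');
  return '0x' + word(32) + word(data.length / 2) + padded;
}

function decodeAbiString(resultHex) {
  const hex = resultHex.replace(/^0x/, '');
  const offset = parseInt(hex.slice(0, 64), 16) * 2;
  const length = parseInt(hex.slice(offset, offset + 64), 16) * 2;
  return Buffer.from(hex.slice(offset + 64, offset + 64 + length), 'hex').toString('utf8');
}

// Constructed proxy records: a suspicious read from a workstation, a normal
// block-height query from the allowlisted host, and unrelated traffic.
const SAMPLE_LOG = [
  { src: '10.0.7.44', host: 'bsc-dataseed.binance.org', method: 'POST',
    body: JSON.stringify({ jsonrpc: '2.0', id: 1, method: 'eth_call',
      params: [{ to: '0x' + '11'.repeat(20), data: '0xdeadbeef' }, 'latest'] }) },
  { src: '10.0.5.12', host: 'mainnet.infura.io', method: 'POST',
    body: JSON.stringify({ jsonrpc: '2.0', id: 2, method: 'eth_blockNumber', params: [] }) },
  { src: '10.0.7.44', host: 'example.invalid', method: 'GET', body: '' },
].map((r) => JSON.stringify(r));

// What a flagged call's response would carry; a loader would eval or fetch
// the decoded string. The payload text is constructed.
const SAMPLE_RESULT = encodeAbiString('https://example.invalid/stage2.js');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(flagChainReads(SAMPLE_LOG));
  console.log(decodeAbiString(SAMPLE_RESULT));
}
```

The detection keys on the combination of destination and method rather than on any contract address, because the actor can redeploy a contract cheaply but cannot avoid issuing read calls to a public node. Expect to tune the allowlist: any team that legitimately builds on Ethereum or BSC will generate eth_call traffic all day.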

Historically, BeaverTail and OtterCookie have been separate but complementary tools. BeaverTail functions as an information stealer and downloader, while OtterCookie, first observed in September 2024, was initially designed mainly to contact a remote server and fetch commands to execute on the compromised host. The latest activity shows their functions converging: OtterCookie has been fitted with a new module for keylogging and taking screenshots, making it a more comprehensive tool in its own right. The activity Cisco Talos investigated involved an organization in Sri Lanka that is not thought to have been deliberately targeted; rather, it was compromised after one of its users likely fell for a fake job offer.

The compromise occurred after the user was instructed, as part of the fraudulent interview process, to install a trojanized Node.js application called Chessfi hosted on Bitbucket. The application pulled in a dependency named "node-nvm-ssh," which was briefly published to the official npm registry on August 20, 2025, by a user named "trailer." Before npm maintainers removed it six days later, the package accumulated 306 downloads. It is part of a larger, coordinated effort: it was one of 338 malicious Node.js packages that software supply chain security company Socket flagged that same week as connected to the Contagious Interview campaign infrastructure.

The mechanism of infection via the npm package is a critical part of the attack chain. Once the package is installed, npm automatically runs the "postinstall" lifecycle hook declared in its package.json. That hook is configured to run a custom script named "skip," which launches a JavaScript payload ("index.js"). This initial script in turn loads a second JavaScript file ("file15.js") that executes and deploys the final-stage malware on the victim's system, completing the compromise once the social engineering has succeeded. Because install scripts run with the privileges of whoever runs "npm install," a single transitive dependency of this kind is enough to execute attacker code on a developer's machine without any further interaction.
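
An auditor for the install-time behaviour described in the last two paragraphs, written here as an added example rather than taken from the article or from the malicious package: it walks the lifecycle scripts in a package.json, follows "npm run" indirections the way the postinstall -> skip -> index.js chain works, and reports which hooks end up executing code. The first sample manifest is constructed to mirror that chain (only the package name and the script names come from the article; the rest is illustrative), and the second is a constructed benign package for contrast. The list of commands treated as "code runners" is an assumption to tune per environment.

```javascript
// Added example, not the article's or the malicious package's code. Audits
// package.json lifecycle scripts for install-time code execution.

// Lifecycle scripts npm runs on its own for an installed dependency
// (prepare runs for git dependencies and local "npm install" of a project).
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Commands that mean "run arbitrary code" rather than a build tool
// (assumption: tune for your environment; native builds via node-gyp will hit).
const CODE_RUNNERS = /\b(node|sh|bash|zsh|curl|wget|python\d?|powershell|cmd)\b/;

// Follow a script through any "npm run X" / "npm run-script X" indirections
// so that a hook that only says "npm run skip" is reported together with the
// command it ultimately executes.
function resolveScriptChain(scripts, name, seen = new Set()) {
  if (seen.has(name) || typeof scripts[name] !== 'string') return [];
  seen.add(name); // guard against cycles such as a -> b -> a
  const command = scripts[name];
  const chain = [{ script: name, command }];
  const re = /\bnpm\s+run(?:-script)?\s+([\w:.-]+)/g;
  for (let m = re.exec(command); m !== null; m = re.exec(command)) {
    chain.push(...resolveScriptChain(scripts, m[1], seen));
  }
  return chain;
}

// Report every install hook a manifest declares and whether its resolved
// command chain invokes a code runner.
function auditInstallHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => hook in scripts).map((hook) => {
    const chain = resolveScriptChain(scripts, hook);
    return {
      package: manifest.name || '(unnamed)',
      hook,
      chain,
      runsCode: chain.some(({ command }) => CODE_RUNNERS.test(command)),
    };
  });
}

// Constructed manifests: the first mirrors the chain described in the article
// (postinstall -> skip -> node index.js); the second is a typical benign
// package that compiles TypeScript on prepare.
const SUSPICIOUS_MANIFEST = {
  name: 'node-nvm-ssh',
  version: '1.0.0',
  scripts: {
    postinstall: 'npm run skip',
    skip: 'node index.js',
    test: 'echo "no tests"',
  },
};

const BENIGN_MANIFEST = {
  name: 'example-lib',
  version: '2.3.1',
  scripts: { prepare: 'npm run build', build: 'tsc -p .' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const manifest of [SUSPICIOUS_MANIFEST, BENIGN_MANIFEST]) {
    for (const finding of auditInstallHooks(manifest)) {
      console.log(JSON.stringify(finding));
    }
  }
}
```

To run this over a real tree, feed it each node_modules/*/package.json (npm's own "npm query" or a simple directory walk will enumerate them). The blunt mitigation is to stop npm from running hooks at all with "npm install --ignore-scripts" or "ignore-scripts=true" in .npmrc, then allow specific packages that genuinely need a native build; a newly published package whose only install-time job is to run a script is exactly the profile described above, and "npm view <package> time" shows how recently each version appeared.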

Reference:

  • North Korean Hackers Merge BeaverTail And OtterCookie Into Advanced JS Malware
Tags: Cyber Alerts, Cyber Alerts 2025, Cyberattack, Cybersecurity, October 2025