A sophisticated North Korean hacking operation, known as Contagious Interview or DeceptiveDevelopment, has evolved with the introduction of a new JavaScript malware family called OtterCookie. The campaign, first identified by Palo Alto Networks Unit 42 in November 2023, targets job seekers, particularly software developers, through elaborate social engineering built around fake job interviews.
The threat actors, tracked as CL-STA-0240 (also known as Famous Chollima and Tenacious Pungsan), pose as recruiters and distribute malware through fake videoconferencing apps and npm packages. Their arsenal includes malware variants such as BeaverTail, InvisibleFerret, and the newly discovered OtterCookie.
OtterCookie, first observed in September 2024, uses the Socket.IO JavaScript library for command-and-control communications, so its C2 traffic blends in with ordinary WebSocket or HTTP long-polling sessions. On receiving commands from its server, the malware runs shell commands to steal data, targeting files, clipboard contents, and cryptocurrency wallet keys.
In a related development, South Korea’s Ministry of Foreign Affairs has imposed sanctions on 15 individuals and one organization linked to North Korea’s fraudulent IT worker scheme. The operation, connected to the Famous Chollima group, involves placing North Korean IT workers in Western companies to generate illegal income and facilitate data theft.
The sanctioned organization, Chosun Geumjeong Economic Information Technology Exchange Company, operates under the 313th General Bureau of North Korea’s Workers’ Party. These activities reportedly fund nuclear and missile development programs while posing significant threats to international cybersecurity.
Among those sanctioned, Kim Ryu Song faces U.S. Department of Justice charges for sanctions violations, wire fraud, money laundering, and identity theft through illegal employment in U.S. organizations.