The Beaver and the Otter Merge: Inside North Korea’s JavaScript Fake Interviews Threat

  • Javier Conejo del Cerro
  • 3 days ago
  • 3 min read

For months, a peculiar recruitment campaign has lured developers into a trap of code and deception. Behind this façade of opportunity lies a sophisticated cyber-espionage operation: Contagious Interview, a North Korean campaign that fused two malware species — BeaverTail and OtterCookie — into one advanced, modular JavaScript threat.

The merged variant, tracked as OtterCookie v5 / OtterCandy, expanded the capabilities of both: keylogging, screenshot capture, clipboard theft, wallet and credential exfiltration, and remote access. What began as a fake job offer has become one of the most elaborate JavaScript-based malware evolutions ever observed.

Phase 1 — The Recruitment Trap

The operation began not with brute force but with persuasion.

North Korean cybercriminals disguised themselves as recruiters for reputable companies, approaching job seekers and developers through legitimate-looking job boards and messaging platforms. Applicants were invited to complete “technical tests” that required installing Node.js applications or npm packages — software supposedly tied to the hiring process.

In reality, these files were trojanized, serving as the first stage of infection.

Among the tools distributed were the Chessfi app hosted on Bitbucket and the malicious node-nvm-ssh package on npm. Once installed, postinstall hooks launched JavaScript loaders (index.js → file15.js) that silently merged the traits of BeaverTail and OtterCookie.

This social-engineering vector proved remarkably effective: even seasoned developers trusted what appeared to be a standard coding assessment. One confirmed infection occurred within a Sri Lankan technology firm, illustrating how quickly the fake interview campaign could leap beyond its intended targets.

Phase 2 — The Infection and Data Harvest

Once executed, the trojanized packages initiated a full-scale breach.

The merged malware stole browser credentials, access tokens, and cryptocurrency wallet data from extensions such as MetaMask, Phantom, and TronLink. It also logged keystrokes, captured screenshots, monitored clipboard activity, and established persistence through AnyDesk remote-access installation.

Every stolen artifact — from passwords to clipboard text — was exfiltrated to a Socket.IO-based command-and-control (C2) server. The loader used legitimate npm components like node-global-key-listener and screenshot-desktop to hide within ordinary developer workflows, making behavioral detection extremely difficult.

Some variants dropped secondary payloads such as the Python backdoor InvisibleFerret, while others experimented with Qt-based artifacts or malicious Visual Studio Code extensions, signaling an active effort to diversify persistence and delivery methods.

By combining the data-theft abilities of BeaverTail with OtterCookie’s remote-execution modules, the attackers created a single framework capable of conducting reconnaissance, espionage, and long-term system control — all disguised within legitimate developer tools.

Phase 3 — The Evolution of a Modular Beast

The progression to OtterCookie v5 (OtterCandy) marked a new evolutionary step.

Originally, BeaverTail acted mainly as an information stealer while OtterCookie handled command execution. The new version merged both roles, introducing a modular architecture that could dynamically load keylogging, screenshot, and clipboard-monitoring modules on demand.

The use of JavaScript and npm infrastructure gave North Korean operators a key advantage: the ability to infiltrate global developer ecosystems under the guise of open-source dependencies.

Cisco Talos researchers noted that this blurred the distinction between the two malware families to the point of irrelevance — a single, adaptable codebase now served as a multipurpose weapon for espionage and theft.

This evolution demonstrates how nation-state threat groups are increasingly exploiting the software supply chain, targeting the very environments where trust is implicit and defenses are weak.

Phase 4 — Containment and Countermeasures

The Contagious Interview campaign continues to adapt, but defenders are not powerless.

Organizations — especially those in software development, blockchain, and fintech — should adopt immediate measures to detect, contain, and prevent similar infections:

  • Never run code from unsolicited interviews or recruitment challenges.

  • Audit npm projects for malicious dependencies such as node-nvm-ssh and review any suspicious postinstall scripts.

  • Restrict installation privileges to verified developers only.

  • Monitor for AnyDesk and Socket.IO anomalies indicating C2 persistence.

  • Deploy EDR solutions capable of flagging keylogging, clipboard monitoring, or screenshot activity.

  • Rotate all exposed credentials and tokens, and harden supply-chain controls with dependency scanning and package integrity verification.
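A defender-side check for the install chain described in Phase 1 (postinstall hooks launching JavaScript loaders) and for the "audit npm projects" step in the list above, written as an added example that is not code from the original post or from Cisco Talos. Only node-nvm-ssh is named as malicious in the post; the other flagged names are the legitimate modules the post says the loader abused, and the two package manifests are constructed samples, not real artifacts.

```javascript
// Added example: scan package.json manifests for the install-time signals this
// campaign relied on: lifecycle scripts that run code during `npm install`, and
// dependencies that hand a "coding test" keylogging, screenshot or C2 abilities.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const KNOWN_MALICIOUS = new Set(["node-nvm-ssh"]); // named in the post
// Legitimate modules the post says were abused; presence alone is only a warning.
const SUSPICIOUS_CAPABILITIES = {
  "node-global-key-listener": "keylogging",
  "screenshot-desktop": "screenshot capture",
  "socket.io-client": "Socket.IO outbound channel (possible C2)",
};

// Audit one parsed package.json and return a list of findings.
function auditManifest(name, manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!scripts[hook]) continue;
    // A hook that runs node on a file is the post's index.js -> file15.js pattern.
    const runsNodeFile = /\bnode\s+\S+\.js\b/.test(scripts[hook]);
    findings.push({ pkg: name, kind: "lifecycle-script", hook, cmd: scripts[hook],
                    severity: runsNodeFile ? "high" : "medium" });
  }
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const dep of Object.keys(manifest[field] || {})) {
      if (KNOWN_MALICIOUS.has(dep)) {
        findings.push({ pkg: name, kind: "known-malicious-dependency", dep, severity: "high" });
      } else if (SUSPICIOUS_CAPABILITIES[dep]) {
        findings.push({ pkg: name, kind: "suspicious-capability", dep,
                        note: SUSPICIOUS_CAPABILITIES[dep], severity: "medium" });
      }
    }
  }
  return findings;
}

// Constructed sample manifests: a benign project and a trojanized "coding test".
const SAMPLE_MANIFESTS = {
  "benign-webapp": { scripts: { test: "jest" }, dependencies: { express: "*" } },
  "coding-test-sample": {
    scripts: { postinstall: "node index.js" },
    dependencies: { "node-nvm-ssh": "*", "node-global-key-listener": "*",
                    "screenshot-desktop": "*", "socket.io-client": "*" },
  },
};

function auditAll(manifests) {
  return Object.entries(manifests).flatMap(([n, m]) => auditManifest(n, m));
}

console.log(JSON.stringify(auditAll(SAMPLE_MANIFESTS), null, 1));
```

Setting `npm config set ignore-scripts true` on developer machines stops lifecycle hooks from executing during installs at all, so a flagged hook can be read before anything runs.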


These steps not only mitigate the OtterCookie/BeaverTail threat but also reinforce broader resilience against the growing trend of fake-interview-based infiltration tactics.

The tale of the beaver and the otter is more than a metaphor — it’s a warning.

By merging their tools, North Korean cybercriminals transformed a social-engineering lure into a modular cyber-weapon capable of infecting developers across the world. The “recruitment” façade turned trust itself into the exploit, using open-source ecosystems as both bait and vector.

As the digital job market continues to expand, defenders must remember that not every offer leads to opportunity — some lead straight into the burrow.

Continuous verification, supply-chain vigilance, and skepticism toward unsolicited coding tasks are now essential shields against this evolving plague of deceptive recruitment.



The Hacker News
