BeaverTail and OtterCookie are a new generation of malware that combine keylogging, data theft, and remote device control via Node.js modules. The article shows how attackers use fake job offers, trojanized npm packages, and VS Code extensions to infect developers’ computers.
This article examines some of the tactics, techniques, and procedures (TTPs) and tool changes that have been developed over time by another large activity cluster, Contagious Interview. These campaigns are centered around the BeaverTail and OtterCookie tools.
The Famous Chollima group frequently deploys BeaverTail and OtterCookie, with many of the individual subclusters deploying InvisibleFerret, a modular Python-based payload. Initially, BeaverTail and OtterCookie were separate but complementary entities. Over time, their functionality began to merge into a single framework, augmented by new OtterCookie modules.
One such campaign was observed at an organization headquartered in Sri Lanka. It was not the target of a deliberate attack, but one of its systems on the network was infected. The user was likely the victim of a fake job offer, in which they were asked to install a Node.js Trojan called Chessfi as part of a rigged interview process.
After detailed analysis, it was found that the tools used in this campaign had characteristics of BeaverTail and OtterCookie, blurring the line between them. The discovered code also contained a number of new features that were not previously seen.
This blog focuses on the OtterCookie modules and will not provide a deep dive into the known features of BeaverTail and OtterCookie. While some of these modules are already known, at least one has not been previously documented. The examples provided have been deobfuscated, and the names of functions and variables have been replaced, with the help of an LLM, with names that correspond to their real functionality.
A keylogging and screenshot module was discovered in this campaign that was previously undocumented. Preliminary OtterCookie samples with this module were uploaded to VirusTotal in April 2025.
The keylogger module uses the packages “node-global-key-listener” for the keylogger, “screenshot-desktop” for taking desktop screenshots, and “sharp” for converting the captured screenshots to web-friendly image formats.
The module configures these packages to listen for keystrokes and periodically takes a screenshot of the current desktop session to upload to the OtterCookie command-and-control (C2) server.

Keystrokes are stored in the subfolder windows-cache of the user’s temporary directory with the filename “1.tmp”, and screenshots are stored in the same subfolder with the filename “2.jpeg”. The keylogger runs in a loop and flushes its buffer every second, while a screenshot is taken every four seconds.
One instance of the module was also discovered where clipboard monitoring was included in the module’s code, extending its functionality to stealing clipboard contents.
The keylog data and captured screenshots are uploaded to the OtterCookie C2 server over TCP port 1478, using the URL “hxxp[://]172[.]86[.]88[.]188:1478/upload”.

A recent VS Code extension was discovered during a VirusTotal search for similar samples, which can launch OtterCookie when installed in a victim’s editor environment. The extension is a fake customization assistant that supposedly allows the user to track and manage candidate tests.
While its connection to Famous Chollima has not been definitively established, it could indicate that the attackers are experimenting with new delivery vectors. However, it is possible that the extension is the result of testing by another actor or researcher unrelated to the group.

The OtterCookie code section starts by defining a JSON object that contains configuration values such as a unique campaign ID and the IP address of the C2 server. The OtterCookie code section creates additional modules from strings that run as child processes. Three main modules were identified during the attack analysis, and one additional module was identified during a search for similar samples in repositories and on VirusTotal.
The first module is fundamental to OtterCookie. It starts by detecting the infected system’s platform and checking whether it is running in a virtual machine, after which the collected user and host information is sent to the OtterCookie C2 server.

After sending system information, the module installs the socket.io-client package, connects to the specified port on the OtterCookie C2 server, and waits in a loop for commands to execute. The connection is initially made over HTTP and then upgraded to the WebSocket protocol; the C2 server was observed listening on TCP port 1418.

Finally, depending on the operating system, this module periodically checks the clipboard contents using the “pbpaste” command on macOS or “powershell Get-Clipboard” on Windows. It sends the clipboard contents to the C2 server URL specifically used to log OtterCookie activity at “hxxp[://]172[.]86[.]88[.]188/api/service/makelog”.
This module enumerates all drives and scans the file system to find files to upload to the OtterCookie C2 IP address at a specific port and URL (in this case “hxxp[://]172[.]86[.]88[.]188:1476/upload”).
This module contains a list of folder and file names to exclude from the search, as well as another list with the target file name extensions and file name search patterns to select files to upload.

The list of “interesting” files contains the following search patterns:
"*.env*", "*metamask*", "*phantom*", "*bitcoin*", "*btc*", "*Trust*", "*phrase*", "*secret*", "*phase*", "*credential", "*profile*", "*account*", "*mnemonic*", "*seed*", "*recovery*", "*backup*", "*address*", "*keypair*", "*wallet*", "*my*", "screenshot*", "*.doc", "*.docx", "*.pdf", "*.md", "*.rtf", "*.odt", "*.xls", "*.xlsx", "*.txt", "*.ini", "*.secret", "*.json", "*.ts", "*.js", "*.csv"
Although this module was not present in the current campaign, it was detected when searching for similar files on VirusTotal. In addition to BeaverTail’s code that targets cryptocurrency browser extensions, this OtterCookie module also targets extensions from a list that overlaps with the list of crypto wallets in the BeaverTail payload.

The cryptocurrency module targets Google Chrome and Brave browsers. If any extensions are detected in any of the browser profiles, the extension files, as well as saved logins and websites are uploaded to the C2 server URL. In the detected sample, the C2 server upload URL was found to be “hxxp[://]138[.]201[.]50[.]5:5961/upload”.
OtterCookie malware samples were first discovered by NTT Security Holdings around November 2024, leading to a blog post in December 2024. However, the malware is believed to have been in use since around September 2024. The motivation for using the name OtterCookie likely comes from early samples that used the contents of HTTP response cookies to transmit malicious code executed by the response handler. This remote code execution feature has evolved over time, adding additional features.
In April 2025, additional modules were observed in the OtterCookie code and the use of a C2 server, primarily to download the basic OtterCookie configuration and transmit stolen data.

OtterCookie has evolved from its initial basic data collection capabilities to a more modular design for data theft and remote command execution techniques. Modules are stored in OtterCookie strings and are executed on the fly.
The earliest versions, which NTT researchers call v1, contain code for remote command execution (RCE) and use the socket.IO package to communicate with the C2 server. Over time, OtterCookie modules have evolved to include code for stealing and downloading files, with the ultimate goal of stealing cryptocurrency wallets from a list of hard-coded browser extensions and saved browser credentials. Targeted browsers include Brave, Google Chrome, Opera, and Mozilla Firefox.
The next iteration, dubbed v2, included clipboard stealing code using the Clipboardy package to send clipboard contents to a remote server. This version also handles downloading JavaScript code from the server slightly differently. Instead of evaluating the returned header cookie as in v1, the server generates an error that is handled by a client-side error handler. The error handler simply passes the error response data to the eval function, where it is executed. The loader code is small and easy to miss, and together with the risk of false positives, this may be why OtterCookie loaders fail to be detected on VirusTotal.


The v3 variant, observed in February 2025, includes a feature to send certain files (documents, image files, and cryptocurrency-related files) to a C2 server. OtterCookie v4, observed since April 2025, includes virtual environment detection code that helps attackers distinguish between sandbox logs and actual infection logs, indicating a focus on evading analysis. The code also includes some debugging and logging protection features.
The v4 variant improves on the previous version’s code and updates the method for stealing clipboard contents. It no longer uses the Clipboardy library, but instead uses standard macOS or Windows commands to obtain clipboard contents.
It is important to note that over time, the distinction between BeaverTail and OtterCookie has blurred, and in some attacks their code has been combined into a single tool.
In August 2025, a campaign was detected using the latest version of OtterCookie (v5), which adds a keylogger module that takes screenshots and sends them along with keystrokes to the C2 server.

The initial vector of infection was a modified Chessfi application hosted on Bitbucket. ChessFi is a web3-based multiplayer chess platform where players can compete against each other and place bets in cryptocurrency on the outcome of their matches. The choice of a cryptocurrency-related application to lure victims is consistent with previously reported Famous Chollima attacks.
The first sign of the attack was the user downloading and installing the application’s source code. Based on the name of the project folder, it is highly likely that the attacker contacted the victim via the freelance marketplace platform Fiverr, which is consistent with previously reported cases. Analysis of similar samples also found code repositories that were shared with victims as attachments in Discord chats.
The infection process began with the victim launching Git to clone the repository:

The “Development” section of the app’s readme provides instructions for developers on how to install and run the project. After cloning the repository, it states that users should run npm install to install dependencies, which in this campaign also included a malicious npm package called “node-nvm-ssh.”

During dependency installation, the malicious package is downloaded from the repository and installed. The npm installer parses the malicious package’s package.json file and finds instructions to execute commands after installation, namely the “postinstall” value of the JSON object named “scripts”. At first glance, the post-install scripts appear to run tests, transpile TypeScript files into JavaScript, and possibly run other test scripts.

However, the package.json installation instruction “npm run skip” causes npm to execute the command node test/fixtures/eval specified by the “skip” value. Because a directory rather than a file is given, Node.js’s standard module resolution tries several candidate filenames in that directory, one of which is index.js.
The contents of test/fixtures/eval/index.js contain code to create a child process using the file “test/fixtures/eval/node_modules/file15.js”.


Finally, file15.js loads the file test.list, which is the final payload. This somewhat complicated process of obtaining the payload code makes it much more difficult for an unsuspecting software developer to detect that installing Chessfi will eventually lead to the execution of malicious code.
The test.list file provided the final piece of the puzzle about the execution of malicious code: the file is over 100 KB long and has been obfuscated using Obfuscator.io. Fortunately, the obfuscation was not configured to make analysis difficult; using a deobfuscator and an LLM, most of the functions were deobfuscated and the combination of BeaverTail and OtterCookie was identified.
There appear to be two distinct parts to the code. The first is related to BeaverTail, including enumerating various profiles and browser extensions, and downloading the Python distribution and Python client payload from the C2 server “23.227.202[.]244” using the shared TCP port 1224 for BeaverTail/InvisibleFerret. The second part of the code is related to OtterCookie.
The BeaverTail part starts with a function that disables console logging, proceeds to load the necessary modules, and calls functions to steal data from the browser’s list of extensions, cryptocurrency wallets, and browser credential storage.

BeaverTail has been around since at least May 2023, and was originally a relatively small loader component designed to be included in Node.js-based JavaScript applications. BeaverTail has also been used in supply chain attacks affecting packages in the npm package repository, which was covered in detail in a previous study and is beyond the scope of this post.
From its inception, BeaverTail supported Windows, Linux, and macOS, taking advantage of the fact that Node.js applications can run on a variety of operating system platforms.

Other key features of BeaverTail include downloading the InvisibleFerret Python-based stealer modules and installing a remote access module, typically the AnyDesk client, which allows the attacker to remotely take control of the infected machine. Information theft and remote access have remained common BeaverTail operating methods for a long time.
Shortly after the first samples were discovered in June 2023, BeaverTail began using simple base64 encoding of strings and variable renaming to make detection and analysis more difficult. This also included a scheme used to encode the C2 URL as a scrambled string, the fragments of which were decoded separately in base64 and then combined in the correct order to generate the final URL.

While BeaverTail is typically written in JavaScript, Talos also found that several C2 server IP addresses used by the JavaScript variants were shared with variants compiled as C++ binaries built using the Qt framework.

From its inception in mid-2023 to the last quarter of 2024, BeaverTail C2 URL patterns stabilized around the most commonly used TCP ports 1224 and 1244, rather than port 3306, which was used by early variants. It appears that the attackers quickly realized that most Windows installations, unlike Linux and macOS distributions, do not come with a Python interpreter pre-installed. To address this, they included code that installs a Python distribution, typically fetched from the “/pdown” URL path, which is required to run InvisibleFerret’s Python modules. This TTP remains in place to this day.
In terms of avoiding detection, Famous Chollima uses several methods of code obfuscation, most often different configurations of the free JavaScript tool Obfuscator.io, making the malicious code difficult to analyze and especially to detect.
In addition to obfuscating JavaScript code, they also regularly use various XOR-based obfuscation schemes for loaded modules. InvisibleFerret’s XOR-based Python modules start with a unique string assigned to the user, followed by a reversed base64-encoded string containing the final Python module code, which may itself also be XOR-obfuscated.

Fortunately, using a combination of a deobfuscation tool and LLM to rename variables and decode base64-encoded strings, it is relatively easy to analyze new samples. However, the pace of work by the groups attributed to Famous Chollima is high, and the detection of completely new samples and code on VirusTotal remains unreliable, giving attackers enough time to successfully attack some victims.
All of the additional modules present in the OtterCookie code correspond well to the functionality traditionally associated with InvisibleFerret and its Python-based modules, as well as some parts of the BeaverTail code. Porting this functionality to JavaScript could allow attackers to drop the dependency on Python code, eliminating the need to install full Python distributions on Windows.

The BeaverTail and OtterCookie attacks show that attackers have moved to modular, cross-platform tools: they steal credentials and cryptoassets, capture keystrokes and screenshots, and can also execute remote commands—often via trojanized npm packages or infected extensions. This makes detection difficult and increases the risk for developers and DevOps environments; the main defense is to be careful with software sources, isolate dev environments, and constantly monitor process behavior.