In a concerning development, cybercriminals linked to the North Korean threat group WaterPlum—also known as Famous Chollima or PurpleBravo—have intensified their cyber espionage activities by deploying a sophisticated new malware strain named OtterCandy. This cross-platform Remote Access Trojan (RAT) and information stealer signifies a significant advancement in the group’s capabilities, amalgamating features from previously identified malware families, RATatouille and OtterCookie, to create a more potent tool for credential theft and system compromise.
The ClickFake Interview Campaign
The deployment of OtterCandy is intricately tied to WaterPlum’s ClickFake Interview campaign—a deceptive social engineering operation that impersonates legitimate job recruitment processes within the blockchain and cryptocurrency sectors. Attackers craft convincing fake company websites, such as BlockForgeX, which present seemingly authentic job applications and interview procedures. Unsuspecting victims are lured into downloading malicious software under the guise of camera setup instructions or driver updates, thereby initiating the infection chain.
Technical Analysis of OtterCandy
NTT Security researchers have identified OtterCandy as the latest addition to WaterPlum’s arsenal, noting its deployment across Windows, macOS, and Linux platforms since July 2025. The malware’s impact extends beyond individual systems, with attacks observed targeting victims in Japan and other regions, demonstrating the threat group’s expanding global reach and ambitions.
Built using Node.js, OtterCandy establishes communication with command-and-control (C2) servers through Socket.IO connections, enabling threat actors to execute a comprehensive range of malicious activities remotely. The malware’s command structure reveals its sophisticated design, implementing functions such as ‘imp’ for sweeping home directories, ‘pat’ for pattern-based file searches, and ‘upload’ for extracting system information, browser credentials, and cryptocurrency wallet data.
Advanced Persistence and Evasion Mechanisms
OtterCandy demonstrates remarkable resilience through a multi-layered persistence strategy that keeps it running even when an operator or a security tool interrupts it. While the malware typically relies on the preceding DiggingBeaver component for initial persistence, it incorporates an independent backup mechanism that automatically restarts itself when interrupted. This self-preservation feature uses the Node.js process event API to watch for a SIGINT signal, spawn a detached copy of the loader, and only then exit:
```javascript
// Node.js modules the snippet depends on (implied by the calls below)
const { fork } = require('child_process');
const path = require('path');

// Spawn a second, detached Node process running decode.js in the same
// directory, with no attached stdio, and drop the parent's reference to it
// so that the child keeps running after the parent exits.
function startChildProcess() {
  const _0x4777b5 = fork(path['join'](__dirname, 'decode.js'), [], {
    'detached': true,
    'stdio': 'ignore'
  });
  _0x4777b5['unref']();
}

// On SIGINT (e.g. Ctrl-C or a kill -INT), relaunch before terminating,
// so that an interruption of the running process does not stop the malware.
process['on']('SIGINT', () => {
  startChildProcess();
  process['exit']();
});
```
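The self-restart pattern above is also a usable triage signature: a SIGINT handler, a detached and unref'd fork of a second script, and hex-named identifiers from the obfuscator. The following added example (not code from NTT Security or the article; the samples and rule names are constructed for illustration) normalises the bracket-notation property access the malware uses and scores a JavaScript source text against those indicators.

```python
import re

# Rewrite obfuscated property access such as process['on'] or path["join"]
# into dot notation so that one set of rules matches either spelling.
_BRACKET_ACCESS = re.compile(r"\[\s*(['\"])([A-Za-z_$][\w$]*)\1\s*\]")

# Indicator rules, applied to the normalised source. They mirror the
# OtterCandy self-restart snippet rather than Node.js features in general.
_RULES = [
    ("hex_identifier", re.compile(r"\b_0x[0-9a-f]{4,}\b", re.I)),
    ("sigint_handler", re.compile(r"process\.on\(\s*['\"]SIGINT['\"]")),
    ("detached_fork", re.compile(r"\bfork\(.*?detached['\"]?\s*:\s*true", re.S)),
    ("stdio_ignore", re.compile(r"stdio['\"]?\s*:\s*['\"]ignore['\"]")),
    ("unref_child", re.compile(r"\.unref\(\)")),
    ("exit_in_handler", re.compile(r"SIGINT.*?process\.exit\(", re.S)),
]

# A detached, unref'd fork tied to a SIGINT handler is the core pattern;
# the remaining rules only raise confidence and are reported as context.
_CORE = {"sigint_handler", "detached_fork", "unref_child"}

def normalise(src: str) -> str:
    """Turn obj['prop'] into obj.prop; other text is left untouched."""
    return _BRACKET_ACCESS.sub(r".\2", src)

def triage_js(src: str) -> dict:
    """Return the matched indicator names and whether the core set is present."""
    text = normalise(src)
    hits = [name for name, rx in _RULES if rx.search(text)]
    return {"indicators": hits, "suspicious": _CORE.issubset(hits)}

# Constructed sample mirroring the persistence snippet discussed above.
SAMPLE_LOADER = """
const { fork } = require('child_process');
const path = require('path');
function startChildProcess() {
  const _0x4777b5 = fork(path['join'](__dirname, 'decode.js'), [], {
    'detached': true,
    'stdio': 'ignore'
  });
  _0x4777b5['unref']();
}
process['on']('SIGINT', () => { startChildProcess(); process['exit'](); });
"""

# Constructed benign sample: an ordinary server with a graceful-shutdown hook.
SAMPLE_SERVER = """
const http = require('http');
const server = http.createServer((req, res) => res.end('ok'));
server.listen(8080);
process.on('SIGINT', () => { server.close(); process.exit(0); });
"""
```

A plain SIGINT handler is common in legitimate services, which is why only the combination with a detached, unref'd fork is reported as suspicious.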
The malware’s August 2025 update introduced enhanced anti-forensic capabilities, including comprehensive trace deletion functions that remove registry entries, downloaded files, and temporary directories. This cleanup mechanism operates through the ‘ss_del’ command, systematically erasing evidence of compromise while maintaining operational security for the threat actors’ ongoing campaigns.
Implications and Recommendations
The emergence of OtterCandy underscores the evolving sophistication of state-sponsored cyber threats, particularly those emanating from North Korea. By leveraging social engineering tactics that exploit the trust inherent in job recruitment processes, WaterPlum effectively bypasses traditional security measures, making detection and prevention more challenging.
To mitigate the risks associated with such advanced threats, organizations and individuals are advised to:
1. Exercise Caution with Unsolicited Job Offers: Be wary of unexpected job offers, especially those requiring the download of software or the provision of sensitive information.
2. Verify Company Credentials: Conduct thorough research to confirm the legitimacy of the company and the job offer. Look for official websites, contact information, and reviews.
3. Implement Robust Security Measures: Utilize comprehensive endpoint detection and response (EDR) solutions capable of identifying and mitigating sophisticated malware threats.
4. Educate Employees: Provide regular training on recognizing and responding to social engineering attacks, emphasizing the importance of vigilance in digital communications.
5. Monitor Network Activity: Regularly review network logs for unusual activity, such as unexpected connections to external servers or the execution of unfamiliar processes.
By adopting these proactive measures, individuals and organizations can enhance their resilience against the increasingly sophisticated tactics employed by threat actors like WaterPlum.