BeaverTail and OtterCookie evolve with a new JavaScript module

Cisco Talos uncovered a campaign linked to the Famous Chollima cluster that delivered merged BeaverTail and OtterCookie tooling via a trojanized Node.js package ("node-nvm-ssh") and a modified Chessfi repository, resulting in keylogging, screenshotting, and credential and cryptocurrency theft. The report details new OtterCookie modules (keylogger, screenshotter, clipboard theft), C2 infrastructure, delivery vectors including a malicious npm package and a VS Code extension, and multiple file and network IOCs. #OtterCookie #BeaverTail

Keypoints

  • Famous Chollima-linked actors distributed combined BeaverTail and OtterCookie malware through a trojanized Node.js package ("node-nvm-ssh") and a modified Chessfi repository cloned from Bitbucket.
  • Talos identified a new OtterCookie keylogging and screenshotting module that saves keystrokes to "1.tmp" and screenshots to "2.jpeg" and uploads them to a C2 listening on TCP port 1478.
  • OtterCookie and BeaverTail functionality has converged over multiple versions (v1–v5), adding modular data theft, clipboard stealing, virtual environment checks, and anti-analysis features.
  • Additional delivery experimentation was observed: a malicious VS Code extension masquerading as "Mercer Onboarding Helper" and containing OtterCookie code was found on VirusTotal.
  • OtterCookie modules include a remote shell (socket.io client over port 1418), file enumeration and upload (targeting crypto-related filenames and extensions), and a dedicated cryptocurrency extensions stealer that targets browser profiles and uploads extension files and credential stores.
  • BeaverTail continues to download and deploy InvisibleFerret Python stealers and remote access tools (via the C2 at 23.227.202.244 on port 1224), using obfuscation (Obfuscator.io, base64 slicing, XOR) to evade detection.
  • Talos published multiple IOCs (file hashes, C2 URLs, download URLs) and recommended detection/prevention controls and specific Snort/ClamAV signatures to block the campaign.

MITRE Techniques

  • [T1195.002] Supply Chain Compromise: Compromise Software Supply Chain – Malicious npm package "node-nvm-ssh" published on npmjs and a modified Chessfi repository on Bitbucket used to deliver the payload: "…malicious npm package named 'node-nvm-ssh'… modified Chessfi application hosted on Bitbucket…"
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The npm "postinstall" lifecycle script runs automatically during package installation and chains into node; index.js spawns a child process for file15.js, which reads test.list and passes its content to eval: "…npm run skip… node test/fixtures/eval…"; "…file15.js reads and calls eval on the content of the file test.list… index.js spawning a child process to execute file15.js…"
  • [T1566] Phishing – Social engineering via fake job offers and deceptive development/interview lures (fake onboarding helper VS Code extension, Fiverr/Discord recruitment) used to convince victims to install malicious code: "…user was deceived by a fake job offer… likely approached… through the freelance marketplace site Fiverr… Discord conversations…"
  • [T1056.001] Input Capture: Keylogging – Keystrokes captured with the "node-global-key-listener" package and written to "1.tmp" in a temp sub-folder before upload: "…keylogger listens for the keyboard… saved in the user's temporary sub-folder windows-cache with the file name '1.tmp'…"
  • [T1113] Screen Capture – Periodic desktop screenshots saved as "2.jpeg" and uploaded to the C2 every four seconds: "…screenshot is taken every four seconds… screenshots are saved in the same sub-folder with the file name '2.jpeg'… uploaded to the OtterCookie C2 server…:1478/upload…"
  • [T1115] Clipboard Data – Clipboard theft using OS-native commands ("pbpaste", "powershell Get-Clipboard") to collect clipboard contents and send them to the C2: "…checks the clipboard content using the commands 'pbpaste' on macOS or 'powershell Get-Clipboard' on Windows… sends the clipboard content to the C2 server URL…/makelog".
  • [T1083] File and Directory Discovery – File enumeration and targeted upload module that traverses drives and filters by name patterns and extensions to find sensitive files: "…enumerates all drives and traverses the file system… list of target file name extensions and file name search patterns…"
  • [T1071.001] Application Layer Protocol: Web Protocols – Remote shell over socket.io-client (HTTP upgraded to WebSocket) and HTTP uploads of stolen data to /upload, /uploads and /makelog endpoints: "…socket.io-client package used for communication with C2 server… listening on the TCP port 1418."; "…hxxp[://]172[.]86[.]88[.]188:1476/upload… hxxp[://]23[.]227[.]202[.]244:1224/uploads… hxxp[://]138[.]201[.]50[.]5:5961/upload…"
  • [T1571] Non-Standard Port – All observed C2 and exfiltration endpoints sit on high, non-standard TCP ports (1224, 1418, 1476, 1478, 5961) rather than 80/443, which makes them straightforward to flag on egress.
  • [T1027] Obfuscated Files or Information – Use of Obfuscator.io, base64 slicing and XOR schemes to hide C2 URLs and payloads: "…obfuscating the JavaScript code… using different configurations of the free JavaScript tool Obfuscator.io… encode the C2 URL as a shuffled string whose slices are base64 decoded… XOR-based obfuscation…"
  • [T1497] Virtualization/Sandbox Evasion – Later OtterCookie versions add virtual environment checks and other anti-analysis features before running the stealer modules.
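The install-time execution chain above (a lifecycle hook that hops through `npm run` into node, and a loader that reads a file and feeds it to `eval`) is the part of this campaign a developer can catch before anything runs. The triage script below is an added example, not Talos tooling and not code from the malicious package: it resolves `npm run` indirection in package.json lifecycle hooks and greps JavaScript sources for the eval-of-file-contents pattern. The manifest and loader it runs on are constructed samples with hypothetical file names modelled on the quoted fragments.

```python
"""Static triage of an npm package for suspicious install-time behaviour.
Added example (not from the Talos report); sample inputs are constructed."""
import json
import re

# npm runs these hooks automatically during `npm install`, before the
# developer has read a line of the package's code.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# `postinstall: npm run skip` style indirection hides the real command
# one hop away; follow it.
NPM_RUN = re.compile(r"\bnpm\s+run(?:-script)?\s+([\w:./-]+)")

SCRIPT_PATTERNS = {
    "runs-node-on-file": re.compile(r"\bnode\s+[\w./-]+"),
    "shell-download": re.compile(r"\b(?:curl|wget)\b"),
}
SOURCE_PATTERNS = {
    # eval( followed by something that is not a string literal
    "eval-of-non-literal": re.compile(r"\beval\s*\(\s*(?![\"'`])\S"),
    "reads-file": re.compile(r"\breadFileSync?\s*\("),
    "spawns-child": re.compile(r"child_process|\bspawn\s*\(|\bexecSync?\s*\(|\bfork\s*\("),
    # identifiers of the form _0xabcd are typical Obfuscator.io output
    "obfuscator-io-style-ids": re.compile(r"_0x[0-9a-f]{4,}"),
}


def resolve_hook(scripts: dict, hook: str, depth: int = 5) -> list:
    """Return the chain of script bodies reached from `hook`, following
    `npm run <name>` indirection up to `depth` hops."""
    chain, seen, queue = [], set(), [hook]
    while queue and len(chain) < depth:
        name = queue.pop(0)
        if name in seen or name not in scripts:
            continue
        seen.add(name)
        body = scripts[name]
        chain.append(f"{name}: {body}")
        queue.extend(m.group(1) for m in NPM_RUN.finditer(body))
    return chain


def audit_package_json(text: str) -> list:
    """One finding per lifecycle hook present, with the resolved command
    chain and the reasons it looks suspicious (possibly none)."""
    scripts = json.loads(text).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        if hook not in scripts:
            continue
        chain = resolve_hook(scripts, hook)
        joined = "\n".join(chain)
        reasons = [k for k, rx in SCRIPT_PATTERNS.items() if rx.search(joined)]
        if len(chain) > 1:
            reasons.append("npm-run-indirection")
        findings.append({"hook": hook, "chain": chain, "reasons": reasons})
    return findings


def audit_source(path: str, source: str) -> dict:
    """Flag a JavaScript file whose content matches the loader patterns."""
    hits = [k for k, rx in SOURCE_PATTERNS.items() if rx.search(source)]
    # Reading a file and eval'ing non-literal data in the same file is the
    # file15.js -> test.list pattern described above.
    if "eval-of-non-literal" in hits and "reads-file" in hits:
        hits.append("eval-of-file-contents")
    return {"path": path, "hits": hits}


# Constructed sample manifest (hypothetical script names and paths).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg",
    "scripts": {
        "postinstall": "npm run skip",
        "skip": "node test/fixtures/loader.js",
        "test": "jest",
    },
})
# Constructed sample loader (hypothetical; not the real file15.js).
SAMPLE_LOADER_JS = """
const fs = require('fs');
const p = require('path');
const data = fs.readFileSync(p.join(__dirname, 'test.list'), 'utf8');
eval(data);
"""

if __name__ == "__main__":
    for f in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f["hook"], "->", " | ".join(f["chain"]), f["reasons"])
    print(audit_source("test/fixtures/loader.js", SAMPLE_LOADER_JS))
```

Run it against the unpacked tarball of any package you are about to `npm install` (`npm pack <name>` fetches the tarball without running its scripts); `npm install --ignore-scripts` is the blunt version of the same control.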

Indicators of Compromise

  • [File Hash] early OtterCookie sample – f08e3ee84714cc5faefb7ac300485c879356922003d667587c58d594d875294e
  • [File Hash] malicious npm package (test.list) – 83c145aedfdf61feb02292a6eb5091ea78d8d0ffaebf41585c614723f36641d8 (Aug 2025)
  • [File Hash] BeaverTail evolution examples – 72ebfe69c69d2dd173bb92013ab44d895a3367f91f09e3f8d18acab44e37b26d, caad2f3d85e467629aa535e0081865d329c4cd7e6ff20a000ea07e62bf2e4394 (representative)
  • [File Hash] VS Code extension artifacts – 9e65de386b40f185bf7c1d9b1380395e5ff606c2f8373c63204a52f8ddc01982, dff2a0fb344a0ad4b2c129712b2273fda46b5ea75713d23d65d5b03d0057f6dd (raw.js)
  • [Domain/IP] C2 infrastructure – 23.227.202.244 (C2/pdown/uploads on port 1224), 172.86.88.188 (socket.io on :1418, upload :1476, makelog), and 138.201.50.5:5961 (extension upload) — used for payload distribution and data exfiltration
  • [URL] Download/repository locations – hxxps://www[.]npmjs[.]com/package/node-nvm-ssh (malicious npm package), hxxps://bitbucket[.]org/dev-chess/chess-frontend[.]git (compromised Chessfi source)
  • [Filename/Artifacts] local artifacts and saved data – Keystroke and screenshot files saved to the user temp sub-folder "windows-cache" as "1.tmp" and "2.jpeg"; test.list (deobfuscated payload); file15.js and index.js used in the postinstall execution chain
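Matching the listed IPs and ports is the obvious hunt, but the infrastructure rotates; the screenshot module's fixed four-second upload loop is a behaviour that survives a C2 change. The script below is an added example (not from the Talos report) that does both over a constructed egress log: exact hits on the published endpoints, and a cadence check that flags any (source, destination, port, path) tuple whose POSTs recur at a near-constant interval close to four seconds. The log line format, the 203.0.113.9 / 198.51.100.20 / 10.0.0.7 addresses and the socket.io handshake line are all assumptions for the sample.

```python
"""IOC matching plus periodic-upload detection over a simple egress log.
Added example; the log format and sample lines are constructed."""
import re
import statistics
from collections import defaultdict

# Network indicators quoted on this page: C2 endpoints and upload paths.
IOC_ENDPOINTS = {
    ("23.227.202.244", 1224),
    ("172.86.88.188", 1418),
    ("172.86.88.188", 1476),
    ("172.86.88.188", 1478),
    ("138.201.50.5", 5961),
}
IOC_PATHS = {"/upload", "/uploads", "/makelog"}

# Assumed log format (hypothetical), one event per line:
#   <epoch ts> <src ip> <dst ip>:<dst port> <method> <path>
LOG_RX = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)$"
)


def parse_log(lines):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RX.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = float(e["ts"])
            e["port"] = int(e["port"])
            events.append(e)
    return events


def match_iocs(events):
    """Exact hits on the published C2 endpoints (IP and port must both match)."""
    return [e for e in events if (e["dst"], e["port"]) in IOC_ENDPOINTS]


def find_periodic_uploads(events, expected=4.0, tolerance=1.0,
                          max_jitter=0.5, min_events=5):
    """Flag (src, dst, port, path) tuples whose POSTs recur at a near-constant
    interval close to `expected` seconds: the screenshot loop, whether or not
    the destination is on an IOC list yet."""
    groups = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            groups[(e["src"], e["dst"], e["port"], e["path"])].append(e["ts"])
    alerts = []
    for (src, dst, port, path), stamps in groups.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        jitter = statistics.pstdev(gaps)
        if abs(median_gap - expected) <= tolerance and jitter <= max_jitter:
            alerts.append({
                "src": src, "dst": dst, "port": port, "path": path,
                "events": len(stamps),
                "median_gap": round(median_gap, 2), "jitter": round(jitter, 2),
                "ioc_endpoint": (dst, port) in IOC_ENDPOINTS,
                "ioc_path": path in IOC_PATHS,
            })
    return alerts


# Constructed sample: one workstation posting to an unlisted address every
# ~4 s, a benign health check, one socket.io handshake to a published C2,
# and a malformed line that the parser must ignore.
SAMPLE_LOG = """
1000.0 10.0.0.7 203.0.113.9:1478 POST /upload
1000.5 10.0.0.7 198.51.100.20:443 GET /api/health
1004.1 10.0.0.7 203.0.113.9:1478 POST /upload
1008.0 10.0.0.7 203.0.113.9:1478 POST /upload
1012.2 10.0.0.7 203.0.113.9:1478 POST /upload
1016.0 10.0.0.7 203.0.113.9:1478 POST /upload
1020.1 10.0.0.7 203.0.113.9:1478 POST /upload
1060.5 10.0.0.7 198.51.100.20:443 GET /api/health
1061.0 10.0.0.7 172.86.88.188:1418 GET /socket.io/?EIO=4&transport=polling
this line is not in the expected format
""".strip().splitlines()

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in match_iocs(evs):
        print("IOC hit:", hit["src"], "->", f'{hit["dst"]}:{hit["port"]}', hit["path"])
    for a in find_periodic_uploads(evs):
        print("periodic upload:", a)
```

The cadence check is deliberately keyed on destination and path rather than on the IOC list, so it fires for the 203.0.113.9 host that no signature knows about; the `ioc_path` field then tells the analyst that the path is one the report already associates with OtterCookie. Tune `min_events` and `max_jitter` to your log volume before running it fleet-wide.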


Read more: https://blog.talosintelligence.com/beavertail-and-ottercookie/