A North Korean state-sponsored threat actor, known for its connection to the “Contagious Interview” campaign, has been observed actively refining its cyber attack toolset. According to new research from Cisco Talos, the hacking group is merging the functionalities of two of its signature malware programs, BeaverTail and OtterCookie. This strategic enhancement indicates a persistent effort by the actor to improve its malicious software and streamline its operations for greater impact.

Upgraded Malware: BeaverTail and OtterCookie Converge

In recent campaigns analyzed by Cisco Talos, the functions of BeaverTail and OtterCookie are converging more than ever. This evolution points to a deliberate consolidation of the group’s offensive tools. The report highlights a significant upgrade to the OtterCookie malware, which has been fitted with a new module for advanced surveillance. This new component gives the malware the ability to perform keylogging, capturing every keystroke a victim makes, and to take screenshots of the infected machine’s screen. These additions substantially increase the group’s capacity for intelligence gathering and data exfiltration from compromised targets.

Attribution and Evasion via Blockchain

The activity is attributed to a well-known threat cluster tracked by the cybersecurity community under a wide range of monikers, including CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, PurpleBravo, Tenacious Pungsan, UNC5342, and Void Dokkaebi. The group’s technical sophistication is further underscored by findings from the Google Threat Intelligence Group (GTIG) and Mandiant. They revealed the actor’s use of a stealthy technique called EtherHiding. This method leverages the BNB Smart Chain to fetch next-stage payloads, allowing the attackers to obscure their command-and-control infrastructure and evade traditional security measures.