BeaverTail and OtterCookie Evolve with a New JavaScript Module

    Date: 10/17/2025

    Severity: High

    Summary

    Famous Chollima, a North Korea-aligned group, lures victims with fake job offers into installing malware. In a recent case the lure was a trojanized Node.js application called Chessfi, with the malicious code delivered through the NPM package node-nvm-ssh (the package and the application's Bitbucket repository are both listed in the IOCs below). The group's two tools, BeaverTail and OtterCookie, have converged: functionality has been merged between them, and a new JavaScript module adds keylogging and screenshot capture. A malicious VS Code extension containing their code was also found, suggesting the group is experimenting with new malware delivery methods.

    Indicators of Compromise (IOC) List

    URLs/Domains

    http://23.227.202.244:1224/uploads

    http://23.227.202.244:1224/pdown

    http://23.227.202.244:1224/client/14/144

    http://23.227.202.244:1224/payload/14/144

    http://23.227.202.244:1224/brow/14/144

    http://23.227.202.244:1224/keys

    http://172.86.88.188:1418/socket.io/

    http://172.86.88.188:1476/upload

    http://172.86.88.188/api/service/makelog

    http://172.86.88.188/api/service/process/c841b6c4ac4d2e83f16cf7a8bfbec3d7

    http://138.201.50.5:5961/upload

    http://135.181.123.177/api/service/makelog

    http://144.172.96.35/api/service/makelog

    http://144.172.112.50/api/service/makelog

    http://172.86.73.46

    http://135.181.123.177

    http://172.86.113.12

    https://www.npmjs.com/package/node-nvm-ssh

    https://bitbucket.org/dev-chess/chess-frontend.git

    Hash

    f08e3ee84714cc5faefb7ac300485c879356922003d667587c58d594d875294e

    72ebfe69c69d2dd173bb92013ab44d895a3367f91f09e3f8d18acab44e37b26d

    caad2f3d85e467629aa535e0081865d329c4cd7e6ff20a000ea07e62bf2e4394

    8efa928aa896a5bb3715b8b0ed20881029b0a165a296334f6533fa9169b4463b

    77aec48003beeceb88e70bed138f535e1536f4bbbdff580528068ad6d184f379

    0904eff1edeff4b6eb27f03e0ccc759d6aa8d4e1317a1e6f6586cdb84db4a731

    d27c9f75c3f1665ee19642381a4dd6f2e4038540442cf50948b43f418730fd0a

    51ddd8f6ff30d76de45e06902c45c55163ddbec7d114ad89b21811ffedb71974

    d89c45d65a825971d250d12bc7a449321e1977f194e52e4ca541e8a908712e47

    6a9b4e8537bb97e337627b4dd1390bdb03dc66646704bd4b68739d499bd53063

    a6914ded72bdd21e2f76acde46bf92b385f9ec6f7e6b7fdb873f21438dfbff1d

    9e65de386b40f185bf7c1d9b1380395e5ff606c2f8373c63204a52f8ddc01982

    dff2a0fb344a0ad4b2c129712b2273fda46b5ea75713d23d65d5b03d0057f6dd

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "http://144.172.112.50/api/service/makelog" or siteurl like "http://144.172.112.50/api/service/makelog" or url like "http://144.172.112.50/api/service/makelog" or
    domainname like "https://bitbucket.org/dev-chess/chess-frontend.git" or siteurl like "https://bitbucket.org/dev-chess/chess-frontend.git" or url like "https://bitbucket.org/dev-chess/chess-frontend.git" or
    domainname like "http://172.86.88.188/api/service/makelog" or siteurl like "http://172.86.88.188/api/service/makelog" or url like "http://172.86.88.188/api/service/makelog" or
    domainname like "http://23.227.202.244:1224/pdown" or siteurl like "http://23.227.202.244:1224/pdown" or url like "http://23.227.202.244:1224/pdown" or
    domainname like "http://172.86.88.188:1476/upload" or siteurl like "http://172.86.88.188:1476/upload" or url like "http://172.86.88.188:1476/upload" or
    domainname like "http://23.227.202.244:1224/payload/14/144" or siteurl like "http://23.227.202.244:1224/payload/14/144" or url like "http://23.227.202.244:1224/payload/14/144" or
    domainname like "http://172.86.88.188/api/service/process/c841b6c4ac4d2e83f16cf7a8bfbec3d7" or siteurl like "http://172.86.88.188/api/service/process/c841b6c4ac4d2e83f16cf7a8bfbec3d7" or url like "http://172.86.88.188/api/service/process/c841b6c4ac4d2e83f16cf7a8bfbec3d7" or
    domainname like "http://23.227.202.244:1224/client/14/144" or siteurl like "http://23.227.202.244:1224/client/14/144" or url like "http://23.227.202.244:1224/client/14/144" or
    domainname like "http://144.172.96.35/api/service/makelog" or siteurl like "http://144.172.96.35/api/service/makelog" or url like "http://144.172.96.35/api/service/makelog" or
    domainname like "http://135.181.123.177" or siteurl like "http://135.181.123.177" or url like "http://135.181.123.177" or
    domainname like "http://172.86.88.188:1418/socket.io/" or siteurl like "http://172.86.88.188:1418/socket.io/" or url like "http://172.86.88.188:1418/socket.io/" or
    domainname like "http://23.227.202.244:1224/brow/14/144" or siteurl like "http://23.227.202.244:1224/brow/14/144" or url like "http://23.227.202.244:1224/brow/14/144" or
    domainname like "http://172.86.73.46" or siteurl like "http://172.86.73.46" or url like "http://172.86.73.46" or
    domainname like "http://23.227.202.244:1224/uploads" or siteurl like "http://23.227.202.244:1224/uploads" or url like "http://23.227.202.244:1224/uploads" or
    domainname like "http://23.227.202.244:1224/keys" or siteurl like "http://23.227.202.244:1224/keys" or url like "http://23.227.202.244:1224/keys" or
    domainname like "http://138.201.50.5:5961/upload" or siteurl like "http://138.201.50.5:5961/upload" or url like "http://138.201.50.5:5961/upload" or
    domainname like "http://135.181.123.177/api/service/makelog" or siteurl like "http://135.181.123.177/api/service/makelog" or url like "http://135.181.123.177/api/service/makelog" or
    domainname like "http://172.86.113.12" or siteurl like "http://172.86.113.12" or url like "http://172.86.113.12" or
    domainname like "https://www.npmjs.com/package/node-nvm-ssh" or siteurl like "https://www.npmjs.com/package/node-nvm-ssh" or url like "https://www.npmjs.com/package/node-nvm-ssh"

    Detection Query 2 :

    sha256hash IN ("8efa928aa896a5bb3715b8b0ed20881029b0a165a296334f6533fa9169b4463b","0904eff1edeff4b6eb27f03e0ccc759d6aa8d4e1317a1e6f6586cdb84db4a731","72ebfe69c69d2dd173bb92013ab44d895a3367f91f09e3f8d18acab44e37b26d","a6914ded72bdd21e2f76acde46bf92b385f9ec6f7e6b7fdb873f21438dfbff1d","caad2f3d85e467629aa535e0081865d329c4cd7e6ff20a000ea07e62bf2e4394","6a9b4e8537bb97e337627b4dd1390bdb03dc66646704bd4b68739d499bd53063","f08e3ee84714cc5faefb7ac300485c879356922003d667587c58d594d875294e","d89c45d65a825971d250d12bc7a449321e1977f194e52e4ca541e8a908712e47","9e65de386b40f185bf7c1d9b1380395e5ff606c2f8373c63204a52f8ddc01982","d27c9f75c3f1665ee19642381a4dd6f2e4038540442cf50948b43f418730fd0a","77aec48003beeceb88e70bed138f535e1536f4bbbdff580528068ad6d184f379","51ddd8f6ff30d76de45e06902c45c55163ddbec7d114ad89b21811ffedb71974","dff2a0fb344a0ad4b2c129712b2273fda46b5ea75713d23d65d5b03d0057f6dd")
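
    Both queries above are exact string comparisons. Query 1 fires only when the logged URL equals one of the IOC strings character for character, so a request with a query string, an extra path segment or a different port on the same C2 host is missed; Query 2 is a plain set lookup on SHA-256. The Python below is an added example, not part of this advisory and not Gurucul's query language: it reduces the IOC URLs to their hosts and matches proxy log lines on the host, flags registry fetches of the node-nvm-ssh package, and searches an npm package-lock.json for that package. The log lines and the lockfile (including its version number and resolved URL) are constructed for the demo, and the log format (timestamp, source IP, method, URL, status) is an assumption.

```python
import json
import re
from urllib.parse import urlsplit

# Network IOCs copied from the advisory's list above.
IOC_URLS = [
    "http://23.227.202.244:1224/uploads",
    "http://23.227.202.244:1224/pdown",
    "http://23.227.202.244:1224/client/14/144",
    "http://23.227.202.244:1224/payload/14/144",
    "http://23.227.202.244:1224/brow/14/144",
    "http://23.227.202.244:1224/keys",
    "http://172.86.88.188:1418/socket.io/",
    "http://172.86.88.188:1476/upload",
    "http://172.86.88.188/api/service/makelog",
    "http://172.86.88.188/api/service/process/c841b6c4ac4d2e83f16cf7a8bfbec3d7",
    "http://138.201.50.5:5961/upload",
    "http://135.181.123.177/api/service/makelog",
    "http://144.172.96.35/api/service/makelog",
    "http://144.172.112.50/api/service/makelog",
    "http://172.86.73.46",
    "http://135.181.123.177",
    "http://172.86.113.12",
]
MALICIOUS_PACKAGE = "node-nvm-ssh"  # the npm package named in the advisory


def ioc_hosts(urls=IOC_URLS):
    """Hosts (IPs) extracted from the IOC URLs. C2 servers are matched on the host
    alone: a full-URL string comparison, as in Detection Query 1, misses any request
    carrying a query string, a trailing slash or a different path on the same server."""
    return {urlsplit(u).hostname for u in urls}


URL_RE = re.compile(r"https?://\S+")


def classify(line, hosts=None):
    """Classify one proxy log line. Returns (verdict, detail) with verdict
    'c2', 'npm_package' or None."""
    hosts = hosts or ioc_hosts()
    m = URL_RE.search(line)
    if not m:
        return None, ""
    p = urlsplit(m.group(0))
    if p.hostname in hosts:
        return "c2", f"{p.hostname}:{p.port or 80}{p.path}"
    # A registry fetch of the trojanized package: both registry.npmjs.org/<name> and
    # the tarball path <name>/-/<name>-<ver>.tgz carry the package name as a path segment.
    if MALICIOUS_PACKAGE in p.path.split("/"):
        return "npm_package", p.hostname + p.path
    return None, ""


def scan_log(lines):
    """Return only the matching lines as (line_no, verdict, detail)."""
    hosts = ioc_hosts()
    out = []
    for i, line in enumerate(lines, 1):
        verdict, detail = classify(line, hosts)
        if verdict:
            out.append((i, verdict, detail))
    return out


def lockfile_hits(lock_text, package=MALICIOUS_PACKAGE):
    """package-lock.json (lockfileVersion 2/3) entries that install `package`,
    including nested copies under another dependency's node_modules, plus whether
    the project lists it as a direct dependency."""
    lock = json.loads(lock_text)
    packages = lock.get("packages", {})
    keys = [k for k in packages if k.split("node_modules/")[-1] == package]
    direct = package in packages.get("", {}).get("dependencies", {})
    return {"installed_at": sorted(keys), "direct_dependency": direct}


# Constructed sample proxy log lines (timestamp, source IP, method, URL, status).
SAMPLE_LOG = [
    "2025-10-17T09:12:01Z 10.0.4.21 POST http://23.227.202.244:1224/uploads 200",
    "2025-10-17T09:12:05Z 10.0.4.21 GET http://23.227.202.244:1224/client/14/144 200",
    # query string added by the socket.io client: an exact-URL match would miss this one
    "2025-10-17T09:13:40Z 10.0.4.21 GET http://172.86.88.188:1418/socket.io/?EIO=4&transport=polling 200",
    "2025-10-17T09:15:00Z 10.0.4.23 GET https://registry.npmjs.org/node-nvm-ssh/-/node-nvm-ssh-1.0.0.tgz 200",
    "2025-10-17T09:16:11Z 10.0.4.24 GET https://registry.npmjs.org/express/-/express-4.18.2.tgz 200",
]

# Constructed package-lock.json fragment; the version and resolved URL are placeholders.
SAMPLE_LOCK = json.dumps({
    "name": "chess-frontend", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.18.2", "node-nvm-ssh": "^1.0.0"}},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/node-nvm-ssh": {"version": "1.0.0",
            "resolved": "https://registry.npmjs.org/node-nvm-ssh/-/node-nvm-ssh-1.0.0.tgz"},
    },
})

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(lockfile_hits(SAMPLE_LOCK))
```

    Against real data, feed `scan_log` the URL field of proxy or web-gateway logs and run `lockfile_hits` over the package-lock.json of any repository a candidate was asked to clone for a "coding test"; a hit on the host alone is the higher-confidence signal, since the paths and ports in the IOC list are specific to the observed campaign.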
     

    Reference:

    https://blog.talosintelligence.com/beavertail-and-ottercookie/ 


    Tags

    Malware, Threat Actor, Famous Chollima, North Korea, Trojan, Chessfi, Node Package Manager (NPM), BeaverTail, OtterCookie, Keylogger
