North Korea’s OtterCookie Malware Adds New Features for All Major OSes

Bisma Farrukh

A sophisticated malware strain known as OtterCookie, attributed to the North Korean hacking group WaterPlum (also tracked as Famous Chollima or PurpleBravo), has received significant enhancements that improve its cross-platform functionality and credential theft techniques.
Initially identified in September 2024, OtterCookie has evolved rapidly; its latest version appeared in April 2025. Cybersecurity researchers have tracked its development across four distinct versions, reflecting WaterPlum's ongoing campaign against financial institutions, cryptocurrency platforms, and FinTech companies worldwide.
WaterPlum introduced OtterCookie as part of its "Contagious Interview" campaign, which has been running since 2023. This marked a shift away from relying solely on the BeaverTail malware and signaled a broader change in the group's tactics and tooling.
According to NTT Security, which has been closely monitoring WaterPlum's operations, the group updates OtterCookie roughly every two to three months. As of May 2025, both v3 and v4 remain active in the wild.
Cross-Platform Targeting
One of the most significant advancements in the latest OtterCookie versions is expanded cross-platform support. The malware now includes modules tailored to Windows, macOS, and Linux, a step beyond the typical strain that targets only a single operating system.
Credential Theft Upgrades
OtterCookie v4's most notable improvement is its expanded credential-stealing capability:
- One stealer module uses the Windows Data Protection API (DPAPI) to decrypt passwords saved in Google Chrome, staging the plaintext credentials in a local file (\AppData\Local\1.db) before exfiltration.
- A second module collects encrypted credentials from Google Chrome, Brave, and the MetaMask cryptocurrency wallet extension without decrypting them on the host. According to NTT researchers, this divergence in design suggests that multiple developers are involved.
The malware also targets the macOS Keychain to extract sensitive data, reinforcing its multi-platform threat profile.
OtterCookie v4 incorporates improved sandbox detection to evade analysis in virtual environments. It also refines its clipboard monitoring by invoking native OS commands rather than third-party libraries, which makes the activity harder for security tools to attribute to the malware.
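Two of the behaviours described above, the DPAPI stealer's staging file under AppData\Local and clipboard reads performed through native OS commands, leave host telemetry a defender can match on. The following is an added detection sketch, not code from the original article or from NTT Security. It runs over constructed Sysmon/EDR-style event dicts; the field names (`type`, `ts`, `host`, `ppid`, `image`, `cmdline`, `path`), the list of clipboard-reading commands, the polling threshold and window, and the sample events are all assumptions made for the example.

```python
r"""
Detection sketch for two OtterCookie v4 behaviours:
  1. plaintext Chrome credentials staged to %LOCALAPPDATA%\1.db before exfiltration
  2. clipboard polling via native OS commands (pbpaste, xclip/xsel, Get-Clipboard)
     instead of a bundled library.
Event records are constructed dicts; the schema is an assumption, not a vendor's.
"""
import re
from collections import defaultdict

# Native clipboard-reading tools per OS (assumed list, extend for your estate).
CLIPBOARD_READERS = [
    (re.compile(r"(^|[\\/])pbpaste$", re.I), "macOS pbpaste"),
    (re.compile(r"(^|[\\/])(xclip|xsel)$", re.I), "Linux xclip/xsel"),
    (re.compile(r"(^|[\\/])wl-paste$", re.I), "Linux wl-paste"),
    (re.compile(r"(^|[\\/])(powershell|pwsh)(\.exe)?$", re.I), "PowerShell Get-Clipboard"),
]

# Staging file written by the DPAPI stealer module; match either slash style.
STAGING_DB = re.compile(r"[\\/]AppData[\\/]Local[\\/]1\.db$", re.I)

# Reads from one parent process inside POLL_WINDOW seconds that count as polling (assumed tuning).
POLL_THRESHOLD = 3
POLL_WINDOW = 10.0


def classify_clipboard_read(image, cmdline):
    """Return a label if this process execution reads the clipboard with a native tool, else None."""
    for pattern, label in CLIPBOARD_READERS:
        if not pattern.search(image):
            continue
        if "powershell" in label.lower():
            # PowerShell is only interesting when it actually invokes Get-Clipboard.
            return label if re.search(r"get-clipboard", cmdline, re.I) else None
        if "xclip" in label:
            # xclip/xsel only *read* the selection with -o / --output; otherwise they write it.
            return label if re.search(r"(^|\s)(-o|--output)(\s|$)", cmdline) else None
        return label
    return None


def is_staging_db(path):
    """True for the 1.db file the DPAPI stealer writes directly under AppData\\Local."""
    return bool(STAGING_DB.search(path))


def analyze(events):
    """Run both rules over a list of event dicts and return (rule, host, detail) tuples."""
    findings = []
    reads = defaultdict(list)  # (host, ppid) -> timestamps of recent clipboard reads
    alerted = set()            # keys already reported for polling
    for ev in events:
        if ev["type"] == "file" and is_staging_db(ev.get("path", "")):
            findings.append(("chrome_dpapi_staging_db", ev["host"], ev["path"]))
        elif ev["type"] == "process":
            label = classify_clipboard_read(ev.get("image", ""), ev.get("cmdline", ""))
            if not label:
                continue
            key = (ev["host"], ev["ppid"])
            # Sliding window: keep only reads within POLL_WINDOW of the current one.
            reads[key] = [t for t in reads[key] if ev["ts"] - t <= POLL_WINDOW] + [ev["ts"]]
            if len(reads[key]) >= POLL_THRESHOLD and key not in alerted:
                alerted.add(key)
                findings.append(("native_clipboard_polling", ev["host"],
                                 f"ppid={ev['ppid']} via {label}"))
    return findings


# Constructed sample telemetry (not real OtterCookie logs).
SAMPLE_EVENTS = [
    {"type": "process", "ts": 1.0, "host": "mac-dev", "ppid": 4242, "image": "/usr/bin/pbpaste", "cmdline": "pbpaste"},
    {"type": "process", "ts": 3.0, "host": "mac-dev", "ppid": 4242, "image": "/usr/bin/pbpaste", "cmdline": "pbpaste"},
    {"type": "process", "ts": 5.5, "host": "mac-dev", "ppid": 4242, "image": "/usr/bin/pbpaste", "cmdline": "pbpaste"},
    # A clipboard *write* on Linux: benign for this rule.
    {"type": "process", "ts": 7.0, "host": "lnx-dev", "ppid": 900, "image": "/usr/bin/xclip", "cmdline": "xclip -selection clipboard -i"},
    # A single PowerShell read: below the polling threshold.
    {"type": "process", "ts": 9.0, "host": "win-dev", "ppid": 1337,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell -c Get-Clipboard"},
    {"type": "file", "ts": 12.0, "host": "win-dev", "ppid": 1337, "path": r"C:\Users\alice\AppData\Local\1.db"},
    # Chrome's own key store being touched is normal; it must not trip the staging rule.
    {"type": "file", "ts": 13.0, "host": "win-dev", "ppid": 1337, "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding)
```

On the sample data this yields two findings: repeated `pbpaste` launches from one parent on the macOS host, and the `1.db` staging file on the Windows host. A single `Get-Clipboard` call is deliberately left below the threshold, since interactive PowerShell use produces such events legitimately; in production, the parent process image (for example, a Node or script host spawning the reader) is the natural second signal to require.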