Threat Actors Leveraging ClickFake Interview Attack to Deploy OtterCandy Malware

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Cybercriminals associated with the North Korean threat group WaterPlum, also known as Famous Chollima or PurpleBravo, have escalated their activities with a sophisticated new malware strain called OtterCandy.

This cross-platform RAT and information stealer represents a dangerous evolution in the group’s capabilities, combining features from previously observed malware families RATatouille and OtterCookie to create a more potent weapon for credential theft and system compromise.

The malware emerges as part of WaterPlum’s ClickFake Interview campaign, a deceptive social engineering operation that masquerades as legitimate job recruitment processes in the blockchain and cryptocurrency sectors.

Attackers create convincing fake company websites, such as BlockForgeX, which present seemingly authentic job applications and interview processes to lure unsuspecting victims into downloading malicious software under the guise of camera setup instructions or driver updates.

ClickFake attack flow (Source – NTT Security)

NTT Security researchers identified OtterCandy as the latest addition to WaterPlum’s arsenal, noting its deployment across Windows, macOS, and Linux platforms since July 2025.

The malware’s impact extends beyond individual systems, as attacks have been observed targeting victims in Japan and other regions, demonstrating the threat group’s expanding global reach and ambitions.

Built using Node.js, OtterCandy establishes communication with command-and-control servers through Socket.IO connections, enabling threat actors to execute a comprehensive range of malicious activities remotely.

The malware’s command structure reveals its sophisticated design, implementing functions such as ‘imp’ for sweeping home directories, ‘pat’ for pattern-based file searches, and ‘upload’ for extracting system information, browser credentials, and cryptocurrency wallet data.
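Because the C2 channel is plain Socket.IO, its handshake has a recognisable shape on the wire: a request to the default `/socket.io/` path carrying `EIO=` and `transport=` query parameters. The following Python triage script is an added example written for this article, not code from NTT Security or from the malware. It parses constructed proxy log lines (timestamp, client IP, process name, method, URL) and flags Socket.IO handshakes made by non-browser processes; the browser allowlist and the log format are assumptions, and the hostnames use reserved `.test`/`.invalid` domains.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log (not real telemetry). Columns:
# timestamp  client_ip  process  method  url
PROXY_LOG = """\
2025-08-01T09:00:01Z 10.0.0.12 chrome.exe GET https://example-chat.test/socket.io/?EIO=4&transport=polling&t=abc123
2025-08-01T09:00:05Z 10.0.0.12 node.exe GET https://update-cdn.invalid/socket.io/?EIO=4&transport=polling&t=xyz789
2025-08-01T09:00:06Z 10.0.0.12 node.exe GET wss://update-cdn.invalid/socket.io/?EIO=4&transport=websocket&sid=s1
2025-08-01T09:00:07Z 10.0.0.12 node.exe GET https://registry.npmjs.org/left-pad
2025-08-01T09:01:00Z 10.0.0.13 firefox.exe GET https://example-chat.test/socket.io/?EIO=4&transport=websocket
"""

# Assumption: on a workstation, browsers are the expected Socket.IO clients.
# A Node.js process opening a Socket.IO session to an external host is the
# behaviour worth a closer look.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "safari"}


def is_socketio_handshake(url: str) -> bool:
    """True when the URL looks like an Engine.IO/Socket.IO handshake:
    default /socket.io/ path plus EIO and transport query parameters."""
    parts = urlsplit(url)
    if not parts.path.startswith("/socket.io/"):
        return False
    query = parse_qs(parts.query)
    return "EIO" in query and "transport" in query


def find_suspicious(log_text: str) -> list:
    """Return one record per Socket.IO handshake made by a non-browser process."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client_ip, proc, method, url = line.split()
        if not is_socketio_handshake(url):
            continue
        if proc.lower() in BROWSER_PROCESSES:
            continue
        parts = urlsplit(url)
        hits.append({
            "ts": ts,
            "client_ip": client_ip,
            "process": proc,
            "host": parts.netloc,
            "transport": parse_qs(parts.query)["transport"][0],
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(PROXY_LOG):
        print(hit)
```

The polling request followed by a websocket upgrade to the same host is the normal Socket.IO connection sequence, so a real deployment would group hits by process and destination rather than alert on every line.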

Advanced Persistence and Evasion Mechanisms

OtterCandy demonstrates remarkable resilience through its multi-layered persistence strategy that ensures continued operation even after detection attempts.

ClickFix webpage (Source – NTT Security)

While the malware typically relies on the preceding DiggingBeaver component for initial persistence, it incorporates an independent backup mechanism that automatically restarts processes when interrupted.

This self-preservation feature uses Node.js’s process event handling to trap SIGINT signals:

const { fork } = require('child_process');
const path = require('path');

// Spawn a detached copy of decode.js that keeps running after the parent exits
function startChildProcess() {
    const _0x4777b5 = fork(path['join'](__dirname, 'decode.js'), [], {
        'detached': !![],
        'stdio': 'ignore'
    });
    _0x4777b5['unref']();
}

// On interruption, respawn the child and only then exit
process['on']('SIGINT', () => {
    startChildProcess();
    process['exit']();
});
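The bracket notation in the quoted snippet (`process['on']`, `path['join']`) defeats a naive search for `process.on(`, so a static check needs to normalise property access before matching. The Python scanner below is an added example for this article, not the malware's code or a tool from NTT Security. It folds `obj['prop']` into `obj.prop`, then looks for the combination that matters: a SIGINT handler that exits, plus a detached, unref'd child process. The two samples it runs on are constructed; one imitates the quoted respawn logic, the other is an ordinary server that traps SIGINT only for a clean shutdown and must not be flagged.

```python
import re

# Constructed sample in the style the article quotes (bracket-notation
# property access, hex-named variables); not the malware's actual source.
SUSPECT_SRC = r"""
const { fork } = require('child_process');
const path = require('path');

function startChildProcess() {
    const _0x4777b5 = fork(path['join'](__dirname, 'decode.js'), [], {
        'detached': !![],
        'stdio': 'ignore'
    });
    _0x4777b5['unref']();
}

process['on']('SIGINT', () => {
    startChildProcess();
    process['exit']();
});
"""

# Constructed benign sample: a server that handles SIGINT for graceful shutdown.
BENIGN_SRC = r"""
const server = require('http').createServer().listen(8080);
process.on('SIGINT', () => {
    server.close(() => process.exit(0));
});
"""

# obj['prop'] or obj["prop"]  ->  obj.prop
_BRACKET_ACCESS = re.compile(r"""\[\s*(['"])([A-Za-z_$][\w$]*)\1\s*\]""")
# Captures the handler body passed to process.on('SIGINT', ...)
_SIGINT_HANDLER = re.compile(r"""process\.on\(\s*['"]SIGINT['"]\s*,(.*?)\}\s*\)\s*;""")
# fork()/spawn() whose options set detached: true (or the obfuscated !![])
_DETACHED_CHILD = re.compile(r"""\b(fork|spawn)\(.*?['"]?detached['"]?\s*:\s*(true|!!\[\])""")
_UNREF = re.compile(r"\.unref\(\s*\)")


def normalize(src: str) -> str:
    """Fold bracket-notation property access into dot notation and collapse
    whitespace so one pattern matches obfuscated and plain spellings alike."""
    src = _BRACKET_ACCESS.sub(r".\2", src)
    return re.sub(r"\s+", " ", src)


def scan(src: str) -> dict:
    """Return the individual indicators plus a verdict for the
    respawn-on-SIGINT persistence pattern."""
    text = normalize(src)
    handler = _SIGINT_HANDLER.search(text)
    handler_body = handler.group(1) if handler else ""
    indicators = {
        "sigint_handler": handler is not None,
        "exit_in_handler": "process.exit(" in handler_body,
        "detached_child": _DETACHED_CHILD.search(text) is not None,
        "unref": _UNREF.search(text) is not None,
    }
    # A SIGINT handler by itself is routine (graceful shutdown). Only the full
    # combination of trapping the signal, exiting from the handler, and
    # launching a detached, unref'd child is the self-restart behaviour.
    indicators["respawn_persistence"] = all(indicators.values())
    return indicators


if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT_SRC), ("benign", BENIGN_SRC)):
        print(name, scan(src))
```

The benign sample shows why the verdict requires every indicator: it trips `sigint_handler` and `exit_in_handler` but has no detached child, so it is reported clean.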

The malware’s August 2025 update introduced enhanced anti-forensic capabilities, including comprehensive trace deletion functions that remove registry entries, downloaded files, and temporary directories.

This cleanup mechanism operates through the ‘ss_del’ command, systematically erasing evidence of compromise while maintaining operational security for the threat actors’ ongoing campaigns.
