BeaverTail and OtterCookie evolve with a new JavaScript module

Intel Name: BeaverTail and OtterCookie evolve with a new JavaScript module

Date of Scan: October 17, 2025

Impact: High

Summary:
A North Korea-aligned group, Famous Chollima, is using fake job offers to lure victims into installing malware. In a recent case, a trojanized Node.js app called Chessfi was distributed via the npm package node-nvm-ssh. The group’s tools, BeaverTail and OtterCookie, have evolved by merging functionalities and adding a new JavaScript module for keylogging and taking screenshots. A malicious VS Code extension containing their code was also found, suggesting they may be experimenting with new malware delivery methods.
