NEWS The More You Update Your Drivers, the Faster North Korean Hackers Will Breach You

"DriverMinUpdate.app" acts politely — but knows exactly where your MetaMask and seed phrase are hidden.

North Korea-linked cyber actors behind the Contagious Interview campaign continue to enhance their OtterCookie malware — a versatile cross-platform trojan designed to steal credentials from browsers, documents, and crypto wallets. According to Japan-based NTT Security Holdings, versions 3 and 4 of OtterCookie were identified in February and April 2025, signaling ongoing active development.


NTT tracks the threat group under the name WaterPlum, also known as CL-STA-0240, DeceptiveDevelopment, DEVPOPPER, Famous Chollima, PurpleBravo, and Tenacious Pungsan. First spotted in September 2024, the malware was distributed through npm packages with malicious JavaScript, fake GitHub and Bitbucket repositories, and bogus video call apps. Its primary goal: connect to a remote command-and-control (C2) server and execute instructions on the infected device.


OtterCookie v3 introduced a dedicated module for uploading files — including documents, images, text files, and crypto wallet data — a task previously handled via shell commands. Version 4 expands its capabilities further, adding two modules for extracting credentials from:


  • Google Chrome browser,
  • MetaMask extension in Chrome and Brave,
  • iCloud Keychain.

One module decrypts Chrome-stored passwords, while the other extracts encrypted login credentials; the differences in their implementation suggest that separate developers may be working on each component.


The latest version also features virtual machine detection, checking for environments like VMware, VirtualBox, Microsoft Hyper-V, and QEMU, making analysis and debugging more difficult for researchers.


At the same time, other attack vectors have evolved. A Go-based infostealer for macOS is being distributed under the guise of a Realtek driver update named “WebCam.zip”. Victims are lured into installing "DriverMinUpdate.app", allegedly to fix webcam issues — but in reality, it steals the system password. This method mirrors previous ClickFake Interview tactics, where fake technical issues are used as a pretext to install malware during bogus job interviews.


According to Moonlock, the infostealer aims to establish a persistent control channel, gather system information, and exfiltrate sensitive data. Other malware apps in this campaign include ChromeUpdateAlert, ChromeUpdate, CameraAccess, and DriverEasy.


The operation also leverages a new malware framework: Tsunami-Framework, a .NET-based toolkit capable of browser and wallet data theft, keylogging, file collection, and rudimentary botnet operations. It is typically delivered as a second-stage payload by the InvisibleFerret Python backdoor.


Researchers have linked this entire infrastructure to the infamous Lazarus Group, a North Korean APT responsible for espionage and financially motivated cyberattacks. One of their latest major heists: the $1 billion theft from the Bybit platform, also attributed to Lazarus.