Faculty of Cybersecurity Technology

OtterCandy: WaterPlum’s Cross‑Platform RAT Targets Job Seekers with Fake Blockchain Interviews


North Korea-linked threat group WaterPlum (aka Famous Chollima/PurpleBravo) has deployed a sophisticated new malware strain called OtterCandy. This cross-platform RAT and information stealer merges features from previous malware families RATatouille and OtterCookie, enabling credential theft and system compromise. Part of the group’s ClickFake Interview campaign, the malware exploits fake blockchain and cryptocurrency job websites like BlockForgeX, tricking victims into downloading malicious software disguised as camera setup or driver updates. Detected by NTT Security, OtterCandy affects Windows, macOS, and Linux systems and has targeted victims in Japan and beyond. Built on Node.js, it communicates with C2 servers via Socket.IO and offers commands for file searches, exfiltration, and stealing browser and cryptocurrency wallet data. Its multi-layered persistence ensures continued operation, while an August 2025 update added anti-forensic functions through the ‘ss_del’ command, erasing registry entries, temporary files, and traces to conceal attacker activity.

16-10-2025