North Korea–Linked WaterPlum Group Unleashes OtterCandy Malware in Japan and Beyond

Listen to this Post

Featured Image

Introduction

Cybersecurity experts have raised alarms over a significant escalation in North Korea–linked cyber activity, as the notorious WaterPlum group—particularly its Cluster B faction, also known as BlockNovas—has launched a sophisticated malware campaign targeting Japan and other regions. Using a new cross-platform tool dubbed OtterCandy, the group has expanded its capabilities far beyond previous attacks, blending social engineering, advanced data theft, and resilient malware architecture to compromise high-value targets.

Surge in Cluster B Activity

Researchers report that WaterPlum has been evolving its tactics for years, with earlier campaigns like Contagious Interview and initial ClickFake Interview attacks relying on the GolangGhost backdoor and macOS-specific FrostyFerret implant. Since July 2025, however, Cluster B has upgraded to OtterCandy—a Node.js–based RAT (Remote Access Trojan) and information stealer. This marks a pivotal shift toward cross-platform, modular malware capable of targeting Windows, macOS, and Linux environments.

OtterCandy combines features from previous tools RATatouille and OtterCookie, establishing a robust command-and-control channel via Socket.IO. The malware begins by sending system identifiers, initially only a username in version 1, and later adding a client_id in version 2 for better victim tracking.

Persistence is achieved through the DiggingBeaver loader, which plants registry entries or launch-agent files. OtterCandy also monitors for termination signals and respawns itself if interrupted. Version 2 introduces an ss_del command, allowing it to erase persistence files and associated artifacts, complicating forensic investigations.

Data exfiltration capabilities have also expanded. OtterCandy now harvests browser credentials, cryptocurrency wallets, and arbitrary user files. The malware’s browser stealer initially targeted four extensions; version 2 now targets seven, collecting full profiles including passwords, cookies, autofill data, and browsing history. Files are then compressed and transmitted to its C2 server.

Cluster B leverages social engineering through the ClickFake Interview campaign, exploiting job-seeking themes to entice victims into running the malware. The campaign underscores the group’s shift toward rapidly deployable, modular, language-agnostic malware capable of adapting across operating systems.

Security teams, especially in Japan, are advised to monitor Node.js processes from nonstandard paths, audit recent registry or launch-agent changes, and watch for anomalous Socket.IO traffic. Patching systems and removing leftover artifacts via ss_del routines are key defenses against v2 attacks.

The rise of OtterCandy signals a critical inflection point in DPRK-linked cyber operations, highlighting the importance of continuous monitoring, endpoint security enforcement, and supply chain vigilance to counter evolving threats.

What Undercode Say:

Cluster B’s deployment of OtterCandy represents a strategic evolution in North Korean cyber tactics. By shifting from macOS-limited implants to a cross-platform Node.js framework, the group gains agility and resilience, allowing simultaneous targeting of Windows, macOS, and Linux systems. This reflects a broader trend among nation-state actors: adopting modular malware architectures that can be quickly updated, patched, or reconfigured to bypass conventional detection.

The malware’s persistence mechanisms—combining DiggingBeaver and signal-triggered respawning—demonstrate operational sophistication. Attackers now account for endpoint remediation techniques, ensuring their payload survives basic security interventions. The introduction of ss_del also reveals a forensic countermeasure mindset, emphasizing stealth and artifact elimination.

OtterCandy’s data exfiltration capabilities, particularly its expanded browser extension targeting and comprehensive profile theft, suggest a focus on high-value corporate intelligence and cryptocurrency assets. By harvesting autofill data, cookies, and browsing history, attackers can reconstruct victim activity patterns, potentially enabling follow-on attacks such as identity theft, spear-phishing, and financial fraud.

The use of ClickFake Interview campaigns shows classic social engineering mastery, blending human psychology with technical sophistication. Job-seeking and recruitment lures are particularly effective in Japan, where corporate hierarchies and career-centric culture make targeted victims more susceptible.

From a defensive standpoint, organizations need to audit Node.js runtime activity from nonstandard directories and monitor Socket.IO-based communications, a protocol not commonly associated with enterprise applications. Early detection could prevent exfiltration of sensitive data and mitigate reputational and financial impact.

Cluster B’s activity highlights the intersection of nation-state resource sharing and independent development, showing that even small DPRK-affiliated factions are capable of independently evolving malware toolkits. This evolution also underscores the need for supply chain awareness, as malware can easily propagate through compromised vendors or recruitment channels.

The emergence of OtterCandy represents a paradigm shift in threat actor operations. Its cross-platform nature, modular design, and advanced data-stealing abilities suggest a long-term campaign rather than opportunistic attacks. Organizations must adopt proactive endpoint detection and network anomaly monitoring to stay ahead of these threats.

Looking forward, we expect OtterCandy to continue evolving, integrating AI-assisted evasion techniques and possibly expanding its social engineering vectors beyond recruitment scams. Its adaptability signals that traditional defenses may be insufficient without continuous threat intelligence integration and advanced behavioral analytics.

🔍 Fact Checker Results:

✅ Cluster B is North Korea–linked and operates under the WaterPlum umbrella.
✅ OtterCandy is a cross-platform Node.js RAT targeting multiple OS environments.
❌ Earlier versions of WaterPlum malware were not as sophisticated in exfiltrating complete browser profiles.

📊 Prediction:

OtterCandy is likely to expand its geographic reach, targeting Southeast Asia and European organizations linked to Japanese business interests. 🌏
The malware may adopt AI-driven evasion and credential harvesting, further complicating detection efforts. 🤖
Expect modular updates that allow rapid deployment against new operating systems or application environments, raising stakes for global cybersecurity defenses. ⚡

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.github.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon