# BeaverTail and OtterCookie evolve with a new JavaScript module

Cisco Talos blog, published 2025-10-16. Original post: https://blog.talosintelligence.com/beavertail-and-ottercookie/

* Cisco Talos has uncovered a new attack linked to _Famous Chollima_, a threat group aligned with North Korea (DPRK). This group is known for impersonating hiring organizations to target job seekers, tricking them into installing information-stealing malware to obtain cryptocurrency and user credentials.
* In this incident, although the organization was not directly targeted, one of its systems was compromised, likely because a user was deceived by a fake job offer and installed a trojanized Node.js application called "Chessfi".
* The malicious software was distributed via a Node.js package named "node-nvm-ssh" on the official npm registry.
* Famous Chollima often uses two malicious tools, BeaverTail and OtterCookie, which started as separate but complementary programs. Recent campaigns have seen their functions merging, and Talos has identified a new module for keylogging and taking screenshots.
* While searching for related threats, Talos also found a malicious VS Code extension containing BeaverTail and OtterCookie code. Although attribution to Famous Chollima is not certain, this suggests the group may be testing new methods for delivering their malware.

## Introduction

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image001.jpg)

In a _previous Cisco Talos blog post_, we described one side of the _Contagious Interview_ (Deceptive Development) campaigns, where the threat actor utilized fake employment websites, ClickFix social engineering techniques and payload variants of credential and cryptocurrency remote access trojans (RATs) known as GolangGhost and PylangGhost.

Talos is actively monitoring other clusters of these campaigns, which are attributed to the threat actor group Famous Chollima, a subgroup of Lazarus aligned with the economic interests of the DPRK. This post discusses some of the tactics, techniques and procedures (TTPs) and the changes in tooling developed over time by another large cluster of Contagious Interview activity. These campaigns center around tools known as BeaverTail and OtterCookie.

Famous Chollima frequently uses BeaverTail and OtterCookie, with many individual sub-clusters of activity installing _InvisibleFerret_, a Python-based modular payload. Although BeaverTail and OtterCookie originated as separate but complementary entities, their functionality in some recent campaigns has started to merge, along with the inclusion of new functional OtterCookie modules.

Talos detected a Famous Chollima campaign in an organization headquartered in Sri Lanka. The organization was not deliberately targeted by the attackers, but one of the systems on its network was infected. It is likely that a user fell for a fake job offer instructing them to install a trojanised Node.js application called Chessfi as part of a fake job interview process.

Once Talos conducted the initial analysis, we realized that the tools used in the attack had characteristics of both BeaverTail and OtterCookie, blurring the distinction between the two. The code also contained some additional functionality we had not previously encountered.

## BeaverTail and OtterCookie combine

This blog focuses on OtterCookie modules and will not provide a deep dive into well-known BeaverTail and OtterCookie functionality. While some of these modules are already known, at least one was not previously documented. The examples we show are already deobfuscated, and with the help of an LLM, the function and variable names have been replaced by names that correspond to their actual functionality.

### Keylogging and screenshotting module

Talos encountered a keylogging and screenshotting module in this campaign that has not been previously documented. We were able to find earlier OtterCookie samples containing the module that were uploaded to VirusTotal in April 2025.

The module uses the npm packages "node-global-key-listener" for keylogging, "screenshot-desktop" for taking desktop screenshots and "sharp" for converting the captured screenshots into web-friendly image formats.

The module configures the packages to listen for keystrokes and periodically takes a screenshot of the current desktop session, then uploads both to the OtterCookie command and control (C2) server.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image002.png)Figure 1. The keylogger listens for keyboard and mouse key presses and saves them into a file.

The keystrokes are saved in the "windows-cache" sub-folder of the user's temporary directory with the file name "1.tmp", and screenshots are saved in the same sub-folder as "2.jpeg". The keylogger runs in a loop and flushes its buffer every second; a screenshot is taken every four seconds.

Talos also discovered one instance of the module where clipboard monitoring was included in the module code, extending its functionality to stealing clipboard content.

The keylogging data and the captured screenshots are uploaded to the OtterCookie C2 server on TCP port 1478, using the URL "hxxp[://]172[.]86[.]88[.]188:1478/upload".

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image002-1.png)Figure 2. Keystrokes saved as "1.tmp" and screenshots as "2.jpeg", then uploaded to the C2 server.
### OtterCookie VS Code extension

During the search for similar samples on VirusTotal, Talos discovered a recently uploaded VS Code extension which may attempt to run OtterCookie if installed in the victim's editor environment. The extension poses as an employment onboarding helper, supposedly allowing the user to track and manage candidate tests.

While Talos cannot attribute this VS Code extension to Famous Chollima with high confidence, it may indicate that the threat actor is experimenting with different delivery vectors. The extension could also be the result of experimentation by another actor, possibly even a researcher, not associated with Famous Chollima, as it stands out from their usual TTPs.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image006.png)Figure 3. VS Code extension configuration pretends to be "Mercer Onboarding Helper" but contains OtterCookie code.

### Other OtterCookie modules

The OtterCookie section of the code starts with the definition of a JSON object that contains configuration values such as a unique campaign ID and the C2 server IP address. The OtterCookie portion of the code then constructs additional modules from strings, which are executed as child processes. In the attack we analyzed, we observed three modules; we found one additional module while hunting for similar samples in our repositories and on VirusTotal.

**Remote shell module**

The first module is fundamental to OtterCookie. It begins by detecting the infected system's platform and checking for a virtual machine, then reports the collected user and host information to the OtterCookie C2 server.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image008.png)Figure 4. The main OtterCookie module starts with machine checks, including a virtual machine check.

Once the system information is submitted, the module installs the "socket.io-client" package, which it uses to connect to a specific port on the OtterCookie C2 server, wait for commands and execute them in a loop. socket.io-client first uses HTTP long polling and then upgrades to the WebSocket protocol to communicate with the server, which we observed listening on TCP port 1418.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image010.png)Figure 5. socket.io-client package used for communication with the C2 server.

Finally, depending on the operating system, this module periodically reads the clipboard using the command "pbpaste" on macOS or "powershell Get-Clipboard" on Windows. It sends the clipboard content to the C2 server URL used for logging OtterCookie activity, "hxxp[://]172[.]86[.]88[.]188/api/service/makelog".

**File uploading module**

This module enumerates all drives and traverses the file system to find files to upload to the OtterCookie C2 IP address on a specific port and URL (in this case, "hxxp[://]172[.]86[.]88[.]188:1476/upload").

The module contains a list of folder and file names to exclude from the search, and another list of target file name extensions and file name search patterns used to select files for upload.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image012.png)Figure 6. The list of excluded folders and patterns for files uploaded to the C2 server.

The "interesting" file list contains the following search patterns:

"*.env*", "*metamask*", "*phantom*", "*bitcoin*", "*btc*", "*Trust*", "*phrase*", "*secret*", "*phase*", "*credential", "*profile*", "*account*", "*mnemonic*", "*seed*", "*recovery*", "*backup*", "*address*", "*keypair*", "*wallet*", "*my*", "*screenshot*", "*.doc", "*.docx", "*.pdf", "*.md", "*.rtf", "*.odt", "*.xls", "*.xlsx", "*.txt", "*.ini", "*.secret", "*.json", "*.ts", "*.js", "*.csv"
**Cryptocurrency extensions stealer module**

While not present in the campaign Talos analyzed, this module was found while looking for similar files on VirusTotal. In addition to the targeting of cryptocurrency browser extensions by the BeaverTail code, this OtterCookie module targets extensions from a list that partially overlaps with the list of cryptocurrency wallet extensions in the BeaverTail part of the payload.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image014.jpg)Table 1. Cryptocurrency extensions targeted by OtterCookie.

The cryptocurrency module targets the Google Chrome and Brave browsers. If any of the listed extensions are found in any browser profile, the extension files as well as the saved Login Data and Web Data are uploaded to a C2 server URL. In the sample Talos found, the upload URL was "hxxp[://]138[.]201[.]50[.]5:5961/upload".

## OtterCookie evolution

OtterCookie malware samples were _first observed_ by NTT Security Holdings around November 2024, leading to a blog article published in December 2024. However, the malware is believed to have been in use since approximately September 2024. The name OtterCookie appears to come from the early samples, which used the content of HTTP response cookies to transfer the malicious code executed by the response handler. This remote code loading functionality evolved over time to include additional functionality.

In April 2025, Talos started seeing additional modules included within the OtterCookie code, with the C2 server used mostly for downloading a simple OtterCookie configuration and uploading stolen data.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/data-src-image-d9a8b0af-ca69-4005-b48c-439709a8a759.png)Figure 7. OtterCookie modules evolution timeline.

OtterCookie evolved from initial basic data-gathering capabilities to a more modular design for data theft and remote command execution. The modules are stored within OtterCookie as strings and executed on the fly.

The earliest versions, corresponding to what NTT researchers _refer to as v1_, contain code for remote command execution and use the socket.IO package to communicate with a C2 server. Over time, OtterCookie modules evolved by adding code to steal and upload files, with the end goal of stealing cryptocurrency wallets from a list of hardcoded browser extensions and saved browser credentials. Targeted browsers include Brave, Google Chrome, Opera and Mozilla Firefox.

The next iteration, referred to as v2, included clipboard-stealing code using the Clipboardy package to send clipboard contents to the remote server. This version also handles the loading of JavaScript code from the server slightly differently. Instead of evaluating the returned cookie header as in v1, the server returns an error response, which is handled by the error handler on the client side. The error handler simply passes the error response data to the eval function, where it is executed. The loader code is small and easy to miss, and together with the risk of false positive detections, this may be why detection of OtterCookie loaders on VirusTotal is not very successful.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image016.png)Figure 8. The C2 server returns an error, but the code is still executed by OtterCookie.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image018.png)Figure 9. OtterCookie loader error handler evaluates the response data.

The v3 variant, observed in February 2025, includes a function to send specific files (documents, image files and cryptocurrency-related files) to the C2 server. OtterCookie v4, observed since April 2025, includes virtual environment detection code to help the attackers distinguish logs from sandbox environments from those of actual infections, indicating a focus on evading analysis. The code also contains some anti-debugging and anti-logging functionality.

The v4 variant improves on the previous version's code and updates the clipboard content-stealing method. It no longer uses the Clipboardy library and instead uses standard macOS or Windows commands for retrieving clipboard content.

It is important to note that over time the difference between BeaverTail and OtterCookie became blurred, and in some attacks their code was merged into a single tool.

### OtterCookie v5

The campaign Talos observed in August 2025 uses the most recent version of OtterCookie, which we call v5, distinguished by the addition of the keylogging module. The keylogging module contains code to capture screenshots, which are uploaded to the C2 server together with the captured keystrokes.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/data-src-image-0f582648-aa48-4b35-9bdb-2e1c219a174a.png)Figure 10. node-nvm-ssh infection path.

The initial infection vector was a modified Chessfi application hosted on Bitbucket. ChessFi is a web3-based multiplayer chess platform where players can challenge each other and bet cryptocurrency on the outcome of their matches. The choice of a cryptocurrency-related application to lure victims is consistent with previous reporting of _Famous Chollima targeting_.

The first sign of the attack was the user installing the source code of the application. Based on the folder name of the project, we assess with moderate confidence that the victim was approached by the threat actor through the freelance marketplace Fiverr, which is consistent with previous reporting. While hunting for similar samples, we also discovered code repositories that were delivered to victims as attachments in Discord conversations.

The infection process started with the victim running Git to clone the repository:

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image021.png)Figure 11. The initial infection vector.

The Development section of the application's README gives developers instructions on how to install and run the project. After cloning the repository, it tells the user to run "npm install" to install dependencies, which, in this campaign, also included a malicious npm package named "node-nvm-ssh".

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image023.png)Figure 12. Modified application installation steps.

During the installation of dependencies, the malicious package is downloaded from the registry and installed. npm parses the package.json file of the malicious package and finds instructions to run commands after installation, namely the "postinstall" entry of the "scripts" object. At first glance, the postinstall scripts appear to run tests, transpile TypeScript files to JavaScript and possibly run other test scripts.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image025.png)Figure 13. Malicious package.json file contains the instruction that will cause the malicious code to run.

However, the package.json instruction "npm run skip" causes npm to execute the command "node test/fixtures/eval" given as the value of "skip". When node is given a directory rather than a file, it resolves the directory like a module: it uses the "main" entry of a package.json in that directory if one is present, and otherwise falls back to index.js.

The file test/fixtures/eval/index.js contains code to spawn a child process running the file "test/fixtures/eval/node_modules/file15.js".

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image027.png)Figure 14. index.js spawning a child process to execute file15.js.

Eventually, file15.js loads the file test.list, which is the final payload. This somewhat convoluted path to the payload makes it quite difficult for an unsuspecting software engineer to discover that installing the Chessfi application will eventually lead to execution of malicious code.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image029.png)Figure 15. file15.js reads and calls eval on the content of the file test.list.

With test.list we have finally reached the last piece of the puzzle of how the malicious code is run. The test.list file is over 100 KB long and obfuscated using _Obfuscator.io_. Thankfully, the obfuscation in this case is not configured to make analysis very difficult, and with the help of a deobfuscator and an LLM, Talos was able to deobfuscate most of its functionality, revealing a combination of BeaverTail and OtterCookie.
## Standard BeaverTail functionality

There seem to be two distinguishable parts in the code. The first is associated with BeaverTail, including enumeration of various browser profiles and extensions as well as the download of a Python distribution and a Python client payload from the C2 server "23.227.202[.]244" on TCP port 1224, the port commonly used by BeaverTail/InvisibleFerret. The second part of the code is associated with OtterCookie.

The BeaverTail portion starts with a function that disables console logging, then loads the required modules and calls functions to steal data from a list of browser extensions, cryptocurrency wallets and browser credential stores.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/data-src-image-81d62751-2b12-4642-89e6-ed6ce535b2cf.png)Table 2. Targeted BeaverTail cryptocurrency browser extensions.

## BeaverTail evolution

BeaverTail has been observed since at least May 2023 and was originally a relatively small downloader component designed to be embedded in Node.js-based JavaScript applications. BeaverTail was also used in supply chain attacks affecting packages in the _npm package registry_, which was extensively covered in _previous research_ and is outside the scope of this post.

From the beginning, BeaverTail supported Windows, Linux and macOS, taking advantage of the fact that Node.js applications run on different operating system platforms.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image032.png)Figure 16. Early BeaverTail OS platform check.

The other major functionalities within BeaverTail are the download of InvisibleFerret Python stealer payload modules and the installation of a remote access tool, typically an AnyDesk client, which allows the attacker to take control of the infected machine remotely. Information stealing and remote access have remained recurring BeaverTail operational techniques over time.

Soon after the initial samples were discovered in June 2023, BeaverTail started to use simple base64 encoding of strings and renaming of variables to make detection and analysis more difficult. This included a scheme that encodes the C2 URL as a shuffled string whose slices are base64 decoded individually and then concatenated in the correct order to produce the final URL.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image034.png)Figure 17. C2 URL encoding scheme used from early BeaverTail variants until the present.

Although BeaverTail is typically written in JavaScript, Talos has also found several C2 server IP addresses shared between the JavaScript variants and compiled C++ binary variants built _with the help of the Qt framework_.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image036.png)Figure 18. Qt-based BeaverTail setting QThread parameters.

From its early beginnings in mid-2023 to the last quarter of 2024, BeaverTail C2 URL patterns stabilized around the most commonly used TCP ports 1224 and 1244, rather than port 3306 used by early variants. The threat actors seem to have quickly realized that most Windows installations do not come with a preinstalled Python interpreter, unlike Linux distributions and macOS. To address this, they included code that installs a Python distribution, typically fetched from the "/pdown" URL path, which is required to run the Python InvisibleFerret modules. This TTP remains in use today.

In terms of detection evasion, Famous Chollima uses several methods to obfuscate code, most frequently different configurations of the free JavaScript tool _Obfuscator.io_, which makes analysis, and especially detection, of the malicious code more challenging.

In addition to obfuscating the JavaScript code, they also regularly use various modes of XOR-based obfuscation for downloaded modules. XORed Python InvisibleFerret modules start with a unique user-based string assignment followed by a reversed base64-encoded string, which contains the final Python module's code, itself possibly XORed as a further layer of obfuscation.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image038.png)Figure 19. A typical InvisibleFerret self-decoding Python module.

Thankfully, by combining a _deobfuscating tool_ with an LLM to rename variables and decode base64 strings, it is possible to analyse new samples with relative ease. However, the operational tempo of groups attributed to Famous Chollima is high, and detection of completely new samples and code on VirusTotal remains unreliable, giving the threat actors enough time to successfully attack some victims.
## BeaverTail, OtterCookie and InvisibleFerret functional overlaps

All additional modules present in the OtterCookie code correspond well to the functionality traditionally associated with InvisibleFerret and its Python-based modules, as well as some parts of the BeaverTail code. This move of functionality to JavaScript may allow the threat actors to remove the reliance on Python code, eliminating the requirement to install full Python distributions on Windows.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/data-src-image-b51c4f22-12fb-41f4-ac8d-de4ff98fbf6b.png)Table 3. Functional similarities between Famous Chollima tools.

## Coverage

Ways our customers can detect and block this threat are listed below.

![BeaverTail and OtterCookie evolve with a new JavaScript module](https://blog.talosintelligence.com/content/images/2025/10/image041.png)

_Cisco Secure Endpoint_ (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free _here_.

_Cisco Secure Email_ (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free _here_.

_Cisco Secure Firewall_ (formerly Next-Generation Firewall and Firepower NGFW) appliances such as _Threat Defense Virtual_, _Adaptive Security Appliance_ and _Meraki MX_ can detect malicious activity associated with this threat.

_Cisco Secure Network/Cloud Analytics_ (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

_Cisco Secure Malware Analytics_ (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

_Cisco Secure Access_ is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

_Umbrella_, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

_Cisco Secure Web Appliance_ (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the _Firewall Management Center_.

_Cisco Duo_ provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on _Snort.org_.

Snort2 rules are available for this threat: 65336

The following Snort3 rules are also available to detect the threat: 301315, 65336

ClamAV detections are also available for this threat: Js.Infostealer.Ottercookie-10057842-0, Js.Malware.Ottercookie-10057860-0

## IOCs

IOCs for this research can also be found at our GitHub repository here.

**Early OtterCookie**

f08e3ee84714cc5faefb7ac300485c879356922003d667587c58d594d875294e

**BeaverTail evolution**

72ebfe69c69d2dd173bb92013ab44d895a3367f91f09e3f8d18acab44e37b26d

caad2f3d85e467629aa535e0081865d329c4cd7e6ff20a000ea07e62bf2e4394

8efa928aa896a5bb3715b8b0ed20881029b0a165a296334f6533fa9169b4463b

**Malicious npm package, Aug 2025**

83c145aedfdf61feb02292a6eb5091ea78d8d0ffaebf41585c614723f36641d8 (test.list)

**Similar to our campaign**

77aec48003beeceb88e70bed138f535e1536f4bbbdff580528068ad6d184f379

0904eff1edeff4b6eb27f03e0ccc759d6aa8d4e1317a1e6f6586cdb84db4a731

d27c9f75c3f1665ee19642381a4dd6f2e4038540442cf50948b43f418730fd0a

51ddd8f6ff30d76de45e06902c45c55163ddbec7d114ad89b21811ffedb71974

d89c45d65a825971d250d12bc7a449321e1977f194e52e4ca541e8a908712e47

6a9b4e8537bb97e337627b4dd1390bdb03dc66646704bd4b68739d499bd53063

a6914ded72bdd21e2f76acde46bf92b385f9ec6f7e6b7fdb873f21438dfbff1d

**VS Code extension**

9e65de386b40f185bf7c1d9b1380395e5ff606c2f8373c63204a52f8ddc01982

dff2a0fb344a0ad4b2c129712b2273fda46b5ea75713d23d65d5b03d0057f6dd (raw.js)

**C2 URLs**

hxxp[://]23[.]227[.]202[.]244:1224/uploads

hxxp[://]23[.]227[.]202[.]244:1224/pdown

hxxp[://]23[.]227[.]202[.]244:1224/client/14/144

hxxp[://]23[.]227[.]202[.]244:1224/payload/14/144

hxxp[://]23[.]227[.]202[.]244:1224/brow/14/144

hxxp[://]23[.]227[.]202[.]244:1224/keys

hxxp[://]172[.]86[.]88[.]188:1418/socket[.]io/

hxxp[://]172[.]86[.]88[.]188:1476/upload

hxxp[://]172[.]86[.]88[.]188/api/service/makelog

hxxp[://]172[.]86[.]88[.]188/api/service/process/c841b6c4ac4d2e83f16cf7a8bfbec3d7

hxxp[://]138[.]201[.]50[.]5:5961/upload

hxxp[://]135[.]181[.]123[.]177/api/service/makelog

hxxp[://]144[.]172[.]96[.]35/api/service/makelog

hxxp[://]144[.]172[.]112[.]50/api/service/makelog

hxxp[://]172[.]86[.]73[.]46

hxxp[://]135[.]181[.]123[.]177

hxxp[://]172[.]86[.]113[.]12

**Download URLs**

hxxps[://]www[.]npmjs[.]com/package/node-nvm-ssh

hxxps[://]bitbucket[.]org/dev-chess/chess-frontend[.]git
redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-10-16T07:45:14+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=22051#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=22051\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=22051#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"BeaverTail and OtterCookie evolve with a new Javascript module_TALOSBLOG:E55F18D08EBE85322FC1D33E1FA863BD\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero 
redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}