OtterCandy, malware used by WaterPlum

released on 2025-10-20 @ 08:40:01 AM
WaterPlum, a North Korea-associated attack group, has been using a new malware called OtterCandy in its ClickFake Interview campaign. OtterCandy, implemented in Node.js, combines features of RATatouille and OtterCookie. It targets Windows, macOS, and Linux systems, stealing browser credentials, cryptocurrency wallets, and confidential files. The malware communicates with C2 servers via Socket.IO and has persistence mechanisms. An August 2025 update (v2) enhanced user identification, expanded theft targets, and added trace-deletion capabilities. OtterCandy's evolution and its use in ongoing campaigns highlight the need for continued vigilance against WaterPlum's activities.