The OtterCookie Matryoshka

TFCTI Uncovers Shifty Corsair’s Bifurcated Attack Strategy

April 21, 2026 | 6 min read

Curt Buchanan

Principal Security Research, Threat Fusion Cell


Introduction 

Over the past month, the cybersecurity community has published isolated reports detailing disparate attacks by the North Korean state-aligned threat group Shifty Corsair (also known as FAMOUS CHOLLIMA). While individual vendors have documented specific supply chain poisons or targeted spear-phishing campaigns, the Threat Fusion Cell (TFCTI) at BlueVoyant has synthesized these findings to reveal a much larger, coordinated offensive. 

Synthesizing recent OSINT data from Panther, Walmart Global Tech, ReversingLabs, and Microsoft with our own historical tracking of the Contagious Trader campaign, TFCTI assesses that Shifty Corsair has bifurcated its operations. The group is simultaneously executing a highly targeted "sniper" approach against senior developers and a broad "Lure & Trap" approach poisoning the Node.js package manager (npm) ecosystem with a highly evolved variant of the OtterCookie infostealer. 

Background and Threat Overview 

Shifty Corsair relies heavily on targeting the cryptocurrency sector to fund the North Korean regime. Previously, the group utilized social engineering - reaching out to developers with fake job interviews (Contagious Interview) to trick them into downloading trojanized applications. However, TFCTI tracking indicates their tactics have matured into a multi-pronged assault. 

[Figure 1]

TFCTI Assessment: The Bifurcated Strategy

The most critical finding from TFCTI's fused analysis is that Shifty Corsair is running parallel, complementary campaigns to maximize their success rate:

1. The Sniper (Social Engineering): As detailed by ReversingLabs and Microsoft, the actors continue to run targeted operations like Graphalgo, using real US LLCs and GitHub release artifacts to spear-phish specific high-value targets with fake coding tests. Additionally, as documented by Blackpoint Cyber, they utilize social engineering to lure victims into manually cloning trojanized open-source projects, such as a fake 3D chess game hosted on Bitbucket, where an intentional failure in a try/catch initialization block secretly fetches the payload.

2. Lure & Trap (Contagious Trader): Rather than purely poisoning the open-source supply chain to catch unwary developers, Shifty Corsair employs a heavily baited "broad net" approach. As documented by Panther, KMSec, and StepSecurity, the threat actors use the promise of high-yield cryptocurrency trading bots to lure a broad audience of crypto-enthusiasts. The poisoned npm dependencies serve as a hidden trap, silently infecting victims as soon as the project's dependencies are automatically resolved.

The Attack Breakdown: The npm Matryoshka Doll

Focusing on the "Lure & Trap" supply chain campaign, TFCTI has mapped a multi-stage execution chain designed specifically to evade manual code review and automated static analysis tools.

Phase 1: Initial Access via PostInstall Execution

The attack sequence begins when a victim inadvertently downloads a trojanized package. Shifty Corsair abuses the automated dependency resolution process via the package.json file by utilizing a malicious postinstall script. This silently executes the initial payload the moment the package is downloaded, requiring no further interaction from the developer.
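Because the first stage runs from an npm lifecycle hook before any human looks at the code, an inventory of install-time hooks is a practical pre-install control. The script below is an added example (not code from the TFCTI report or from BlueVoyant); the package names in its sample tree are constructed for illustration.

```python
"""Audit a node_modules tree for npm lifecycle hooks (added example, not the
report's code). Poisoned packages launch from postinstall, so listing every
package that declares an install-time hook is a cheap pre-install control.
Package names below are constructed for illustration."""
import json
import os
import tempfile

# npm runs these automatically during install unless --ignore-scripts is set.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_lifecycle_hooks(node_modules: str) -> list[dict]:
    """Return one record per package that declares an install-time hook."""
    findings = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as f:
                manifest = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep going
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if hooks:
            findings.append({"name": manifest.get("name", root), "path": root, "hooks": hooks})
    return findings


def build_sample_tree() -> str:
    """Constructed node_modules: one plain package, one with a postinstall hook."""
    nm = os.path.join(tempfile.mkdtemp(), "node_modules")
    samples = {
        "tiny-util": {"name": "tiny-util", "version": "1.0.0"},
        "trading-bot-core": {  # hypothetical lure package name, not a real IoC
            "name": "trading-bot-core", "version": "2.3.1",
            "scripts": {"postinstall": "node ./lib/init.js"},
        },
    }
    for name, manifest in samples.items():
        os.makedirs(os.path.join(nm, name))
        with open(os.path.join(nm, name, "package.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)
    return nm


if __name__ == "__main__":
    for hit in find_lifecycle_hooks(build_sample_tree()):
        print(f"{hit['name']} ({hit['path']}): {hit['hooks']}")
```

Install with `npm ci --ignore-scripts` first so the audit runs before any hook can execute, then decide per package whether its hook is expected.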

[Figure 2]

Phase 2: Custom Obfuscation and Evolution

TFCTI's review reveals a clear evolution in OtterCookie's obfuscation tactics. In February, attacks via npm packages utilized the J2TEAM obfuscator. By March, this shifted to a constructor wrapper utilizing generator functions and control flow flattening. Most recently, Shifty Corsair deployed a custom Base91-like encoding scheme with per-function alphabet rotation. Because the alphabet rotates dynamically, the exact same encoded string produces entirely different outputs depending on the specific function scope. This effectively defeats static string extraction.

[Figure 3]

Phase 3: Targeted Theft and Dynamic Configuration

Upon execution, the malware initiates two attack chains:

- The Quick Theft: As detailed by StepSecurity and SafeDep, it targets id.json (Solana wallet keypairs), config.toml (Rust/Cargo configurations), and .env files, uploading them directly to a Vercel-hosted C2 server.

- Dynamic Scanning: Shifting away from static lists that burn payloads quickly, the malware dynamically fetches configuration files from the C2 server to recursively walk the filesystem for new target extensions.

Phase 4: Bridging the Frontend to the Backend (C2 and Persistence)

Combining Panther's tactical frontend data with Walmart Global Tech's backend DPRK infrastructure tracking, TFC analysts have mapped the assessed exfiltration route. The threat actors host their initial C2 infrastructure on Vercel (.vercel.app), specifically choosing subdomains that spoof Cloudflare services (e.g., cloudflarefirewall), and are also observed using Vercel app redirects associated with /api/ipcheck-encrypted/. We assess that abusing legitimate serverless infrastructure helps the actors blend malicious traffic with expected cloud service traffic before routing stolen Solana keys and environment variables to more permanent backend infrastructure.

[Figure 4]

Finally, to attempt persistent access to compromised Linux machines, SafeDep reports the malware fetches an attacker-controlled public key from the C2 server, appends it to the user's ~/.ssh/authorized_keys file, and attempts to execute sudo ufw allow 22/tcp to punch a hole in the host firewall (which will fail unless passwordless sudo is enabled for the compromised user).

TFCTI Mitigation Guidance

Based on this holistic view of Shifty Corsair's operations, TFCTI recommends a defense-in-depth approach that addresses both the supply chain and social engineering vectors:

- Audit and Restrict Dependencies: Implement strict vetting for all open-source dependencies and block dependencies from untrusted maintainer accounts.

- Rethink SSH Security: Because the threat actor directly injects static public keys into ~/.ssh/authorized_keys and alters ufw firewall rules, relying solely on static SSH keys is insufficient. Enforce MFA for all SSH access to critical infrastructure and consider transitioning to short-lived, certificate-based authentication.

- Rotate Exposed Secrets: Immediately rotate any credentials, API keys, or cryptocurrency wallet seeds stored in exposed environment files (.env).

- Monitor File and Network Activity: Monitor for Node.js processes rapidly reading sensitive configuration files or making high-volume outbound HTTPS POST requests to unexpected Vercel domains.
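The monitoring guidance above, and the Phase 3 and Phase 4 behaviours it targets (secret file reads followed by a Vercel-hosted upload, an authorized_keys write, and a ufw rule change), can be expressed as a small correlation rule. The code below is an added example, not tooling from the report or from BlueVoyant; it assumes a simplified JSON-lines telemetry feed (fields ts, pid, comm, event, target) of the kind an EDR or auditd pipeline could emit, and every sample event is constructed.

```python
"""Correlate process telemetry for the OtterCookie behaviours described above
(added example, not tooling from the report or BlueVoyant). It assumes a
simplified JSON-lines feed with fields ts, pid, comm, event, target, as an
EDR or auditd pipeline could emit; all sample events are constructed."""
import json
import re

SENSITIVE_FILES = re.compile(r"(/id\.json|/\.env|/config\.toml)$")
VERCEL_HOST = re.compile(r"\.vercel\.app$")
SSH_KEYS = re.compile(r"/\.ssh/authorized_keys$")
UFW_OPEN_SSH = re.compile(r"\bufw\s+allow\s+22(/tcp)?\b")

SAMPLE_LOG = """
{"ts": 1, "pid": 4242, "comm": "node", "event": "read", "target": "/home/dev/.config/solana/id.json"}
{"ts": 2, "pid": 4242, "comm": "node", "event": "read", "target": "/home/dev/bot/.env"}
{"ts": 3, "pid": 4242, "comm": "node", "event": "read", "target": "/home/dev/.cargo/config.toml"}
{"ts": 4, "pid": 4242, "comm": "node", "event": "connect", "target": "cloudflarefirewall.vercel.app:443"}
{"ts": 5, "pid": 4242, "comm": "node", "event": "write", "target": "/home/dev/.ssh/authorized_keys"}
{"ts": 6, "pid": 4243, "comm": "sudo", "event": "exec", "target": "sudo ufw allow 22/tcp"}
{"ts": 7, "pid": 5100, "comm": "node", "event": "read", "target": "/home/dev/bot/package.json"}
{"ts": 8, "pid": 5100, "comm": "node", "event": "connect", "target": "registry.npmjs.org:443"}
"""


def detect(log_text: str) -> list[tuple[int, str]]:
    """Return (pid, finding) pairs. A lone vercel.app connection is not
    alerted on (legitimate apps live there); it fires only after the same
    node pid has already read wallet, Cargo or .env secrets."""
    secrets_read, alerts = {}, []
    for line in filter(None, (ln.strip() for ln in log_text.splitlines())):
        ev = json.loads(line)
        pid, comm, kind, target = ev["pid"], ev["comm"], ev["event"], ev["target"]
        if kind == "read" and comm == "node" and SENSITIVE_FILES.search(target):
            secrets_read.setdefault(pid, set()).add(target)
        elif kind == "connect" and comm == "node" and secrets_read.get(pid) \
                and VERCEL_HOST.search(target.rsplit(":", 1)[0]):
            alerts.append((pid, "secrets read then vercel.app contacted"))
        elif kind == "write" and SSH_KEYS.search(target) and comm not in ("sshd", "ssh-copy-id"):
            alerts.append((pid, f"{comm} modified authorized_keys"))
        elif kind == "exec" and UFW_OPEN_SSH.search(target):
            alerts.append((pid, "firewall opened for SSH"))
    return alerts


if __name__ == "__main__":
    for pid, finding in detect(SAMPLE_LOG):
        print(pid, finding)
```

Tune the allowlist in the authorized_keys rule to whatever provisioning tooling legitimately writes that file in your environment, and feed the vercel.app rule only process-attributed connection events so benign browser traffic does not match.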

Indicators of Compromise (IoC)

Indicator Type   Value                              Description/Context
Domain           cloudflareinsights.vercel[.]app    Primary C2 (config fetch & multipart upload)
Domain           cloudflarefirewall.vercel[.]app    Secondary C2 (individual file upload)
Domain           cloudflaresecurity.vercel[.]app    Legacy C2 (observed in older payloads)
IP Address       144.172.116[.]22                   OtterCookie backend infrastructure
IP Address       107.189.22[.]20                    Related Shifty Corsair infrastructure
File Path        ~/.ssh/authorized_keys             Target for SSH public key injection
Command Line     sudo ufw allow 22/tcp              Executed by non-root Node.js processes

Associated MITRE Techniques

  • T1041 (Exfiltration Over C2 Channel)
  • T1059.007 (Command and Scripting Interpreter: JavaScript/JScript)
  • T1098.004 (Account Manipulation: SSH Authorized Keys)
  • T1562.004 (Impair Defenses: Disable or Modify System Firewall)
  • T1195.001 (Supply Chain Compromise: Compromise Software Dependencies and Development Tools)
  • T1552.004 (Unsecured Credentials: Private Keys)
  • T1552.001 (Unsecured Credentials: Credentials In Files)

Conclusion

The recent campaigns orchestrated by Shifty Corsair demonstrate the escalating threat of DPRK state-aligned cyber operations. By correlating disparate OSINT sources, TFCTI has revealed a threat actor capable of running simultaneous, highly effective supply chain and social engineering campaigns. Their rapid evolution, from static Obfuscator.io encoding to dynamically rotating custom obfuscation, and their abuse of Vercel-hosted C2 infrastructure, demonstrates a maturation in their operational capabilities. BlueVoyant's Threat Fusion Cell continues to actively monitor Shifty Corsair's evolving infrastructure and TTPs, providing our SOC and Threat Hunt teams with the fused intelligence needed to protect client environments.
