Overview
- Cisco Talos reports the malware families are converging, with OtterCookie v5 adding a keylogger and rapid desktop screenshots that are uploaded to command servers.
- Google Threat Intelligence Group says UNC5342 is using EtherHiding to pull updates and payloads from BNB Smart Chain or Ethereum, turning public blockchains into decentralized command-and-control.
- An intrusion linked to this activity was detected at an organization headquartered in Sri Lanka after a user followed a fake job offer.
- A trojanized Node.js app named Chessfi pulled a malicious npm package, “node-nvm-ssh,” whose postinstall hook launched JavaScript loaders that deployed BeaverTail/OtterCookie code.
- Indicators of compromise were released, and researchers highlight a focus on stealing credentials and data from browser cryptocurrency wallets such as MetaMask, Trust Wallet and Binance Chain Wallet.