Famous Chollima Uses Fake Job Offers to Spread Malware

Cyber Security News by CyberSum.net

Published on October 17, 2025 at 09:00 AM

5 sources

Cisco Talos has exposed a malware campaign by Famous Chollima, a threat group aligned with the Lazarus APT. The campaign uses fake job offers to infect developers with BeaverTail and OtterCookie malware, which now include keylogging and cryptocurrency wallet stealing capabilities. The infection chain begins with a trojanized Node.js project called Chessfi, leading to the execution of a combined malware payload. The campaign targets cryptocurrency browser extensions and evolves to blend espionage with financial crime, aligning with the focus on cryptocurrency theft to evade sanctions.

Also Read

GlassWorm Malware Targets Developers via OpenVSX and VS Code

A new supply-chain attack is targeting developers on the OpenVSX and Microsoft Visual Studio marketplaces with self-spreading malware called GlassWorm. The malware, installed an estimated 35,800 times, hides its malicious code using invisible characters and spreads using stolen account information. It uses the Solana blockchain for command-and-control, making takedown difficult, with Google Calendar as a backup option. The malware steals credentials for GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data from 49 extensions. It also deploys a SOCKS proxy and installs VNC clients for invisible remote access. The final payload, called ZOMBI, turns infected systems into nodes for cybercriminal activities.

By Cyber Security News by CyberSum.netOctober 20, 2025 at 09:00 PM