DPRK Supply Chain & ClickFix Operations: OtterCookie, Vidar, and Chrome Extension Stealers

Date: 2026-04-15 Source: AlienVault OTX Live Pulse Feed Analyst: Principal Security Engineer, Security Arsenal

Threat Summary

Recent OTX pulses indicate a converging threat landscape where state-sponsored actors (specifically North Korea's FAMOUS CHOLLIMA) and opportunistic cybercriminals are aggressively targeting developer workflows and end-user browsers to harvest credentials and cryptographic keys.

The campaigns utilize a triad of attack vectors:

1. NPM Supply Chain Compromise: Malicious packages (sleek-pretty, OtterCookie variants) designed to infiltrate development environments, establishing SSH backdoors and exfiltrating API keys (specifically targeting Polymarket traders).
2. Social Engineering via AI Leaks: Exploitation of the "Claude Code" leak to distribute Vidar Stealer and GhostSocks through trojanized GitHub repositories.
3. Browser-Based Persistence: A massive ClickFix campaign force-installing malicious Chrome extensions and a network of 108 extensions linked to cloudapi[.]stream for session hijacking and banking theft.

The collective objective is widespread credential theft, ranging from Google OAuth tokens to high-value cryptocurrency wallet keys and SSH credentials.

Threat Actor / Malware Profile

FAMOUS CHOLLIMA (DPRK)

• Malware: OtterCookie, BeaverTail, InvisibleFerret, Koalemos, sleek-pretty.
• Distribution: Typosquatting and dependency confusion on the npm registry. Packages often mimic legitimate tools (e.g., big.js) or promise utility (e.g., sleek-pretty).
• Payload Behavior:
  • System Fingerprinting: Checks for Linux/Dev environments.
  • Persistence: Installs SSH backdoors by modifying authorized_keys.
  • Exfiltration: Targets Polymarket CLOB API keys and general environment variables (.env files).
  • C2: Communicates with infrastructure hosted on Vercel and custom domains (e.g., api.mywalletsss.store).

Vidar Stealer & GhostSocks

• Distribution: Trojanized GitHub repositories claiming to contain the leaked Anthropic Claude Code.
• Behavior: Vidar is a prolific infostealer targeting browser data, wallets, and 2FA sessions. GhostSocks acts as a proxy/Trojan.
• C2: Communicates over HTTPS to specific IP addresses (e.g., 147.45.197.92).

ClickFix (Brazilian Banking Fraud)

• Actor: ANTONIO EDUARDO FREDERICO.
• Technique: Fake browser update prompts (ClickFix) leading to a malicious Chrome extension installation.
• Mechanism: abuses Chrome Cloud Management enrollment tokens to force-install the "Banco Central do Brasil" extension without user interaction.
• Impact: Zero AV detection, unauthenticated C2暴露.

IOC Analysis

Indicator Types & Operationalization:

• IPv4 Addresses (e.g., 144.172.x.x, 147.45.197.92): Critical for network blocking. These represent the C2 infrastructure. SOC teams should immediately block these ranges at the firewall and proxy level.
• Domains (e.g., cloudapi.stream, mywalletsss.store): Used for C2 communication and payload delivery. Sinkhole these domains in DNS resolvers.
• File Hashes (MD5/SHA1/SHA256): Specific to the payloads (Vidar, GhostSocks, malicious Chrome extensions). EDR solutions should be configured to quarantine processes matching these hashes.
• URLs (e.g., http://xpie348.online/instalador/update.xml): Indicates the delivery mechanism for the ClickFix extension. Block these URLs and monitor for any inbound requests to them in web proxy logs.

Tooling:

• Use Cortex/Analyze or VirusTotal for file hash detonation.
• Use MISP or OpenCTI to correlate the cloudapi.stream domain across the 108 identified Chrome extensions.

Detection Engineering

Sigma Rules

title: Potential NPM Supply Chain Malware Execution
id: b8c123b4-5d6e-4f7a-9g10-1123456789ab
description: Detects execution of node.js processes originating from known suspicious packages or paths associated with OtterCookie/sleek-pretty campaigns.
status: experimental
date: 2026/04/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6b1c123b4-5d6e
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\node.exe'
            - '\npm.cmd'
        CommandLine|contains:
            - 'sleek-pretty'
            - 'ottercookie'
            - 'beavertail'
            - 'koalemos'
    condition: selection
falsepositives:
    - Legitimate developer usage of packages with similar names (unlikely for these specific obfuscated names)
level: high
tags:
    - attack.supply_chain
    - attack.execution
    - attack.credential_access
---
title: Suspicious Chrome Extension Force Install via Policy
id: c9d234e5-6e7f-5a8b-0h21-2234567890bc
description: Detects modifications to Chrome registry keys forcing extension installation, indicative of ClickFix or similar campaigns.
status: experimental
date: 2026/04/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6b1c123b4-5d6f
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'Software\Policies\Google\Chrome\ExtensionInstallForcelist'
    filter_legit:
        Details|contains: 'google.com' # Typical enterprise policy
    condition: selection and not filter_legit
falsepositives:
    - Administrative installation of internal corporate extensions
level: high
tags:
    - attack.persistence
    - attack.privilege_escalation
---
title: Infostealer C2 Communication to Known Malicious Domains
id: d0e345f6-7f8g-6b9c-1i32-3345678901cd
description: Detects network connections to domains associated with the Vidar, OtterCookie, and Cloudapi campaigns.
status: experimental
date: 2026/04/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6b1c123b4-5d6g
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'cloudapi.stream'
            - 'mywalletsss.store'
            - 'cargomanbd.com'
            - 'xpie348.online'
    condition: selection
falsepositives:
    - Rare, as these are specific to malicious infrastructure
level: critical
tags:
    - attack.c2
    - attack.exfiltration

KQL (Microsoft Sentinel)

// Hunt for connections to malicious C2 infrastructure and NPM process execution
let IOCs = dynamic(["cloudapi.stream", "mywalletsss.store", "144.172.", "147.45.197.92", "94.228.161.88", "xpie348.online"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (IOCs) or RemoteIP has_any (IOCs)
| extend DeviceInfo = Pack(DeviceName, OSPlatform)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort, ActionType
| union (
    DeviceProcessEvents 
    | where Timestamp > ago(7d)
    | where ProcessCommandLine has_any ("npm install", "node.exe") 
    | where ProcessCommandLine has_any ("sleek-pretty", "ottercookie", "beavertail")
    | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
)
| sort by Timestamp desc

PowerShell Hunt Script

# ClickFix & Chrome Extension Persistence Hunt
# Checks for Chrome ForceInstall policies and suspicious extension files

Write-Host "[*] Checking Chrome Extension Policies for Force-Install..." -ForegroundColor Cyan

$RegPath = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
if (Test-Path $RegPath) {
    $Policies = Get-Item $RegPath
    Write-Host "[!] Force-Install Policy Found:" -ForegroundColor Red
    $Policies.Property | ForEach-Object {
        $Value = (Get-ItemProperty -Path $RegPath -Name $_).$_
        Write-Host "    ID: $_ - Path: $Value"
        # Check against known bad IDs or paths if available
        if ($Value -match "http" -and $Value -notmatch "google.com") {
            Write-Host "    [WARNING] Non-Google update URL detected. Possible ClickFix." -ForegroundColor Yellow
        }
    }
} else {
    Write-Host "[+] No Force-Install Policies detected." -ForegroundColor Green
}

Write-Host "[*] Checking for suspicious NPM package folders..." -ForegroundColor Cyan
$UserProfiles = Get-ChildItem "C:\Users\" -Directory
$SuspiciousPackages = @("sleek-pretty", "ottercookie", "beavertail")

foreach ($Profile in $UserProfiles) {
    $NodeModulesPath = Join-Path -Path $Profile.FullName -ChildPath "AppData\Roaming\npm\node_modules"
    if (Test-Path $NodeModulesPath) {
        Get-ChildItem $NodeModulesPath -Directory | Where-Object { $SuspiciousPackages -contains $_.Name } | ForEach-Object {
            Write-Host "[!] Suspicious NPM package found: $($_.FullName)" -ForegroundColor Red
        }
    }
}


---

Response Priorities

Immediate (0-24 hours)

1. Network Blocking: Block all IP ranges and domains listed in the IOC Analysis at the perimeter firewall and proxy servers.
2. Endpoint Isolation: Scan endpoints for the File Hashes provided (Vidar, GhostSocks, ClickFix extension). Isolate any positive hits.
3. Audit Chrome Extensions: Immediately query Google Admin Console for enterprise instances to identify any extensions installed from outside the Chrome Web Store or matching the IDs associated with cloudapi.stream.

24 Hours

1. Hunt for SSH Keys: On Linux servers and developer workstations, audit ~/.ssh/authorized_keys for unknown entries, potentially corresponding to the FAMOUS CHOLLIMA backdoor campaign.
2. Credential Rotation: Force reset of credentials for users who may have interacted with the "Claude Code" repositories or installed the suspicious NPM packages.
3. Review NPM Registries: Ensure internal development is not pulling from public registries without strict allow-listing or pinning of package versions (package-lock.).

1 Week

1. Architecture Hardening: Implement strict Code Signing policies. Windows systems should be configured to only run signed Chrome extensions.
2. Supply Chain Governance: Enforce Software Composition Analysis (SCA) tools within the CI/CD pipeline to detect typosquatting and malicious dependencies before build time.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub