Cyber threat infographic: Fake job interview page with malware download arrows to OtterCandy icons (RAT, stealer); protective shields for monitoring and whitelisting, with "Avoid Suspicious Downloads" warning banner over a digital network.

WaterPlum's Cluster B, a North Korean-linked group, uses ClickFake Interview campaigns to deliver OtterCandy, a Node.js-based RAT and stealer, disguised as job applications. Victims download malicious apps, enabling the malware to steal credentials, crypto wallets, and documents via Socket.IO C2, with persistence through DiggingBeaver and self-resurrection.

Cyber threat infographic: Fake job interview page with malware download arrows to OtterCandy icons (RAT, stealer); protective shields for monitoring and whitelisting, with "Avoid Suspicious Downloads" warning banner over a digital network.Cyber threat infographic: Fake job interview page with malware download arrows to OtterCandy icons (RAT, stealer); protective shields for monitoring and whitelisting, with "Avoid Suspicious Downloads" warning banner over a digital network.

August 2025 updates (v2) added client_ids for tracking, expanded theft targets, and improved trace deletion, complicating detection and forensics. This evolution shows Cluster B's sophistication in blending with legitimate tools.

Cyber threat infographic: Fake job interview page with malware download arrows to OtterCandy icons (RAT, stealer); protective shields for monitoring and whitelisting, with "Avoid Suspicious Downloads" warning banner over a digital network.Cyber threat infographic: Fake job interview page with malware download arrows to OtterCandy icons (RAT, stealer); protective shields for monitoring and whitelisting, with "Avoid Suspicious Downloads" warning banner over a digital network.

Protect yourself:

Monitor Node.js anomalies, use behavioral analysis, enforce whitelisting, and audit extensions. Share intelligence and patch frameworks to defend against these escalating threats from state-sponsored actors.


NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, FraudProtector.net