js.ottercandy

OtterCandy

aka: HardHatRAT, UNSEENMINK

Actor(s): WageMole


OtterCandy is a JavaScript backdoor that uses the Socket.IO WebSocket protocol over port 5000 for command and control and exfiltrates data via HTTP on port 3011. It focuses on credential theft from Chromium-based browsers (Chrome, Edge, Brave, Opera, Yandex) by decrypting SQLite login databases with Windows DPAPI, and it targets cryptocurrency wallets through both browser extension identification and desktop wallet directory collection. The malware conducts recursive filesystem searches to gather .env files, seed phrases, blockchain configuration data, shell history, and cloud credentials for AWS, Azure, and GCP. It fingerprints victims by combining the hostname and machine UUID to prevent duplicate records, and it includes a secondary payload system that downloads, prepares, and executes platform-specific follow-on malware.

References

- 2026-01-19 | OpenSourceMalware | Paul McCarty: "Contagious Interview gets an upgrade for 2026 - A comprehensive analysis by OpenSourceMalware"
- 2025-10-15 | NTT | Rintaro Koike: "OtterCandy, malware used by WaterPlum"

There is no YARA signature yet.