APT / THREAT GROUP

OtterCandy

4 aliases
Last seen: Mar 17, 2026

Intelligence Profile

OtterCandy is a JavaScript backdoor that uses the Socket.IO WebSocket protocol over port 5000 for command and control and exfiltrates data via HTTP on port 3011. It focuses on credential theft from Chromium-based browsers (Chrome, Edge, Brave, Opera, Yandex) by decrypting SQLite login databases with Windows DPAPI, and it targets cryptocurrency wallets through both browser extension identification and desktop wallet directory collection. The malware conducts recursive filesystem searches to gather .env files, seed phrases, blockchain configuration data, shell history, and cloud credentials for AWS, Azure, and GCP. It fingerprints victims by combining hostname and machine UUID to prevent duplicate records and includes a secondary payload system that downloads, prepares, and executes platform-specific follow-on malware.
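The two-channel network pattern described above (Socket.IO handshake to port 5000, HTTP POST to port 3011) is the kind of thing a detection engineer can correlate per source host. The following is an added example, not code from the profile page or from any of the cited sources: it parses constructed flow/proxy log lines in an assumed key=value format and raises a high-confidence alert only when one host shows both channels, so that an unrelated service on port 5000 or a lone POST to 3011 is scored lower. The IPs, hostnames, URIs and log format are all assumptions.

```python
"""Correlate Socket.IO C2 (port 5000) and HTTP exfiltration (port 3011) per source host.

Added example, not part of the OtterCandy profile. The log format, hosts and IPs
below are constructed assumptions for illustration only.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (assumed key=value format, not any real product's).
SAMPLE_LOG = """\
ts=1 src=10.0.0.5 dst=203.0.113.9 dport=5000 proto=tcp uri=/socket.io/?EIO=4&transport=websocket method=GET
ts=2 src=10.0.0.5 dst=203.0.113.9 dport=3011 proto=tcp uri=/upload method=POST bytes_out=184320
ts=3 src=10.0.0.7 dst=198.51.100.20 dport=5000 proto=tcp uri=/api/health method=GET
ts=4 src=10.0.0.9 dst=203.0.113.9 dport=3011 proto=tcp uri=/upload method=POST bytes_out=2048
ts=5 src=10.0.0.7 dst=198.51.100.20 dport=443 proto=tcp uri=/ method=GET
"""

C2_PORT = 5000      # Socket.IO command-and-control port named in the profile
EXFIL_PORT = 3011   # HTTP exfiltration port named in the profile
# Socket.IO handshakes carry the Engine.IO version in the query string (EIO=<n>).
SOCKETIO_RE = re.compile(r"^/socket\.io/\?.*\bEIO=\d")


def parse_line(line):
    """Split one 'k=v k=v ...' line into a dict; the first '=' separates key and value."""
    return dict(kv.split("=", 1) for kv in line.split())


@dataclass
class HostState:
    c2_handshakes: int = 0
    exfil_posts: int = 0
    exfil_bytes: int = 0
    dsts: set = field(default_factory=set)


def score_hosts(log_text):
    """Accumulate per-source evidence for each of the two channels."""
    state = defaultdict(HostState)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        port = int(rec["dport"])
        host = state[rec["src"]]
        if port == C2_PORT and SOCKETIO_RE.match(rec.get("uri", "")):
            host.c2_handshakes += 1
            host.dsts.add(rec["dst"])
        elif port == EXFIL_PORT and rec.get("method") == "POST":
            host.exfil_posts += 1
            host.exfil_bytes += int(rec.get("bytes_out", 0))
            host.dsts.add(rec["dst"])
    return state


def find_alerts(log_text):
    """Return {src_ip: reason}. Both channels from one host is high confidence;
    either channel alone is reported at a lower tier for triage."""
    alerts = {}
    for src, host in score_hosts(log_text).items():
        if host.c2_handshakes and host.exfil_posts:
            alerts[src] = (
                "high: socket.io handshake on %d plus POST exfil on %d to %s"
                % (C2_PORT, EXFIL_PORT, sorted(host.dsts))
            )
        elif host.c2_handshakes:
            alerts[src] = "medium: socket.io handshake on %d" % C2_PORT
        elif host.exfil_posts:
            alerts[src] = "low: POST to %d" % EXFIL_PORT
    return alerts


if __name__ == "__main__":
    for src, reason in sorted(find_alerts(SAMPLE_LOG).items()):
        print(src, reason)
```

On the constructed sample, 10.0.0.5 is flagged high (both channels to the same destination), 10.0.0.9 low (a single POST to 3011), and 10.0.0.7 is not flagged at all because its port-5000 request is an ordinary health check rather than a Socket.IO handshake. In a real deployment the port numbers should be treated as a starting point only, since a builder could change them; the Socket.IO handshake shape and the pairing of a persistent WebSocket with a separate upload channel are the more durable signals.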

Threat Analysis

OtterCandy is a threat actor of undetermined national origin; its sophistication, primary motivation, and activity patterns are not characterized in the available intelligence.

Quick Facts

Type: APT / Threat Group
Aliases: 4

Also Known As

HardHatRAT, js.ottercandy, UNSEENMINK, OtterCandy

External Intelligence

Malpedia: js.ottercandy

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.