OtterCandy
Intelligence Profile
OtterCandy is a JavaScript backdoor that uses the Socket.IO WebSocket protocol over port 5000 for command and control and exfiltrates data via HTTP on port 3011. It focuses on credential theft from Chromium-based browsers (Chrome, Edge, Brave, Opera, Yandex) by decrypting SQLite login databases with Windows DPAPI, and it targets cryptocurrency wallets through both browser extension identification and desktop wallet directory collection. The malware conducts recursive filesystem searches to gather .env files, seed phrases, blockchain configuration data, shell history, and cloud credentials for AWS, Azure, and GCP. It fingerprints victims by combining hostname and machine UUID to prevent duplicate records and includes a secondary payload system that downloads, prepares, and executes platform-specific follow-on malware.
Threat Analysis
OtterCandy is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.