MALWARE FAMILY

OtterCandy

Internal ID: js.ottercandy
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

OtterCandy is a JavaScript backdoor that uses the Socket.IO WebSocket protocol over port 5000 for command and control and exfiltrates data via HTTP on port 3011. It focuses on credential theft from Chromium-based browsers (Chrome, Edge, Brave, Opera, Yandex) by decrypting SQLite login databases with Windows DPAPI, and it targets cryptocurrency wallets through both browser extension identification and desktop wallet directory collection. The malware conducts recursive filesystem searches to gather .env files, seed phrases, blockchain configuration data, shell history, and cloud credentials for AWS, Azure, and GCP. It fingerprints victims by combining the hostname and machine UUID to prevent duplicate records, and it includes a secondary payload system that downloads, prepares, and executes platform-specific follow-on malware.

Threat Analysis

OtterCandy is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

Quick Facts

Type: Malware Family
Aliases: 1
Also Known As: js.ottercandy

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.