Malware

OtterCandy

aka HardHatRAT · UNSEENMINK

OtterCandy is a JavaScript backdoor that uses the Socket.IO WebSocket protocol over port 5000 for command and control and exfiltrates data via HTTP on port 3011.

OtterCandy, also known as HardHatRAT and UNSEENMINK, is a JavaScript malware family operated by WageMole.

Background

OtterCandy is a JavaScript backdoor that relies on the Socket.IO WebSocket protocol over port 5000 for command and control and ships stolen data out via HTTP on port 3011. It is geared toward credential theft from Chromium-based browsers (Chrome, Edge, Brave, Opera, Yandex), which it accomplishes by decrypting SQLite login databases with Windows DPAPI, and it goes after cryptocurrency wallets both by detecting wallet browser extensions and by collecting desktop wallet directories. The malware walks the filesystem recursively to scoop up .env files, seed phrases, blockchain configuration data, shell history, and cloud credentials for AWS, Azure, and GCP. To avoid duplicate victim entries it fingerprints each victim using a combination of hostname and machine UUID, and it features a secondary payload mechanism that downloads, prepares, and runs platform-specific follow-on malware.
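As an added detection example (not code from Malpedia or from the page), the Python below flags the two network behaviours described above, a Socket.IO handshake to port 5000 and HTTP POST traffic to port 3011, and correlates them per host. The key=value record format, hostnames and addresses are constructed assumptions; the Socket.IO match relies on the Engine.IO handshake path (`/socket.io/?EIO=<n>&transport=...`) that Socket.IO clients send.

```python
import re
from collections import defaultdict

# Constructed sample connection records (assumed key=value format, not real telemetry).
SAMPLE_LOG = """\
ts=2024-01-01T10:00:01Z host=WS-01 dst=203.0.113.10 dport=5000 proto=http path=/socket.io/?EIO=4&transport=websocket
ts=2024-01-01T10:00:02Z host=WS-01 dst=203.0.113.10 dport=3011 proto=http method=POST path=/upload bytes_out=1048576
ts=2024-01-01T10:00:03Z host=WS-02 dst=198.51.100.5 dport=443 proto=tls sni=example.com
ts=2024-01-01T10:00:04Z host=WS-03 dst=203.0.113.10 dport=5000 proto=tcp
ts=2024-01-01T10:00:05Z host=WS-04 dst=192.0.2.7 dport=3011 proto=http method=POST path=/x bytes_out=512
"""

# Engine.IO/Socket.IO clients open with this path and an EIO=<protocol version> query.
SOCKETIO_HANDSHAKE = re.compile(r"^/socket\.io/\?.*\bEIO=\d+")

C2_TAG = "c2_socketio_5000"
EXFIL_TAG = "exfil_http_3011"


def parse_line(line):
    """Split one key=value record into a dict (values contain no spaces in this format)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def classify(rec):
    """Return the indicator a single record matches, or None if it matches nothing."""
    port = int(rec.get("dport", 0))
    # A bare connection to port 5000 is too weak on its own; require the Socket.IO handshake.
    if port == 5000 and SOCKETIO_HANDSHAKE.match(rec.get("path", "")):
        return C2_TAG
    if port == 3011 and rec.get("method") == "POST":
        return EXFIL_TAG
    return None


def detect(log_text):
    """Return ({host: set(indicators)}, [hosts showing both the C2 and the exfil pattern])."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        tag = classify(rec)
        if tag and "host" in rec:
            hits[rec["host"]].add(tag)
    correlated = sorted(h for h, tags in hits.items() if {C2_TAG, EXFIL_TAG} <= tags)
    return dict(hits), correlated


if __name__ == "__main__":
    per_host, both = detect(SAMPLE_LOG)
    for host, tags in sorted(per_host.items()):
        print(host, sorted(tags))
    print("hosts with C2 + exfil:", both)
```

Hosts that show both patterns (WS-01 in the sample) deserve priority triage; a single 3011 POST alone (WS-04) is a weaker signal worth checking against the host's process list.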
Source: Malpedia (Fraunhofer FKIE).