Hunting Lazarus Part III: The Infrastructure That Was Too Perfect

2026-02-01 Red Asgard

https://redasgard.com/blog/hunting-lazarus-part3-infrastructure-too-perfect

Thumbnail for Hunting Lazarus Part III: The Infrastructure That Was Too Perfect

Red Asgard’s Contagious Interview follow-up identifies OtterCookie as a second malware family operating alongside BeaverTail/InvisibleFerret in the same campaign infrastructure. The payload from tetrismic.vercel.app used C2 172.86.105.40:5918 and supported endpoints for file exfiltration, screenshots, clipboard and keystroke theft, command polling, and victim registration. OtterCookie is described as more capable than BeaverTail, with system-wide keylogging, multi-monitor screenshot capture every five seconds, registry and scheduled-task persistence, broad VM detection, and targeting of 27 cryptocurrency wallet extensions. The researchers mapped roughly 17-20 servers with a recurring port pattern across hosting providers, including BeaverTail on port 1244 and OtterCookie on port 5918, suggesting standardized deployment. The report also cautions that failed exploitation attempts and other anomalies raise the possibility that the infrastructure could be honeypot or counter-intelligence activity rather than a straightforward live APT platform.

Indicators of Compromise

Type Value First Seen Last Seen
IPv4 147.124.213.232 2026-01-12 2026-02-26
IPv4 216.250.251.87 2026-01-12 2026-02-26
IPv4 45.59.163.55 2026-01-12 2026-02-26
IPv4 66.235.168.238 2026-01-12 2026-02-15
IPv4 172.86.105.40 2026-02-01 2026-02-03
IPv4 147.124.212.125 2026-01-12 2026-02-03
IPv4 144.172.104.117 2025-11-26 2026-02-03
IPv4 172.86.116.178 2025-10-21 2026-02-03
IPv4 86.106.85.234 2025-10-06 2026-02-03
IPv4 144.172.101.45 2025-06-03 2026-02-03
IPv4 147.124.214.129 2024-05-10 2026-02-03
HASH 4a3703430a2ec2ae30f362b29e994f77 2025-11-26 2026-02-01

Related Actors

Related Reports

2025-08-25 • 44% Match
#Lazarus #GolangGhost #T1059.003 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1071.001 #T1115 #T1083 #T1056.001 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1518.001 #T1566.001 #T1547.001 #T1059.001 #T1497.001 #T1219 #T1574.002 #T1562.001 #T1622 #T1027.002 #T1573.001 #T1190 #T1123 #T1132.002 #T1564.001 #T1548.002 #T1055.012 #T1027.007 #T1217 #T1106 #T1027.009 #T1036.003 #T1055.002 #T1036.007 #T1059.010 #T1136.001 #T1134.004 #T1614.001 #T1574.007 #T1098.007 #T1010 #T1071.004 #T1021.002 #T1021.006
Shares tags: Lazarus, T1113, T1115
2025-08-13 • 42% Match
#Lazarus #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1584.004 #T1005 #T1070.004 #T1587.001 #T1041 #T1560 #T1608.001 #T1071.001 #T1046 #T1083 #T1056.001 #T1204.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1124 #T1057 #T1059.005 #T1583.006 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1583.001 #T1059.001 #T1036.005 #T1132.001 #T1001.003 #T1585.001 #T1497.001 #T1105 #T1553.002 #T1620 #T1574.002 #T1562.001 #T1027.002 #T1489 #T1078 #T1008 #T1571 #T1491.001 #T1218 #T1220 #T1203 #T1189 #T1049 #T1564.001 #T1098 #T1016 #T1074.001 #T1588.002 #T1562.004 #T1591 #T1218.011 #T1583.004 #T1036.004 #T1588.003 #T1218.010 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1048.003 #T1134.002 #T1027.007 #T1021.001 #T1106 #T1090.001 #T1573 #T1070 #T1047 #T1574.013 #T1561.001 #T1036.003 #T1529 #T1055.001 #T1614.001 #T1010 #T1021.002 #T1033 #T1543.003 #T1485 #T1090.002 #T1542.003 #T1560.002 #T1012 #T1110 #T1547.009 #T1110.003 #T1534 #T1588.004 #T1104 #T1591.004 #T1561.002 #T1608.002 #T1202 #T1221 #T1557.001 #T1087.002 #T1560.003 #T1070.003 #T1021.004
Shares tags: Lazarus, T1056.001, T1027
« Back