Lazarus Group Enhances Malware with New OtterCookie Payload Delivery Technique
2025-07-30 • Gbhackers
https://gbhackers.com/lazarus-group-malware-with-ottercookie/
The Lazarus Group’s Contagious Interview campaign is described as evolving its payload delivery for BeaverTail, InvisibleFerret, and OtterCookie across multiple malicious projects. The analyzed code uses external requests, URL-splitting, Vercel-hosted lure content, axios-based communication, eval-style execution paths, and try/catch error handling to retrieve and run payloads while frustrating static detection. Infrastructure and artifacts cited include fashdefi[.]store on port 6168, bujey[.]store, cdn-static-server[.]vercel[.]app, chainlink-api-v3[.]cloud, a Bitbucket repository, and project/package names tied to malicious delivery. The findings matter because the delivery logic is changing quickly while preserving the campaign’s basic modus operandi, creating pressure on defenses that rely mainly on direct code signatures or pattern matching.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | chainlink-api-v3.cloud | 2025-04-11 | 2026-02-19 |
| IPv4 | 107.189.24.80 | 2025-07-30 | 2026-01-21 |
| IPv4 | 144.172.96.35 | 2025-05-30 | 2025-10-16 |
| IPv4 | 135.181.123.177 | 2025-04-11 | 2025-10-16 |
| URL | http://fashdefi.store:6168/defy… | 2025-07-30 | 2025-10-10 |
| DOMAIN | fashdefi.store | 2025-07-30 | 2025-10-10 |
| HASH | 41ee7ddb2be173686dc3a73a49b4e93… | 2025-07-30 | 2025-07-30 |
| URL | http://bujey.store:6168/defy/v7 | 2025-07-30 | 2025-07-30 |
| URL | https://cdn-static-server.verce… | 2025-07-30 | 2025-07-30 |
| DOMAIN | bujey.store | 2025-07-30 | 2025-07-30 |
| HASH | 56e15ef3b5e5f169fc063f8d3e88288e | 2025-04-11 | 2025-07-30 |
| URL | http://chainlink-api-v3.cloud/a… | 2025-04-11 | 2025-07-30 |
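Because the article's point is that the loader code keeps changing while the infrastructure listed above stays usable for detection, an added example of how a defender would actually consume this table follows. This is illustrative code written for this page, not code from Gbhackers or from the researchers it summarizes. It parses the indicator rows exactly as printed, treats the values that end in `…` (truncated on this page) as prefixes only, matches subdomains of the listed domains, re-fangs `[.]` notation, and runs the result over a few constructed DNS, proxy, EDR and ticket-note lines. The log lines, client addresses and host names are constructed for the example.

```python
"""Match the article's indicators against log lines (added example).

Caveats handled: rows ending in '…' are truncated on the page and are
used as prefix matches only; DOMAIN rows also match their subdomains;
defanged text such as 107[.]189[.]24[.]80 is re-fanged before matching.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicator rows copied from the article's table (type | value | first | last).
IOC_TABLE = """
| DOMAIN | chainlink-api-v3.cloud | 2025-04-11 | 2026-02-19 |
| IPv4 | 107.189.24.80 | 2025-07-30 | 2026-01-21 |
| IPv4 | 144.172.96.35 | 2025-05-30 | 2025-10-16 |
| IPv4 | 135.181.123.177 | 2025-04-11 | 2025-10-16 |
| URL | http://fashdefi.store:6168/defy… | 2025-07-30 | 2025-10-10 |
| DOMAIN | fashdefi.store | 2025-07-30 | 2025-10-10 |
| HASH | 41ee7ddb2be173686dc3a73a49b4e93… | 2025-07-30 | 2025-07-30 |
| URL | http://bujey.store:6168/defy/v7 | 2025-07-30 | 2025-07-30 |
| URL | https://cdn-static-server.verce… | 2025-07-30 | 2025-07-30 |
| DOMAIN | bujey.store | 2025-07-30 | 2025-07-30 |
| HASH | 56e15ef3b5e5f169fc063f8d3e88288e | 2025-04-11 | 2025-07-30 |
| URL | http://chainlink-api-v3.cloud/a… | 2025-04-11 | 2025-07-30 |
"""

# Constructed sample log lines (not from the article).
SAMPLE_LOGS = [
    "2025-07-31T10:02:11Z dns client=10.0.0.12 query=api.chainlink-api-v3.cloud type=A",
    "2025-07-31T10:02:12Z proxy client=10.0.0.12 GET http://fashdefi.store:6168/defy/v7 status=200",
    "2025-07-31T10:02:13Z edr host=dev-laptop-07 file=loader.js hash=56e15ef3b5e5f169fc063f8d3e88288e",
    "2025-07-31T10:02:14Z proxy client=10.0.0.12 GET https://registry.npmjs.org/axios status=200",
    "2025-07-31T10:03:00Z ticket note: observed beacon to 107[.]189[.]24[.]80",
]


@dataclass(frozen=True)
class Ioc:
    kind: str        # DOMAIN, IPV4, URL or HASH
    value: str       # lower-cased, with any trailing '…' removed
    truncated: bool  # True when the page shows only a prefix of the value


def refang(text: str) -> str:
    """Turn report-style defanging back into matchable text."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def parse_ioc_table(text: str) -> list[Ioc]:
    """Parse markdown table rows of the form | Type | Value | ... |."""
    iocs = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or not cells[0] or cells[0] in ("Type", "---"):
            continue
        value = refang(cells[1])
        truncated = value.endswith("…")
        # Case-insensitive comparison is deliberate for a coarse matcher.
        iocs.append(Ioc(cells[0].upper(), value.rstrip("…").lower(), truncated))
    return iocs


def domain_matches(ioc_domain: str, host: str) -> bool:
    """Exact match or any subdomain of the listed domain."""
    return host == ioc_domain or host.endswith("." + ioc_domain)


def match_line(iocs: list[Ioc], line: str) -> list[tuple[Ioc, str]]:
    """Return (indicator, matched token) pairs found in one log line."""
    text = refang(line).lower()
    urls = re.findall(r"https?://[^\s\"'<>]+", text)
    # Loose host extractor: anything dotted with an alphabetic last label.
    hosts = set(re.findall(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", text))
    for u in urls:
        if urlsplit(u).hostname:
            hosts.add(urlsplit(u).hostname)
    ips = set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text))
    hashes = set(re.findall(r"\b[0-9a-f]{32,64}\b", text))

    hits = []
    for ioc in iocs:
        if ioc.kind == "DOMAIN":
            hits += [(ioc, h) for h in hosts if domain_matches(ioc.value, h)]
        elif ioc.kind == "IPV4" and ioc.value in ips:
            hits.append((ioc, ioc.value))
        elif ioc.kind == "URL":
            for u in urls:
                if (u.startswith(ioc.value) if ioc.truncated else u == ioc.value):
                    hits.append((ioc, u))
        elif ioc.kind == "HASH":
            for h in hashes:
                if (h.startswith(ioc.value) if ioc.truncated else h == ioc.value):
                    hits.append((ioc, h))
    return hits


def scan(lines: list[str], iocs: list[Ioc]) -> dict[int, list[tuple[str, str, str]]]:
    """Map line index -> [(kind, indicator value, matched token)] for hits only."""
    report = {}
    for i, line in enumerate(lines):
        hits = match_line(iocs, line)
        if hits:
            report[i] = [(h.kind, h.value, tok) for h, tok in hits]
    return report


if __name__ == "__main__":
    for idx, found in scan(SAMPLE_LOGS, parse_ioc_table(IOC_TABLE)).items():
        print(idx, SAMPLE_LOGS[idx])
        for kind, value, token in found:
            print(f"    {kind:6} {value}  <- {token}")
```

The truncated rows are the weak spot of any copy of this table: a prefix match on `http://fashdefi.store:6168/defy` is still useful because the port and path are distinctive, but a prefix match on `https://cdn-static-server.verce` would fire on unrelated Vercel hosts, so in practice such rows should be replaced by the full values from the original report before they go into a production watchlist.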