Malicious Node Package Deploys OtterCookie

2025-10-06 Blackpoint Cyber

https://blackpointcyber.com/blog/malicious-node-package-deploys-ottercookie/


Blackpoint SOC analyzed a North Korea-linked OtterCookie intrusion delivered through a trojanized Bitbucket repository posing as a 3D chess project. The loader deliberately triggers an initialization error, fetches JavaScript from serve-cookie[.]vercel[.]app, and executes the returned code to install a malicious Node-based client-app under a fake user-writable System32 path. Persistence is maintained through svchost.bat, svchost.ps1, and a WindowsUpdate Run key, while .sysupdater.dat provides obfuscated clipboard collection, screenshot capture, C2 logging, and command staging. The operators also deployed simple-keyboard-monitor.ps1 for keystroke capture, giving them continuous visibility into developer or financial-sector victim activity and a path to credential theft.
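A quick triage check for the persistence described above, added here as an example and not Blackpoint's tooling: it scores Run-key entries against the artifact names in the report (svchost.bat, svchost.ps1, .sysupdater.dat, simple-keyboard-monitor.ps1, a value named WindowsUpdate) and flags any System32 path that is not under the real Windows directory. The sample entries are constructed; read_run_keys assumes it is run on Windows, where the standard-library winreg module is available.

```python
import re

# Names taken from the Blackpoint report; everything else here is constructed for this example.
REPORT_ARTIFACTS = {"svchost.bat", "svchost.ps1", ".sysupdater.dat", "simple-keyboard-monitor.ps1"}
REAL_SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
ANY_SYSTEM32 = re.compile(r"\\system32\\", re.IGNORECASE)
PATH_TOKEN = re.compile(r'"([^"]+)"|([A-Za-z]:\\[^\s"]+)')  # quoted or drive-rooted token

def classify_run_entry(name: str, command: str) -> list[str]:
    """Reasons a Run value resembles the report's persistence; an empty list means clean."""
    reasons = []
    if name.lower() == "windowsupdate":
        reasons.append("Run value name matches the one used in this intrusion")
    for quoted, bare in PATH_TOKEN.findall(command):
        path = quoted or bare
        base = path.rsplit("\\", 1)[-1].lower()
        if base in REPORT_ARTIFACTS:
            reasons.append(f"artifact name from the report: {base}")
        # A System32 directory that is not %SystemRoot%\System32 is the fake, user-writable one.
        if ANY_SYSTEM32.search(path) and not REAL_SYSTEM32.match(path):
            reasons.append(f"System32 path outside the real Windows directory: {path}")
    return reasons

def find_suspicious(entries) -> dict[str, list[str]]:
    """Map each flagged Run value name to the reasons it was flagged."""
    hits = {}
    for name, command in entries:
        reasons = classify_run_entry(name, command)
        if reasons:
            hits[name] = reasons
    return hits

def read_run_keys() -> list[tuple[str, str]]:
    """Windows only: read HKCU and HKLM Run values with the standard-library winreg module."""
    import winreg
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _ = winreg.EnumValue(key, i)
                entries.append((name, str(data)))
    return entries

# Constructed sample: two ordinary autoruns and one shaped like the report's persistence.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("WindowsUpdate", r'cmd.exe /c "C:\Users\dev\AppData\Local\System32\svchost.bat"'),
]
```

On a live host, `find_suspicious(read_run_keys())` returns only the entries worth a closer look; the name and path checks are independent, so a renamed script under the fake System32 directory is still caught by the path rule.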

Indicators of Compromise

