Hunting Lazarus Part VII: The Server That Was Not Just FTP
The Hetzner host at 195.201.104.53 was known as the BeaverTail FTP exfiltration sink. A scan of its non-standard ports found six Express.js services on the same machine, two of them OtterCookie command-and-control nodes – one live broadcasting macOS victim state, one silent predecessor still listening – plus a Linux deployment leaking a Windows development path on every request. One host. Multiple campaigns. Multiple malware families. Shared substrate.
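The pivot described above, from a known exfiltration sink to the other services on the same host, comes down to two checks per open port: does the service identify itself as Express.js (its default X-Powered-By header), and does any response leak a developer's filesystem path. The helper below is an added example, not code from the post or from any of the tooling it used; the port numbers and HTTP responses are constructed for illustration and are not the real services observed on 195.201.104.53.

```python
import re
from dataclasses import dataclass, field

# Windows-style absolute path, e.g. C:\Users\dev\project\server.js
# Stops at whitespace, parentheses or a trailing ':' (stack-trace line numbers).
WIN_PATH_RE = re.compile(r'\b[A-Za-z]:\\(?:[^\\\s()]+\\)*[^\\\s():]*')
EXPRESS_HEADER = "x-powered-by"


@dataclass
class ServiceFinding:
    port: int
    status: str
    express: bool
    windows_paths: list = field(default_factory=list)


def parse_http_response(raw: str):
    """Split a raw HTTP/1.1 response into status line, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return status, headers, body


def triage(port: int, raw: str) -> ServiceFinding:
    """Fingerprint one service: Express header present, Windows paths in body."""
    status, headers, body = parse_http_response(raw)
    express = "express" in headers.get(EXPRESS_HEADER, "").lower()
    paths = sorted(set(WIN_PATH_RE.findall(body)))
    return ServiceFinding(port, status, express, paths)


def triage_all(responses: dict) -> list:
    """Triage a {port: raw_response} map, ordered by port."""
    return [triage(port, raw) for port, raw in sorted(responses.items())]


def leaking_express_ports(findings: list) -> list:
    """Ports that are both Express.js and leak a Windows development path."""
    return [f.port for f in findings if f.express and f.windows_paths]


# Constructed sample responses (hypothetical ports, not real observations).
SAMPLE_RESPONSES = {
    8081: ("HTTP/1.1 404 Not Found\r\n"
           "X-Powered-By: Express\r\n"
           "Content-Type: text/html\r\n\r\n"
           "<pre>Cannot GET /</pre>"),
    8082: ("HTTP/1.1 500 Internal Server Error\r\n"
           "X-Powered-By: Express\r\n"
           "Content-Type: text/plain\r\n\r\n"
           "Error: ENOENT\n"
           "    at Object.<anonymous> (C:\\Users\\dev\\project\\server.js:12:5)"),
    8083: ("HTTP/1.1 200 OK\r\n"
           "Server: nginx\r\n"
           "Content-Type: text/html\r\n\r\n"
           "<html>ok</html>"),
}

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_RESPONSES):
        print(f"port {finding.port}: {finding.status!r} express={finding.express} "
              f"paths={finding.windows_paths}")
```

On a live pivot the raw responses would come from a probe of each open port (a plain GET of / and of a non-existent path, since Express's default 404 body and its unhandled-error stack traces are where the fingerprint and the leaked path usually surface); the classification logic is unchanged.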
This is Part VII of the "Hunting Lazarus" series. The earlier installments documented the Contagious Interview campaign run by Lazarus Group – the DPRK-linked APT – which targets cryptocurrency and Web3 developers with fake job interviews, fabricated company identities, and malicious code repositories. Part VI described an operation that ran its own pipeline across its own machines and harvested its own people in the process. This installment names one of the machines that pipeline …
IoC
195.201.104.53