lazarusholic


Hunting Lazarus Part VIII: OtterCookie

2026-05-16, RedAsgard
https://redasgard.com/blog/hunting-lazarus-part8-ottercookie
#Lazarus #OtterCookie

OtterCookie is a separate JavaScript / Node.js RAT running beside BeaverTail in the Contagious Interview operation. Its Socket.IO control plane maintains a live roster of connected developer workstations and broadcasts it on a thirty-second clock. Part VIII breaks down the protocol, the collection profile, the uid/userKey batch labels, the npm and Vercel delivery layer, and the operational shift from stored-data theft to live surveillance of developer machines.
The JavaScript RAT that turned developer compromise into live surveillance.
Every thirty seconds, the server spoke.
Not to us. Not intentionally.
It was broadcasting a roster: five live macOS machines, campaign numbers in the 900s, identifiers that looked like fingerprints until they did not. The server was not waiting for an operator to ask who was online. It was announcing who was online.
That was the first difference.
BeaverTail had stolen what developers had already saved.
OtterCookie was watching what they did next.
Executive Summary
- OtterCookie is …

IoC

195.201.104.53
[email protected]