OtterCookie: Analysis of New Lazarus Group Malware
Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X.
What looks like a simple freelance bug fix turns out to be a full-blown malware infection. OtterCookie, a new tool from the Lazarus Group APT, hides behind clean code and fake job offers, then silently steals credentials, crypto wallets, and more.
In this step-by-step technical analysis, Mauro Eldritch breaks down the full attack chain, supported by live insights from ANY.RUN’s Interactive Sandbox.
Overview of OtterCookie Malware
North Korean state-sponsored groups, most notably Lazarus, continue to target the financial and cryptocurrency sectors using a range of custom malware families. Previously observed campaigns included threats like InvisibleFerret and Beavertail, which were distributed through elaborate social engineering tactics such as fake developer interviews and staged business calls with executives.
A new addition to this toolkit is OtterCookie, a stealer malware that, much like its predecessors, …
IoC
http://144.172.101.45:1224/
http://http://chainlink-api-v3.cloud/api/
http://chainlink-api-v3.cloud/api/
http://chainlink-api-v3.cloud
http://deobfuscate.io
http://chainlink-api-v3.cloud/api/service/token/56e15ef3b5e5f169fc063f8d3e88288e
https://bitbucket.org/0xhpenvynb/mvp_gamba/downloads/
135.181.123.177
144.172.101.45
071aff6941dc388516d8ca0215b757f9bee7584dea6c27c4c6993da192df1ab9
aa0d64c39680027d56a32ffd4ceb7870b05bdd497a3a7c902f23639cb3b43ba1
56e15ef3b5e5f169fc063f8d3e88288e
486f305bdd09a3ef6636e92c6a9e01689b8fa977ed7ffb898453c43d47b5386d
ec234419fc512baded05f7b29fefbf12f898a505f62c43d3481aed90fef33687
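As an added example, not part of the original article, the script below turns the indicator list above into something a responder can sweep over proxy logs and file-hash inventories. Entries that are bare hosts become host indicators, entries that carry a path (the chainlink token URL, the Bitbucket download path) become URL-prefix indicators so that ordinary traffic to a shared host such as bitbucket.org is not flagged, and the two IP addresses are matched as a separate set. The list on this page contains one entry with a doubled scheme (`http://http://chainlink-api-v3.cloud/api/`) exactly as shown; the script collapses that before comparison. The log lines, the log format and the function names are assumptions made for this example; only the indicators themselves come from the page.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the IoC list on this page.
IOC_URLS = [
    "http://144.172.101.45:1224/",
    "http://http://chainlink-api-v3.cloud/api/",  # listed verbatim with a doubled scheme; normalized below
    "http://chainlink-api-v3.cloud/api/",
    "http://chainlink-api-v3.cloud",
    "http://deobfuscate.io",
    "http://chainlink-api-v3.cloud/api/service/token/56e15ef3b5e5f169fc063f8d3e88288e",
    "https://bitbucket.org/0xhpenvynb/mvp_gamba/downloads/",
]
IOC_IPS = {"135.181.123.177", "144.172.101.45"}
IOC_SHA256 = {
    "071aff6941dc388516d8ca0215b757f9bee7584dea6c27c4c6993da192df1ab9",
    "aa0d64c39680027d56a32ffd4ceb7870b05bdd497a3a7c902f23639cb3b43ba1",
    "486f305bdd09a3ef6636e92c6a9e01689b8fa977ed7ffb898453c43d47b5386d",
    "ec234419fc512baded05f7b29fefbf12f898a505f62c43d3481aed90fef33687",
}

_SCHEME_RUN = re.compile(r"^(?:https?://)+", re.I)   # one or more leading schemes
_URL_RE = re.compile(r"https?://[^\s\"']+", re.I)    # URL tokens inside a log line
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # dotted-quad tokens inside a log line


def normalize(url):
    """Strip any run of schemes ('http://http://x' -> 'x'), lowercase the host, drop the port.
    Returns (host, path); path is '/' when the URL had none."""
    bare = _SCHEME_RUN.sub("", url.strip())
    parsed = urlparse("http://" + bare)
    return (parsed.hostname or "").lower(), parsed.path or "/"


def split_indicators(urls=IOC_URLS):
    """Bare-host entries become host indicators; entries with a path become 'host/path' prefixes."""
    hosts, prefixes = set(), set()
    for url in urls:
        host, path = normalize(url)
        if not host:
            continue
        if path == "/":
            hosts.add(host)
        else:
            prefixes.add(host + path)
    return hosts, prefixes


def scan_proxy_log(lines, urls=IOC_URLS, ips=IOC_IPS):
    """Return [(line_no, indicator, reason)] for every log line that touches an IoC host,
    URL prefix or IP. One line can yield several hits, but each indicator is reported once per line."""
    hosts, prefixes = split_indicators(urls)
    hits = []
    for line_no, line in enumerate(lines, 1):
        found = []
        for url in _URL_RE.findall(line):
            host, path = normalize(url)
            if host in hosts:
                found.append((host, "host"))
            full = host + path
            for prefix in sorted(prefixes):
                if full.startswith(prefix):
                    found.append((prefix, "url-prefix"))
        for ip in _IP_RE.findall(line):  # covers CONNECT lines and raw-IP beacons with no URL
            if ip in ips:
                found.append((ip, "ip"))
        seen = set()
        for indicator, reason in found:
            if indicator not in seen:
                seen.add(indicator)
                hits.append((line_no, indicator, reason))
    return hits


def scan_hashes(observed, known=IOC_SHA256):
    """Return the observed SHA-256 digests (any letter case) that match a listed sample."""
    return {h.strip().lower() for h in observed} & known


# Constructed sample proxy log for this example; not taken from the page. Format assumed:
# "<timestamp> <client ip> <method> <url or host:port> <status>".
SAMPLE_LOG = [
    "2025-05-01T09:12:03Z 10.0.0.21 GET https://github.com/example/repo 200",
    "2025-05-01T09:12:09Z 10.0.0.21 GET http://chainlink-api-v3.cloud/api/service/token/56e15ef3b5e5f169fc063f8d3e88288e 200",
    "2025-05-01T09:12:10Z 10.0.0.21 CONNECT 144.172.101.45:1224 200",
    "2025-05-01T09:13:44Z 10.0.0.33 GET https://deobfuscate.io/ 200",
    "2025-05-01T09:15:02Z 10.0.0.40 GET https://bitbucket.org/some-team/some-repo/downloads/ 200",
    "2025-05-01T09:15:30Z 10.0.0.21 GET https://bitbucket.org/0xhpenvynb/mvp_gamba/downloads/payload.zip 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("line %d: %s (%s)" % hit)
    print(scan_hashes(["071AFF6941DC388516D8CA0215B757F9BEE7584DEA6C27C4C6993DA192DF1AB9"]))
```

Two caveats a responder should keep in mind when using this list. First, the page lists `http://144.172.101.45:1224/` with a port, but the host match above deliberately ignores the port, so a beacon to the same address on a different port is still reported; tighten it if that is too noisy. Second, `deobfuscate.io` and `bitbucket.org` are public services: the Bitbucket entry is matched only on the full download path for that reason, while `deobfuscate.io` is listed on the page as a bare host and so any visit fires. Treat a hit on it as a lead to pivot from (which client, what was fetched next, does the same client also reach the chainlink domain) rather than as confirmation on its own.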