{"id":13999,"date":"2025-06-03T08:25:08","date_gmt":"2025-06-03T08:25:08","guid":{"rendered":"\/cybersecurity-blog\/?p=13999"},"modified":"2025-06-03T10:56:58","modified_gmt":"2025-06-03T10:56:58","slug":"ottercookie-malware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/ottercookie-malware-analysis\/","title":{"rendered":"OtterCookie: Analysis of Lazarus Group Malware Targeting Finance and Tech Professionals"},"content":{"rendered":"\n<p><em>Editor\u2019s note:<\/em><strong><em>&nbsp;The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can&nbsp;<\/em><\/strong><a href=\"https:\/\/x.com\/MauroEldritch\" target=\"_blank\" rel=\"noreferrer noopener\"><strong><em>find Mauro on X<\/em><\/strong><\/a><strong><em>.<\/em><\/strong>&nbsp;<\/p>\n\n\n\n<p>What looks like a simple freelance bug fix turns out to be a full-blown malware infection. OtterCookie, a new tool from the Lazarus Group <a href=\"https:\/\/any.run\/cybersecurity-blog\/track-advanced-persistent-threats\/\" target=\"_blank\" rel=\"noreferrer noopener\">APT<\/a>, hides behind clean code and fake job offers, then silently steals credentials, <a href=\"https:\/\/any.run\/cybersecurity-blog\/crypto-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">crypto wallets<\/a>, and more.&nbsp;&nbsp;<\/p>\n\n\n\n<p>In this step-by-step technical analysis, <a href=\"https:\/\/any.run\/cybersecurity-blog\/authors\/mauro-eldritch\/\" target=\"_blank\" rel=\"noreferrer noopener\">Mauro Eldritch<\/a> breaks down the full attack chain, supported by live insights from ANY.RUN\u2019s <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ottercookie&amp;utm_term=030625&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a>.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Overview of OtterCookie Malware&nbsp;<\/h2>\n\n\n\n<p>North 
Korean state-sponsored groups, most notably Lazarus, continue to target the financial and cryptocurrency sectors using a range of custom malware families. Previously observed campaigns included threats like <a href=\"https:\/\/any.run\/cybersecurity-blog\/invisibleferret-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">InvisibleFerret and Beavertail<\/a>, which were distributed through elaborate social engineering tactics such as fake developer interviews and staged business calls with executives.&nbsp;<\/p>\n\n\n\n<p>A new addition to this toolkit is <strong>OtterCookie<\/strong>, a <a href=\"https:\/\/any.run\/malware-trends\/stealer\/\" target=\"_blank\" rel=\"noreferrer noopener\">stealer malware<\/a> that, much like its predecessors, isn\u2019t spread through random means like pirated software or infected USB drives. Instead, it is part of a broader, coordinated campaign targeting professionals in the tech, financial, and crypto industries. By staging fake interviews, threat actors deliver malware disguised either as coding challenges (or their dependencies) or video call software, in a campaign now known as Contagious Interview or DevPopper.&nbsp;<\/p>\n\n\n\n<p>OtterCookie, written in heavily obfuscated <a href=\"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/\" target=\"_blank\" rel=\"noreferrer noopener\">JavaScript<\/a>, was uncovered during a recent investigation conducted with the Bitso Quetzal Team. 
Notably, the delivery method used in this case stands out for its creativity and level of deception.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"833\" height=\"800\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/1.jpg\" alt=\"\" class=\"wp-image-14004\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/1.jpg 833w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/1-300x288.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/1-768x738.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/1-370x355.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/1-270x259.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/1-740x711.jpg 740w\" sizes=\"(max-width: 833px) 100vw, 833px\" \/><figcaption class=\"wp-element-caption\"><em>Picture 1: Obfuscated code. 
Lazarus loves Deobfuscator.io<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Key Takeaways&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OtterCookie is a new stealer malware<\/strong> linked to North Korean APT Lazarus, delivered through fake job offers.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Payload is fetched from an external API<\/strong> and executed using a require() call\u2014no local implant needed.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Targets include browser credentials, macOS keychains, and crypto wallets<\/strong> like Solana and Exodus.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data is exfiltrated via port 1224 to a U.S.-based C2 server<\/strong>, following patterns seen in Beavertail and InvisibleFerret.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ANY.RUN detects OtterCookie early, before deobfuscation<\/strong>, and maps its behavior in the <a href=\"https:\/\/any.run\/cybersecurity-blog\/mitre-ttps-in-ti-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">ATT&amp;CK Matrix<\/a>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OtterCookie eventually deploys InvisibleFerret<\/strong>, continuing Lazarus\u2019s modular, multi-stage approach.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Social Engineering Delivery: The &#8220;Job Offer&#8221; Trap&nbsp;<\/h2>\n\n\n\n<p>As part of the <em>Contagious Interview<\/em> campaign, one observed variation involved a new form of social engineering distributed through LinkedIn. Instead of requesting participation in a coding challenge or scheduling a business call, as seen in previous campaigns, the attacker proposed freelance contract work. 
The task was simple: resolve a minor visual bug in the frontend of a decentralized application (DApp).&nbsp;<\/p>\n\n\n\n<p>The sender claimed their development team was unavailable due to vacation and shared access to a Bitbucket repository containing Node.js code.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"608\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/2-3-1024x608.jpg\" alt=\"\" class=\"wp-image-14009\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/2-3-1024x608.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/2-3-300x178.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/2-3-768x456.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/2-3-1536x912.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/2-3-2048x1215.jpg 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/2-3-370x220.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/2-3-270x160.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/2-3-740x439.jpg 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Picture 2: Bitbucket repo<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Surprisingly, the repository appeared entirely clean. No implants, no hidden payloads, and none of the suspicious NPM dependencies commonly associated with earlier malware like Beavertail. This wasn\u2019t an example of FUD (Fully Undetectable) malware bypassing antivirus detection, it was genuinely clean. 
The kind of clean that instills confidence and lowers suspicion. It is also the catch: a clean static scan of the repository says nothing about what the code will fetch and run once it is started, and that is where this sample does its work.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"166\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/3-1024x166.jpg\" alt=\"\" class=\"wp-image-14010\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/3-1024x166.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/3-300x49.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/3-768x124.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/3-1536x249.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/3-2048x332.jpg 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/3-370x60.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/3-270x44.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/3-740x120.jpg 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Picture 3: VirusTotal<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">A Closer Look at OtterCookie Malware<\/h2>\n\n\n\n<p>The code simulates a Node.js web service and frontend based on Express, with two parts that deserve a closer look. 
First, there\u2019s an error section that looks hastily written, with a particularly odd error message.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"833\" height=\"642\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/4.jpg\" alt=\"\" class=\"wp-image-14013\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/4.jpg 833w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/4-300x231.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/4-768x592.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/4-370x285.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/4-270x208.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/4-740x570.jpg 740w\" sizes=\"(max-width: 833px) 100vw, 833px\" \/><figcaption class=\"wp-element-caption\"><em>Picture 4: Badly written Error<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Next, there\u2019s a notable try\/catch block in the code. For context, a try\/catch block is a common programming construct that allows an application to attempt an operation. 
If the operation fails, due to either a specific error or a general exception, the catch block executes to handle the failure without crashing the application.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"918\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/5-1-1024x918.jpg\" alt=\"\" class=\"wp-image-14016\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/5-1-1024x918.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/5-1-300x269.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/5-1-768x688.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/5-1-1536x1377.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/5-1-370x332.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/5-1-270x242.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/5-1-335x300.jpg 335w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/5-1-740x663.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/5-1.jpg 1900w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Picture 5: Try\/Catch block<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Execution Through Controlled Failure&nbsp;<\/h2>\n\n\n\n<p>This particular implementation is one of the most creative ways of deploying malware seen recently. The app\u2019s initialization sequence is wrapped in a try\/catch block. 
When an error is triggered, it fetches a response from an external API that appears to provide contextual error information, and then\u2026 executes it.&nbsp;<\/p>\n\n\n\n<p>You read it right &#8211; it uses a require() statement to execute whatever response comes back from the external API.&nbsp;<\/p>\n\n\n\n<p>The first thought that comes to mind: <em>\u201cDoes that mean the system gets infected if&nbsp;the app fails?\u201d<\/em>&nbsp;<\/p>\n\n\n\n<p>And yes, that\u2019s exactly the point! The failure is intentional and triggered during the app\u2019s bootstrap phase. It kicks in, catches the error, prints it to the console, and pretends it just handled the issue gracefully\u2014like everything\u2019s fine now and ready to go. In the background, it already fetched \u201cthe error\u201d and is executing it.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Interactive Sandbox Analysis with ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s take a closer look at how this plays out in ANY.RUN\u2019s interactive sandbox&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/53ff914c-7b67-481a-a4ea-68a275dcdf7f\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=ottercookie&amp;utm_term=030625&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\"><em>View analysis session<\/em><\/a><em><\/em>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"639\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/6-1-1024x639.jpg\" alt=\"\" class=\"wp-image-14019\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/6-1-1024x639.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/6-1-300x187.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/6-1-768x479.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/6-1-1536x959.jpg 1536w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/6-1-370x231.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/6-1-270x169.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/6-1-740x462.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/6-1.jpg 1897w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Picture 6: A forced failure<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>After launching an <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Ubuntu instance<\/a> and installing <a href=\"https:\/\/any.run\/cybersecurity-blog\/pre-installed-dev-tools\/\" target=\"_blank\" rel=\"noreferrer noopener\">Node.js<\/a>, the next step involves adding the legacy peer dependencies from NPM (<code>npm install --legacy-peer-deps<\/code>)\u2014around 1,540 packages in total. Running the web server then triggers the expected error routine: <em>\u201cUnexpected reserved word.\u201d<\/em> Despite the wording, this error is anything but unexpected. Note that the install step is not the trigger: the repository itself is clean, and nothing happens until the application is started.&nbsp;<\/p>\n\n\n\n<p>Originally, the task was to fix a simple visual bug. But that raises the question\u2014how did a blatant, critical error like using a reserved word make it into the code? The answer becomes obvious a bit too late: while the app was running, it quietly queried a remote API in Finland\u2014chainlink-api-v3[.]cloud\u2014and received what appeared to be an error response.&nbsp;<\/p>\n\n\n\n<p>Or at least something that looked like one. 
And it got executed.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"640\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/7-1024x640.jpg\" alt=\"\" class=\"wp-image-14021\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/7-1024x640.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/7-300x187.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/7-768x480.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/7-1536x959.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/7-370x231.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/7-270x169.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/7-740x462.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/7.jpg 1897w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Picture 7: The response, obfuscated in JavaScript<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Deobfuscation and Payload Behavior&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s try to deobfuscate that response.&nbsp;<\/p>\n\n\n\n<p>Lazarus is known to scramble its JavaScript with a widely available online obfuscator, and the matching decoder is just as accessible: the legitimate site <strong>deobfuscate[.]io<\/strong>. The same obfuscation has been seen on JavaScript payloads in fake NPM packages, and even on entire malware families like Beavertail.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/8-1024x683.jpg\" alt=\"\" class=\"wp-image-14023\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/8-1024x683.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/8-300x200.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/8-768x513.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/8-1536x1025.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/8-370x247.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/8-270x180.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/8-740x494.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/8.jpg 1897w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Picture 8: Decoded malware<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>When the obfuscated code is pasted into deobfuscate[.]io, the site recognizes which obfuscator version was used to scramble it and offers to redirect you straight to the matching decoder. One click later, you get the original code, which is nice and readable. Let me introduce you to OtterCookie. Let\u2019s analyze it.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Inside OtterCookie: What It Targets&nbsp;<\/h2>\n\n\n\n<p>OtterCookie begins by requiring Node.js modules that give it access to the file system, the host, the network, and child processes: fs, os, path, request, and child_process. 
It also includes modules specifically designed to target major browsers like Brave, Google Chrome, Opera, and Mozilla Firefox, along with numerous browser extensions, primarily those related to cryptocurrency wallets and password managers.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"754\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/9-1024x754.jpg\" alt=\"\" class=\"wp-image-14025\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/9-1024x754.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/9-300x221.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/9-768x565.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/9-1536x1130.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/9-370x272.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/9-270x199.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/9-740x545.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/9-80x60.jpg 80w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/9.jpg 1897w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Picture 9: Imported libraries and dedicated malicious modules<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This behavior may sound familiar to those who\u2019ve followed earlier DPRK-linked malware campaigns, such as Beavertail and InvisibleFerret.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Credential and Wallet Theft&nbsp;<\/h2>\n\n\n\n<p>In this case, OtterCookie specifically targets Firefox profile directories, copying the user\u2019s Solana-related profile data for exfiltration.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter 
size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"753\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/10-1024x753.jpg\" alt=\"\" class=\"wp-image-14027\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/10-1024x753.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/10-300x221.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/10-768x565.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/10-1536x1129.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/10-370x272.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/10-270x198.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/10-740x544.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/10-80x60.jpg 80w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/10.jpg 1895w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Picture 10: Firefox and Solana profiles are stolen<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In addition to Solana, other wallets, such as Exodus, are also targeted, with sensitive files being copied for exfiltration. This aligns with the broader pattern observed in DPRK campaigns, where cryptocurrency assets are a primary focus due to their relative ease of laundering and anonymization.&nbsp;<\/p>\n\n\n\n<p>And it\u2019s not just about cryptocurrency. Some NFTs, despite having little market value, are used as authentication mechanisms in certain Web3 environments, which are increasingly widespread. 
These, too, can be valuable to threat actors.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"753\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/11-1024x753.jpg\" alt=\"\" class=\"wp-image-14029\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/11-1024x753.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/11-300x221.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/11-768x565.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/11-1536x1129.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/11-370x272.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/11-270x198.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/11-740x544.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/11-80x60.jpg 80w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/11.jpg 1891w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Picture 11: Exodus Wallet is actively targeted<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Next, OtterCookie attempts to access the macOS login keychain, along with credential databases from various browsers, extracting saved passwords, session tokens, and other sensitive authentication data.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Exfiltration Tactics and Infrastructure&nbsp;<\/h2>\n\n\n\n<p>Once everything is staged, the malware sends the loot to a webserver in the US (144.172.101.45), using port 1224 and the \/uploads path.&nbsp;<\/p>\n\n\n\n<p>We\u2019ve seen this exact pattern before\u2026 in InvisibleFerret.&nbsp;<\/p>\n\n\n\n<p>It\u2019s safe to assume that some practices\u2014and even bits of code\u2014are being recycled across 
these malware strains.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"754\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/12-1024x754.jpg\" alt=\"\" class=\"wp-image-14032\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/12-1024x754.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/12-300x221.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/12-768x565.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/12-1536x1130.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/12-370x272.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/12-270x199.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/12-740x545.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/12-80x60.jpg 80w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/12.jpg 1897w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Picture 12: Remembrances of InvisibleFerret and BeaverTail<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Before exfiltration, OtterCookie attempts to compress the collected data using tar. At this stage, some familiar filenames appear, <strong>p.zi<\/strong> and <strong>p2.zip, <\/strong>previously seen in related campaigns.&nbsp;<\/p>\n\n\n\n<p>That definitely rings a bell. Similar filenames were seen in the Beavertail campaign, used to download and install its partner-in-crime and next stage: InvisibleFerret, pulled from an endpoint called \/pdown. 
Just like in the snippet at the end of this script.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"784\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/13-1024x784.jpg\" alt=\"\" class=\"wp-image-14034\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/13-1024x784.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/13-300x230.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/13-768x588.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/13-1536x1176.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/13-370x283.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/13-270x207.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/13-740x566.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/13-80x60.jpg 80w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/13.jpg 1897w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Picture 13: Downloading the next stage: InvisibleFerret<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Next Stage: Delivering InvisibleFerret&nbsp;<\/h2>\n\n\n\n<p>At this stage, the malware attempts to download a portable Python distribution, compatible with either Windows or Unix, from its command-and-control (C2) server. Once installed, it proceeds to execute InvisibleFerret as the next stage of the attack. 
For context, InvisibleFerret is a cross-platform remote access trojan (RAT) written in Python, known for leveraging legitimate tools such as AnyDesk to maintain persistent access to the victim\u2019s system.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"784\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/14-1-1024x784.jpg\" alt=\"\" class=\"wp-image-14037\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/14-1-1024x784.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/14-1-300x230.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/14-1-768x588.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/14-1-1536x1176.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/14-1-370x283.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/14-1-270x207.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/14-1-740x567.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/14-1-80x60.jpg 80w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/14-1.jpg 1897w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Picture 14: Preparing the next stage by setting up Python<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The good news is that ANY.RUN successfully detects all three malware strains\u2014OtterCookie, InvisibleFerret, and Beavertail.&nbsp;<\/p>\n\n\n\n<p>In this case, the obfuscated payload was flagged even before manual deobfuscation could begin.&nbsp;<\/p>\n\n\n\n<p>With that covered, it&#8217;s time to move on to the MITRE ATT&amp;CK Matrix, which ANY.RUN conveniently generates as part of the analysis.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"580\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/15-1024x580.jpg\" alt=\"\" class=\"wp-image-14039\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/15-1024x580.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/15-300x170.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/15-768x435.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/15-1536x870.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/15-370x210.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/15-270x153.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/15-740x419.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/15.jpg 1897w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Picture 15: Detected as OTTERCOOKIE<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">The OtterCookie Matrix&nbsp;<\/h2>\n\n\n\n<p>OtterCookie shares several Tactics, 
Techniques, and Procedures (TTPs) with its counterparts, InvisibleFerret and Beavertail. Some of the most notable include:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>T1082 \u2013 System Information Discovery<\/strong>&nbsp;<br>OtterCookie collects detailed information from the victim\u2019s system to build a comprehensive host profile.&nbsp;<\/li>\n<li><strong>T1003 \u2013 OS Credential Dumping<\/strong>&nbsp;<br>The malware accesses sensitive local files such as \/etc\/passwd and \/etc\/shadow, along with browser credential stores and OS keychains. The harvested data is then compressed and prepared for exfiltration.&nbsp;<\/li>\n<li><strong>T1071 \u2013 Application Layer Protocol<\/strong>&nbsp;<br>This technique is used to communicate with the command-and-control server (144.172.101.45) for data exfiltration.&nbsp;<\/li>\n<li><strong>T1571 \u2013 Non-Standard Port<\/strong>&nbsp;<br>Supporting T1071, this technique involves the use of an uncommon port\u20141224\u2014to evade standard detection mechanisms.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"581\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/16-1024x581.jpg\" alt=\"\" class=\"wp-image-14041\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/16-1024x581.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/16-300x170.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/16-768x436.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/16-1536x871.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/16-370x210.jpg 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/16-270x153.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/16-740x420.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/16.jpg 1897w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Picture 16: MITRE ATT&amp;CK Matrix<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>OtterCookie is yet another reminder of how advanced and deceptive modern malware has become. Hidden behind a routine bug fix task, it exfiltrates credentials, crypto wallet data, and system information, while quietly setting up a second-stage payload like InvisibleFerret.&nbsp;<\/p>\n\n\n\n<p>Attacks like this demand more than traditional detection. They require a dynamic, transparent environment to truly understand what\u2019s happening.&nbsp;<\/p>\n\n\n\n<p>With <strong>ANY.RUN\u2019s interactive sandbox<\/strong>, security teams can:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cut investigation time from hours to seconds <\/strong>by getting clear verdicts in under 40 seconds even for obfuscated, evasive malware.&nbsp;<\/li>\n<li><strong>Understand threats in real time<\/strong>, helping analysts take action before damage is done.&nbsp;<\/li>\n<li><strong>Train junior analysts faster<\/strong> by giving them a safe, hands-on environment to explore real malware behavior without risking the network.&nbsp;<\/li>\n<li><strong>Improve response quality and speed<\/strong>, thanks to visualized tactics, techniques, and clear IOCs that can be used immediately in detection rules.&nbsp;<\/li>\n<li><strong>Boost team efficiency<\/strong> with easy-to-share sessions and collaborative 
analysis tools, reducing back-and-forth and enabling faster decision-making.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Whether you\u2019re investigating OtterCookie or preparing for what\u2019s next, <strong>ANY.RUN helps <\/strong>you detect, understand, and respond faster with clarity and control.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Gathered IOCs&nbsp;<\/h2>\n","protected":false},"author":6,"featured_media":14045,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,15,34,40],"class_list":["post-13999","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>OtterCookie: Analysis of New Lazarus Group Malware<\/title>\n<meta name=\"description\" content=\"Explore in-depth technical analysis of OtterCookie, a new North Korean Lazarus APT malware that steals victims&#039; crypto and credentials.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/ottercookie-malware-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mauro Eldritch\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/ottercookie-malware-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/ottercookie-malware-analysis\/\"},\"author\":{\"name\":\"Mauro Eldritch\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"OtterCookie: Analysis of Lazarus Group Malware Targeting Finance and Tech Professionals\",\"datePublished\":\"2025-06-03T08:25:08+00:00\",\"dateModified\":\"2025-06-03T10:56:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/ottercookie-malware-analysis\/\"},\"wordCount\":2095,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/ottercookie-malware-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/ottercookie-malware-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/ottercookie-malware-analysis\/\",\"name\":\"OtterCookie: Analysis of New Lazarus Group Malware\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-06-03T08:25:08+00:00\",\"dateModified\":\"2025-06-03T10:56:58+00:00\",\"description\":\"Explore in-depth technical analysis of OtterCookie, a new North Korean Lazarus APT malware that steals victims' crypto and 
credentials.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/ottercookie-malware-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/ottercookie-malware-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/ottercookie-malware-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"OtterCookie: Analysis of Lazarus Group Malware Targeting Finance and Tech Professionals\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Mauro Eldritch\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg\",\"caption\":\"Mauro Eldritch\"},\"description\":\"Mauro Eldritch is an Argentinian-Uruguayan hacker, founder of BCA LTD and DC5411 (Argentina \/ Uruguay). He has spoken at various events, including DEF CON (12 times). He is passionate about Threat Intelligence and Biohacking.\u00a0He currently leads Bitso\u2019s Quetzal Team, the first in Latin America dedicated to Web3 Threat Research. Follow Mauro on: X LinkedIn GitHub\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}