{
	"id": "d0c2204e-ef56-4fd8-9118-e17ccf8db23c",
	"created_at": "2026-04-06T00:15:49.168427Z",
	"updated_at": "2026-04-10T03:38:19.934158Z",
	"deleted_at": null,
	"sha1_hash": "05c3fb7368292136a4ed80e69d6362311c4c46f1",
	"title": "Malicious Node Package Deploys OtterCookie",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 339395,
	"plain_text": "Malicious Node Package Deploys OtterCookie\r\nArchived: 2026-04-05 15:27:31 UTC\r\nThe Blackpoint SOC recently contained an incident involving OtterCookie, a North Korean linked malware family\r\ndelivered through a trojanized  open-source project hosted on Bitbucket. The campaign specifically targets developers\r\nand the financial sector, leveraging the trust placed in open-source dependencies to achieve initial access and stage\r\ndownstream payloads. The loader code, disguised as part of a 3D chess application, intentionally triggers a failure\r\nduring initialization so its catch block fetches an “error” message from a remote API and executes that returned string\r\nin-process, ultimately staging and deploying the OtterCookie malware. \r\nOnce executed, the malware unpacked a fake application named client-app into a user writable System32 directory\r\nunder %AppData%\\Roaming. A crafted package.json ensured required dependencies were installed before\r\nestablishing Command and Control (C2) communications, where the malware exfiltrated system details and\r\nscreenshots to prepare tailored payloads. \r\nThe attack chain relied on multiple supporting artifacts, including .bat, .ps1, .dat, and .js files. A launcher,\r\nsvchost.bat, invoked the PowerShell loader svchost.ps1, which initialized C2 and persisted via a registry Run key\r\nWindowsUpdate. From there the loader abused node.exe to execute .sysupdater.dat, an obfuscated JavaScript\r\npayload responsible for clipboard collection, screenshot capture, and staging further commands. \r\nTo expand visibility, the operators later deployed simple-keyboard-monitor.ps1, a PowerShell based keylogger that\r\ncaptured keystrokes and sent them to the same C2 infrastructure. 
Combined with clipboard polling and screenshot\r\nhttps://blackpointcyber.com/blog/malicious-node-package-deploys-ottercookie/\r\nPage 1 of 18\n\ncollection, OtterCookie gave the adversary continuous surveillance of user activity and a path to credential theft. \r\nKey Findings \r\nA trojanized Bitbucket repository posing as a 3D chess project served as the initial infection vector. Its code\r\nintentionally triggered an error during initialization, causing the catch block to fetch and execute attacker-supplied JavaScript from a remote API. \r\nExecution of the remote code deployed a trojanized Node module, which unpacked a malicious application\r\n(client-app) through its package.json script. \r\nThe package established C2 communications immediately after installation, exfiltrating host details and\r\nscreenshots. \r\nThe malware relied on multiple staging artifacts (.bat, .ps1, .dat, and .js) to support execution and persistence. \r\nThe batch file svchost.bat executed svchost.ps1, a loader that initiated C2 communications and persisted via a\r\nregistry Run key WindowsUpdate. \r\nThe loader abused node.exe to execute the hidden payload .sysupdater.dat, which spawned cmd loops,\r\ninvoked PowerShell commands such as Get-Clipboard, and captured screenshots to the temp directory. \r\nA PowerShell based keylogger, simple-keyboard-monitor.ps1, was deployed to log keystrokes and exfiltrate\r\nuser activity. \r\nThe campaign targeted developers and financial organizations, aiming to capture sensitive data and enable\r\nfinancial theft. \r\nObserved Killchain\r\nFrom Pyongyang with Love \r\nThe infection originated from a Bitbucket repository that outwardly hosted a benign 3D chess project, with normal\r\ndeveloper artifacts alongside an initialization routine wrapped in a try/catch. At runtime the app intentionally triggers\r\nthe failure path so the catch block runs, which appears as a harmless recovery step to casual reviewers (Figure 1). 
\r\nFigure 1: Bitbucket 3D chess repository containing the trojanized initialization routine. \r\nWhen the catch block runs it issues an HTTP request to an operator-controlled endpoint at serve-cookie[.]vercel[.]app,\r\ncalling /api/ipcheck-encrypted/\u003capiKey\u003e with a custom header. The loader assigns the response to a local variable and\r\nthen compiles and invokes the returned string as JavaScript with require passed into its scope, turning the remote\r\nresponse into executable code on the host. This try/fail design converts ordinary error handling into a stealthy staging\r\nand execution channel, because the visible repository remains largely benign while the remote response performs the\r\nmalicious work (Figure 2). \r\nFigure 2: Try/catch loader that retrieves and executes remote code on failure. \r\nExecution of the server supplied code resulted in a trojanized Node module being written to disk and installed, which\r\nunpacked a malicious application named client-app into the local node tree. During setup the module wrote a crafted\r\npackage.json and ensured the Node runtime would pull in its required dependencies. This gave the operators a\r\ncontrolled entry point, blending with the normal workflow of developers who frequently install new npm packages. \r\nAs part of the trojanized install the malware created a fake System32 directory under the user’s\r\n%AppData%\\Roaming path and used it as the central workspace for execution and persistence. Into that location the\r\nactor placed svchost.bat, svchost.ps1, package.json / package-lock.json, a populated node_modules tree, and the\r\nobfuscated JavaScript payload .sysupdater.dat, which together form the loop that launches and maintains the stealer\r\nexecution (Figure 3). 
\r\nFigure 3: Fake System32 Staging Directory Contents \r\nThe choice of the name svchost for both the batch and PowerShell scripts is deliberate, mimicking a legitimate\r\nWindows service host executable to increase the chance the artifacts are overlooked during casual triage. By imitating\r\nthe trusted Windows System32 path, but placing it in a user writable location, the adversary ensures persistence while\r\nhiding in plain sight. Persistence itself is maintained through a registry Run key, where a value named\r\nWindowsUpdate points directly to the svchost.bat script in this fake System32 folder. \r\nThe on-disk loop begins with execution of svchost.bat, a small file that acts as the execution primer. This script\r\nrepeatedly calls PowerShell with -ExecutionPolicy Bypass, redirects all output to null, and runs svchost.ps1 from the\r\nstaging folder (Figure 4). Its purpose is simply to ensure the PowerShell stage is executed reliably on every logon\r\nwhile producing almost no visible activity. Coupled with the WindowsUpdate Run key, svchost.bat guarantees the\r\nloop will restart automatically, making the overall activity resilient even if the Node process itself is killed. \r\nFigure 4: Contents of the svchost.bat script. \r\nThe svchost.ps1 script is the primary engine behind the execution loop. Each run sets the working directory to the fake\r\nSystem32 staging folder, checks for a node_modules directory, and if dependencies are missing it writes\r\npackage.json and performs an unattended npm install to restore the runtime environment before launching the stealer,\r\nmaking the loader self-healing and resilient to basic cleanup attempts (Figure 5). 
Because the script validates and\r\nrebuilds its Node environment on each invocation, svchost.ps1 guarantees the loop can recover from file deletion or\r\nprocess termination and reliably hands control to the primary JavaScript payload in a hidden window. \r\nFigure 5: Contents of the svchost.ps1 script. \r\nThe package.json manifest lists the exact libraries the actor needs, and those dependencies map directly to capability:\r\naxios and form-data for HTTP and file exfiltration, screenshot-desktop for screen capture, socket.io-client for\r\nrealtime C2 channels, and uuid for host identification. When npm install runs, npm places the actual package code\r\ninto a node_modules folder, which contains the JavaScript, metadata, and any native addons or .bin helpers the stealer\r\nwill require at runtime. \r\nAfter staging, svchost.ps1 launches node.exe with .sysupdater.dat as the argument via a hidden Start-Process,\r\nhanding runtime control to Node while keeping the process windowless. The active stealer logic lives entirely in\r\n.sysupdater.dat, a heavily obfuscated JavaScript payload interpreted by Node (Figure 6). \r\nFigure 6: Contents of the .sysupdater.dat file. \r\nAnalysis of .sysupdater.dat shows the payload is heavily obfuscated and packed, consistent with output from\r\nobfuscater[.]io. The sample uses identifier renaming, large encoded string blocks, control flow flattening, dead code\r\ninjection, and self-defense/debug protections that rely on layered eval/Function calls and runtime decoding, all\r\nintended to slow static analysis and disrupt manual review. At runtime the actor sets the process title to “Node.js\r\nJavascript Runtime” to blend the malicious execution among legitimate processes, further complicating casual\r\nobservation (Figure 7). \r\nFigure 7: Node process using a spoofed title. 
\r\nThe stealer enforces single instance execution by creating a lock file named cc.pid in the system temp directory\r\n(Figure 8). On startup it checks for the presence of cc.pid; if the file exists, the saved PID is read and probed with\r\nprocess.kill(pid, 0) to test whether the process is still alive. If an active process is found, the stealer logs the condition\r\nand exits to avoid running a duplicate instance. If the PID is stale, execution continues, and the file is updated with the\r\nnew process ID. To manage cleanup, the malware registers handlers for normal exit, SIGINT, and SIGTERM that\r\nremove the lock file before terminating, ensuring future runs can proceed without interference. \r\nFigure 8: Lock file logic using cc.pid to enforce single instance execution. \r\nThe stealer embeds a unique identifier, composed of random characters, which it uses to tag telemetry and\r\nexfiltrated data, allowing the operators to associate this compromised host with the specific infection. It implements an\r\nasynchronous makeLog(message) routine that issues an HTTP POST to\r\nhxxp[://]86.106.85[.]234/api/service/makelog, packaging the supplied message along with the local hostname, the\r\nstatic UID, and a type flag t: 5 as JSON. This lightweight logging endpoint is used throughout the payload to report\r\nstatus and deliver small pieces of collected data. \r\nAll network calls are plaintext HTTP, and the code is defensive against failures. Each Axios promise is followed by a\r\n.catch(() =\u003e {}), and calls are wrapped in an outer try/catch with an empty handler, so network failures or malformed\r\nresponses do not crash the process. 
In practice the stealer repeatedly calls makeLog to beacon, surface errors, and\r\nexfiltrate short text items (for example clipboard contents), enabling the operator to correlate events across\r\ncompromised hosts using the shared UID and hostname metadata. \r\nThe stealer includes an async setHeader routine that fingerprints the host and determines whether it is likely running\r\nin a virtualized environment. On Windows the code runs wmic computersystem get model,manufacturer, on macOS\r\nit calls system_profiler SPHardwareDataType, and on Linux it reads /proc/cpuinfo; the returned text is lowercased\r\nand scanned for indicators such as vmware, virtualbox, qemu, kvm, xen, parallels, and bochs, and on Windows it\r\nalso checks for microsoft corporation. When a match is found the payload sets an isVM flag to true (Figure 9). \r\nFigure 9: Virtualization check logic inside setHeader function. \r\nThe stealer issues an initial registration POST request to hxxp://86.106.85[.]234/api/service/process/\u003cuid\u003e over\r\nplaintext HTTP, sending a machine profile that includes os.type(), os.platform(), an OS release annotated with\r\n“(VM)” or “(Local)”, the hostname, and os.userInfo() (username, uid/gid, home directory, shell where\r\napplicable), together with the static uid and a type flag t: 5. \r\nNetwork failures during registration are forwarded to makeLog(e.message) so errors are reported without interrupting\r\nexecution. The loader calls setHeader() immediately on startup, making this registration the stealer’s first beacon and\r\ngiving the operator a quick inventory of the host and its likely virtualization state (Figure 10). \r\nFigure 10: Initial registration POST sending host profile to C2. 
\r\nThe socketServer routine turns the stealer into an interactive C2 agent by silently installing socket.io-client at runtime\r\nand opening a WebSocket session to hxxp://86.106.85[.]234:4552. The runtime npm install uses noise suppressing\r\nflags (--no-progress, --loglevel silent) and hides the console on Windows, reducing visible artifacts while ensuring the\r\nclient library is present even on otherwise clean hosts. \r\nOnce loaded, the code establishes a resilient beacon with aggressive reconnection logic, up to 15 reconnect attempts, a\r\n2 second delay between retries, and a 2 second timeout per attempt. This keeps the channel alive without long blocking\r\nwaits and enables real-time commands and exfiltration from the operator (Figure 11). \r\nFigure 11: Runtime installation of socket.io-client and WebSocket C2 connection. \r\nOnce the socket connects the stealer exposes a full set of operator controls via event handlers. The command listener\r\naccepts arbitrary shell commands and executes them with child_process.exec, suppressing spawned consoles on\r\nWindows and allowing very large outputs via a 300 MB buffer so command results can be returned as stdout over the\r\nsame socket. \r\nResponses, stderr, and error messages are posted back with correlation fields (cid, sid, code) and the per-victim uid to\r\npreserve session context across requests. A whour probe triggers a whoIm reply that fingerprints the host via OS type,\r\nplatform, kernel/release, hostname, and os.userInfo(), giving the operator a quick inventory for targeting. In\r\npractice this yields a fully interactive, outbound only C2 loop that avoids inbound listeners, blends with normal web\r\ntraffic, and fetches dependencies on demand to reduce static detection surface (Figure 12). \r\nFigure 12: Socket event handlers enabling command execution and fingerprinting. 
\r\nThe stealer includes a clipboard watcher that passively taps copied data and sends changes to the operator (Figure 13).\r\nAfter a 3 second startup delay it enters a 500 ms polling loop, using pbpaste on macOS and Get-Clipboard on\r\nWindows to read the clipboard, trimming the result and comparing it to the last captured value. When a change is\r\ndetected, it waits for a 500 ms debounce, then calls handleClipboardChange, which forwards the new clipboard text\r\nto the remote log via makeLog. On Windows the code hides spawned consoles and ignores stdio to minimize visible\r\nartifacts during polling, and a lastClipboardContent variable prevents duplicate submissions. \r\nFigure 13: Clipboard watcher loop polling for changes every 500 ms. \r\nThe clipboard watcher doesn’t just generate logs; it actively harvests sensitive data copied during normal activity. With\r\npolling and debounce both tuned to 500 ms, it captures passwords, MFA codes, API tokens, wallet seeds, and\r\ncommand snippets at near real time without generating noisy duplicates. Errors are caught and passed into makeLog,\r\nso collection continues even if a read fails, and the reliance on a global currentClipboardContent variable, while\r\nfragile, is enough to keep the loop running. In practice this design creates a low noise, cross platform clipboard tap that\r\ncontinuously feeds user sourced secrets into the stealer’s exfiltration pipeline. \r\nBeyond the clipboard watcher, Blackpoint SOC identified two additional JavaScript artifacts on the compromised\r\ndevice that appear tied to OtterCookie but diverge in functionality. These samples suggest the operators were layering\r\nor experimenting with multiple tools rather than relying on a single payload. The first of these files, tmp.js, acts as\r\nanother stealer with overlapping behaviors but distinct implementation choices. 
\r\ntmp.js mirrors elements of the main .sysupdater.dat payload while introducing its own capabilities (Figure 14).\r\nSimilarly to the main payload, it sets the process title to “Node.js Javascript Runtime” to blend in with legitimate\r\nactivity, then silently installs node-global-key-listener, screenshot-desktop, and sharp via npm with suppressed\r\noutput. After a short delay it initializes a global keyboard hook and maintains a plaintext buffer called text that records\r\nkeystrokes. The routine accounts for modifier keys like SHIFT and CTRL, translates input into characters, and tags\r\nspecial keys such as \u003cTAB\u003e, \u003cBS\u003e, arrow keys, and \u003cCTRL\u003e…\u003c/CTRL\u003e, while ignoring mouse events. \r\nFigure 14: tmp.js code showing process title spoofing and keyboard hook setup. \r\nOn key release tmp.js starts a 3 second debounce; when that timer fires it captures a desktop screenshot, resizes the\r\nimage to a width of 1024 pixels, compresses it to JPEG at quality 60 using sharp, and writes the result to\r\n\u003ctmp\u003e/windows cache/2.jpeg (Figure 13). The code then uploads the JPEG and the current keystroke buffer to\r\nhxxp://86.106.85[.]234:4558/upload as multipart form-data, including headers such as userkey: 507, hostname,\r\npath, and t: “5”. If the upload fails the payload ensures the stash directory \u003ctmp\u003e/windows cache exists and appends\r\nthe keystroke buffer to 1.tmp for later exfiltration. All these actions are guarded by broad try/catch blocks, so errors\r\nare suppressed, and the process continues running even if dependencies fail to install or individual steps error out. \r\nFigure 15: Screenshot capture, resize, and upload post-debounce. 
\r\nA PowerShell keylogger was also observed, simple-keyboard-monitor.ps1, which embeds a small C# type via Add-Type to P/Invoke user32.dll functions (GetAsyncKeyState and GetKeyState) and then spins an infinite polling loop\r\nto capture keystrokes (Figure 16). The mixed PowerShell/C# approach gives the script low level access to keyboard\r\nstate without relying on Node, and the loop based reader is designed for steady, persistent collection of typed input;\r\noutputs are typically buffered and written to disk or posted back to C2 via the same logging/exfil routines used by the\r\nJavaScript components. \r\nFigure 16: PowerShell keylogger using Add-Type to P/Invoke user32.dll. \r\nThe PowerShell keylogger maintains a 256 element boolean array to track key-down state and reads modifier states\r\n(Shift, Ctrl, Alt, CapsLock), then polls every 10 ms across virtual-key codes 0-255 to detect fresh presses. On a new\r\npress it converts the virtual-key into a printable token using GetKeyName, applying Shift XOR Caps logic for letter\r\ncase, mapping digits to their shifted symbols (for example 1 becomes ! when Shift is held), encoding function keys as\r\n[F1]…[F12], and normalizing navigation/control keys to tokens like [TAB], [ENTER], [BACKSPACE], and arrow\r\nnames; numpad keys and punctuation are handled with appropriate shift variants. Each resolved token is emitted to\r\nstandard output via Console.WriteLine, producing a readable stream of keystrokes for collection and exfiltration\r\n(Figure 17). \r\nFigure 17: Keylogger logic converting virtual-key codes to printable tokens. 
\r\nSay Cheese, Comrade: OtterCookie’s C2 Exposed \r\nThe primary C2 server used for exfiltration by the JavaScript stealer is 86.106.85[.]234, which was actively reachable\r\nduring analysis (Figure 18). A lookup on Censys attributes the host to M247 infrastructure, provisioned out of\r\nManchester, England. This indicates the adversary is leveraging a commercial VPS provider rather than bespoke\r\ninfrastructure. \r\nFigure 18: Censys result showing 86.106.85[.]234 hosted by M247 in Manchester, UK. \r\nThe Blackpoint SOC also observed an additional C2 endpoint at 78.46.94[.]230, which resolved to a VPS hosted by\r\nHetzner Online GmbH in Germany (Figure 19). This second host appears to serve as supplementary infrastructure,\r\nindicating the operators maintained more than one exfiltration node across different providers. \r\nFigure 19: Hetzner VPS at 78.46.94[.]230 identified as secondary C2. \r\nNotably, the primary C2 86.106.85[.]234 also exposed SMB and reported its system hostname as WIN-3O8L0TLB135, providing a glimpse into the underlying host. Open-source research into that hostname led to the\r\nidentification of four additional IP addresses registered through the same provider, each resembling clones of the\r\nprimary C2 server: \r\n146.70.87[.]202 \r\n193.27.14[.]208 \r\n193.187.148[.]116 \r\n86.106.85[.]90 \r\nThis cluster suggests the operators provisioned multiple VPS nodes under the same naming convention to provide\r\nredundancy or serve different stages of their campaign. \r\nMethodology and Attribution \r\nThe incident originated from a high-fidelity detection that matched a behavioral signature associated with OtterCookie\r\nmalware. This alert was notable, as no comparable activity or signature hits had been observed across any other\r\ncustomer environments within the last 90 days. 
The uniqueness and fidelity of the match prompted a targeted\r\ninvestigation into the payload’s lineage and behavioral characteristics. \r\nAnalysis revealed that the sample’s structure and functionality strongly align with previously documented OtterCookie\r\nvariants. As outlined in NTT Security’s OtterCookie Research the observed source code shares near identical segments\r\nwith version 4 of OtterCookie, including overlapping function names, logic flow, and exfiltration routines. These\r\nconsistencies provide high confidence that the sample represents an OtterCookie variant. \r\nFurther correlation was established through ANY.RUN’s OtterCookie Malware Analysis, which documents the same\r\ncore TTPs observed in this incident. Both analyses highlight clipboard data exfiltration as a primary function, along\r\nwith screenshot collection and remote command staging. These behaviors were mirrored in our investigation. \r\nThe campaign also used developer-focused lures on Bitbucket and GitHub, centered on a trojanized “chess” project\r\nthat executed the OtterCookie payload. The actors abused open-source project scaffolding to conceal loader logic, used\r\nJavaScript/Node-based staging, and exhibited post-exploitation behavior that closely aligns with Lazarus playbooks\r\ntargeting engineers. \r\nAttribution is difficult by design because tooling is shared, infrastructure rotates, and indicators can be staged. Even\r\nso, the TTPs and IOCs observed here closely match the OtterCookie malware family, which has been repeatedly linked\r\nto North Korean operators. Overlapping C2 patterns, Node based loader behavior, and the use of npm-style packaging\r\nand dependencies mirror previously documented OtterCookie tradecraft. This indicates strong alignment while\r\nstopping short of a definitive attribution. 
\r\nAdditionally, Lazarus group operators have been known to leverage legitimate online tools such as deobfuscate[.]io to\r\nobfuscate JavaScript payloads within fake NPM packages and broader malware frameworks like Beavertail, as noted\r\nby ANY.RUN. The use of similar obfuscation patterns within this sample aligns with TTPs historically associated with\r\nthe Lazarus group. \r\nIn summary, Blackpoint confidently assesses this sample as an OtterCookie variant based on code and behavioral\r\noverlap. While the observed activity shares tradecraft with previously documented Lazarus operations, we do not make\r\ndefinitive attribution to that group with the evidence currently available. \r\nFinal Thoughts \r\nThis case illustrates how OtterCookie leveraged a seemingly benign Bitbucket project to stage infection through an\r\nintentional try/catch execution path, converting a standard error handler into a remote code execution channel. From\r\nthere, the malware deployed a trojanized Node module to establish a durable foothold, targeting developer and finance\r\nenvironments where package installs are routine. The malware unpacked a trojanized client, registered persistence via\r\na Run key WindowsUpdate, and abused Node to chain into PowerShell for clipboard collection and screenshot\r\ncapture, later extending coverage with a PowerShell based keylogger. These components worked together to provide\r\ncontinuous visibility into user activity while keeping noise low and communications in clear text. \r\nBlackpoint SOC contained the intrusion, traced back the C2 infrastructure, and the lessons from this campaign now\r\nfeed into stronger supply-chain defenses and behavior-driven detections tuned for developer endpoints. Treating open-source dependencies as part of the attack surface, and monitoring for behaviors like staged npm installs, fake system\r\ndirectories, and Node invoked with unusual arguments, significantly reduces exposure and accelerates response. 
\r\nRecommendations \r\nRequire approval of third-party packages before they are installed or used in development. \r\nAudit package source code and manifests to ensure nothing malicious has been introduced. \r\nProvide an internal, vetted repository where developers can pull authorized packages. \r\nSegment and harden developer workstations to limit access to sensitive production data. \r\nRestrict and monitor outbound network traffic from developer endpoints to reduce C2 exposure. \r\nVerify download links and package sources before installation. \r\nContinuously audit installed software to validate legitimacy and catch unauthorized changes. \r\nUse the Blackpoint SOC to detect and respond to these types of incidents. \r\nIndicators of Compromise (IOCs) \r\nIP  Description \r\n86.106.85[.]234  Primary Command and Control (C2) \r\n78.46.94[.]230  Secondary Command and Control (C2) \r\n146.70.87[.]202  Possible C2 Identified via OSINT \r\n193.27.14[.]208  Possible C2 Identified via OSINT \r\n193.187.148[.]116  Possible C2 Identified via OSINT \r\n86.106.85[.]90  Possible C2 Identified via OSINT \r\nFilename  Hash \r\nsvchost.bat  57533E0BF2A9857BF1E603039B6B3E9EEB9CB5B53BB490D4ECDAA57EFAD0D27C \r\nsimple-keyboard-monitor.ps1  ADEE6C5CC15432F0E4A5202B2653AEB057D988DC18ECDCDED7038B91BD8212B2 \r\nsvchost.ps1  8B3DEB9426B405EB8E08AC2A9868E55980A3A24B7F033E4040A08C029D721894 \r\ncc.pid  C077F24E0C8FD9B10AF046F7811046BC97FE9723A354FAE129FD49720DA5C87E \r\ntmp.js  C0CEC1CA432EB8AE0CB43325CA10C25B436EE88EDD6F08E4B74BC1EE27E83766 \r\npackage.json  51322339B720D6E81BEF2B7D415C242E222939C0A3624C5EDC791DB9472F7EC8 \r\n.sysupdater.dat  8D3B4D38914029C2B9CF83F6DED99FA1E73F89FC390FFF369BDDEDAB4729F04D \r\nIOC  Explanation \r\nlabs525  Malicious User tied to BitBucket Link \r\nterin6  User tied to malicious App hosting in Github \r\nhxxps[://]bitbucket[.]org/labs525/chess/src/main/  
Malicious BitBucket Repo \r\nhxxps[://]github[.]com/terin6/CHESS  Malicious Github Repo \r\nSource: https://blackpointcyber.com/blog/malicious-node-package-deploys-ottercookie/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blackpointcyber.com/blog/malicious-node-package-deploys-ottercookie/"
	],
	"report_names": [
		"malicious-node-package-deploys-ottercookie"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434549,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/05c3fb7368292136a4ed80e69d6362311c4c46f1.pdf",
		"text": "https://archive.orkl.eu/05c3fb7368292136a4ed80e69d6362311c4c46f1.txt",
		"img": "https://archive.orkl.eu/05c3fb7368292136a4ed80e69d6362311c4c46f1.jpg"
	}
}