{
	"id": "274a435a-ba9e-40b3-8688-d34af5f3b24f",
	"created_at": "2026-04-06T00:17:19.469164Z",
	"updated_at": "2026-04-10T03:38:20.558738Z",
	"deleted_at": null,
	"sha1_hash": "468806732a7e989d83fd148cbaa6eeac41dfd812",
	"title": "Lazarus Group Enhances Malware with New OtterCookie Payload Delivery Technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1531955,
	"plain_text": "Lazarus Group Enhances Malware with New OtterCookie Payload\r\nDelivery Technique\r\nBy Lucas Mancilha\r\nPublished: 2025-07-30 · Archived: 2026-04-05 19:51:32 UTC\r\nThe Contagious Interview campaign conducted by the Lazarus Group continues to expand its capabilities. We\r\nhave observed an exponential evolution in the delivery mechanisms for the campaign’s main payloads:\r\nBeaverTail, InvisibleFerret, and OtterCookie.\r\nIn this article, we discuss the innovations in the delivery techniques used by the group and\r\nshow how the group’s modus operandi has been preserved throughout the evolution of their code. To this end, we\r\nanalyzed three distinct malicious projects that were highly active in campaigns.\r\nDelivery Mechanism 1: Eval Function\r\nFigure 1 – Initial POST request to the delivery domain\r\nIn one of the projects, the group’s developers created and implemented a code snippet that performs a POST\r\nrequest to an external address named fashdefi[.]store using port 6168.\r\nAfter the request, the code captures the response, stores it in the token object, and executes the\r\ncontent using the eval() function.\r\nhttps://gbhackers.com/lazarus-group-malware-with-ottercookie/\r\nPage 1 of 6\n\nFigure 2 – Execution of the POST request with the curl command-line tool\r\nIn this way, the code snippet above, located within the catch block, removes the need to write the main payload (in this case,\r\n‘invisible ferret’) directly into the project’s main code, as was observed in projects prior to\r\nthe analysis period of this article, thereby evading previously created detection mechanisms that relied solely on\r\ndirect scanning of the main code.\r\nDelivery Mechanism 2: False Token\r\nFigure 3 – URL parts declared separately within the project\r\nIn a distinct project, the group implemented new strategies to complicate code analysis by the automated tools used\r\nfor scanning and detecting malicious code.\r\nIn this code snippet, the developers took care to split the entire URL into several parts within the code. The\r\nattackers utilized the legitimate hosting service of the Vercel.App platform as a command and control (C2) server\r\nto deliver the project’s favicon.\r\nFigure 3.1 – Constant “url” to concatenate the URL, and constant “options” holding the full request configuration\r\nand headers\r\nThese two constants were developed to add more layers to the code flow, so that when the request is made in\r\nthe function “req”, which is stored in another constant named “doing”, it has a better chance of evading static analysis\r\ntools that rely on pattern matching and sandbox environments that do not analyze the code at runtime.\r\nFigure 3.2 – Constant “doing”, which stores the request function\r\nFollowing the code’s construction flow, the “doing” constant, when called, executes the entire request\r\noperation. Finally, within the try/catch block, it uses the eval() function to execute the malicious code received, shown below:\r\nFigure 4 – POST request adding the token “logo” to receive the encoded payload\r\nUsing a sandbox platform, we verified the content delivered when the “bearrtoken: logo” header is omitted from the\r\nrequest, confirming that a favicon is indeed served for the malicious project.\r\nFigure 5 – Accessing the C2 without the proper token delivers the favicon of the malicious project\r\nBased on this information, we pivoted on the favicon and identified reuse of the image across several prior\r\nprojects attributed to the North Korean group and the Contagious Interview campaign.\r\nFigure 6 – Hunting other projects using the same favicon\r\nDelivery Mechanism 3: Try/Catch\r\nThe third technique we observed demonstrates a continuous process of innovation built on elements present in\r\nprevious projects. In this approach, the group utilized a much more precise design with low detection rates up to\r\nthe time of this article, preserving their tactic of splitting the communication address for payload delivery to allow\r\nfor subsequent URL concatenation (Delivery Mechanism 2) and using the axios library to make the request\r\n(Delivery Mechanism 1), modified to use the GET method.\r\nFigure 7 – Using the same tactic demonstrated in Figures 3 and 4 to bypass pattern-matching tools\r\nAs we saw in the other projects, we could expect the use of an eval() function somewhere in the code to receive\r\nand execute the main attack payload; however, in this project they implemented a curious approach.\r\nFigure 7.1 – Using the same tactic demonstrated in Figure 5, creating a constant and storing a malicious\r\nfunction\r\nThe developers astutely replaced the need for an eval() function with a code block programmed to return a 500\r\nerror from the API communication. The malicious code is then received within the try/catch block,\r\nusing the errorHandler() function shown above.\r\nSo What?\r\nAll the implemented innovations highlight the group’s focal point for improvements; the logic used to construct the\r\ncode snippets that deliver payloads remained the same.\r\nHowever, the increase in innovations over a short period of time, some syntax errors present in the code, and the\r\nlack of review for these bugs suggest the constant use of artificial intelligence (AI) technologies to automate code\r\ncreation. This raises significant concerns for defense mechanisms that rely only on direct code detection and\r\npattern matching.\r\nTherefore, we can state with high confidence that in the coming months we will see new approaches being\r\ndeveloped to further reduce the traces left in project code. There will be a strong focus on continuous\r\nimprovement in the campaign’s delivery phase, demanding greater robustness in previously developed detection\r\nrules.\r\nIndicators of Compromise (IOCs):\r\nURLs:\r\nhttps[:]//cdn-static-server[.]vercel[.]app/icons/212 http[:]//fashdefi[.]store[:]6168/defy/v7 http[:\r\nhttp[:]//chainlink-api-v3[.]cloud/api/service/token/56e15ef3b5e5f169fc063f8d3e88288e\r\nProject names:\r\nCoinLocator-main\r\ncoin-promoting-app-main\r\n0xhpenvynb-mvp_gamba-6b10f2e9dd85\r\nIPs:\r\n144.172.96[.]35\r\n107.189.24[.]80\r\n135.181.123[.]177\r\nFavicon Hash:\r\n41ee7ddb2be173686dc3a73a49b4e93bc883ef363acca770f7ede891451122ab\r\nLucas Mancilha\r\nLucas is a senior malware researcher. He specializes in malware analysis, reverse engineering and analysing\r\nAPT threats, and is also a regular contributor at The Cyber News.\r\nSource: https://gbhackers.com/lazarus-group-malware-with-ottercookie/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://gbhackers.com/lazarus-group-malware-with-ottercookie/"
	],
	"report_names": [
		"lazarus-group-malware-with-ottercookie"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434639,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/468806732a7e989d83fd148cbaa6eeac41dfd812.pdf",
		"text": "https://archive.orkl.eu/468806732a7e989d83fd148cbaa6eeac41dfd812.txt",
		"img": "https://archive.orkl.eu/468806732a7e989d83fd148cbaa6eeac41dfd812.jpg"
	}
}