{
	"id": "805d3249-7792-41b6-9d37-0f74c09b3987",
	"created_at": "2026-04-06T00:19:52.678616Z",
	"updated_at": "2026-04-10T03:38:19.116315Z",
	"deleted_at": null,
	"sha1_hash": "bc1a2aa8d98b28bcc30405c86d384c875024ac8b",
	"title": "OtterCookie: Analysis of Lazarus Group Malware Targeting Finance and Tech Professionals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 444976,
	"plain_text": "OtterCookie: Analysis of Lazarus Group Malware Targeting\r\nFinance and Tech Professionals\r\nBy Mauro Eldritch\r\nPublished: 2025-06-03 · Archived: 2026-04-05 23:40:22 UTC\r\nEditor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat\r\nintelligence analyst. You can find Mauro on X. \r\nWhat looks like a simple freelance bug fix turns out to be a full-blown malware infection. OtterCookie, a new tool\r\nfrom the Lazarus Group APT, hides behind clean code and fake job offers, then silently steals credentials, crypto\r\nwallets, and more.  \r\nIn this step-by-step technical analysis, Mauro Eldritch breaks down the full attack chain, supported by live\r\ninsights from ANY.RUN’s Interactive Sandbox. \r\nOverview of OtterCookie Malware \r\nNorth Korean state-sponsored groups, most notably Lazarus, continue to target the financial and cryptocurrency\r\nsectors using a range of custom malware families. Previously observed campaigns included threats like\r\nInvisibleFerret and Beavertail, which were distributed through elaborate social engineering tactics such as fake\r\ndeveloper interviews and staged business calls with executives. \r\nA new addition to this toolkit is OtterCookie, a stealer malware that, much like its predecessors, isn’t spread\r\nthrough random means like pirated software or infected USB drives. Instead, it is part of a broader, coordinated\r\ncampaign targeting professionals in the tech, financial, and crypto industries. By staging fake interviews, threat\r\nactors deliver malware disguised either as coding challenges (or their dependencies) or video call software, in a\r\ncampaign now known as Contagious Interview or DevPopper. \r\nOtterCookie, written in heavily obfuscated JavaScript, was uncovered during a recent investigation conducted\r\nwith the Bitso Quetzal Team. Notably, the delivery method used in this case stands out for its creativity and level\r\nof deception. 
\r\nhttps://any.run/cybersecurity-blog/ottercookie-malware-analysis/\r\nPage 1 of 18\n\nPicture 1: Obfuscated code. Lazarus loves Deobfuscator.io \r\nKey Takeaways \r\nOtterCookie is a new stealer malware linked to North Korean APT Lazarus, delivered through fake job\r\noffers. \r\nPayload is fetched from an external API and executed using a require() call—no local implant needed. \r\nTargets include browser credentials, macOS keychains, and crypto wallets like Solana and Exodus. \r\nData is exfiltrated via port 1224 to a U.S.-based C2 server, following patterns seen in Beavertail and\r\nInvisibleFerret. \r\nANY.RUN detects OtterCookie early, before deobfuscation, and maps its behavior in the ATT\u0026CK\r\nMatrix. \r\nOtterCookie eventually deploys InvisibleFerret, continuing Lazarus’s modular, multi-stage approach. \r\nSocial Engineering Delivery: The “Job Offer” Trap \r\nAs part of the Contagious Interview campaign, one observed variation involved a new form of social engineering\r\ndistributed through LinkedIn. Instead of requesting participation in a coding challenge or scheduling a business\r\ncall, as seen in previous campaigns, the attacker proposed freelance contract work. The task was simple: resolve a\r\nminor visual bug in the frontend of a decentralized application (DApp). \r\nThe sender claimed their development team was unavailable due to vacation and shared access to a Bitbucket\r\nrepository containing Node.js code. \r\nPicture 2: Bitbucket repo \r\nSurprisingly, the repository appeared entirely clean. No implants, no hidden payloads, and none of the suspicious\r\nNPM dependencies commonly associated with earlier malware like Beavertail. This wasn’t an example of FUD\r\n(Fully Undetectable) malware bypassing antivirus detection; it was genuinely clean. The kind of clean that instills\r\nconfidence and lowers suspicion. 
\r\nPicture 3: VirusTotal \r\nA Closer Look at OtterCookie Malware\r\nThe code simulates a Node.js web service and frontend based on Express, with two interesting functions. First,\r\nthere’s an error section that looks hastily written, with a particularly odd error message. \r\nPicture 4: Badly written Error \r\nNext, there’s a notable try/catch block in the code. For context, a try/catch block is a common programming\r\nconstruct that allows an application to attempt an operation. If the operation fails, due to either a specific error or a\r\ngeneral exception, the catch block executes to handle the failure without crashing the application. \r\nPicture 5: Try/Catch block \r\nExecution Through Controlled Failure \r\nThis particular implementation is one of the most creative ways of deploying malware seen recently. The app’s\r\ninitialization sequence is wrapped in a try/catch block. When an error is triggered, it fetches a response from an\r\nexternal API that appears to provide contextual error information, and then… executes it. \r\nYou read it right – it uses a require() statement to execute whatever response comes back from the external API. \r\nThe first thought that comes to mind: “Does that mean the system gets infected if the app fails?” \r\nAnd yes, that’s exactly the point! The failure is intentional and triggered during the app’s bootstrap phase. It kicks\r\nin, catches the error, prints it to the console, and pretends it just handled the issue gracefully—like everything’s\r\nfine now and ready to go. In the background, it has already fetched “the error” and is executing it. 
\r\nInteractive Sandbox Analysis with ANY.RUN \r\nLet’s take a closer look at how this plays out in ANY.RUN’s interactive sandbox. \r\nView analysis session \r\nPicture 6: A forced failure \r\nAfter launching an Ubuntu instance and installing Node.js, the next step involves adding the legacy peer\r\ndependencies from NPM—around 1,540 packages in total. Running the web server then triggers the expected\r\nerror routine: “Unexpected reserved word.” Despite the wording, this error is anything but unexpected. \r\nOriginally, the task was to fix a simple visual bug. But that raises the question—how did a blatant, critical error\r\nlike using a reserved word make it into the code? The answer becomes obvious a bit too late: while the app was\r\nrunning, it quietly queried a remote API in Finland—chainlink-api-v3[.]cloud—and received what appeared to be\r\nan error response. \r\nOr at least something that looked like one. And it got executed. \r\nPicture 7: The response, obfuscated in JavaScript \r\nDeobfuscation and Payload Behavior \r\nLet’s try to deobfuscate that response. \r\nLazarus is known for its frequent use of a legitimate online tool: deobfuscate[.]io. This platform has been used to\r\nobfuscate JavaScript payloads in fake NPM packages, and even entire malware families like Beavertail. \r\nPicture 8: Decoded malware \r\nWhen the obfuscated code is pasted, the web app recognizes which version was used to scramble it and offers to\r\nredirect you straight to the right decoder. One click later, you get the original code, which is nice and readable. Let\r\nme introduce you to OtterCookie. Let’s analyze it.  
\r\nInside OtterCookie: What It Targets \r\nOtterCookie begins by requesting libraries that allow interaction with the operating system, such as fs, os, path,\r\nrequest, and child_process. It also includes modules specifically designed to target major browsers like Brave,\r\nGoogle Chrome, Opera, and Mozilla Firefox, along with numerous browser extensions, primarily those related to\r\ncryptocurrency wallets and password managers. \r\nPicture 9: Imported libraries and dedicated malicious modules \r\nThis behavior may sound familiar to those who’ve followed earlier DPRK-linked malware campaigns, such as\r\nBeavertail and InvisibleFerret. \r\nCredential and Wallet Theft \r\nIn this case, OtterCookie specifically targets Firefox profile directories, copying the user’s Solana-related profile\r\ndata for exfiltration. \r\nPicture 10: Firefox and Solana profiles are stolen \r\nIn addition to Solana, other wallets, such as Exodus, are also targeted, with sensitive files being copied for\r\nexfiltration. This aligns with the broader pattern observed in DPRK campaigns, where cryptocurrency assets are a\r\nprimary focus due to their relative ease of laundering and anonymization. \r\nAnd it’s not just about cryptocurrency. Some NFTs, despite having little market value, are used as authentication\r\nmechanisms in certain Web3 environments, which are increasingly widespread. These, too, can be valuable to\r\nthreat actors. \r\nPicture 11: Exodus Wallet is actively targeted \r\nNext, OtterCookie attempts to access the macOS login keychain, along with credential databases from various\r\nbrowsers, extracting saved passwords, session tokens, and other sensitive authentication data. 
\r\nExfiltration Tactics and Infrastructure \r\nOnce everything is staged, the malware sends the loot to a web server in the US (144.172.101.45), using port 1224\r\nand the /uploads path. \r\nWe’ve seen this exact pattern before… in InvisibleFerret. \r\nIt’s safe to assume that some practices—and even bits of code—are being recycled across these malware strains. \r\nPicture 12: Remembrances of InvisibleFerret and BeaverTail \r\nBefore exfiltration, OtterCookie attempts to compress the collected data using tar. At this stage, some familiar\r\nfilenames appear: p.zi and p2.zip, previously seen in related campaigns. \r\nThat definitely rings a bell. Similar filenames were seen in the Beavertail campaign, used to download and install\r\nits partner-in-crime and next stage: InvisibleFerret, pulled from an endpoint called /pdown. Just like in the snippet\r\nat the end of this script. \r\nPicture 13: Downloading the next stage: InvisibleFerret \r\nNext Stage: Delivering InvisibleFerret \r\nAt this stage, the malware attempts to download a portable Python distribution, compatible with either Windows\r\nor Unix, from its command-and-control (C2) server. Once installed, it proceeds to execute InvisibleFerret as the\r\nnext stage of the attack. For context, InvisibleFerret is a cross-platform remote access trojan (RAT) written in\r\nPython, known for leveraging legitimate tools such as AnyDesk to maintain persistent access to the victim’s\r\nsystem. \r\nPicture 14: Preparing the next stage by setting up Python \r\nThe good news is that ANY.RUN successfully detects all three malware strains—OtterCookie, InvisibleFerret, and\r\nBeavertail. 
\r\nIn this case, the obfuscated payload was flagged even before manual deobfuscation could begin. \r\nWith that covered, it’s time to move on to the MITRE ATT\u0026CK Matrix, which ANY.RUN conveniently generates\r\nas part of the analysis. \r\nPicture 15: Detected as OTTERCOOKIE \r\nThe OtterCookie Matrix \r\nOtterCookie shares several Tactics, Techniques, and Procedures (TTPs) with its counterparts, InvisibleFerret and\r\nBeavertail. Some of the most notable include: \r\nT1082 – System Information Discovery \r\nOtterCookie collects detailed information from the victim’s system to build a comprehensive host profile. \r\nT1003 – OS Credential Dumping \r\nThe malware accesses sensitive local files such as /etc/passwd and /etc/shadow, along with browser\r\ncredential stores and OS keychains. The harvested data is then compressed and prepared for exfiltration. \r\nT1071 – Application Layer Protocol \r\nThis technique is used to communicate with the command-and-control server (144.172.101.45) for data\r\nexfiltration. \r\nT1571 – Non-Standard Port \r\nSupporting T1071, this technique involves the use of an uncommon port—1224—to evade standard\r\ndetection mechanisms. \r\nPicture 16: MITRE ATT\u0026CK Matrix \r\nConclusion \r\nOtterCookie is yet another reminder of how advanced and deceptive modern malware has become. Hidden behind\r\na routine bug fix task, it exfiltrates credentials, crypto wallet data, and system information, while quietly setting up\r\na second-stage payload like InvisibleFerret. \r\nAttacks like this demand more than traditional detection. 
They require a dynamic, transparent environment to truly\r\nunderstand what’s happening. \r\nWith ANY.RUN’s interactive sandbox, security teams can: \r\nCut investigation time from hours to seconds by getting clear verdicts in under 40 seconds even for\r\nobfuscated, evasive malware. \r\nUnderstand threats in real time, helping analysts take action before damage is done. \r\nTrain junior analysts faster by giving them a safe, hands-on environment to explore real malware\r\nbehavior without risking the network. \r\nImprove response quality and speed, thanks to visualized tactics, techniques, and clear IOCs that can be\r\nused immediately in detection rules. \r\nBoost team efficiency with easy-to-share sessions and collaborative analysis tools, reducing back-and-forth and enabling faster decision-making. \r\nWhether you’re investigating OtterCookie or preparing for what’s next, ANY.RUN helps you detect, understand,\r\nand respond faster with clarity and control. \r\nGathered IOCs \r\nMauro Eldritch\r\nMauro Eldritch is an Argentinian-Uruguayan hacker, founder of BCA LTD and DC5411 (Argentina / Uruguay).\r\nHe has spoken at various events, including DEF CON (12 times). He is passionate about Threat Intelligence and\r\nBiohacking. He currently leads Bitso’s Quetzal Team, the first in Latin America dedicated to Web3 Threat\r\nResearch.\r\nSource: https://any.run/cybersecurity-blog/ottercookie-malware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://any.run/cybersecurity-blog/ottercookie-malware-analysis/"
	],
	"report_names": [
		"ottercookie-malware-analysis"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434792,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc1a2aa8d98b28bcc30405c86d384c875024ac8b.pdf",
		"text": "https://archive.orkl.eu/bc1a2aa8d98b28bcc30405c86d384c875024ac8b.txt",
		"img": "https://archive.orkl.eu/bc1a2aa8d98b28bcc30405c86d384c875024ac8b.jpg"
	}
}