Pulse name: OtterCookie Malware IOCs & Lazarus Distribution Infrastructure
TLP: WHITE | Adversary: Lazarus Group | Author: QuetzalTeam | Created: 2025-04-11 | Modified: 2025-05-11
9 IOCs (low volume)
Contagious Interview is a cyberespionage campaign tracked by the Quetzal Team. We identified adversary infrastructure hosted in Finland, which serves as a malware delivery channel for OtterCookie. This intelligence pulse provides indicators of compromise (IOCs) for OtterCookie, along with detailed information about the distribution infrastructure used by the attackers. Additionally, we include the original repository where the loader is distributed, helping to track its propagation and identify potential victims. The loader is primarily distributed through LinkedIn, where the adversary creates fake profiles and posts fraudulent temporary job offers. These offers ask targets to download the loader and fix a supposed bug. Once the loader is executed, the infection begins.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES: none listed
MALWARE FAMILIES: OtterCookie
Indicators of Compromise (9)
TYPE	INDICATOR	CREATED
FileHash-MD5 56e15ef3b5e5f169fc063f8d3e88288e 2025-04-11
FileHash-SHA256 071aff6941dc388516d8ca0215b757f9bee7584dea6c27c4c6993da192df1ab9 2025-04-11
FileHash-SHA256 486f305bdd09a3ef6636e92c6a9e01689b8fa977ed7ffb898453c43d47b5386d 2025-04-11
FileHash-SHA256 aa0d64c39680027d56a32ffd4ceb7870b05bdd497a3a7c902f23639cb3b43ba1 2025-04-11
FileHash-SHA256 ec234419fc512baded05f7b29fefbf12f898a505f62c43d3481aed90fef33687 2025-04-11
domain chainlink-api-v3.cloud 2025-04-11
URL http://chainlink-api-v3.cloud/api/service/token/56e15ef3b5e5f169fc063f8d3e88288e 2025-04-11
URL http://chainlink-api-v3.cloud/api/ 2025-04-11
URL https://bitbucket.org/0xhpenvynb/mvp_gamba/downloads/ 2025-04-11