Pulse Detail — Threat Intelligence

PULSE NAME

OtterCookie: Analysis of New Lazarus Group Malware

WHITE Lazarus PetrP.73 2025-06-03 Modified: 2025-07-03

IOCs

MEDIUM VOLUME

North Korean state-sponsored cyber-attack group Lazarus is continuing to target professionals in the tech, financial and crypto sectors with a new tool called OtterCookie, an analysis shows, including fake job offers.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1003 T1071 T1082 T1571 T1560 T1095 T1496 T1027 T1106

MALWARE FAMILIES

Lazarus Exodus Wallet Beavertail OtterCookie

Indicators of Compromise (26)

All FileHash-MD5 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	56e15ef3b5e5f169fc063f8d3e88288e	—	2025-06-03
FileHash-SHA256	071aff6941dc388516d8ca0215b757f9bee7584dea6c27c4c6993da192df1ab9	—	2025-06-03
FileHash-SHA256	486f305bdd09a3ef6636e92c6a9e01689b8fa977ed7ffb898453c43d47b5386d	—	2025-06-03
FileHash-SHA256	aa0d64c39680027d56a32ffd4ceb7870b05bdd497a3a7c902f23639cb3b43ba1	—	2025-06-03
FileHash-SHA256	ec234419fc512baded05f7b29fefbf12f898a505f62c43d3481aed90fef33687	—	2025-06-03
URL	http://144.172.101.45:1224/	—	2025-06-03
domain	chainlink-api-v3.cloud	—	2025-06-03
domain	deobfuscate.io	—	2025-06-03
URL	http://chainlink-api-v3.cloud/api/	—	2025-06-03
URL	http://chainlink-api-v3.cloud/api/service/token/3d5c7f64bbd450c5e85f0d1cf0202341	—	2025-06-03
URL	http://chainlink-api-v3.cloud/api/service/token/56e15ef3b5e5f169fc063f8d3e88288e	—	2025-06-03
URL	http://135.181.123.177/api/service/makelog	—	2025-06-03
URL	http://135.181.123.177/api/service/process/3ae1d04a7c1a35b9edf045a7d131c4a7	—	2025-06-03
hostname	api.deobfuscate.io	—	2025-06-03
hostname	landing.deobfuscate.io	—	2025-06-03
hostname	obf-io.deobfuscate.io	—	2025-06-03
URL	http://api.deobfuscate.io	—	2025-06-03
URL	http://api.deobfuscate.io/	—	2025-06-03
URL	http://landing.deobfuscate.io	—	2025-06-03
URL	http://landing.deobfuscate.io/	—	2025-06-03
URL	http://obf-io.deobfuscate.io	—	2025-06-03
URL	https://api.deobfuscate.io	—	2025-06-03
URL	https://landing.deobfuscate.io	—	2025-06-03
URL	https://obf-io.deobfuscate.io	—	2025-06-03
URL	https://obf-io.deobfuscate.io/	—	2025-06-03
domain	gamba-6b10f2e9dd85.zip	—	2025-06-03

References (1)

↗ https://any.run/cybersecurity-blog/ottercookie-malware-analysis/