Lazarus Group Enhances Malware with New OtterCookie Payload Delivery Technique
Pulse by PetrP.73 (TLP: WHITE). Created 2025-08-02, modified 2025-09-01. 39 indicators.
The Contagious Interview campaign, attributed to the Lazarus Group, has evolved its operational techniques, particularly the delivery mechanisms for its primary payloads: BeaverTail, InvisibleFerret, and OtterCookie. Recent analysis shows that the group has adopted new methods of obfuscating its malicious code, making the activity harder for automated detection tools to identify. One notable tactic is fragmenting URLs within the code. This hides the command and control (C2) infrastructure behind a legitimate hosting platform, specifically http://Vercel.App, which is used to deliver malicious payloads disguised as innocuous favicon content. The mechanism involves a call to a "doing" constant, which initiates a request to the C2 server.
Indicators of Compromise (39): MD5 and SHA-256 file hashes, domains, and URLs.