Triple Fork: OtterCookie Variant Delivered via Bitbucket Developer Lure | ThreatProphet
WHITE Lazarus ThreatProphet 2026-04-01 Modified: 2026-05-01
An OtterCookie-family three-child loader was deployed in a Contagious Interview campaign that targeted developers, cryptocurrency wallets, and 2FA seeds, according to an analysis by security researchers.
Indicators of Compromise (19)