{ "type": "Domain", "indicator": "chainlink-api-v3.cloud", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/chainlink-api-v3.cloud", "alexa": "http://www.alexa.com/siteinfo/chainlink-api-v3.cloud", "indicator": "chainlink-api-v3.cloud", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4056619278, "indicator": "chainlink-api-v3.cloud", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 16, "pulses": [ { "id": "68b9d266a57b122998115dc6", "name": "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms", "description": "North Korean threat actors associated with the Contagious Interview campaign cluster are actively monitoring cyber threat intelligence platforms to detect infrastructure exposure and scout for new assets. They operate in coordinated teams, likely using Slack for real-time collaboration, and leverage multiple intelligence sources including Validin, VirusTotal, and Maltrail. Despite being aware of their infrastructure's detectability, they make only limited changes to reduce detection risk, focusing instead on rapidly deploying new infrastructure to sustain operations. The actors' effectiveness is evident in their engagement of over 230 victims between January and March 2025, primarily targeting individuals in the cryptocurrency industry. Their activities involve sophisticated social engineering tactics, including the ClickFix technique, to trick targets into executing malware.", "modified": "2025-10-04T17:00:59.344000", "created": "2025-09-04T17:54:46.837000", "tags": [ "cyber espionage", "social engineering", "north korea", "job seeker targeting", "clickfix", "lazarus", "infrastructure monitoring", "cryptocurrency", "contagiousdrop" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops" ], "public": 1, "adversary": "Contagious Interview", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 44164, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 116, "FileHash-SHA1": 99, "FileHash-SHA256": 246, "CVE": 1, "domain": 2140, "hostname": 1231 }, "indicator_count": 3833, "is_author": false, "is_subscribing": null, "subscriber_count": 386475, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6820301bf40ecf6cb4a38f38", "name": "Additional Features of OtterCookie Malware Used by WaterPlum", "description": "The article discusses updates to the OtterCookie malware utilized by the North Korea-linked attack group WaterPlum. The malware has evolved through four versions, with v3 and v4 being the focus. OtterCookie v3 introduced Windows support and enhanced file collection capabilities. Version 4 added new Stealer modules for credential theft, improved virtual environment detection, and modified clipboard stealing methods. The malware now targets various file types, including those related to cryptocurrencies, and has sophisticated methods for stealing browser credentials. The continuous updates to OtterCookie demonstrate WaterPlum's active development efforts, posing an ongoing threat to financial institutions and cryptocurrency operators worldwide.", "modified": "2025-06-10T05:00:59.745000", "created": "2025-05-11T05:05:31.267000", "tags": [ "invisibleferret", "stealer", "windows", "cryptocurrency", "credential theft", "macos", "financial institutions", "north korea", "ottercookie", "beavertail" ], "references": [ "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie" ], "public": 1, "adversary": "WageMole", "targeted_countries": [ "Japan" ], "malware_families": [ { "id": "OtterCookie", "display_name": "OtterCookie", "target": null }, { "id": "BeaverTail", "display_name": "BeaverTail", "target": null }, { "id": "InvisibleFerret", "display_name": "InvisibleFerret", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 386475, "modified_text": "354 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a64eabf1247228cd91f305", "name": "North Korean Actors Abuse npm Ecosystem to Deliver Steganography-Based Malware", "description": "A look back at some of the most interesting snippets from the past week, as well as some interesting analysis of what might happen in the next few weeks. \u00c2\u00a31m-worth of malware.", "modified": "2026-04-02T02:10:40.173000", "created": "2026-03-03T02:59:55.403000", "tags": [ "javascript", "malware", "npm", "dprk", "appdata", "pastebin", "february", "famous chollima", "wednesday", "pm cdt", "edgar04231", "gemini", "next", "linux", "execution", "macos", "back", "\u2019m", "lazarus", "threat intelligence", "osint", "https", "apikey", "starlancer555", "thtduoje", "luka1291", "http", "millosmike3", "kaiserman1029", "crouchtomy", "holppkgaske6i75", "vlad", "malicious", "info", "august", "ottercookie", "beavertail", "april", "june", "contact" ], "references": [ "https://kmsec.uk/blog/dprk-text-steganography/", "https://dprk-research.kmsec.uk/?start=1733011200000" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "\u2019m", "display_name": "\u2019m", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "FileHash-SHA1": 10, "FileHash-SHA256": 379, "email": 76, "URL": 57, "domain": 21, "hostname": 34 }, "indicator_count": 589, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689483159128c89f669e87d6", "name": "EbeeAugust2025 Pt1", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-08-07T10:42:29.730000", "tags": [], "references": [ "Aug1.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 75, "CVE": 1, "FileHash-MD5": 111, "FileHash-SHA1": 139, "FileHash-SHA256": 243, "domain": 137, "hostname": 43, "email": 1 }, "indicator_count": 750, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "266 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688dae713de770774cb69364", "name": "Lazarus Group Enhances Malware with New OtterCookie Payload Delivery Technique.", "description": "The Contagious Interview campaign, attributed to the Lazarus Group, has demonstrated significant evolution in its operational techniques, particularly in the delivery mechanisms for its primary payloads: BeaverTail, InvisibleFerret, and OtterCookie. Recent analysis reveals that the group has adopted innovative methodologies to obfuscate their malicious code, making it more challenging for automated detection tools to identify their activities. One notable tactic employed by the Lazarus Group involves fragmenting URLs within the code. This method hides the command and control (C2) infrastructure by using legitimate hosting platforms, specifically http://Vercel.App, to deliver malicious payloads disguised as innocuous favicon content. The mechanism involves a call to a \"doing\" constant, which initiates a request operation to the C2 server.", "modified": "2025-09-01T06:00:31.037000", "created": "2025-08-02T06:21:37.025000", "tags": [ "anubis ransomware", "anubis", "ransomware", "bitsight", "underground", "bitsight trace", "anubis overview", "november", "raas", "access", "path", "android", "ransom", "august", "cyber security", "strong", "linkedin", "constant", "follow", "updates", "checklist", "victims across", "sees surge", "twitter", "malware", "june", "hack", "lockbit", "lazarus", "beavertail", "invisibleferret", "execution", "teamviewer" ], "references": [ "https://gbhackers.com/lazarus-group-malware-with-ottercookie/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA256": 21, "domain": 2, "URL": 15 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688be5ccd1838dfc4c3aa7f1", "name": "Lazarus Group Enhances Malware with New OtterCookie Payload Delivery Technique", "description": "", "modified": "2025-08-30T21:00:12.643000", "created": "2025-07-31T21:53:16.563000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA256": 1, "URL": 4, "domain": 3 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6842284d6a04a6c334dc13ef", "name": "InQuest - 05-06-2025", "description": "", "modified": "2025-07-05T23:04:57.997000", "created": "2025-06-05T23:29:17.072000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 247, "URL": 881, "domain": 522, "hostname": 127, "FileHash-SHA1": 113, "FileHash-MD5": 47 }, "indicator_count": 1937, "is_author": false, "is_subscribing": null, "subscriber_count": 1620, "modified_text": "329 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683ecc28d5d833c19956cbee", "name": "OtterCookie: Analysis of New Lazarus Group Malware", "description": "North Korean state-sponsored cyber-attack group Lazarus is continuing to target professionals in the tech, financial and crypto sectors with a new tool called OtterCookie, an analysis shows, including fake job offers.", "modified": "2025-07-03T10:00:53.370000", "created": "2025-06-03T10:19:20.970000", "tags": [ "ottercookie", "invisibleferret", "beavertail", "mauro eldritch", "lazarus", "eldritch", "solana", "ck matrix", "lazarus group", "javascript", "exodus", "python", "uruguay", "team", "express", "next", "anydesk", "mamona", "dprk", "exodus wallet" ], "references": [ "https://any.run/cybersecurity-blog/ottercookie-malware-analysis/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Exodus Wallet", "display_name": "Exodus Wallet", "target": null }, { "id": "Beavertail", "display_name": "Beavertail", "target": null }, { "id": "OtterCookie", "display_name": "OtterCookie", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [ "Financial", "Cryptocurrency", "Crypto" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA256": 4, "URL": 15, "domain": 3, "hostname": 3 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "331 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6821d949f6b867405ed38192", "name": "Additional Features of OtterCookie Malware Used by WaterPlum | NTT\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c6\u30af\u30cb\u30ab\u30eb\u30d6\u30ed\u30b0", "description": "", "modified": "2025-06-11T11:02:57.911000", "created": "2025-05-12T11:19:37.949000", "tags": [ "strong", "ottercookie", "waterplum", "google chrome", "login data", "download", "main module", "stealer module", "masaya motoda", "rintaro koike", "february", "april", "macos", "beavertail", "invisibleferret", "stealer", "accept" ], "references": [ "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Sand-Storm", "id": "94093", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_94093/resized/80/avatar_281f69b768.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 413, "modified_text": "353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6821d95685592ea0f8484ced", "name": "Additional Features of OtterCookie Malware Used by WaterPlum | NTT\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c6\u30af\u30cb\u30ab\u30eb\u30d6\u30ed\u30b0", "description": "", "modified": "2025-06-11T11:02:57.911000", "created": "2025-05-12T11:19:49.984000", "tags": [ "strong", "ottercookie", "waterplum", "google chrome", "login data", "download", "main module", "stealer module", "masaya motoda", "rintaro koike", "february", "april", "macos", "beavertail", "invisibleferret", "stealer", "accept" ], "references": [ "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Sand-Storm", "id": "94093", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_94093/resized/80/avatar_281f69b768.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 413, "modified_text": "353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6822c9c1ff97cbeb534e965d", "name": "Additional Features of OtterCookie Malware Used by WaterPlum", "description": "", "modified": "2025-06-10T05:00:59.745000", "created": "2025-05-13T04:25:37.044000", "tags": [ "invisibleferret", "stealer", "windows", "cryptocurrency", "credential theft", "macos", "financial institutions", "north korea", "ottercookie", "beavertail" ], "references": [ "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie" ], "public": 1, "adversary": "WaterPlum", "targeted_countries": [ "Japan" ], "malware_families": [ { "id": "OtterCookie", "display_name": "OtterCookie", "target": null }, { "id": "BeaverTail", "display_name": "BeaverTail", "target": null }, { "id": "InvisibleFerret", "display_name": "InvisibleFerret", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "6820301bf40ecf6cb4a38f38", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "354 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6824456968bc22b5832d4209", "name": "Additional Features of OtterCookie Malware Used by WaterPlum", "description": "", "modified": "2025-06-10T05:00:59.745000", "created": "2025-05-14T07:25:29.342000", "tags": [ "invisibleferret", "stealer", "windows", "cryptocurrency", "credential theft", "macos", "financial institutions", "north korea", "ottercookie", "beavertail" ], "references": [ "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie" ], "public": 1, "adversary": "WaterPlum", "targeted_countries": [ "Japan" ], "malware_families": [ { "id": "OtterCookie", "display_name": "OtterCookie", "target": null }, { "id": "BeaverTail", "display_name": "BeaverTail", "target": null }, { "id": "InvisibleFerret", "display_name": "InvisibleFerret", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "6820301bf40ecf6cb4a38f38", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "354 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682ab285563f035283076acc", "name": "Additional Features of OtterCookie Malware Used by WaterPlum", "description": "", "modified": "2025-06-10T05:00:59.745000", "created": "2025-05-19T04:24:37.887000", "tags": [ "invisibleferret", "stealer", "windows", "cryptocurrency", "credential theft", "macos", "financial institutions", "north korea", "ottercookie", "beavertail" ], "references": [ "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie" ], "public": 1, "adversary": "WaterPlum", "targeted_countries": [ "Japan" ], "malware_families": [ { "id": "OtterCookie", "display_name": "OtterCookie", "target": null }, { "id": "BeaverTail", "display_name": "BeaverTail", "target": null }, { "id": "InvisibleFerret", "display_name": "InvisibleFerret", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "6820301bf40ecf6cb4a38f38", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "354 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681fb0a920db0a60817f753c", "name": "Additional Features of OtterCookie Malware Used by WaterPlum | NTT\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c6\u30af\u30cb\u30ab\u30eb\u30d6\u30ed\u30b0", "description": "The latest version of the OtterCookie malware used by WaterPlum, a North Korean-linked cyber-attack group, has been released by the Japanese National Security Agency (NSJ).", "modified": "2025-06-09T20:02:22.586000", "created": "2025-05-10T20:01:45.064000", "tags": [ "strong", "ottercookie", "waterplum", "google chrome", "login data", "download", "main module", "stealer module", "masaya motoda", "rintaro koike", "february", "april", "macos", "beavertail", "invisibleferret", "stealer", "accept", "contagious interview" ], "references": [ "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Democratic People's Republic of", "Japan", "Singapore" ], "malware_families": [ { "id": "Contagious Interview", "display_name": "Contagious Interview", "target": null }, { "id": "OtterCookie", "display_name": "OtterCookie", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Financial", "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 213, "modified_text": "355 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681de4f2c62ec9577ad29661", "name": "Additional Features of OtterCookie Malware Used by WaterPlum | NTT\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c6\u30af\u30cb\u30ab\u30eb\u30d6\u30ed\u30b0", "description": "The latest version of the OtterCookie malware used by WaterPlum, a North Korean-linked cyber-attack group, has been released by the Japanese National Security Agency (NSJ).", "modified": "2025-06-08T11:02:48.130000", "created": "2025-05-09T11:20:18.509000", "tags": [ "strong", "ottercookie", "waterplum", "google chrome", "login data", "download", "main module", "stealer module", "masaya motoda", "rintaro koike", "february", "april", "macos", "beavertail", "invisibleferret", "stealer", "accept", "contagious interview" ], "references": [ "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Democratic People's Republic of", "Japan", "Singapore" ], "malware_families": [ { "id": "Contagious Interview", "display_name": "Contagious Interview", "target": null }, { "id": "OtterCookie", "display_name": "OtterCookie", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Financial", "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ahyka123", "id": "254370", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "356 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f968e54901170c0ddabf3c", "name": "OtterCookie Malware IOCs & Lazarus Distribution Infrastructure", "description": "Contagious Interview is a cyberespionage campaign tracked by the Quetzal Team. We identified adversary infrastructure hosted in Finland, which serves as a malware delivery channel for OtterCookie.\n\nThis intelligence pulse provides indicators of compromise (IOCs) for OtterCookie, along with detailed information about the distribution infrastructure used by the attackers. Additionally, we include the original repository where the loader is distributed, helping to track its propagation and identify potential victims.\n\nThe loader is primarily distributed through LinkedIn, where the adversary creates fake profiles and posts fraudulent temporary job offers. These offers ask targets to download the loader and fix a supposed bug. Once the loader is executed, the infection begins.", "modified": "2025-05-11T18:00:12.957000", "created": "2025-04-11T19:09:25.934000", "tags": [ "Lazarus" ], "references": [], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "OtterCookie", "display_name": "OtterCookie", "target": null } ], "attack_ids": [ { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Finance", "Crypto" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "QuetzalTeam", "id": "273351", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_273351/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA256": 4, "domain": 1, "URL": 3 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "384 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://any.run/cybersecurity-blog/ottercookie-malware-analysis/", "https://gbhackers.com/lazarus-group-malware-with-ottercookie/", "https://kmsec.uk/blog/dprk-text-steganography/", "Aug1.pdf", "https://labs.inquest.net/iocdb", "https://dprk-research.kmsec.uk/?start=1733011200000", "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops", "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie" ], "related": { "alienvault": { "adversary": [ "WageMole", "Contagious Interview" ], "malware_families": [ "Invisibleferret", "Beavertail", "Ottercookie" ], "industries": [ "Finance", "Technology" ] }, "other": { "adversary": [ "WaterPlum", "Multiple", "Lazarus", "Lazarus Group" ], "malware_families": [ "Beavertail", "Ottercookie", "Exodus wallet", "Invisibleferret", "\u2019m", "Contagious interview", "Lazarus" ], "industries": [ "Crypto", "Finance", "Technology", "Cryptocurrency", "Financial" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 16, "pulses": [ { "id": "68b9d266a57b122998115dc6", "name": "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms", "description": "North Korean threat actors associated with the Contagious Interview campaign cluster are actively monitoring cyber threat intelligence platforms to detect infrastructure exposure and scout for new assets. They operate in coordinated teams, likely using Slack for real-time collaboration, and leverage multiple intelligence sources including Validin, VirusTotal, and Maltrail. Despite being aware of their infrastructure's detectability, they make only limited changes to reduce detection risk, focusing instead on rapidly deploying new infrastructure to sustain operations. The actors' effectiveness is evident in their engagement of over 230 victims between January and March 2025, primarily targeting individuals in the cryptocurrency industry. Their activities involve sophisticated social engineering tactics, including the ClickFix technique, to trick targets into executing malware.", "modified": "2025-10-04T17:00:59.344000", "created": "2025-09-04T17:54:46.837000", "tags": [ "cyber espionage", "social engineering", "north korea", "job seeker targeting", "clickfix", "lazarus", "infrastructure monitoring", "cryptocurrency", "contagiousdrop" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops" ], "public": 1, "adversary": "Contagious Interview", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 44164, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 116, "FileHash-SHA1": 99, "FileHash-SHA256": 246, "CVE": 1, "domain": 2140, "hostname": 1231 }, "indicator_count": 3833, "is_author": false, "is_subscribing": null, "subscriber_count": 386475, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6820301bf40ecf6cb4a38f38", "name": "Additional Features of OtterCookie Malware Used by WaterPlum", "description": "The article discusses updates to the OtterCookie malware utilized by the North Korea-linked attack group WaterPlum. The malware has evolved through four versions, with v3 and v4 being the focus. OtterCookie v3 introduced Windows support and enhanced file collection capabilities. Version 4 added new Stealer modules for credential theft, improved virtual environment detection, and modified clipboard stealing methods. The malware now targets various file types, including those related to cryptocurrencies, and has sophisticated methods for stealing browser credentials. The continuous updates to OtterCookie demonstrate WaterPlum's active development efforts, posing an ongoing threat to financial institutions and cryptocurrency operators worldwide.", "modified": "2025-06-10T05:00:59.745000", "created": "2025-05-11T05:05:31.267000", "tags": [ "invisibleferret", "stealer", "windows", "cryptocurrency", "credential theft", "macos", "financial institutions", "north korea", "ottercookie", "beavertail" ], "references": [ "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie" ], "public": 1, "adversary": "WageMole", "targeted_countries": [ "Japan" ], "malware_families": [ { "id": "OtterCookie", "display_name": "OtterCookie", "target": null }, { "id": "BeaverTail", "display_name": "BeaverTail", "target": null }, { "id": "InvisibleFerret", "display_name": "InvisibleFerret", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 386475, "modified_text": "354 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a64eabf1247228cd91f305", "name": "North Korean Actors Abuse npm Ecosystem to Deliver Steganography-Based Malware", "description": "A look back at some of the most interesting snippets from the past week, as well as some interesting analysis of what might happen in the next few weeks. \u00c2\u00a31m-worth of malware.", "modified": "2026-04-02T02:10:40.173000", "created": "2026-03-03T02:59:55.403000", "tags": [ "javascript", "malware", "npm", "dprk", "appdata", "pastebin", "february", "famous chollima", "wednesday", "pm cdt", "edgar04231", "gemini", "next", "linux", "execution", "macos", "back", "\u2019m", "lazarus", "threat intelligence", "osint", "https", "apikey", "starlancer555", "thtduoje", "luka1291", "http", "millosmike3", "kaiserman1029", "crouchtomy", "holppkgaske6i75", "vlad", "malicious", "info", "august", "ottercookie", "beavertail", "april", "june", "contact" ], "references": [ "https://kmsec.uk/blog/dprk-text-steganography/", "https://dprk-research.kmsec.uk/?start=1733011200000" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "\u2019m", "display_name": "\u2019m", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "FileHash-SHA1": 10, "FileHash-SHA256": 379, "email": 76, "URL": 57, "domain": 21, "hostname": 34 }, "indicator_count": 589, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689483159128c89f669e87d6", "name": "EbeeAugust2025 Pt1", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-08-07T10:42:29.730000", "tags": [], "references": [ "Aug1.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 75, "CVE": 1, "FileHash-MD5": 111, "FileHash-SHA1": 139, "FileHash-SHA256": 243, "domain": 137, "hostname": 43, "email": 1 }, "indicator_count": 750, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "266 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688dae713de770774cb69364", "name": "Lazarus Group Enhances Malware with New OtterCookie Payload Delivery Technique.", "description": "The Contagious Interview campaign, attributed to the Lazarus Group, has demonstrated significant evolution in its operational techniques, particularly in the delivery mechanisms for its primary payloads: BeaverTail, InvisibleFerret, and OtterCookie. Recent analysis reveals that the group has adopted innovative methodologies to obfuscate their malicious code, making it more challenging for automated detection tools to identify their activities. One notable tactic employed by the Lazarus Group involves fragmenting URLs within the code. This method hides the command and control (C2) infrastructure by using legitimate hosting platforms, specifically http://Vercel.App, to deliver malicious payloads disguised as innocuous favicon content. The mechanism involves a call to a \"doing\" constant, which initiates a request operation to the C2 server.", "modified": "2025-09-01T06:00:31.037000", "created": "2025-08-02T06:21:37.025000", "tags": [ "anubis ransomware", "anubis", "ransomware", "bitsight", "underground", "bitsight trace", "anubis overview", "november", "raas", "access", "path", "android", "ransom", "august", "cyber security", "strong", "linkedin", "constant", "follow", "updates", "checklist", "victims across", "sees surge", "twitter", "malware", "june", "hack", "lockbit", "lazarus", "beavertail", "invisibleferret", "execution", "teamviewer" ], "references": [ "https://gbhackers.com/lazarus-group-malware-with-ottercookie/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA256": 21, "domain": 2, "URL": 15 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688be5ccd1838dfc4c3aa7f1", "name": "Lazarus Group Enhances Malware with New OtterCookie Payload Delivery Technique", "description": "", "modified": "2025-08-30T21:00:12.643000", "created": "2025-07-31T21:53:16.563000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA256": 1, "URL": 4, "domain": 3 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6842284d6a04a6c334dc13ef", "name": "InQuest - 05-06-2025", "description": "", "modified": "2025-07-05T23:04:57.997000", "created": "2025-06-05T23:29:17.072000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 247, "URL": 881, "domain": 522, "hostname": 127, "FileHash-SHA1": 113, "FileHash-MD5": 47 }, "indicator_count": 1937, "is_author": false, "is_subscribing": null, "subscriber_count": 1620, "modified_text": "329 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683ecc28d5d833c19956cbee", "name": "OtterCookie: Analysis of New Lazarus Group Malware", "description": "North Korean state-sponsored cyber-attack group Lazarus is continuing to target professionals in the tech, financial and crypto sectors with a new tool called OtterCookie, an analysis shows, including fake job offers.", "modified": "2025-07-03T10:00:53.370000", "created": "2025-06-03T10:19:20.970000", "tags": [ "ottercookie", "invisibleferret", "beavertail", "mauro eldritch", "lazarus", "eldritch", "solana", "ck matrix", "lazarus group", "javascript", "exodus", "python", "uruguay", "team", "express", "next", "anydesk", "mamona", "dprk", "exodus wallet" ], "references": [ "https://any.run/cybersecurity-blog/ottercookie-malware-analysis/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Exodus Wallet", "display_name": "Exodus Wallet", "target": null }, { "id": "Beavertail", "display_name": "Beavertail", "target": null }, { "id": "OtterCookie", "display_name": "OtterCookie", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [ "Financial", "Cryptocurrency", "Crypto" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA256": 4, "URL": 15, "domain": 3, "hostname": 3 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "331 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6821d949f6b867405ed38192", "name": "Additional Features of OtterCookie Malware Used by WaterPlum | NTT\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c6\u30af\u30cb\u30ab\u30eb\u30d6\u30ed\u30b0", "description": "", "modified": "2025-06-11T11:02:57.911000", "created": "2025-05-12T11:19:37.949000", "tags": [ "strong", "ottercookie", "waterplum", "google chrome", "login data", "download", "main module", "stealer module", "masaya motoda", "rintaro koike", "february", "april", "macos", "beavertail", "invisibleferret", "stealer", "accept" ], "references": [ "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Sand-Storm", "id": "94093", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_94093/resized/80/avatar_281f69b768.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 413, "modified_text": "353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6821d95685592ea0f8484ced", "name": "Additional Features of OtterCookie Malware Used by WaterPlum | NTT\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c6\u30af\u30cb\u30ab\u30eb\u30d6\u30ed\u30b0", "description": "", "modified": "2025-06-11T11:02:57.911000", "created": "2025-05-12T11:19:49.984000", "tags": [ "strong", "ottercookie", "waterplum", "google chrome", "login data", "download", "main module", "stealer module", "masaya motoda", "rintaro koike", "february", "april", "macos", "beavertail", "invisibleferret", "stealer", "accept" ], "references": [ "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Sand-Storm", "id": "94093", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_94093/resized/80/avatar_281f69b768.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 413, "modified_text": "353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "chainlink-api-v3.cloud", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "chainlink-api-v3.cloud", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780200343.710557 }