{
  "type": "URL",
  "indicator": "https://cdn-static-server.vercel.app/icons/212",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://cdn-static-server.vercel.app/icons/212",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "majestic",
        "message": "Whitelisted domain vercel.app",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 4110170032,
      "indicator": "https://cdn-static-server.vercel.app/icons/212",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "688dae713de770774cb69364",
          "name": "Lazarus Group Enhances Malware with New OtterCookie Payload Delivery Technique.",
          "description": "The Contagious Interview campaign, attributed to the Lazarus Group, has demonstrated significant evolution in its operational techniques, particularly in the delivery mechanisms for its primary payloads: BeaverTail, InvisibleFerret, and OtterCookie. Recent analysis reveals that the group has adopted innovative methodologies to obfuscate their malicious code, making it more challenging for automated detection tools to identify their activities. One notable tactic employed by the Lazarus Group involves fragmenting URLs within the code. This method hides the command and control (C2) infrastructure by using legitimate hosting platforms, specifically Vercel (vercel.app), to deliver malicious payloads disguised as innocuous favicon content. The mechanism involves a call to a \"doing\" constant, which initiates a request operation to the C2 server.",
          "modified": "2025-09-01T06:00:31.037000",
          "created": "2025-08-02T06:21:37.025000",
          "tags": [
            "anubis ransomware",
            "anubis",
            "ransomware",
            "bitsight",
            "underground",
            "bitsight trace",
            "anubis overview",
            "november",
            "raas",
            "access",
            "path",
            "android",
            "ransom",
            "august",
            "cyber security",
            "strong",
            "linkedin",
            "constant",
            "follow",
            "updates",
            "checklist",
            "victims across",
            "sees surge",
            "twitter",
            "malware",
            "june",
            "hack",
            "lockbit",
            "lazarus",
            "beavertail",
            "invisibleferret",
            "execution",
            "teamviewer"
          ],
          "references": [
            "https://gbhackers.com/lazarus-group-malware-with-ottercookie/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA256": 21,
            "domain": 2,
            "URL": 15
          },
          "indicator_count": 39,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 541,
          "modified_text": "272 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://gbhackers.com/lazarus-group-malware-with-ottercookie/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 42
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/vercel.app",
    "whois": "http://whois.domaintools.com/vercel.app",
    "domain": "vercel.app",
    "hostname": "cdn-static-server.vercel.app"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "688dae713de770774cb69364",
      "name": "Lazarus Group Enhances Malware with New OtterCookie Payload Delivery Technique.",
      "description": "The Contagious Interview campaign, attributed to the Lazarus Group, has demonstrated significant evolution in its operational techniques, particularly in the delivery mechanisms for its primary payloads: BeaverTail, InvisibleFerret, and OtterCookie. Recent analysis reveals that the group has adopted innovative methodologies to obfuscate their malicious code, making it more challenging for automated detection tools to identify their activities. One notable tactic employed by the Lazarus Group involves fragmenting URLs within the code. This method hides the command and control (C2) infrastructure by using legitimate hosting platforms, specifically Vercel (vercel.app), to deliver malicious payloads disguised as innocuous favicon content. The mechanism involves a call to a \"doing\" constant, which initiates a request operation to the C2 server.",
      "modified": "2025-09-01T06:00:31.037000",
      "created": "2025-08-02T06:21:37.025000",
      "tags": [
        "anubis ransomware",
        "anubis",
        "ransomware",
        "bitsight",
        "underground",
        "bitsight trace",
        "anubis overview",
        "november",
        "raas",
        "access",
        "path",
        "android",
        "ransom",
        "august",
        "cyber security",
        "strong",
        "linkedin",
        "constant",
        "follow",
        "updates",
        "checklist",
        "victims across",
        "sees surge",
        "twitter",
        "malware",
        "june",
        "hack",
        "lockbit",
        "lazarus",
        "beavertail",
        "invisibleferret",
        "execution",
        "teamviewer"
      ],
      "references": [
        "https://gbhackers.com/lazarus-group-malware-with-ottercookie/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA256": 21,
        "domain": 2,
        "URL": 15
      },
      "indicator_count": 39,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 541,
      "modified_text": "272 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://cdn-static-server.vercel.app/icons/212",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://cdn-static-server.vercel.app/icons/212",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780266720.053063
}