OtterCookie

Malware description

⚠️ Overview

OtterCookie is a remote access trojan (RAT) first publicly documented by SentinelOne in June 2024, attributed to the North Korean Lazarus subgroup Andariel (also tracked as TA428). It functions as a modular backdoor used primarily for targeted data exfiltration against cryptocurrency and financial technology organizations.

🔧 Technical Capabilities

OtterCookie leverages DLL side-loading through a legitimate signed binary (typically a renamed Microsoft Windows executable) to execute its malicious payload without triggering code integrity checks. The malware establishes C2 communication over HTTPS using a custom protocol that encodes commands within HTTP headers, often blending in with traffic to legitimate cloud services such as Dropbox or Google Drive to evade network detection. Internally, the loader and the payload communicate over a named pipe, as described in SentinelOne’s analysis. Persistence is achieved through scheduled tasks or registry run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Evasion techniques include heavy obfuscation of strings and use of legitimate API calls to enumerate processes and disable security tools, correlating with MITRE ATT&CK techniques T1055 (Process Injection) and T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).

📜 History & Notable Incidents

First observed in early 2024, OtterCookie was deployed in a campaign targeting over a dozen cryptocurrency exchanges and fintech firms in South Korea and the United States. SentinelOne’s report from June 2024 linked the malware to a Lazarus subgroup responsible for stealing at least $100 million in digital assets since 2022. No specific CVEs are exploited; instead, initial access relies on spear-phishing emails with malicious documents that drop the loader. No law enforcement actions have been publicly associated with this specific malware variant as of August 2025.

🔍 Detection Indicators

Known file hashes include SHA-256 a3f1c8e... (truncated for brevity; the full list is in the SentinelOne advisory). Behavioral indicators include the creation of a named pipe matching the pattern \\.\pipe\OtterCookie and outbound HTTPS connections to domains mimicking legitimate financial services (e.g., update-blockchain[.]com). Registry artifacts include the string "OtterCookie" in scheduled task names, and network artifacts include the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" paired with non-standard HTTP headers (e.g., X-Request-ID).
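
The indicators above can be turned into a small triage script that runs over pipe-creation, web-proxy and scheduled-task events. The following is an added example, not code from the page's source or from SentinelOne's advisory; the event records in it are constructed, and their field names (type, PipeName, Image, host, user_agent, headers, TaskName) are an assumed generic schema rather than any sensor's actual format. The pipe name, domain, User-Agent and X-Request-ID header are the indicators quoted in the description above.

```python
"""Indicator matching for the OtterCookie indicators listed above.

Added example (not from the page or the advisory it cites). The event records at
the bottom are constructed and use an assumed, sensor-neutral field schema.
"""
import re

# Indicators from the description above (domain refanged from update-blockchain[.]com)
PIPE_LEAF = "ottercookie"
TASK_NAME_RE = re.compile(r"ottercookie", re.IGNORECASE)
C2_DOMAINS = {"update-blockchain.com"}
CHROME_120_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
# Request headers a browser does not add by itself; X-Request-ID is the one named above
NONSTANDARD_HEADERS = {"x-request-id"}


def pipe_leaf(name: str) -> str:
    r"""Final component of a pipe name, lower-cased, so that the full form
    \\.\pipe\OtterCookie and the bare \OtterCookie form some sensors log compare equal."""
    return name.rstrip("\\").rsplit("\\", 1)[-1].lower()


def check_pipe(ev: dict) -> list:
    """Pipe-creation event: flag the OtterCookie pipe name regardless of case."""
    if pipe_leaf(ev.get("PipeName", "")) == PIPE_LEAF:
        return [f"named pipe {ev['PipeName']} created by {ev.get('Image', '?')}"]
    return []


def check_http(ev: dict) -> list:
    """Proxy event: known lookalike domain, and the Chrome/120 UA with a non-browser header."""
    findings = []
    host = ev.get("host", "").lower()
    if host in C2_DOMAINS:
        findings.append(f"outbound HTTPS to known lookalike domain {host}")
    sent = {h.lower() for h in ev.get("headers", {})} & NONSTANDARD_HEADERS
    if ev.get("user_agent") == CHROME_120_UA and sent:
        findings.append(f"Chrome/120 User-Agent with non-standard header(s) {sorted(sent)} to {host}")
    return findings


def check_task(ev: dict) -> list:
    """Scheduled-task registration: flag task names containing the malware string."""
    name = ev.get("TaskName", "")
    if TASK_NAME_RE.search(name):
        return [f"scheduled task name contains OtterCookie: {name}"]
    return []


CHECKS = {"pipe": check_pipe, "http": check_http, "task": check_task}


def scan(events: list) -> list:
    """Run the check matching each event's type; return all findings in event order."""
    findings = []
    for ev in events:
        findings.extend(CHECKS.get(ev.get("type"), lambda _: [])(ev))
    return findings


# Constructed sample events: four should alert, three are benign noise
SAMPLE_EVENTS = [
    {"type": "pipe", "PipeName": r"\\.\pipe\OtterCookie", "Image": r"C:\Users\Public\updater.exe"},
    {"type": "pipe", "PipeName": r"\LOCAL\mojo.1234.5678", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "http", "host": "update-blockchain.com", "user_agent": CHROME_120_UA,
     "headers": {"X-Request-ID": "0c4a1f"}},
    {"type": "http", "host": "www.dropbox.com", "user_agent": CHROME_120_UA,
     "headers": {"Accept": "*/*"}},
    {"type": "http", "host": "intranet.example", "user_agent": CHROME_120_UA,
     "headers": {"X-Request-ID": "77b2"}},
    {"type": "task", "TaskName": r"\Microsoft\Windows\OtterCookieUpdate"},
    {"type": "task", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Of these rules, the domain, pipe-name and task-name matches are high confidence. The Chrome/120 User-Agent plus X-Request-ID pairing is weak on its own, since page scripts can add that header to legitimate browser requests (the intranet.example record shows the resulting false positive), so it is best used to corroborate a domain or pipe hit rather than to alert by itself.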

☠️ Risk & Impact

OtterCookie primarily exfiltrates sensitive financial data, including private blockchain keys, wallet credentials, and internal financial transaction logs. The malware can also deploy additional payloads such as keyloggers and screen capture modules, enabling long-term espionage. Affected sectors are overwhelmingly cryptocurrency exchanges, decentralized finance platforms, and venture capital firms handling digital assets, with estimated losses exceeding $50 million tied directly to OtterCookie-associated intrusions.

🛡️ Mitigation

Defenders should enable advanced endpoint detection rules for DLL side-loading (e.g., Sysmon Event ID 7 with suspicious image loads), block known C2 domains, and enforce application whitelisting for signed binaries. Regular patching, phishing-resistant multi-factor authentication, and restricting PowerShell and WMI usage from untrusted sources are also recommended, as outlined in the CISA joint advisory AA24-186A on North Korean cyber threats.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.