FAMOUS CHOLLIMA & Lazarus Supply Chain Assault: OtterCookie, Graphalgo & Interlock Exploits

Security Arsenal Team
April 15, 2026

Threat Summary

Current OTX pulses indicate a surge in sophisticated supply chain attacks orchestrated by North Korean state-sponsored actors (FAMOUS CHOLLIMA and Lazarus Group), alongside zero-day exploitation by the Interlock Ransomware Group. These campaigns target the technology and cryptocurrency sectors. The common modus operandi is the distribution of malicious packages via open-source repositories (npm, PyPI) using typosquatting and dependency confusion techniques. Specifically, FAMOUS CHOLLIMA is deploying the OtterCookie infostealer through obfuscated npm packages that masquerade as legitimate libraries. Simultaneously, the Lazarus Group is running a "fake recruiter" campaign to deliver RATs and infostealers via malicious Python and JavaScript packages (e.g., graphalgo, netstruct). Parallel to these espionage-focused activities, the Interlock Ransomware Group is actively exploiting a Cisco FMC zero-day (CVE-2026-20131) and other high-impact CVEs to deploy GHOSTKNIFE and GhostSaber payloads.

Threat Actor / Malware Profile

FAMOUS CHOLLIMA / OtterCookie

  • Distribution: Malicious npm packages (e.g., variants mimicking big.js). Utilizes a two-layer wrapper strategy to evade initial detection.
  • Payload Behavior: OtterCookie infostealer, capable of credential theft and data exfiltration.
  • C2 Communication: Communicates with IPv4 infrastructure (e.g., the 144.172.110.0/24 range) and uses Vercel-hosted infrastructure for command and control so that the traffic blends in with legitimate traffic.
  • Persistence: N/A (likely stage 1 dropper).

Lazarus Group / Graphalgo Campaign

  • Distribution: Social engineering via LinkedIn, Reddit, and Facebook, posing as recruiters from fake companies (e.g., Veltrix Capital). Victims are lured into downloading malicious npm or PyPI packages.
  • Malware Families: Packages like netstruct, bigmathlib, graphalgo deliver RATs and infostealers.
  • C2 Communication: Domains such as codepool.cloud and aurevian.cloud.
  • Objective: Theft of cryptocurrency source code, credentials, and intellectual property.

Interlock Ransomware Group

  • Malware: GHOSTKNIFE, GhostSaber, PlasmaLoader.
  • Technique: Exploitation of recently disclosed CVEs, specifically targeting Cisco FMC via CVE-2026-20131.
  • Objective: Ransomware deployment and double extortion.

IOC Analysis

The provided indicators of compromise (IOCs) consist of:

  • IPv4 Addresses: A cluster of IPs in the 144.172.0.0/16 and 107.189.0.0/16 ranges associated with the OtterCookie C2 infrastructure. These should be blocked immediately at the perimeter.
  • Domains: codepool.cloud and aurevian.cloud linked to the Lazarus Graphalgo campaign. These are likely C2 domains.
  • File Hashes (MD5): Over 300 MD5 hashes associated with the Lazarus payloads. These are critical for YARA rule creation and EDR correlation.
  • CVEs: High-risk identifiers including CVE-2026-27944 and CVE-2026-20131 requiring immediate patch management prioritization.

SOC teams should ingest these IOCs into SIEM correlation rules and EDR threat feeds. Special attention should be paid to egress traffic from development workstations to the listed IPs/domains.
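As an added example (not from the advisory or the Security Arsenal team), the following Python matches egress records against the IOC ranges and domains listed above, using proper CIDR containment and domain-suffix matching so that look-alike hosts do not produce false hits, and prioritises hits from developer workstations as the text recommends. The proxy log format, the "dev-" hostname prefix and the sample lines are constructed assumptions; two sample destination IPs are taken from this advisory's KQL hunt.

```python
import ipaddress
import re
from typing import Optional

# IOC ranges and domains as given in this advisory's IOC Analysis section.
C2_NETWORKS = [ipaddress.ip_network(n) for n in ("144.172.0.0/16", "107.189.0.0/16")]
C2_DOMAINS = ("codepool.cloud", "aurevian.cloud")

# Constructed proxy log format (an assumption, not from the advisory):
# "<timestamp> <source_host> <destination_ip> <destination_host_or_->"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def ioc_hit(dst_ip: str, dst_host: str) -> Optional[str]:
    """Return the matching IOC (CIDR range or domain) for a destination, or None."""
    try:
        ip = ipaddress.ip_address(dst_ip)
        for net in C2_NETWORKS:
            if ip in net:
                return str(net)
    except ValueError:
        pass  # not an IP literal; fall through to the domain check
    host = dst_host.lower().rstrip(".")
    for dom in C2_DOMAINS:
        # exact match or subdomain only, so "notcodepool.cloud" does not match
        if host == dom or host.endswith("." + dom):
            return dom
    return None

def hunt(lines, dev_prefix="dev-"):
    """Flag egress to C2 IOCs; hits from developer workstations (by hostname prefix) get priority."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst_ip, dst_host = m.groups()
        ioc = ioc_hit(dst_ip, dst_host)
        if ioc:
            hits.append({"ts": ts, "src": src, "ioc": ioc,
                         "priority": "high" if src.startswith(dev_prefix) else "medium"})
    return hits

# Constructed sample log lines (not real traffic); the 144.172.x and 107.189.x IPs are from the KQL hunt.
SAMPLE_LOG = [
    "2026-04-15T09:12:01Z dev-ws-17 144.172.110.228 -",
    "2026-04-15T09:12:05Z hr-laptop-03 203.0.113.10 api.codepool.cloud",
    "2026-04-15T09:13:40Z dev-ws-02 198.51.100.7 notcodepool.cloud",
    "2026-04-15T09:14:02Z dev-ws-02 107.189.22.20 -",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```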

Detection Engineering

YAML
title: Suspicious npm or PyPI Package Installation - OtterCookie/Graphalgo
id: 8493a1b2-0c3d-4b5e-9f1a-2b3c4d5e6f7g
status: stable
description: Detects the installation of known malicious packages associated with FAMOUS CHOLLIMA and Lazarus Group campaigns (OtterCookie, Graphalgo).
references:
    - https://otx.alienvault.com/pulse/661f5a1e8b3e4c0b8c9f0a1b
author: Security Arsenal Research
date: 2026/04/16
tags:
    - attack.initial_access
    - attack.t1195.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            # npm.cmd is a batch wrapper, so the recorded Image is cmd.exe (or node.exe
            # running npm-cli.js); pip is often invoked as "python -m pip", so the
            # interpreters are included alongside the wrapper executables.
            - '\cmd.exe'
            - '\node.exe'
            - '\npm.cmd'
            - '\pip.exe'
            - '\python.exe'
        CommandLine|contains:
            - 'ottercookie'
            - 'beavertail'
            - 'netstruct'
            - 'bigmathlib'
            - 'graphalgo'
            - 'graphnetworkx'
    condition: selection
falsepositives:
    - Legitimate installation of packages with similar names (rare in this context)
level: high
---
title: Potential C2 Traffic - OtterCookie IP Ranges
id: 93b2c3d4-1e4f-5a6b-0c2d-3e4f5a6b7c8d
status: stable
description: Detects outbound network connections to known FAMOUS CHOLLIMA C2 infrastructure IP ranges associated with the OtterCookie campaign.
references:
    - https://otx.alienvault.com/pulse/661f5a1e8b3e4c0b8c9f0a1b
author: Security Arsenal Research
date: 2026/04/16
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationIp|startswith:
            - '144.172.'
            - '107.189.'
        DestinationPort:
            - 80
            - 443
            - 8080
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: Lazarus Fake Recruiter - Suspicious Process Spawning
id: a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects suspicious child processes (PowerShell, cmd) spawned by Node.js or Python interpreters, indicative of malicious package execution during a fake recruitment workflow.
references:
    - https://otx.alienvault.com/pulse/6620e3a1b2c3d4e5f6a7b8c9
author: Security Arsenal Research
date: 2026/04/16
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        # The interpreter is the parent of the spawned shell, so this must match
        # ParentImage; with Image here, "all of selection_*" could never be true.
        ParentImage|endswith:
            - '\node.exe'
            - '\python.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'EncodedCommand'
            - '-NoP'
            - '-w hidden'
    condition: all of selection_*
falsepositives:
    - Legitimate developer scripts triggering shells
level: medium

KQL Hunt Query (Microsoft Sentinel)

KQL
// Hunt for OtterCookie C2 connections and Lazarus file hashes.
// Keep the let statements and the query body contiguous: a blank line makes the
// Sentinel/Defender editor treat them as separate queries and the lets are lost.
let MaliciousIPs = dynamic(['144.172.110.228', '107.189.22.20', '144.172.110.96']);
let MaliciousDomains = dynamic(['codepool.cloud', 'aurevian.cloud']);
let MaliciousHashes = dynamic(['0eb5d17f6c48e108355e26271ce1c115', '3492aead8bbc9184d69f25bb04eed5ca']); // MD5 values from the pulse
// Network connections to listed C2 IPs or domains
DeviceNetworkEvents
| where RemoteIP in (MaliciousIPs) or RemoteUrl has_any (MaliciousDomains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort
| extend HuntContext = "Network_C2_OtterCookie_Lazarus"
| union (
    // Process executions whose image matches a listed hash. The list holds MD5 values;
    // the SHA256 clause is kept so SHA256 IOCs can be added to the same list later.
    DeviceProcessEvents
    | where MD5 in (MaliciousHashes) or SHA256 in (MaliciousHashes)
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, SHA256, MD5
    | extend HuntContext = "Process_MaliciousHash_Lazarus"
)
| order by Timestamp desc

PowerShell IOC Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunts for OtterCookie and Lazarus Graphalgo campaign IOCs on the local filesystem.
#>

$IOC_Hashes = @(
    '0eb5d17f6c48e108355e26271ce1c115',
    '3492aead8bbc9184d69f25bb04eed5ca',
    '3c1a44a8fb59cf0d7fc1adbb2ff92e9e',
    '40cd39ac67133aba9aa6c17b8a0982bd',
    '47d06b0a7287a50a364cd02cfc55b05a',
    '4cc1e104a41aaafe84a867258ef43caf'
)

$SearchPaths = @("C:\Users\", "C:\Program Files\node_modules\", "C:\Python\Lib\site-packages\")

Write-Host "[*] Initiating Hunt for Lazarus/Chollima IOCs..." -ForegroundColor Cyan

foreach ($Path in $SearchPaths) {
    if (Test-Path $Path) {
        Write-Host "[*] Scanning $Path..." -ForegroundColor Yellow
        # -File keeps directories out of the pipeline; Get-FileHash fails on them.
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $File = $_
            try {
                $Hash = (Get-FileHash -Path $File.FullName -Algorithm MD5 -ErrorAction Stop).Hash.ToLower()
                if ($IOC_Hashes -contains $Hash) {
                    Write-Host "[!] MALICIOUS FILE FOUND: $($File.FullName)" -ForegroundColor Red
                    Write-Host "    Hash: $Hash" -ForegroundColor Red
                }
            } catch {
                # Ignore files that cannot be read (locked or access denied)
            }
        }
    }
}

# Check for known malicious package folders (Heuristic)
$MaliciousPackages = @("ottercookie", "netstruct", "graphalgo", "bigmathlib")
Write-Host "[*] Checking for malicious package names..." -ForegroundColor Yellow
Get-ChildItem -Path "C:\Users\" -Recurse -Directory -ErrorAction SilentlyContinue | Where-Object {
    $MaliciousPackages -contains $_.Name
} | ForEach-Object {
    Write-Host "[!] SUSPICIOUS PACKAGE FOUND: $($_.FullName)" -ForegroundColor Red
}

Write-Host "[*] Hunt Complete." -ForegroundColor Green

Response Priorities

  • Immediate (0-4 hours):
    • Block all listed IPv4 addresses and domains (codepool.cloud, aurevian.cloud) at the firewall and proxy level.
    • Isolate any endpoints triggering the Sigma rules or KQL alerts.
    • Scan development environments for the specific MD5 hashes provided.
  • 24 Hours:
    • Conduct identity verification for developers who may have executed these packages (credential theft risk).
    • Review git logs for unauthorized commits originating from potentially compromised dev environments.
  • 1 Week:
    • Implement strict package allow-listing for npm, PyPI, and build pipelines.
    • Patch Cisco FMC and other critical infrastructure for CVE-2026-20131 and other listed CVEs.
    • Conduct security awareness training specifically regarding "Fake Recruiter" social engineering.
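As an added example supporting the allow-listing step (not part of the advisory or the Security Arsenal team's tooling), the following Python audits an npm package-lock.json and a requirements.txt against the package names this advisory identifies as malicious and against a constructed allow-list, and flags unapproved names that closely resemble an approved one, the big.js look-alike pattern described above. The allow-list, sample manifests and version numbers are constructed.

```python
import json
import re
from difflib import SequenceMatcher

# Package names this advisory identifies as malicious.
DENYLIST = {"ottercookie", "netstruct", "bigmathlib", "graphalgo"}
# Constructed allow-list standing in for an organisation's approved dependencies.
ALLOWLIST = {"big.js", "express", "lodash", "requests", "numpy"}

def npm_lock_packages(lock_json: str) -> set:
    """Dependency names from a lockfileVersion 2/3 package-lock.json ("packages" map)."""
    names = set()
    for key in json.loads(lock_json).get("packages", {}):
        if key:  # "" is the root project entry, not a dependency
            # keys look like "node_modules/a/node_modules/@scope/b"; keep the innermost name
            names.add(key.rsplit("node_modules/", 1)[-1])
    return names

def requirements_packages(text: str) -> set:
    """Dependency names from requirements.txt, ignoring comments, options and version specifiers."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.add(m.group(0).lower())
    return names

def audit(names, resemblance=0.8):
    """Findings per name: 'denylisted', or 'unapproved' (noting a look-alike approved name)."""
    findings = {}
    for n in sorted(names):
        if n in DENYLIST:
            findings[n] = "denylisted"
        elif n not in ALLOWLIST:
            closest = max(ALLOWLIST, key=lambda a: SequenceMatcher(None, n, a).ratio())
            similar = SequenceMatcher(None, n, closest).ratio() >= resemblance
            findings[n] = f"unapproved (resembles {closest})" if similar else "unapproved"
    return findings

# Constructed sample manifests (names and versions are illustrative, not from a real project).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"}, "node_modules/express": {"version": "4.19.2"},
    "node_modules/bigjs": {"version": "6.2.1"}, "node_modules/graphalgo": {"version": "1.0.3"}}})
SAMPLE_REQS = "requests==2.32.0\nnetstruct>=0.1  # added by an external 'test task'\n-r base.txt\n"

if __name__ == "__main__":
    print(audit(npm_lock_packages(SAMPLE_LOCK)))
    print(audit(requirements_packages(SAMPLE_REQS)))
```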
