Back to Intelligence

OtterCookie & GHOSTSABER: North Korean Supply Chain Attack & Interlock Ransomware Exploitation — OTX Pulse Analysis

SA
Security Arsenal Team
April 15, 2026
6 min read

Recent OTX pulse data reveals a coordinated surge in supply chain compromises and vulnerability exploitation targeting the technology and cryptocurrency sectors. North Korean threat actors (Lazarus Group and Famous Chollima) are actively conducting sophisticated fake recruitment campaigns ('contagious interview') to distribute malicious npm and PyPI packages. These packages, including variants of OtterCookie, BeaverTail, and InvisibleFerret, serve as infostealers and SSH backdoors, utilizing Vercel for C2 infrastructure to evade detection.

Simultaneously, the Interlock Ransomware Group has escalated operations by exploiting CVE-2026-20131, a zero-day deserialization vulnerability in Cisco Firepower Management Center (FMC). This follows the identification of 31 high-impact CVEs in March 2026. The convergence of state-sponsored supply chain attacks and financially motivated ransomware exploiting zero-days represents a significant shift in the threat landscape, requiring immediate defensive posture adjustments.

Threat Actor / Malware Profile

Lazarus Group / Famous Chollima (North Korea)

  • Objective: Credential theft, source code exfiltration, and establishing persistence in development environments.
  • Malware Families:
    • OtterCookie: Infostealer targeting browser data and system credentials.
    • BeaverTail: Malicious npm payload often obfuscated within legitimate-looking libraries.
    • InvisibleFerret: SSH backdoor providing remote access.
  • Distribution Method: Social engineering via LinkedIn/Reddit posing as recruiters ('Veltrix Capital'). Victims are tricked into running 'test tasks' that require cloning repositories containing malicious dependencies.
  • C2 Communication: Uses abused cloud infrastructure (e.g., Vercel) and specific IP ranges (144.172.x.x) to blend in with legitimate dev traffic.

Interlock Ransomware Group

  • Objective: Extortion via file encryption and data leakage.
  • Malware Families: GHOSTSABER, PlasmaLoader.
  • Attack Technique: Exploitation of CVE-2026-20131 (Cisco FMC Deserialization RCE). Initial access is gained via exposed management interfaces, followed by payload deployment.
  • Persistence: Utilization of scheduled tasks and valid credentials harvested from the environment.

IOC Analysis

The provided pulses offer diverse indicator types requiring different operational responses:

  • IPv4 Addresses (C2 Infrastructure): 144.172.110.228, 107.189.22.20, etc. These represent active command and control nodes. SOC teams should block these at the perimeter firewall and proxy levels.
  • Domains (Infrastructure): codepool.cloud, aurevian.cloud. Used for C2 communication and payload delivery. These should be sinkholed or blocked via DNS filtering.
  • FileHash-MD5 (Payloads): 319 MD5 hashes provided (e.g., 0eb5d17f6c48e108355e26271ce1c115). These should be uploaded to EDR solutions for immediate scanning and quarantine.
  • CVEs: CVE-2026-20131, CVE-2026-27944. These require patching validation and vulnerability scanning prioritization.

Operational Guidance: Use SIEM correlation to match network connections (to the listed IPs) with process execution events involving npm or python to identify active infection chains.

Detection Engineering

YAML
title: Potential Malicious NPM/PyPI Package Installation
id: 5a3b2c1d-9e8f-7a6b-5c4d-3e2f1a0b9c8d
status: stable
description: Detects installation of known malicious npm or PyPI packages associated with North Korean fake recruitment campaigns.
references:
    - https://panther.com/blog/tracking-an-ottercookie-infostealer-campaign-across-npm
    - https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs
author: Security Arsenal
date: 2026/04/15
tags:
    - attack.initial_access
    - attack.supply_chain
logsource:
    category: process_creation
    product: windows
detection:
    selection_npm:
        CommandLine|contains:
            - 'npm install graphalgo'
            - 'npm install bigmathutils'
            - 'npm install ottercookie'
            - 'npm install beavertail'
            - 'npm install invisibleferret'
    selection_pip:
        CommandLine|contains:
            - 'pip install graphalgo'
            - 'pip install bignum'
            - 'pip install terminal-kleur'
    condition: 1 of selection*
falsepositives:
    - Legitimate developer usage of packages with similar names (low probability)
level: high
---
title: C2 Communication - OtterCookie/Lazarus Infrastructure
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: stable
description: Detects network connections to known Command and Control (C2) infrastructure associated with OtterCookie and Lazarus Group campaigns.
references:
    - https://otx.alienvault.com/
author: Security Arsenal
date: 2026/04/15
tags:
    - attack.command_and_control
    - attack.exfiltration
logsource:
    category: network_connection
    product: windows
detection:
    selection_ip_range:
        DestinationIp|startswith:
            - '144.172.'
            - '107.189.'
    selection_domains:
        DestinationHostname|contains:
            - 'codepool.cloud'
            - 'aurevian.cloud'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
---
title: Suspicious Cisco FMC Exploitation Activity (Interlock Ransomware)
id: c4d5e6f7-8a9b-0c1d-2e3f-4a5b6c7d8e9f
status: stable
description: Detects potential exploitation attempts of CVE-2026-20131 exploited by Interlock Ransomware Group, characterized by deserialization anomalies.
references:
    - https://www.recordedfuture.com/blog/march-2026-cve-landscape
author: Security Arsenal
date: 2026/04/15
tags:
    - attack.initial_access
    - attack.exploitation
logsource:
    category: webserver
    product: cisco
detection:
    selection_exploit:
        cs-uri-query|contains: 'serializedData' # Placeholder for specific payload signature
    selection_status:
        sc-status: 200
    condition: selection_exploit and selection_status
falsepositives:
    - Legitimate API calls to FMC (requires tuning based on environment)
level: high


kql
// KQL for Microsoft Sentinel: Hunt for Malicious Package Installations and C2 Traffic
// 1. Process Creation Events for suspicious packages
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("npm install", "pip install")
| where ProcessCommandLine has_any ("graphalgo", "bigmathutils", "ottercookie", "beavertail", "terminal-kleur", "bignum")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| extend ThreatContext = "North Korean Supply Chain Package"

// 2. Network Connections to C2 Infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP has_any ("144.172.", "107.189.") or RemoteUrl has_any ("codepool.cloud", "aurevian.cloud")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName
| extend ThreatContext = "Lazarus/OtterCookie C2 Traffic"


powershell
# PowerShell Hunt Script: Check for Indicators of Compromise (IOCs) related to OtterCookie/Lazarus

# 1. Check for presence of malicious npm package folders in common locations
Write-Host "Checking for malicious npm package folders..."
$maliciousPackages = @("node_modules/graphalgo", "node_modules/bigmathutils", "node_modules/ottercookie")
$drive = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

foreach ($path in $maliciousPackages) {
    Get-ChildItem -Path $drive -Filter $path -Recurse -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime
}

# 2. Check for active network connections to C2 IPs
Write-Host "Checking for active C2 connections..."
$c2IPs = @("144.172.110.228", "144.172.110.96", "107.189.22.20")
Get-NetTCPConnection | Where-Object { $c2IPs -contains $_.RemoteAddress } | Select-Object LocalAddress, RemoteAddress, State, OwningProcess

# 3. Check for specific file hashes (Simulated - requires hash database access)
Write-Host "Scanning for known malicious file hashes..."
# Note: In a real scenario, use Get-FileHash and compare against the provided IOC list
# Example: Get-ChildItem -Path C:\Users\ -Recurse -File | Get-FileHash -Algorithm MD5 | Where-Object { $knownHashes -contains $_.Hash }


# Response Priorities

**Immediate (0-12 hours)**:
*   **Block IOCs**: Implement immediate blocks on perimeter firewalls and proxies for IP ranges `144.172.0.0/16`, `107.189.0.0/16` and domains `codepool.cloud`, `aurevian.cloud`.
*   **Scan**: Run EDR full scans using the provided MD5 hashes to identify latent malware.

**24 Hours**:
*   **Hunt**: Execute the provided PowerShell/KQL queries across endpoints to identify developers who may have executed the malicious npm/pip packages.
*   **Verify**: Validate identity of recent recruitment contacts in development teams; revoke SSH keys and tokens if credential theft is suspected.

**1 Week**:
*   **Patch**: Prioritize and patch Cisco FMC appliances for CVE-2026-20131 and other critical CVEs listed in the March 2026 landscape.
*   **Architecture**: Implement Software Bill of Materials (SBOM) scanning and strict allow-listing for internal npm/PyPI registries to prevent supply chain infiltration.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptottercookielazarus-groupinterlock-ransomwaresupply-chain-attacknpm-pypi

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action