ctipilot.ch

OTTERCOOKIE

tool · tool:ottercookie single-source

Multi-stage malware family aligned with the DPRK Contagious Interview campaign (first documented by NTT Security, December 2024; overlaps the BEAVERTAIL lineage); the 2026-07-18 Elastic-documented variant chains a browser/crypto-wallet credential stealer, a sensitive-file stealer, a Socket.IO-based RAT with interactive shell execution, and a clipboard stealer/Windows PE dropper.

Coverage timeline
1
first 2026-07-18 → last 2026-07-18
Peak priority
notable
1 notable
Sources cited
1
1 hosts
Sections touched
1
research
Co-occurring entities
1
see Related entities below
ATT&CK techniques
7
pinned v19.1 · see below

ATT&CK techniques

7 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Execution TA0002

T1204.002User Execution: Malicious File×1

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.

Evidence: 2026-07-18/contagious-interview-ottercookie-svg-steganography · ATT&CK page ↗

Stealth TA0005

T1027.003Obfuscated Files or Information: Steganography×1

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

Evidence: 2026-07-18/contagious-interview-ottercookie-svg-steganography · ATT&CK page ↗

Credential Access TA0006

T1552.001Unsecured Credentials: Credentials In Files×1

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

Evidence: 2026-07-18/contagious-interview-ottercookie-svg-steganography · ATT&CK page ↗

T1555.003Credentials from Password Stores: Credentials from Web Browsers×1

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

Evidence: 2026-07-18/contagious-interview-ottercookie-svg-steganography · ATT&CK page ↗

Discovery TA0007

T1083File and Directory Discovery×1

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Evidence: 2026-07-18/contagious-interview-ottercookie-svg-steganography · ATT&CK page ↗

Collection TA0009

T1115Clipboard Data×1

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

Evidence: 2026-07-18/contagious-interview-ottercookie-svg-steganography · ATT&CK page ↗

Command and Control TA0011

T1071.001Application Layer Protocol: Web Protocols×1

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-07-18/contagious-interview-ottercookie-svg-steganography · ATT&CK page ↗

Story timeline

  1. 2026-07-18Contagious Interview (DPRK) hides an OTTERCOOKIE-aligned payload in SVG-comment steganography inside fake coding-interview repos
    researchElastic finds a new Contagious Interview chain that splits its payload across Base64 comments in every SVG flag image and reassembles it via eval()

Relationships explore in graph

Typed, source-stated connections from the entity registry — each edge cites the entry whose reporting establishes it.

used by

Where this entity is cited

  • research1

Source distribution

  • elastic.co1 (100%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about OTTERCOOKIE (1)

2026-07-18 · view entry permalink →

NOTABLENATOB2

Contagious Interview (DPRK) hides an OTTERCOOKIE-aligned payload in SVG-comment steganography inside fake coding-interview repos

Elastic Security Labs disclosed a new instance of the long-running DPRK-aligned Contagious Interview campaign (internally tracked REF9403) after the operators targeted Elastic's own community Slack workspace with a fake job posting and a "coding challenge" project (Elastic Security Labs, 2026-07-18). The lure is a fully functional take-home project — a Next.js e-commerce template copied from a real open-source repository — that a candidate is asked to run. The novelty is where the payload hides: it is "split into Base64 fragments inside HTML comments across every SVG flag image inside an assets directory" (Elastic Security Labs, 2026-07-18). The files look like ordinary country-flag images; a JavaScript loader in the repo reassembles the comment fragments from every flag in alphabetical order, decodes them with a custom Base64 routine, and runs the result with eval() — deliberately avoiding atob() and Buffer.from so simple content scanners do not flag the decode. Because the project's package.json wires the loader into the server entry point, the payload runs on every npm run dev / npm start, and the trojanized repositories "have zero detections and are not flagged by any AV vendors" (Elastic Security Labs, 2026-07-18).

The payload is a four-stage chain Elastic assesses as aligned with OTTERCOOKIE (first documented by NTT Security in December 2024, overlapping the BEAVERTAIL lineage). Stage one enumerates browser profiles across Windows, macOS and Linux and steals saved credentials, autofill data and cryptocurrency-wallet-extension stores, masquerading its process as a benign npm-cache process. Stage two recursively discovers and exfiltrates sensitive files — environment files, private keys, keychains, shell histories, documents and source code. Stage three opens a persistent Socket.IO command-and-control channel giving the operator interactive shell execution, with sandbox/VM detection used to tag rather than halt on analysis machines. Stage four (Windows) drops further second-stage binaries disguised as text files and adds a clipboard stealer polling every 500 ms.

The payloads are split into Base64 fragments inside HTML comments across every SVG flag image inside an assets directory.

These trojanized repositories at the time of writing have zero detections and are not flagged by any AV vendors

Elastic Security Labs 2026-07-18
research18 Jul 04:35Zsingle-sourceOpen finding ↗