Cyberdudebivash

Inside the Keylogging Fusion: Analyzing North Korea’s New ‘BeaverTail & OtterCookie’ Malware Combination

, , , ,
CYBERDUDEBIVASH

CYBERDUDEBIVASH • ThreatWire

Published: October 17, 2025

Inside the Keylogging Fusion: Analyzing North Korea’s New “BeaverTail & OtterCookie” Malware Combinationwww.cyberdudebivash.com•cyberdudebivash-news.blogspot.com•cyberbivash.blogspot.com•cryptobivash.code.blogBeaverTail — Low-noise Keylogger OtterCookie — Browser Token/Cookie Theft SSO / JWT C2 • Proxy Relay / Dead Drop“BeaverTail” captures keystrokes while “OtterCookie” steals session tokens/cookies; both trickle data to proxy C2 for account takeover and lateral movement.

TL;DR: A North Korea–aligned cluster is pairing a quiet user-mode keylogger (“BeaverTail”) with a token/cookie stealer (“OtterCookie”). The combo evades MFA by hijacking active sessions, then replays stolen cookies to access email, Git, CI/CD and cloud consoles. Initial access: malicious Office docspackage manager scripts, and IT support lures. Priority: invalidate tokensrotate SSO secrets, hunt for browser data exfil, and enforce device-bound MFA.

Focus regions: US • EU • UK • AU • IN • Targets: Media, Crypto/FinTech, Defense-adjacent R&D, IT MSPs/MSSPs

Executive Summary

Instead of brute-forcing MFA, the operators harvest what MFA protects—your already-validated browser state. By combining keystrokes (credentials, seed phrases, CLI tokens) with live cookies (SSO/JWT/SessionID), they jump straight into mailboxes, source repos, ticketing, and cloud admin portals. Expect hands-on-keyboard follow-ups and selective data theft to sustain access.

Probable Attack Chain

  1. Initial Access — Malicious Office/ISO/zipped JS; staged via drive-by, spear-phish, or fake helpdesk chats. Some samples use signed-but-abused installers or LOLBins (wscript, mshta, rundll32).
  2. Execution — User-space loader drops “BeaverTail” (DLL/EXE) and a lightweight “OtterCookie” module (per-browser grabber).
  3. Persistence — Run keys, scheduled tasks, WMI subscriptions; optional Edge/Chrome extensions for refresh-proof session access.
  4. Discovery & Collection — Keystrokes + clipboard; export Cookies/Login Data DBs, localStorage, extension vaults.
  5. Exfiltration — HTTPS to rotating C2, paste/notes dead-drops, or commodity file hosts; optional DNS canary trickle.
  6. Post-Exploitation — Cookie replay to Outlook/Teams/Slack/Jira/Git; creation of PATs, OAuth app grants, admin role sprawl.

Technical Traits (What to Look For)

  • BeaverTail: low-rate file writes to obfuscated paths, event hooks via SetWindowsHookEx, rare ETW tamper; sleeps/jitters to blend with user activity.
  • OtterCookie: copies Chromium profiles (%LOCALAPPDATA%\[Browser]\User Data\), decrypts with DPAPI; grabs CookiesLogin DataWeb Data, and app tokens.
  • Defense evasion: signed loader; LOLBins for staging; encrypted config blobs with domain allowlists; proxy-aware beaconing.
  • C2 patterns: short-lived domains behind CDN/fronting, rotating TLS prints; URIs that mimic telemetry.

Detections that Actually Fire

EDR / Sysmon
- Event hooking: SetWindowsHookEx from unknown signer → ALERT
- Abnormal reads of leveldb/SQLite in browser profile by non-browser process
- DPAPI decrypt shortly after browser shutdown
- New Scheduled Task / WMI subscriptions with random animal/day names
- Mass PAT creation in GitHub/GitLab/Azure DevOps within 60m of atypical login

Identity / SIEM
- Impossible travel + cookie replay (no fresh MFA) to M365/Jira/Confluence
- Spike in OAuth consent grants or new enterprise app registrations

Network
- Small periodic HTTPS POSTs (

Rapid Response Playbook (60–180 minutes)

  Contain: Isolate hosts; block C2 FQDN/IP; revoke OAuth grants & PATs; disable suspicious extension IDs.
  Invalidate Sessions: Force re-auth on IdP; revoke refresh tokens org-wide; rotate session keys/secrets.
  Hunt: Query for DPAPI access on browser stores; non-browser reads of Cookies/Login Data; new tasks/WMI.
  Credential Hygiene: Reset user pwds; rotate app secrets; require device-bound passkeys for privileged roles.
  Eradicate: Remove persistence; uninstall rogue extensions; reimage high-risk admin/dev machines if needed.
  Hardening: Conditional Access (device compliance + MFA), short session life, CAE, disable legacy protocols.


For Your SOC: Practical Queries (Examples)
Windows (pseudo-KQL)
DeviceProcessEvents
| where FileName in~ ("rundll32.exe","wscript.exe","mshta.exe")
| where ProcessCommandLine has_any ("User Data\\Default\\Cookies","\\Login Data","localstorage")

DeviceFileEvents
| where FolderPath has "\\User Data\\Default\\"
| where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","brave.exe")

OAuth/PAT audit
AuthZGrant
| where NewConsent == true or Scopes has_any ("Mail.ReadWrite","offline_access")
| summarize count() by UserId, AppId, bin(1h)


IOC & Telemetry (Populate During IR)

  Filenames/Paths: user-profile temp dirs with animal-theme names; %APPDATA%\Microsoft\<random>\*.log slowly growing.
  Mutexes: simple words (“btail”, “otter”), day-based tokens.
  C2: newly registered domains; subdomains resembling analytics/telemetry.
  Hashes: case-specific; expect rapid re-packing → do not rely on static IOCs.



Who’s in the Crosshairs?

  US/EU media & tech: newsroom accounts → social hijack + data theft.
  UK/AU MSP/MSSP: shared admin workstations → downstream client compromise.
  IN crypto/fintech: wallet seed/keystroke theft + SSO cookie replay → instant takeover.



Related Reading on CyberDudeBivash

  Keylogger case studies & detections
  Cookie theft & token replay defenses
  Stopping OAuth app abuse in the enterprise



Stay ahead of APT tradecraft. Get board-ready briefs, YARA/EDR hunts, and one-page exec actions.
  Subscribe to our LinkedIn Newsletter →



  Security Essentials (sponsored)
  
      Kaspersky Endpoint Security
      ASR/behavioral rules to block keyloggers & token stealers.
    
      HideMyName VPN
      Lock IdP/cloud admin portals to fixed egress IPs.
    
      TurboVPN
      Secure remote admin with device-bound MFA and short sessions.
    
  Disclosure: We may earn a commission if you buy via these links. This supports independent research.



Why trust CyberDudeBivash? We publish vendor-agnostic, executive-grade threat intel and SOC runbooks for US/EU/UK/AU/IN enterprises—focused on real detections, fast containment, and measurable risk reduction.




  APT, DPRK, keylogger, cookie theft, session hijacking, MFA bypass, OAuth abuse, DPAPI, Chromium profiles,
  Sysmon, EDR, SIEM, identity security, OAuth consent, passkeys, conditional access, US, EU, UK, Australia, India.




  #APT #DPRK #Keylogger #CookieTheft #SessionHijacking #MFABypass #IdentitySecurity #EDR #Sysmon #OAuth #ZeroTrust
  #ThreatHunting #IncidentResponse #SOC #US #EU #UK #Australia #India #CISO #MSSP #MDR


Educational, defensive guidance only. Indicators above are representative; validate against your telemetry and current advisories before enforcement.

Leave a comment

Design a site like this with WordPress.com
Get started