Inside the Keylogging Fusion: Analyzing North Korea's New 'BeaverTail & OtterCookie' Malware Combination

CYBERDUDEBIVASH • ThreatWire

Published: October 17, 2025

Inside the Keylogging Fusion: Analyzing North Korea's New “BeaverTail & OtterCookie” Malware Combination

www.cyberdudebivash.com• cyberdudebivash-news.blogspot.com• cyberbivash.blogspot.com• cryptobivash.code.blog

“BeaverTail” captures keystrokes while “OtterCookie” steals session tokens/cookies; both trickle data to proxy C2 for account takeover and lateral movement.

TL;DR: A North Korea–aligned cluster is pairing a quiet user-mode keylogger (“BeaverTail”) with a token/cookie stealer (“OtterCookie”). The combo evades MFA by hijacking active sessions, then replays stolen cookies to access email, Git, CI/CD and cloud consoles. Initial access: malicious Office docs, package manager scripts, and IT support lures. Priority: invalidate tokens, rotate SSO secrets, hunt for browser data exfil, and enforce device-bound MFA.

Focus regions: US • EU • UK • AU • IN • Targets: Media, Crypto/FinTech, Defense-adjacent R&D, IT MSPs/MSSPs

Executive Summary

Instead of brute-forcing MFA, the operators harvest what MFA protects—your already-validated browser state. By combining keystrokes (credentials, seed phrases, CLI tokens) with live cookies (SSO/JWT/SessionID), they jump straight into mailboxes, source repos, ticketing, and cloud admin portals. Expect hands-on-keyboard follow-ups and selective data theft to sustain access.

Probable Attack Chain

Initial Access — Malicious Office/ISO/zipped JS; staged via drive-by, spear-phish, or fake helpdesk chats. Some samples use signed-but-abused installers or LOLBins (wscript, mshta, rundll32).
Execution — User-space loader drops “BeaverTail” (DLL/EXE) and a lightweight “OtterCookie” module (per-browser grabber).
Persistence — Run keys, scheduled tasks, WMI subscriptions; optional Edge/Chrome extensions for refresh-proof session access.
Discovery & Collection — Keystrokes + clipboard; export Cookies/Login Data DBs, localStorage, extension vaults.
Exfiltration — HTTPS to rotating C2, paste/notes dead-drops, or commodity file hosts; optional DNS canary trickle.
Post-Exploitation — Cookie replay to Outlook/Teams/Slack/Jira/Git; creation of PATs, OAuth app grants, admin role sprawl.

Technical Traits (What to Look For)

BeaverTail: low-rate file writes to obfuscated paths, event hooks via SetWindowsHookEx, rare ETW tamper; sleeps/jitters to blend with user activity.
OtterCookie: copies Chromium profiles (%LOCALAPPDATA%\[Browser]\User Data\), decrypts with DPAPI; grabs Cookies, Login Data, Web Data, and app tokens.
Defense evasion: signed loader; LOLBins for staging; encrypted config blobs with domain allowlists; proxy-aware beaconing.
C2 patterns: short-lived domains behind CDN/fronting, rotating TLS prints; URIs that mimic telemetry.

Detections that Actually Fire

EDR / Sysmon - Event hooking: SetWindowsHookEx from unknown signer → ALERT - Abnormal reads of leveldb/SQLite in browser profile by non-browser process - DPAPI decrypt shortly after browser shutdown - New Scheduled Task / WMI subscriptions with random animal/day names - Mass PAT creation in GitHub/GitLab/Azure DevOps within 60m of atypical login Identity / SIEM - Impossible travel + cookie replay (no fresh MFA) to M365/Jira/Confluence - Spike in OAuth consent grants or new enterprise app registrations Network - Small periodic HTTPS POSTs (<3kb -="" 3="" after="" aged="" days="" dev="" domains="" immediately="" logins="" lt="" notes="" paste="" pre="" services="" to="" used="">

Rapid Response Playbook (60–180 minutes)

Contain: Isolate hosts; block C2 FQDN/IP; revoke OAuth grants & PATs; disable suspicious extension IDs.
Invalidate Sessions: Force re-auth on IdP; revoke refresh tokens org-wide; rotate session keys/secrets.
Hunt: Query for DPAPI access on browser stores; non-browser reads of Cookies/Login Data; new tasks/WMI.
Credential Hygiene: Reset user pwds; rotate app secrets; require device-bound passkeys for privileged roles.
Eradicate: Remove persistence; uninstall rogue extensions; reimage high-risk admin/dev machines if needed.
Hardening: Conditional Access (device compliance + MFA), short session life, CAE, disable legacy protocols.

For Your SOC: Practical Queries (Examples)

Windows (pseudo-KQL)
DeviceProcessEvents
| where FileName in~ ("rundll32.exe","wscript.exe","mshta.exe")
| where ProcessCommandLine has_any ("User Data\\Default\\Cookies","\\Login Data","localstorage")

DeviceFileEvents
| where FolderPath has "\\User Data\\Default\\"
| where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","brave.exe")

OAuth/PAT audit
AuthZGrant
| where NewConsent == true or Scopes has_any ("Mail.ReadWrite","offline_access")
| summarize count() by UserId, AppId, bin(1h)

IOC & Telemetry (Populate During IR)

Filenames/Paths: user-profile temp dirs with animal-theme names; %APPDATA%\Microsoft\<random>\*.log slowly growing.
Mutexes: simple words (“btail”, “otter”), day-based tokens.
C2: newly registered domains; subdomains resembling analytics/telemetry.
Hashes: case-specific; expect rapid re-packing → do not rely on static IOCs.

Who’s in the Crosshairs?

US/EU media & tech: newsroom accounts → social hijack + data theft.
UK/AU MSP/MSSP: shared admin workstations → downstream client compromise.
IN crypto/fintech: wallet seed/keystroke theft + SSO cookie replay → instant takeover.

Related Reading on CyberDudeBivash

Stay ahead of APT tradecraft. Get board-ready briefs, YARA/EDR hunts, and one-page exec actions. Subscribe to our LinkedIn Newsletter →

Security Essentials (sponsored)

Kaspersky Endpoint Security

ASR/behavioral rules to block keyloggers & token stealers.

HideMyName VPN

Lock IdP/cloud admin portals to fixed egress IPs.

TurboVPN

Secure remote admin with device-bound MFA and short sessions.

Disclosure: We may earn a commission if you buy via these links. This supports independent research.

Why trust CyberDudeBivash? We publish vendor-agnostic, executive-grade threat intel and SOC runbooks for US/EU/UK/AU/IN enterprises—focused on real detections, fast containment, and measurable risk reduction.

APT, DPRK, keylogger, cookie theft, session hijacking, MFA bypass, OAuth abuse, DPAPI, Chromium profiles, Sysmon, EDR, SIEM, identity security, OAuth consent, passkeys, conditional access, US, EU, UK, Australia, India.

#APT #DPRK #Keylogger #CookieTheft #SessionHijacking #MFABypass #IdentitySecurity #EDR #Sysmon #OAuth #ZeroTrust #ThreatHunting #IncidentResponse #SOC #US #EU #UK #Australia #India #CISO #MSSP #MDR

Educational, defensive guidance only. Indicators above are representative; validate against your telemetry and current advisories before enforcement.

CyberDudeBivash Rapid Advisory — WordPress Plugin: Social-Login Authentication Bypass (Threat Summary & Emergency Playbook)

TL;DR: A class of vulnerabilities in WordPress social-login / OAuth plugins can let attackers bypass normal authentication flows and obtain an administrative session (or create admin users) by manipulating OAuth callback parameters, reusing stale tokens, or exploiting improper validation of the identity assertions returned by providers. If you run a site that accepts social logins (Google, Facebook, Apple, GitHub, etc.), treat this as high priority : audit, patch, or temporarily disable social login until you confirm your plugin is safe. This advisory gives you immediate actions, detection steps, mitigation, and recovery guidance. Why this matters (short) Social-login plugins often accept externally-issued assertions (OAuth ID tokens, authorization codes, user info). If the plugin fails to validate provider signatures, nonce/state values, redirect URIs, or maps identities to local accounts incorrectly , attackers can craft requests that the site accepts as authenticated. ...

Cyberdudebivash

Search This Blog

Latest Cybersecurity News

New AI-Powered Malware & Deepfake-Driven Phishing Are Spiking — Volume, Sophistication, and Real-World Defenses CYBERDUDEBIVASH THREATWIRE [50th-Edition]