Lazarus Group Deploys New 'OtterCookie' Malware to Target Crypto Professionals

North Korea-linked hacking group Lazarus is back in the spotlight with a sophisticated new cyberattack campaign aimed at professionals in the cryptocurrency and financial sectors. According to web3 security firm SlowMist, the group is leveraging a new malware strain dubbed OtterCookie, using tactics like fake job offers, deepfake recruiter videos, and booby-trapped coding challenges to infect victims' systems.
🚨SlowMist Security Alert🚨
SlowMist recently received intelligence indicating that the Lazarus APT group is using a new stealer called OtterCookie in targeted attacks on crypto & finance pros.
Tactics:
- Fake job interviews/investor calls
- Deepfake videos to impersonate…
— SlowMist (@SlowMist_Team) June 6, 2025
In a June 6 public alert, SlowMist revealed that OtterCookie is designed to steal sensitive data from macOS machines—a growing platform for developers and crypto users. The malware can extract saved browser credentials, macOS Keychain passwords, private keys from crypto wallets, and even digital certificates, giving attackers a direct line to confidential information.
What sets this campaign apart is its emphasis on social engineering over brute-force or infrastructure attacks. Lazarus appears to be shifting toward more targeted, personalized tactics that exploit human trust rather than software vulnerabilities.
This isn’t the group’s first major move in 2024. Lazarus is widely believed to be behind February’s $1.5 billion Bybit hack, one of the largest in crypto history, which was carried out using similar phishing and impersonation techniques. Since then, the group has continued to target developer environments and wallet infrastructure through malicious npm packages and spoofed tech company websites.
One such fake platform, known as Blocknovas, was seized in April by the FBI and cybersecurity firm Silent Push. It had posed as a legitimate U.S.-based tech firm and was used to distribute malware under the guise of job recruitment.
SlowMist is urging crypto professionals to stay vigilant. Key recommendations include avoiding unsolicited job or investment offers—especially those that involve downloading files or attending unfamiliar video calls. Enhanced endpoint detection and cautious behavior around unknown binaries are also crucial, the firm noted.
These warnings come at a time when the crypto sector is facing an increasingly hostile threat landscape. In Q1 of 2024 alone, the industry saw losses exceeding $1.6 billion due to cyberattacks. May alone accounted for another $244 million, driven by incidents like the $220 million Cetus Protocol hack and the $12 million Cork Protocol exploit.
#PeckShieldAlert In May 2025, ~20 major crypto hacks were recorded, resulting in total losses of $244.1M—a 39.29% decrease from April. Notably, @CetusProtocol & #SUI have frozen a combined $157M of stolen funds (representing 71% recovery from the $220M theft). #Top 5 Hacks in… pic.twitter.com/ZJmGZvbthS
— PeckShieldAlert (@PeckShieldAlert) June 1, 2025
As Lazarus continues to evolve its attack strategies, the line between technical exploits and psychological manipulation is blurring. For crypto professionals, staying secure now means more than just updating software—it means verifying identities, questioning offers, and staying ahead of increasingly clever social engineering tactics.