npoint

Malware family (Mallory)


MITRE ATT&CK: techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution (1 technique)

T1059 Command and Scripting Interpreter (evidence: 1)

In their place, the npoint sample uses a different vocabulary covering the same functional categories: a victim-registration event, a shell-command dispatch event...

Credential Access (1 technique)

T1555 Credentials from Password Stores (evidence: 1)

Collection class: Browser data. Behavior: Credential and cookie theft consistent with the broader Contagious Interview campaign.

Discovery (1 technique)

T1083 File and Directory Discovery (evidence: 1)

In their place, the npoint sample uses a different vocabulary covering the same functional categories: a victim-registration event, a shell-command dispatch event, directory-listing and file-read primitives...

Command and Control (2 techniques)

T1071 Application Layer Protocol (evidence: 1)

OtterCookie is a separate JavaScript / Node.js RAT... Its command-and-control runs on Socket.IO over Engine.IO v4... The C2 maintains a live roster of connected victims and pushes that roster outward on a clock.

T1071.001 Web Protocols (evidence: 1)

Socket.IO gave the operators something BeaverTail did not: session state. A victim did not have to appear as a fresh HTTP request every time. It connected, upgraded to a WebSocket, stayed present, and became part of a roster.
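The session shape described in the two C2 entries above (an Engine.IO handshake, an upgrade to WebSocket, then a persistent presence with a reused session id) is something a defender can look for in proxy or web-gateway logs. The following is an added example, not code from Mallory or from any published analysis of this family. It assumes a simple space-separated proxy log (timestamp, client IP, method, URL, status) that is constructed inline, and it keys on the EIO (Engine.IO protocol version) and transport query parameters that Engine.IO clients send rather than on the default /socket.io/ path, since an operator can change the path but the client library still sends those parameters. The sample addresses and session id are constructed placeholders, not indicators from the page.

```python
"""Flag Engine.IO / Socket.IO handshake traffic in proxy logs (added example, constructed data)."""
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log lines, not real telemetry.
# Fields: timestamp, client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 GET http://203.0.113.10:1224/socket.io/?EIO=4&transport=polling&t=OaBc1 200
2024-01-01T10:00:01Z 10.0.0.5 POST http://203.0.113.10:1224/socket.io/?EIO=4&transport=polling&t=OaBc2&sid=abc 200
2024-01-01T10:00:02Z 10.0.0.5 GET http://203.0.113.10:1224/socket.io/?EIO=4&transport=websocket&sid=abc 101
2024-01-01T10:00:03Z 10.0.0.7 GET https://www.example.com/index.html 200
2024-01-01T10:00:04Z 10.0.0.9 GET http://198.51.100.4/sock/?EIO=4&transport=websocket 101
2024-01-01T10:00:05Z 10.0.0.7 GET https://www.example.com/app.js 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_line(line):
    """Return (timestamp, client, method, url, status) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return ts, client, method, url, int(status)


def analyze(log_text):
    """Group Engine.IO handshake requests per (client, host) and summarize the session shape.

    A request counts as Engine.IO traffic when its query string carries both the
    EIO (protocol version) and transport parameters, whatever the URL path is.
    """
    sessions = defaultdict(lambda: {"requests": 0, "transports": set(), "sids": set(),
                                    "eio": set(), "upgraded": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, _method, url, status = rec
        parsed = urlparse(url)
        q = parse_qs(parsed.query)
        if "EIO" not in q or "transport" not in q:
            continue
        s = sessions[(client, parsed.netloc)]
        s["requests"] += 1
        s["transports"].update(q["transport"])
        s["eio"].update(q["EIO"])
        s["sids"].update(q.get("sid", []))
        # 101 Switching Protocols on a transport=websocket request is the upgrade
        # that turns a polling client into a long-lived, stateful presence.
        if status == 101 and "websocket" in q["transport"]:
            s["upgraded"] = True

    findings = []
    for (client, host), s in sorted(sessions.items()):
        findings.append({
            "client": client,
            "host": host,
            "eio": ",".join(sorted(s["eio"])),
            "transports": sorted(s["transports"]),
            "sids": sorted(s["sids"]),
            "upgraded": s["upgraded"],
            "requests": s["requests"],
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Socket.IO is widely used by legitimate web applications, so a hit here is a triage signal rather than a verdict: the polling-to-WebSocket upgrade with a reused sid is the stateful roster membership the page describes, and it becomes interesting when the destination is an unfamiliar host or port, the client is a developer workstation rather than a browser session, or the connection stays open for hours. Pair the finding with destination reputation and session duration from the same telemetry.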

What this page doesn’t show

The version that knows your environment. This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching: Match every observed IP, domain, and hash against your live telemetry.
Threat actor attribution: Named campaigns wielding this family, with evidence pinned to each claim.
Exploited vulnerabilities: CVEs this family uses for access and lateral movement.
Detection signatures: YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
MITRE ATT&CK mapping (5): Every documented technique, ranked by evidence weight.
Researcher chatter: Reddit, Mastodon, and CTI community discussion around this family.