Eleven Hours: Inside the Lazarus Operator’s Disk After the Fake Interview Campaign

OtterCookie – The Malware That Watched the Developer

Every five seconds, OtterCookie took another look at the workstation. Episode 06 of The Fake Interview examines OtterCookie, a second-stage malware family associated with DPRK-linked Contagious Interview activity. Where earlier stages helped explain how fake technical interviews moved developers from conversation to code execution, OtterCookie shows what the operation wanted after the code was already running. This episode focuses on the real target: the developer workstation. Not an empty sandbox. Not a clean analysis VM. The real machine, with browser history, terminal residue, clipboard activity, authenticated sessions, wallets, cloud consoles, source-control access, and work still in motion. OtterCookie matters because it moved the compromise from static theft toward live observation. A credential dump captures one moment. A watcher can wait for the work to happen. In this episode: OtterCookie’s role in the broader fake-interview pipeline Why screenshots and keyboard capture mean something different on real workstations Why clean sandboxes can miss the operational value of the implant How wallet targeting changes the personal stakes for Web3 developers Why “use a VM” is right, but incomplete Why the developer became the perimeter This episode avoids live indicators, exploit walkthroughs, victim records, and reusable operational detail. The goal is to explain the campaign safely: what changed, why it mattered, and what developers and defenders should understand. The real workstation was the target. The Fake Interview is a narrative technical podcast from Red Asgard about DPRK-linked fake interview campaigns targeting developers.

the FTP Server: How One Boring Label Hid a Second Layer of the Campaign

Episode 05 focuses on how infrastructure can be misclassified during an active investigation. The server discussed here was initially understood through its FTP exfiltration role. Later evidence tied the same host to additional campaign-linked services, including OtterCookie-related collection behavior.

Eleven Hours: Inside the Lazarus Operator’s Disk After the Fake Interview Campaign

A live adversary server. Two password changes. Eleven hours. Episode 04 follows the forensic window where researchers preserved a contested Windows machine used in a Lazarus-attributed fake-interview campaign, uncovering the operator workbench behind the lures: campaign archives, fake-company material, targeting pipelines, wallet artifacts, browser traces, and signs of AI-assisted workflow.

The Factory: How a Lazarus-Attributed Credential Pipeline Collected Its Own Operators

Episode 3 focuses on the operator side of the campaign: - why the collection pipeline did not distinguish between targets and operators; - how operator workstations appeared in material collected by the campaign; - how those workstations exposed social-engineering workflow, persona infrastructure, testing behavior, provisioning activity, and command structure; - why OtterCookie should be understood as a post-access occupation tool; - what defenders can learn from the factory model without needing access to sensitive data.

Trailer: The Fake Interview

A fake coding interview. A malicious repository. A real developer workstation. The Fake Interview is a Red Asgard narrative investigation into a DPRK-linked, Lazarus-attributed campaign targeting developers, Web3 engineers, and freelance technologists through job offers, coding tests, and trust. Start with Episode 1: Real Blood on the Wire.