{
	"id": "d19d1ade-6c28-4959-a313-5d41594b819a",
	"created_at": "2026-04-06T00:18:25.768672Z",
	"updated_at": "2026-04-10T03:19:56.8705Z",
	"deleted_at": null,
	"sha1_hash": "6e70c0df70d089be213f9ea4fa33a2e184030a74",
	"title": "WARMCOOKIE One Year Later: New Features and Fresh Insights",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1130229,
	"plain_text": "WARMCOOKIE One Year Later: New Features and Fresh Insights\r\nBy Daniel Stepanic, Seth Goodwin\r\nPublished: 2025-10-01 · Archived: 2026-04-05 15:11:58 UTC\r\nRevisiting WARMCOOKIE\r\nElastic Security Labs continues to track developments in the WARMCOOKIE codebase, uncovering new\r\ninfrastructure tied to the backdoor. Since our original post, we have been observing ongoing updates to the code\r\nfamily and continued activity surrounding the backdoor, including new infections and its use with emerging loaders. A\r\nrecent finding by the IBM X-Force team highlighted a new Malware-as-a-Service (MaaS) loader, dubbed\r\nCASTLEBOT, distributing WARMCOOKIE.\r\nIn this article, we will review new features added to WARMCOOKIE since its initial publication. Following this, we’ll\r\npresent the extracted configuration information from various samples.\r\nKey takeaways\r\nThe WARMCOOKIE backdoor is actively developed and distributed\r\nCampaign ID, a recently added marker, sheds light on targeting specific services and platforms\r\nWARMCOOKIE operators appear to receive variant builds distinguished by their command handlers and\r\nfunctionality\r\nElastic Security Labs identified a default certificate that can be used to track new WARMCOOKIE C2 servers\r\nWARMCOOKIE recap\r\nWe first published research about WARMCOOKIE in the summer of 2024, detailing its functionality and how it was\r\ndeployed through recruiting-themed phishing campaigns. Since then, we have observed various development changes\r\nto the malware, including the addition of new handlers, a new campaign ID field, code optimization, and evasion\r\nadjustments.\r\nWARMCOOKIE’s significance was highlighted in May 2025, during Europol’s Operation Endgame, in which\r\nmultiple high-profile malware families, including WARMCOOKIE, were disrupted. 
Despite this, we are still seeing\r\nthe backdoor being actively used in various malvertising and spam campaigns.\r\nWARMCOOKIE updates\r\nHandlers\r\nDuring our analysis of the new variant of WARMCOOKIE, we identified four new handlers introduced in the summer\r\nof 2024, providing quick capabilities to launch executables, DLLs, and scripts:\r\nPE file execution\r\nDLL execution\r\nhttps://www.elastic.co/security-labs/revisiting-warmcookie\r\nPage 1 of 11\n\nPowerShell script execution\r\nDLL execution with Start export\r\nSwitch statement inside command handler\r\nThe most recent WARMCOOKIE builds we have collected contain the DLL/EXE execution functionality, with\r\nPowerShell script functionality being much less prevalent. These capabilities leverage the same function by passing\r\ndifferent arguments for each file type. The handler creates a folder in a temporary directory, writing the file content\r\n(EXE / DLL / PS1) to a temporary file in the newly created folder. Then, it executes the temporary file directly or uses\r\neither rundll32.exe or PowerShell.exe. Below is an example of PE execution from Procmon.\r\nPE execution handler via Procmon\r\nString bank\r\nAnother change observed was the adoption of a list of legitimate companies for the folder paths and scheduled\r\ntask names for WARMCOOKIE (referred to as a “string bank”). This is done for defense evasion purposes, allowing\r\nthe malware to relocate to more legitimate-looking directories. 
This approach uses a more dynamic method (a list of\r\ncompanies to use as folder paths, assigned at malware runtime) as opposed to hardcoding the path into a static\r\nlocation, as we observed with previous variants (C:\\ProgramData\\RtlUpd\\RtlUpd.dll).\r\nWARMCOOKIE string bank\r\nThe malware uses GetTickCount as a seed for the srand function to randomly select a string from the string bank.\r\nFunction used for selecting strings from the string bank\r\nThe following depicts an example of a scheduled task showing the task name and folder location:\r\nScheduled task using string bank\r\nBy searching a few of these names and descriptions, our team found that this string bank is sourced from a website\r\nused to rate and find reputable IT/Software companies.\r\nIT rating website used to populate the string bank\r\nSmaller changes\r\nIn our last write-up, WARMCOOKIE passed a command-line parameter using /p to determine if a scheduled task\r\nneeds to be created; this parameter has been changed to /u. This appears to be a small but additional change to\r\nbreak away from previous reporting.\r\nIn this new variant, WARMCOOKIE now embeds 2 separate GUID-like mutexes; these are used in combination to\r\nbetter control initialization and synchronization. Previous versions only used one mutex.\r\nAnother noticeable improvement in the more recent versions of WARMCOOKIE is code optimization. The\r\nimplementation seen below is now cleaner with less inline logic, which optimizes the program for readability,\r\nperformance, and maintainability.\r\nCode optimization comparison\r\nClustering configs\r\nSince our initial publication in July 2024, WARMCOOKIE samples have included a campaign ID field. 
This field is\r\nused by operators as a tag or marker that provides context around the infection, such as the distribution\r\nmethod. Below is an example of a sample with a campaign ID of traffic2.\r\nCampaign ID within WARMCOOKIE\r\nBased on the extracted configurations of samples in the last year, we hypothesize that the embedded RC4 key can be\r\nused to distinguish between operators using WARMCOOKIE. While unproven, we observed from various samples\r\nthat some patterns started to emerge based on clustering the RC4 key.\r\nRC4 key distribution with campaign IDs\r\nBy using the RC4 key, we can see overlap in campaign themes over time, such as the build using RC4 key\r\n83ddc084e21a244c, which leverages keywords such as bing, bing2, bing3, and aws for campaign mapping.\r\nAn interesting note, as it relates to these build artifacts, is that some builds contain different command\r\nhandlers/functionality. For example, the build using the RC4 key 83ddc084e21a244c is the only variant we have\r\nobserved that has PowerShell script execution capabilities, while most recent builds contain the DLL/EXE handlers.\r\nOther campaign IDs appear to use terms such as lod2lod, capo, or PrivateDLL. For the first time, we saw the\r\nuse of embedded domains versus numeric IP addresses in WARMCOOKIE from a sample in July 2025.\r\nWARMCOOKIE infrastructure overview\r\nAfter extracting the infrastructure from these configurations, one SSL certificate stands out. 
We hypothesize that the\r\ncertificate below may be a default certificate used for the WARMCOOKIE back-end.\r\nIssuer\r\n C=AU, ST=Some-State, O=Internet Widgits Pty Ltd\r\nNot Before\r\n 2023-11-25T02:46:19Z\r\nNot After\r\n 2024-11-24T02:46:19Z\r\nFingerprint (SHA1)\r\n e88727d4f95f0a366c2b3b4a742950a14eff04a4\r\nFingerprint (SHA256)\r\n 8c5522c6f2ca22af8db14d404dbf5647a1eba13f2b0f73b0a06d8e304bd89cc0\r\nCertificate details\r\nNote that the “Not After” date above shows this certificate has expired. However, new (and reused) infrastructure\r\ncontinues to be initialized using this expired certificate. This is not entirely new infrastructure, but rather a\r\nreconfiguration of redirectors to breathe new life into existing infrastructure. This could indicate that the campaign\r\nowners are not concerned with the C2 being discovered.\r\nCertificate reuse screenshot, September 2024 to September 2025\r\nConclusion\r\nElastic Security Labs continues to observe WARMCOOKIE infections and the deployment of new infrastructure for\r\nthis family. Over the last year, the developer has continued to make updates and changes, suggesting it will be around\r\nfor some time to come. Based on its selective usage, it continues to remain under the radar. We hope that by sharing\r\nthis information, organizations will be better equipped to protect themselves from this threat.\r\nMalware and MITRE ATT\u0026CK\r\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that advanced\r\npersistent threats use against enterprise networks.\r\nTactics\r\nTactics represent the why of a technique or sub-technique. 
It is the adversary’s tactical goal: the reason for performing\r\nan action.\r\nInitial Access\r\nExecution\r\nDefense Evasion\r\nDiscovery\r\nCommand and Control\r\nExfiltration\r\nTechniques\r\nTechniques represent how an adversary achieves a tactical goal by performing an action.\r\nPhishing\r\nUser Execution: Malicious Link\r\nCommand and Scripting Interpreter: PowerShell\r\nSystem Information Discovery\r\nScheduled Task/Job\r\nScreen Capture\r\nCommand and Scripting Interpreter: Windows Command Shell\r\nIndicator Removal: Relocate Malware\r\nDetecting malware\r\nPrevention\r\nSuspicious PowerShell Downloads\r\nScheduled Task Creation by an Unusual Process\r\nSuspicious PowerShell Execution via Windows Scripts\r\nRunDLL32 with Unusual Arguments\r\nWindows.Trojan.WarmCookie\r\nYARA\r\nElastic Security has created the following YARA rules to identify this activity.\r\nWindows.Trojan.WarmCookie\r\nObservations\r\nThe following observables were discussed in this research.\r\nReferences\r\nThe following were referenced 
throughout the above research:\r\nhttps://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation\r\nhttps://www.europol.europa.eu/media-press/newsroom/news/operation-endgame-strikes-again-ransomware-kill-chain-broken-its-source\r\nSource: https://www.elastic.co/security-labs/revisiting-warmcookie",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/revisiting-warmcookie"
	],
	"report_names": [
		"revisiting-warmcookie"
	],
	"threat_actors": [],
	"ts_created_at": 1775434705,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e70c0df70d089be213f9ea4fa33a2e184030a74.pdf",
		"text": "https://archive.orkl.eu/6e70c0df70d089be213f9ea4fa33a2e184030a74.txt",
		"img": "https://archive.orkl.eu/6e70c0df70d089be213f9ea4fa33a2e184030a74.jpg"
	}
}