{
	"id": "f697d290-09c4-4f82-ac22-1e3fb00c9bc7",
	"created_at": "2026-04-06T00:16:05.849375Z",
	"updated_at": "2026-04-10T03:21:57.787732Z",
	"deleted_at": null,
	"sha1_hash": "7692eb73f80df6bfac940e06962af10f0aece737",
	"title": "Newly discovered: BadSpace backdoor delivered by high-ranking websites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 211503,
	"plain_text": "Newly discovered: BadSpace backdoor delivered by high-ranking websites\r\nBy Karsten Hahn, Anna Lvova\r\nPublished: 2025-04-09 · Archived: 2026-04-05 16:15:37 UTC\r\n06/12/2024\r\nReading time: 5 min (1298 words)\r\nImagine visiting your favorite website with the same address that you always use and it tells you that your browser needs an update. After downloading and executing the update, there's an unwelcome surprise: the BadSpace backdoor. What is this new threat capable of, and how is it eerily similar to a warm cookie?\r\nThe backstory\r\nOn the 19th of May, the threat intelligence analyst Gi7w0rm drew the attention of the cybersecurity community to a new backdoor “BadSpace” that had been discovered by the researcher @kevross33 several days earlier. We outline the infection chain and give an overview of the functionality of the backdoor.\r\nVectors in the infection chain\r\nURL construction\r\nThere is a tendency to infect WordPress websites and to inject the malicious code into JavaScript libraries like jQuery[1] or into the index page itself[2].\r\nWe were able to acquire several JScript files that drop and run the BadSpace backdoor. Some of them use extension spoofing like “.pdf.js”[3][4].\r\nGi7w0rm also informed us that some of the websites show a window with a fake Google Chrome update; after downloading, it drops the malicious backdoor or the JScript onto the system.\r\nThe domains that serve as C2 servers in the web attack[6][7] were mentioned by Group-IB Threat Intelligence, which associates them with the threat actor SocGholish. According to a report by Proofpoint, it is typical for SocGholish to use fake updates and JS files. The described attack shows many similarities in the way the backdoor was delivered.\r\nhttps://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor\r\nPage 1 of 6\n\nJScript\r\nThe JScript file[3] employs different obfuscation techniques. 
The de-obfuscation starts with three functions and a strings array. For example, the first function shifts the given array 143,858 times (0x231f2), and another function, after subtracting 383 (0x17f), points to the first element of a new array. The shift and subtract values are not fixed and are unique to each sample. This new array replaces the obfuscated names of the variables and functions. However, for additional complexity, not all variables are renamed after the execution of the mentioned functions; the rest of the variables are declared within the code. We suspect that the threat actor used the service obfuscator.io.\r\nThe third function at the end of the file is obfuscated with the JavaScript Compressor by Dean Edwards. The result of this function finishes the construction of the PowerShell downloader.\r\nThe PowerShell code silently downloads the BadSpace backdoor[5] and after ten seconds executes the downloaded file using rundll32.exe.\r\nBadSpace string and API obfuscation\r\nThe present BadSpace sample[5] is a PE32+ DLL that is not packed but obfuscated.\r\nThe strings, Windows API DLL names, and Windows API function names that it uses are encrypted with RC4. Each string blob has the following layout: a four-byte length of the encrypted data, followed by a four-byte RC4 key, followed by the encrypted data.\r\n[Figure: Buildup of encrypted string blob]\r\nAPIs are resolved dynamically via LoadLibraryW and GetProcAddress using the decrypted function names from the strings table.\r\nWe created an IDA Python script to automatically decode strings and APIs in the IDA database. The script searches for potential decryption function calls in the Ctree of the decompiler, decrypts the argument, changes the string reference label to the decrypted string, and adds comments.\r\nWhile discussing the case with other researchers, Mohamed Ashraf provided a standalone Python script that also decrypts BadSpace strings. 
It works independently of IDA.\r\nBadSpace anti-sandbox and persistence\r\nBadSpace[5] employs several anti-sandbox heuristics.\r\n- It counts the number of folders in the %TEMP% directory and in %APPDATA% and makes sure that these are above a certain threshold.\r\n- It queries the registry and counts how often DisplayName appears as a subkey of SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall.\r\n- It checks the number of processors and the global memory status.\r\nThe thresholds for all anti-sandbox heuristics are slightly different for each sample.\r\n[Figure: Anti-sandbox checks at the start of execution]\r\nAfter the anti-sandbox checks, it first creates the mutex “32ac0087-89d0-4ea5-89af-26a8d08e87ce”; this UUID value is different for each BadSpace sample.\r\nThen it persists via scheduled task creation and self-copying. The persistence function accounts for both EXE and DLL files. Because the present sample is a DLL, the scheduled task uses the command:\r\nIf that fails, it tries a different folder:\r\nThe arguments Start /p make sure that the persistence function is not executed again.\r\nC2 communication\r\nThe initial request to the server sends a cookie, which contains encrypted information about the infected system. This cookie is most likely the reason for the malware’s alias name WarmCookie. 
The following data is sent to the server:\r\n- computer name\r\n- DNS domain assigned to the local computer\r\n- crc32 hash of the Volume Serial Number for C: XORed with the crc32 hash of 32ac0087-89d0-4ea5-89af-26a8d08e87ce (this UUID is different for each sample and is the same value that is used for the mutex)\r\n- OS version info\r\n- username\r\n- RC4 key\r\n[Figure: Encrypted and Base64 encoded cookie via VMRay]\r\nThere are seven different commands that the server may issue to the client. The command is determined by a number.\r\nCommand  Meaning\r\n0x1  query ProcessorNameString in HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\r\n0x2  take a screenshot\r\n0x3  query DisplayName, DisplayVersion and InstallDate in HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\r\n0x4  execute cmd command\r\n0x5  write file\r\n0x6  read file\r\n0xA  delete scheduled task persistence\r\nIndicators of compromise\r\nThe remaining section lists the SHA256 hashes, IPs and URLs that we analysed for this article. 
The square brackets [X] are references to the samples or URLs in the text.\r\nJava Script (Web infection)\r\n[1] 2b4d7ed8d12d34cbf5d57811ce32f9072845f5274a2934221dd53421c7b8762b\r\n[2] f3fed82131853a35ebb0060cb364c89f42f55e357099289ca22f7af651ee2c48\r\nJScript droppers\r\n[3] c64cb9e0740c17b2561eed963a4d9cf452e84f462d5004ddbd0e0c021a8fdabc\r\n[4] 9786569f7c5e5183f98986b78b8e6d7afcad78329c9e61fb881d3d0960bc6a15\r\nBadSpace\r\n[5] 6a195e6111c9a4b8c874d51937b53cd5b4b78efc32f7bb255012d05087586d8f\r\nC2\r\n80.66.88.146\r\n185.49.69.41\r\n[6] uhsee[.]com\r\n[7] kongtuke[.]com
\r\nKarsten Hahn\r\nPrincipal Malware Researcher\r\nSource: https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor"
	],
	"report_names": [
		"37947-badspace-backdoor"
	],
	"threat_actors": [],
	"ts_created_at": 1775434565,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7692eb73f80df6bfac940e06962af10f0aece737.pdf",
		"text": "https://archive.orkl.eu/7692eb73f80df6bfac940e06962af10f0aece737.txt",
		"img": "https://archive.orkl.eu/7692eb73f80df6bfac940e06962af10f0aece737.jpg"
	}
}