{
	"id": "5defe3d1-a34c-40c1-9b37-d3873ca31969",
	"created_at": "2026-04-06T00:18:27.792031Z",
	"updated_at": "2026-04-10T03:21:02.258417Z",
	"deleted_at": null,
	"sha1_hash": "799e89df59917c872498678381af35b8c0e16cf7",
	"title": "Understanding the WarmCookie Backdoor Threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 207130,
	"plain_text": "Understanding the WarmCookie Backdoor Threat\r\nBy Justin Torres\r\nPublished: 2024-07-26 · Archived: 2026-04-05 19:12:15 UTC\r\nWhat is WarmCookie malware?\r\nWarmCookie, also known as BadSpace [2], is a two-stage backdoor tool that provides functionality for threat\r\nactors to retrieve victim information and launch additional payloads. The malware is primarily distributed via\r\nphishing campaigns according to multiple open-source intelligence (OSINT) providers.\r\nBackdoor malware: A backdoor tool is a piece of software used by attackers to gain and maintain unauthorized\r\naccess to a system. It bypasses standard authentication and security mechanisms, allowing the attacker to control\r\nthe system remotely.\r\nTwo-stage backdoor malware: This means the backdoor operates in two distinct phases:\r\n1. Initial Stage: The first stage involves the initial infection and establishment of a foothold within the victim's\r\nsystem. This stage is often designed to be small and stealthy to avoid detection.\r\n2. Secondary Stage: Once the initial stage has successfully compromised the system, it retrieves or activates the\r\nsecond stage payload. This stage provides more advanced functionalities for the attacker, such as extensive data\r\nexfiltration, deeper system control, or the deployment of additional malicious payloads.\r\nHow does WarmCookie malware work?\r\nReported attack patterns include emails attempting to impersonate recruitment firms such as PageGroup, Michael\r\nPage, and Hays. These emails likely represented social engineering tactics, with attackers attempting to\r\nmanipulate jobseekers into engaging with the emails and following malicious links embedded within [3].\r\nThis backdoor tool also adopts stealth and evasion tactics to avoid the detection of traditional security tools.\r\nReported evasion tactics included custom string decryption algorithms, as well as dynamic API loading to prevent\r\nresearchers from analyzing and identifying the core functionalities of WarmCookie [1].\r\nBefore this backdoor makes an outbound network request, it is known to capture details from the target machine,\r\nwhich can be used for fingerprinting and identification [1], this includes:\r\n- Computer name\r\n- Username\r\n- DNS domain of the machine\r\n- Volume serial number\r\nhttps://darktrace.com/blog/disarming-the-warmcookie-backdoor-darktraces-oven-ready-solution\r\nPage 1 of 9\n\nWarmCookie samples investigated by external researchers were observed communicating over HTTP to a\r\nhardcoded IP address using a combination of RC4 and Base64 to protect its network traffic [1]. Ultimately, threat\r\nactors could use this backdoor to deploy further malicious payloads on targeted networks, such as ransomware.\r\nDarktrace Coverage of WarmCookie\r\nBetween April and June 2024, Darktrace’s Threat Research team investigated suspicious activity across multiple\r\ncustomer networks indicating that threat actors were utilizing the WarmCookie backdoor tool. Observed cases\r\nacross customer environments all included the download of unusual executable (.exe) files and suspicious\r\noutbound connectivity.\r\nAffected devices were all observed making external HTTP requests to the German-based external IP,\r\n185.49.69[.]41, and the URI, /data/2849d40ade47af8edfd4e08352dd2cc8.\r\nThe first investigated instance occurred between April 23 and April 24, when Darktrace detected a a series of\r\nunusual file download and outbound connectivity on a customer network, indicating successful WarmCookie\r\nexploitation. As mentioned by Elastic labs, \"The PowerShell script abuses the Background Intelligent Transfer\r\nService (BITS) to download WarmCookie and run the DLL with the Start export\" [1].\r\nLess than a minute later, the same device was observed making HTTP requests to the rare external IP address:\r\n185.49.69[.]41, which had never previously been observed on the network, for the URI\r\n/data/b834116823f01aeceed215e592dfcba7. The device then proceeded to download masqueraded executable file\r\nfrom this endpoint. Darktrace recognized that these connections to an unknown endpoint, coupled with the\r\ndownload of a masqueraded file, likely represented malicious activity.\r\nFollowing this download, the device began beaconing back to the same IP, 185.49.69[.]41, with a large number of\r\nexternal connections observed over port 80.  This beaconing related behavior could further indicate malicious\r\nsoftware communicating with command-and-control (C2) servers.\r\nDarktrace’s model alert coverage included the following details:\r\n[Model Alert: Device / Unusual BITS Activity]\r\n- Associated device type: desktop\r\n- Time of alert: 2024-04-23T14:10:23 UTC\r\n- ASN: AS28753 Leaseweb Deutschland GmbH\r\n- User agent: Microsoft BITS/7.8\r\n[Model Alert: Anomalous File / EXE from Rare External Location]\r\n[Model Alert: Anomalous File / Masqueraded File Transfer]\r\n- Associated device type: desktop\r\n- Time of alert: 2024-04-23T14:11:18 UTC\r\nhttps://darktrace.com/blog/disarming-the-warmcookie-backdoor-darktraces-oven-ready-solution\r\nPage 2 of 9\n\n- Destination IP: 185.49.69[.]41\r\n- Destination port: 80\r\n- Protocol: TCP\r\n- Application protocol: HTTP\r\n- ASN: AS28753 Leaseweb Deutschland GmbH\r\n- User agent: Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)\r\n- Event details: File: http[:]//185.49.69[.]41/data/b834116823f01aeceed215e592dfcba7, total seen size: 144384B,\r\ndirection: Incoming\r\n- SHA1 file hash: 4ddf0d9c750bfeaebdacc14152319e21305443ff\r\n- MD5 file hash: b09beb0b584deee198ecd66976e96237\r\n[Model Alert: Compromise / Beaconing Activity To External Rare]\r\n- Associated device type: desktop\r\n- Time of alert: 2024-04-23T14:15:24 UTC\r\n- Destination IP: 185.49.69[.]41\r\n- Destination port: 80\r\n- Protocol: TCP\r\n- Application protocol: HTTP\r\n- ASN: AS28753 Leaseweb Deutschland GmbH  \r\n- User agent: Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)\r\nBetween May 7 and June 4, Darktrace identified a wide range of suspicious external connectivity on another\r\ncustomer’s environment. Darktrace’s Threat Research team further investigated this activity and assessed it was\r\nlikely indicative of WarmCookie exploitation on customer devices.\r\nSimilar to the initial use case, BITS activity was observed on affected devices, which is utilized to download\r\nWarmCookie [1]. This initial behavior was observed with the device after triggering the model: Device / Unusual\r\nBITS Activity on May 7.\r\nJust moments later, the same device was observed making HTTP requests to the aforementioned German IP\r\naddress, 185.49.69[.]41 using the same URI /data/2849d40ade47af8edfd4e08352dd2cc8, before downloading a\r\nsuspicious executable file.\r\nhttps://darktrace.com/blog/disarming-the-warmcookie-backdoor-darktraces-oven-ready-solution\r\nPage 3 of 9\n\nJust like the first use case, this device followed up this suspicious download with a series of beaconing\r\nconnections to 185.49.69[.]41, again with a large number of connections via port 80.\r\nSimilar outgoing connections to 185.49.69[.]41 and model alerts were observed on additional devices during the\r\nsame timeframe, indicating that numerous customer devices had been compromised.\r\nDarktrace’s model alert coverage included the following details:\r\n[Model Alert: Device / Unusual BITS Activity]\r\n- Associated device type: desktop\r\n- Time of alert: 2024-05-07T09:03:23 UTC\r\n- ASN: AS28753 Leaseweb Deutschland GmbH\r\n- User agent: Microsoft BITS/7.8\r\n[Model Alert: Anomalous File / EXE from Rare External Location]\r\n[Model Alert: Anomalous File / Masqueraded File Transfer]\r\n- Associated device type: desktop\r\n- Time of alert: 2024-05-07T09:03:35 UTC  \r\n- Destination IP: 185.49.69[.]41\r\n- Protocol: TCP\r\n- ASN: AS28753 Leaseweb Deutschland GmbH\r\n- Event details: File: http[:]//185.49.69[.]41/data/2849d40ade47af8edfd4e08352dd2cc8, total seen size: 72704B,\r\ndirection: Incoming\r\n- SHA1 file hash: 5b0a35c574ee40c4bccb9b0b942f9a9084216816\r\n- MD5 file hash: aa9a73083184e1309431b3c7a3e44427  \r\n[Model Alert: Anomalous Connection / New User Agent to IP Without Hostname]\r\n- Associated device type: desktop\r\n- Time of alert: 2024-05-07T09:04:14 UTC  \r\n- Destination IP: 185.49.69[.]41  \r\n- Application protocol: HTTP  \r\n- URI: /data/2849d40ade47af8edfd4e08352dd2cc8\r\nhttps://darktrace.com/blog/disarming-the-warmcookie-backdoor-darktraces-oven-ready-solution\r\nPage 4 of 9\n\n- User agent: Microsoft BITS/7.8  \r\n[Model Alert: Compromise / HTTP Beaconing to New Endpoint]\r\n- Associated device type: desktop\r\n- Time of alert: 2024-05-07T09:08:47 UTC\r\n- Destination IP: 185.49.69[.]41\r\n- Protocol: TCP\r\n- Application protocol: HTTP  \r\n- ASN: AS28753 Leaseweb Deutschland GmbH  \r\n- URI: /  \r\n- User agent: Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705) \\\r\nFigure 1: Cyber AI Analyst Coverage Details around the external destination, ‘185.49.69[.]41’.\r\nhttps://darktrace.com/blog/disarming-the-warmcookie-backdoor-darktraces-oven-ready-solution\r\nPage 5 of 9\n\nFigure 2: External Sites Summary verifying the geographical location of the external IP,\r\n185.49.69[.]41’.\r\nFortunately, this particular customer was subscribed to Darktrace’s Proactive Threat Notification (PTN) service\r\nand the Darktrace Security Operation Center (SOC) promptly investigated the activity and alerted the customer.\r\nThis allowed their security team to address the activity and begin their own remediation process.\r\nIn this instance, Darktrace’s Autonomous Response capability was configured in Human Confirmation mode,\r\nmeaning any mitigative actions required manual application by the customer’s security team.\r\nDespite this, Darktrace recommended two actions to contain the activity: blocking connections to the suspicious\r\nIP address 185.49.69[.]41 and any IP addresses ending with '69[.]41', as well as the ‘Enforce Pattern of Life’\r\naction. By enforcing a pattern of life, Darktrace can restrict a device (or devices) to its learned behavior, allowing\r\nit to continue regular business activities uninterrupted while blocking any deviations from expected activity.\r\nFigure 3: Actions suggested by Darktrace to contain the emerging activity, including blocking\r\nconnections to the suspicious endpoint and restricting the device to its ‘pattern of life’.\r\nConclusion\r\nBackdoor tools like WarmCookie enable threat actors to gather and leverage information from target systems to\r\ndeploy additional malicious payloads, escalating their cyber attacks. Given that WarmCookie’s primary\r\nhttps://darktrace.com/blog/disarming-the-warmcookie-backdoor-darktraces-oven-ready-solution\r\nPage 6 of 9\n\ndistribution method seems to be through phishing campaigns masquerading as trusted recruitments firms, it has\r\nthe potential to affect a large number of organizations.\r\nIn the face of such threats, Darktrace’s behavioral analysis provides organizations with full visibility over\r\nanomalous activity on their digital estates, regardless of whether the threat bypasses by human security teams or\r\nemail security tools. While threat actors seemingly managed to evade customers’ native email security and gain\r\naccess to their networks in these cases, Darktrace identified the suspicious behavior associated with WarmCookie\r\nand swiftly notified customer security teams.\r\nHad Darktrace’s Autonomous Response capability been fully enabled in these cases, it could have blocked any\r\nsuspicious connections and subsequent activity in real-time, without the need of human intervention, effectively\r\ncontaining the attacks in the first instance.\r\nCredit to Justin Torres, Cyber Security Analyst and Dylan Hinz, Senior Cyber Security Analyst\r\nAppendices\r\nDarktrace Model Detections\r\n- Anomalous File / EXE from Rare External Location\r\n- Anomalous File / Masqueraded File Transfer  \r\n- Compromise / Beacon to Young Endpoint  \r\n- Compromise / Beaconing Activity To External Rare  \r\n- Compromise / HTTP Beaconing to New Endpoint  \r\n- Compromise / HTTP Beaconing to Rare Destination\r\n- Compromise / High Volume of Connections with Beacon Score\r\n- Compromise / Large Number of Suspicious Successful Connections\r\n- Compromise / Quick and Regular Windows HTTP Beaconing\r\n- Compromise / SSL or HTTP Beacon\r\n- Compromise / Slow Beaconing Activity To External Rare\r\n- Compromise / Sustained SSL or HTTP Increase\r\n- Compromise / Sustained TCP Beaconing Activity To Rare Endpoint\r\n- Anomalous Connection / Multiple Failed Connections to Rare Endpoint\r\n- Anomalous Connection / New User Agent to IP Without Hostname\r\n- Compromise / Sustained SSL or HTTP Increase\r\nhttps://darktrace.com/blog/disarming-the-warmcookie-backdoor-darktraces-oven-ready-solution\r\nPage 7 of 9\n\nAI Analyst Incident Coverage:\r\n- Unusual Repeated Connections\r\n- Possible SSL Command and Control to Multiple Endpoints\r\n- Possible HTTP Command and Control\r\n- Suspicious File Download\r\nDarktrace RESPOND Model Detections:\r\n- Antigena / Network / External Threat / Antigena Suspicious File Block\r\n- Antigena / Network / External Threat / Antigena Suspicious File Pattern of Life Block\r\nList of IoCs\r\nIoC - Type - Description + Confidence\r\n185.49.69[.]41 – IP Address – WarmCookie C2 Endpoint\r\n/data/2849d40ade47af8edfd4e08352dd2cc8 – URI – Likely WarmCookie URI\r\n/data/b834116823f01aeceed215e592dfcba7 – URI – Likely WarmCookie URI\r\n4ddf0d9c750bfeaebdacc14152319e21305443ff  - SHA1 Hash  – Possible Malicious File\r\n5b0a35c574ee40c4bccb9b0b942f9a9084216816  - SHA1 Hash – Possiblem Malicious File\r\nMITRE ATT\u0026CK Mapping\r\n(Technique Name) – (Tactic) – (ID) – (Sub-Technique of)\r\nDrive-by Compromise - INITIAL ACCESS - T1189\r\nIngress Tool Transfer - COMMAND AND CONTROL - T1105\r\nMalware - RESOURCE DEVELOPMENT - T1588.001 - T1588\r\nLateral Tool Transfer - LATERAL MOVEMENT - T1570\r\nWeb Protocols - COMMAND AND CONTROL - T1071.001 - T1071\r\nWeb Services - RESOURCE DEVELOPMENT - T1583.006 - T1583\r\nBrowser Extensions - PERSISTENCE - T1176\r\nApplication Layer Protocol - COMMAND AND CONTROL - T1071\r\nFallback Channels - COMMAND AND CONTROL - T1008\r\nhttps://darktrace.com/blog/disarming-the-warmcookie-backdoor-darktraces-oven-ready-solution\r\nPage 8 of 9\n\nMulti-Stage Channels - COMMAND AND CONTROL - T1104\r\nNon-Standard Port - COMMAND AND CONTROL - T1571\r\nOne-Way Communication - COMMAND AND CONTROL - T1102.003 - T1102\r\nEncrypted Channel - COMMAND AND CONTROL - T1573\r\nExternal Proxy - COMMAND AND CONTROL - T1090.002 - T1090\r\nNon-Application Layer Protocol - COMMAND AND CONTROL - T1095\r\nReferences\r\n[1] https://www.elastic.co/security-labs/dipping-into-danger\r\n[2] https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor\r\n[3] https://thehackernews.com/2024/06/new-phishing-campaign-deploys.html\r\nSource: https://darktrace.com/blog/disarming-the-warmcookie-backdoor-darktraces-oven-ready-solution\r\nhttps://darktrace.com/blog/disarming-the-warmcookie-backdoor-darktraces-oven-ready-solution\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://darktrace.com/blog/disarming-the-warmcookie-backdoor-darktraces-oven-ready-solution"
	],
	"report_names": [
		"disarming-the-warmcookie-backdoor-darktraces-oven-ready-solution"
	],
	"threat_actors": [],
	"ts_created_at": 1775434707,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/799e89df59917c872498678381af35b8c0e16cf7.pdf",
		"text": "https://archive.orkl.eu/799e89df59917c872498678381af35b8c0e16cf7.txt",
		"img": "https://archive.orkl.eu/799e89df59917c872498678381af35b8c0e16cf7.jpg"
	}
}