{
	"id": "15d58346-6da1-413d-9440-11c616156292",
	"created_at": "2026-04-06T00:08:52.847243Z",
	"updated_at": "2026-04-10T13:12:35.03267Z",
	"deleted_at": null,
	"sha1_hash": "7c3cf270000a4be5c760b9a54f348e1a0a18f6c9",
	"title": "WarmCookie Infrastructure Update: Uncovering New C2 Servers and Threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2811253,
	"plain_text": "WarmCookie Infrastructure Update: Uncovering New C2 Servers\r\nand Threats\r\nPublished: 2024-10-17 · Archived: 2026-04-05 22:40:08 UTC\r\nTABLE OF CONTENTS\r\nIntroductionInitial Findings and ResearchUncovering Additional InfrastructureShared SSH KeysIPs Sharing SSH\r\nKeysConclusionNetwork Observables\r\nIntroduction\r\nOn September 30, Gen Threat Labs posted a warning on X (formerly Twitter), highlighting a new wave of a\r\nFakeUpdate campaign using compromised websites to deliver the WarmCookie backdoor. Of note, an updated\r\nversion of the backdoor adding capabilities was identified, accompanied by indicators of compromise (IoC),\r\nincluding an IP address.\r\nUsing this command-and-control (C2) server as a starting point, we identified a small subset of infrastructure\r\nsharing characteristics to the IP reported on X. Certificates and HTTP response patterns played a large role in our\r\nfindings, which we'll discuss below.\r\nInitial Findings and Research\r\nThe IP address 38.180.91[.]117, identified by Gen Threat Labs as a WarmCookie C2 server, is hosted within the\r\nScalaxy B.V. ASN. Four open ports were observed: 22, 443, 3389, and 8080. By querying this IP in Hunt, we can\r\ngain additional insight into its operational context, including details on port configurations and certificate history.\r\nhttps://hunt.io/blog/from-warm-to-burned-shedding-light-on-updated-warmcookie-infrastructure\r\nPage 1 of 8\n\nFigure 1: Overview of IP address 38.180.91[.]117 (The IOC Hunter link in the image will take you to the above\r\nmentioned X post)\r\nInterestingly, no associated resolving domains were detected for this IP. However, a range of certificates, including\r\nboth RDP and TLS, which shed light on its operational history. These certificates spanned from mid-June 2024,\r\nwith the most recent first seen just two days prior to this analysis.\r\nAdditionally, HTTP responses helped in connecting other infrastructure to the updated WarmCookie backdoor.\r\nTogether, these observations hint at a server that might not be static but instead adapting to changing operational\r\nrequirements.\r\nWhile the certificate history alone doesn't confirm we are looking at a repurposed server, it does suggest a high\r\nprobability of regular maintenance or adaptation that could align with the malwares update cycle.\r\nhttps://hunt.io/blog/from-warm-to-burned-shedding-light-on-updated-warmcookie-infrastructure\r\nPage 2 of 8\n\nFigure 2: SSL History overview for the initial IP linked to WarmCookie\r\nThe distinct certificate properties and HTTP responses observed for this server provided key IOCs for expanding\r\nour investigation. Below, we'll discuss the additional IP's likely connected to this new version of WarmCookie.\r\nUncovering Additional Infrastructure\r\nUsing Hunt SQL, we executed a query primarily based on the certificate attributes, with the HTTP response\r\nadding for verification. This resulted in six additional servers sharing characteristics with the IP in the previous\r\nsection. The IP addresses are listed below:\r\n91.222.173[.]91\r\n178.209.52[.]166\r\n185.49.68[.]139\r\n185.161.251[.]26\r\n194.71.107[.]41\r\n194.87.45[.]138\r\nhttps://hunt.io/blog/from-warm-to-burned-shedding-light-on-updated-warmcookie-infrastructure\r\nPage 3 of 8\n\nFigure 3: Hunt results for additional infrastructure linked to 38.180.91[.]117\r\nThe small number of results strongly suggests that we were indeed tracking relevant infrastructure connected to\r\nthe updated WarmCookie backdoor.\r\nTo further validate our findings, we cross-referenced our results with publicly available sources. Resources such\r\nas VirusTotal and ThreatFox proved particularly valuable in this process.\r\nOur scans revealed servers active from late September onward, aligning closely with the IPs listed in ThreatFox,\r\nand public reporting.\r\nhttps://hunt.io/blog/from-warm-to-burned-shedding-light-on-updated-warmcookie-infrastructure\r\nPage 4 of 8\n\nFigure 4: Community results in VirusTotal for one of the recently found WarmCookie servers\r\nUpon reviewing the IPs returned from our query, we found that most yielded nothing significant to pivot on. That\r\nwas until we got to 91.222.173[.]91, which using the Associations tab in Hunt revealed an interesting connection.\r\nThis server shared an SSH key (fingerprint:\r\n888f05c2856ad60c5ab1e9826b57b87ae697d16303304959930f4b7e149458ac) with 24 other servers, suggesting\r\na potential network tied to WarmCookie, or use of a standard server image with a pre-configured SSH key that\r\nwas shared/leaked.\r\nTo better understand the associations and the extent of WarmCookies operational reach, we've provided a list of\r\nthe IPs and any linked domains for defenders to comb through. If you come across something interesting (we did!)\r\nlet us know.\r\nIPs Sharing SSH Keys\r\nIP Address ASN Domain(s)\r\n45.11.59[.]231 Virtual Systems LLC N/A\r\n45.134.174[.]245 SOLLUTIUM EU Sp z.o.o. N/A\r\n176.97.124[.]149 Virtual Systems LLC N/A\r\n195.66.213[.]111 Leaseweb Deutschland GmbH N/A\r\n45.11.59[.]207 SOLLUTIUM EU Sp z.o.o. N/A\r\n45.134.174[.]18 SOLLUTIUM EU Sp z.o.o. N/A\r\nhttps://hunt.io/blog/from-warm-to-burned-shedding-light-on-updated-warmcookie-infrastructure\r\nPage 5 of 8\n\nIP Address ASN Domain(s)\r\n45.134.173[.]22 Virtual Systems LLC N/A\r\n176.97.124[.]203 Virtual Systems LLC N/A\r\n45.134.174[.]137 SOLLUTIUM EU Sp z.o.o.\r\nadbs.info.tntseminars[.]com\r\nmx1.info.tntseminars[.]com\r\n91.222.173[.]245 SOLLUTIUM EU Sp z.o.o. N/A\r\n195.66.213[.]160 SOLLUTIUM EU Sp z.o.o. N/A\r\n45.134.174[.]135 SOLLUTIUM EU Sp z.o.o. mx1.info.ukshowroom[.]com\r\n31.42.177[.]38 SOLLUTIUM EU Sp z.o.o. N/A\r\n185.254.198[.]219 Virtual Systems LLC\r\ndig-authentic.ipq[.]co\r\nReverse DNS:\r\nabrushofchange[.]org\r\n45.134.174[.]254 SOLLUTIUM EU Sp z.o.o.\r\nReverse DNS:\r\ndedicated.vsys[.]host\r\n91.222.173[.]140 SOLLUTIUM EU Sp z.o.o. N/A\r\n91.205.2[.]219 SOLLUTIUM EU Sp z.o.o. N/A\r\n45.11.59[.]230 SOLLUTIUM EU Sp z.o.o. N/A\r\n195.66.213[.]243 SOLLUTIUM EU Sp z.o.o. N/A\r\n45.134.174[.]136 SOLLUTIUM EU Sp z.o.o.\r\nmx1.info.toelicking[.]com\r\nReverse DNS:\r\nrrfqm[.]site\r\n45.134.174[.]134 SOLLUTIUM EU Sp z.o.o.\r\nadbs.info.ultimacomputers[.]com\r\nmx1.info.ultimacomputers[.]com\r\nReverse DNS:\r\nsavemo[.]shop\r\n45.134.174[.]73 SOLLUTIUM EU Sp z.o.o.\r\nmx5.mailer.reasonablish[.]com\r\nReverse DNS:\r\nduplified.com[.]co\r\n45.134.173[.]21 Virtual Systems LLC N/A\r\nTable 1: Shared SSH key IPs \u0026 domains.\r\nhttps://hunt.io/blog/from-warm-to-burned-shedding-light-on-updated-warmcookie-infrastructure\r\nPage 6 of 8\n\nOne of the IPs in the above table, 91.222.173[.]140, hosted within the SOLLUTIUM EU Sp z.o.o. ASN, has been\r\nflagged as a DarkGate C2 server with two recent files--Notepad++.exe and upd_1602649.msix--actively\r\ncommunicating with the IP.\r\nFigure 5: Overview of the suspected DarkGate C2 IP in Hunt\r\nGiven that WarmCookie has been observed in tandem with other known malware families, the presence of a\r\nDarkGate C2 within this infrastructure may not be entirely surprising. Still, this finding raises intriguing questions\r\nfor further investigation, which we leave as an exercise for our readers.\r\nConclusion\r\nIn conclusion, our analysis of WarmCookie's updated infrastructure has uncovered key indicators, linked servers,\r\nand potential overlaps with other malware like DarkGate. While we've shared substantial findings that provide a\r\ndeeper look into this evolving threat, we're withholding the full detection query to continue monitoring this\r\nactivity.\r\nWhile not a major player in the malware landscape, WarmCookie remains worth monitoring for its potential to\r\ngain more traction among threat actors.\r\nThank you for reading, and stay tuned for future updates as we continue tracking this and related threats.\r\nNetwork Observables\r\nIP Address ASN Host Country Last Seen\r\n38.180.91[.]117 Cogent Communications US 2024-10-03\r\nhttps://hunt.io/blog/from-warm-to-burned-shedding-light-on-updated-warmcookie-infrastructure\r\nPage 7 of 8\n\nIP Address ASN Host Country Last Seen\r\n91.222.173[.]91 SOLLUTIUM EU Sp z.o.o. US 2024-09-29\r\n178.209.52[.]166 Nine Internet Solutions AG CH 2024-10-03\r\n185.49.68[.]139 Leaseweb Deutschland GmbH DE 2024-09-23\r\n185.161.251[.]26 GLOBAL CONNECTIVITY SOLUTIONS LLP DE 2024-09-25\r\n194.71.107[.]41 EDIS GmbH BG\r\n194.87.45[.]138 GLOBAL INTERNET SOLUTIONS LLC ES\r\nSource: https://hunt.io/blog/from-warm-to-burned-shedding-light-on-updated-warmcookie-infrastructure\r\nhttps://hunt.io/blog/from-warm-to-burned-shedding-light-on-updated-warmcookie-infrastructure\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/from-warm-to-burned-shedding-light-on-updated-warmcookie-infrastructure"
	],
	"report_names": [
		"from-warm-to-burned-shedding-light-on-updated-warmcookie-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434132,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c3cf270000a4be5c760b9a54f348e1a0a18f6c9.pdf",
		"text": "https://archive.orkl.eu/7c3cf270000a4be5c760b9a54f348e1a0a18f6c9.txt",
		"img": "https://archive.orkl.eu/7c3cf270000a4be5c760b9a54f348e1a0a18f6c9.jpg"
	}
}