{
	"id": "24e84bf8-d750-44b5-8288-958ca551744d",
	"created_at": "2026-04-06T00:13:01.717058Z",
	"updated_at": "2026-04-10T03:34:42.769989Z",
	"deleted_at": null,
	"sha1_hash": "a1f6f56cea1ffccfc61be577fdecb7ca9af2997f",
	"title": "Threat Spotlight: WarmCookie/BadSpace",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2264600,
	"plain_text": "Threat Spotlight: WarmCookie/BadSpace\r\nBy Edmund Brumaghin\r\nPublished: 2024-10-23 · Archived: 2026-04-05 18:48:41 UTC\r\nWednesday, October 23, 2024 06:02\r\nWarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly\r\nconducted malspam and malvertising campaigns. \r\nWarmCookie, observed being used for initial access and persistence, offers a means for continuous long-term access to compromised environments and is used to facilitate delivery of additional malware such as\r\nCSharp-Streamer-RAT and Cobalt Strike. \r\nPost-compromise intrusion activity associated with WarmCookie overlaps with previously observed\r\nactivity we attribute to TA866.  \r\nWe assess that WarmCookie was likely developed by the same threat actor(s) as Resident backdoor, a post-compromise implant previously deployed in intrusion activity that Cisco Talos attributes to TA866.  \r\nWhat is WarmCookie? \r\nWarmCookie, also known as BadSpace, is a malware family that has been distributed since at least April 2024.\r\nThroughout 2024, we have observed several distribution campaigns conducted using a variety of lure themes to\r\nentice victims to take actions that result in malware infection.  \r\nThese campaigns typically rely on malspam or malvertising to initiate the infection process that results in the\r\ndelivery of WarmCookie. WarmCookie offers a variety of useful functionality for adversaries including payload\r\ndeployment, file manipulation, command execution, screenshot collection and persistence, making it attractive to\r\nuse on systems once initial access has been gained to facilitate longer-term, persistent access within compromised\r\nnetwork environments.  
\r\nhttps://blog.talosintelligence.com/warmcookie-analysis/\r\nPage 1 of 13\n\nIn previously analyzed intrusion activity involving WarmCookie, we have observed that it is used as an initial\r\npayload and that CSharp-Streamer-RAT and Cobalt Strike were delivered following the initial WarmCookie\r\ninfection.  \r\nWhile analyzing the campaigns, intrusion activity, and infrastructure associated with WarmCookie over the course\r\nof 2024, we also identified multiple overlaps with activity conducted by TA866 in 2023. \r\nTypical infection chains \r\nAs previously mentioned, we have observed WarmCookie campaigns being conducted since at least April 2024.\r\nThese campaigns rely on malspam or malvertising to facilitate the delivery of malicious content.  \r\nIn the case of malspam, we have observed consistent use of invoice-related and job agency themes that entice\r\nvictims to access hyperlinks present in either the email body, or within attached documents, such as PDFs.  \r\nExamples of common message subjects observed in campaigns conducted between April and August 2024 are\r\nlisted below. \r\nUnited Rentals Inc: Invoice# [0-9]{9}\\-[0-9]{3}  \r\nInvoice and Remittance\r\nIn a recent campaign conducted in August, the messages contained PDF attachments. The attachment filenames\r\nwere randomized but typically use the following format. \r\nAttachment_[0-9]{3}\\-[0-9]{3}\\.pdf\r\nWhile there have been variations over time, below is a representative example of one of these emails and the\r\nassociated PDF attachment. \r\nWarmCookie emails and attachments.\r\nThe PDFs contain hyperlinks that direct victims to web servers hosting malicious JavaScript files that continue the\r\ninfection process. \r\nWe have also observed WarmCookie campaigns leveraging infrastructure associated with traffic distribution and\r\nmalware delivery systems. 
In one early campaign, we observed the use of the LandUpdates808 cluster of\r\ninfrastructure described here. In observed cases, malicious JavaScript downloaders were being hosted at the\r\nfollowing paths on servers associated with the LandUpdates808 cluster of web servers. \r\n/wp-content/upgrade/update[.]php\r\nRegardless of whether the delivery stage of the attack was conducted via malspam or malvertising, an obfuscated\r\nJavaScript downloader is delivered that is responsible for continuing the infection process. We have observed the\r\nuse of ZIP archives to compress the JavaScript file and the delivery of the JavaScript file directly from the\r\ndistribution infrastructure.  \r\nWhen executed, it deobfuscates and executes a PowerShell command that uses Bitsadmin to retrieve and execute\r\nthe WarmCookie DLL using syntax like that shown below. \r\nPowerShell execution.\r\nWe have observed a relatively small number of distribution servers hosting WarmCookie DLLs compared to the\r\ninfrastructure used in earlier stages of the infection chain.  \r\nWarmCookie \r\nThe main WarmCookie payload has been extensively analyzed in prior reporting here and here. While performing\r\nthis research, newly observed WarmCookie samples were reported on social media during September 2024. We\r\nobserved significant additions and changes in this latest version that demonstrate the threat actor is continuing to\r\nimprove their tooling.  \r\nWe observed changes to the way the malware is executed and how persistence is achieved on infected systems. As\r\ndescribed in prior reporting, the malware is typically delivered and executed as a PE DLL or a PE EXE. If the\r\npayload is in the DLL format, it is typically executed with specific command-line parameters that determine\r\nwhether persistence should be achieved.  
\r\nIn previous WarmCookie samples, the execution was consistent with the following: \r\nrundll32.exe \u003cDLL_Filename\u003e,Start /p\r\nIn the latest samples analyzed, this command-line syntax has been modified as follows: \r\nrundll32.exe \u003cDLL_Filename\u003e,Start /u\r\nAdditionally, the user agent used during C2 communications in previous WarmCookie samples featured\r\nextraneous spaces not consistent with normal user agent strings seen in the wild. This allowed for easy detection\r\nof WarmCookie C2 activity via network traffic inspection. In the latest WarmCookie samples, this mistake has\r\nbeen corrected. Below is a comparison between the old and new user agent strings used during C2\r\ncommunications. \r\nOld User Agent: \r\nMozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)\r\nNew User Agent: \r\nMozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0\r\nWe also observed the inclusion of a new self-updating mechanism that would enable an attacker to dynamically\r\ndeliver updates to WarmCookie via the C2 server; however, this functionality did not appear to be fully\r\nimplemented in the analyzed sample at the time. \r\nIn the latest sample, changes were made to the sandbox detection mechanism present in the malware, where some\r\nchecks present in previous versions have been removed. \r\nWarmCookie sandbox detection.\r\nSeveral changes to the C2 commands supported by the malware have also been made in the latest WarmCookie\r\nsamples analyzed. The command to remove persistence and the malware itself has been deleted. New commands\r\nhave been added as follows: \r\nCommand 0x8: Supports the creation of a DLL file received from the C2 server that is assigned a\r\ntemporary filename and then executed by WarmCookie.   
\r\nCommand 0xA: Appears to be a prepared update command; it is like Command 0x8 but adds hardcoded\r\nparameters to the DLL:  \r\nC:\\Windows\\System32\\rundll32.exe \u003ctmpfilename.dll\u003e Start /update\r\nCommand 0xB: Supports moving the malware to a temporary file name and location and deletes the\r\npreviously scheduled task. It prepends the string ‘dat’ to the temporary filename. It also exits the C2 loop,\r\nleading to termination of the malware process. \r\nDuring the malware’s initialization and startup phase, the /update parameter of Command 0xA is checked\r\nto determine if the parameter was set. Regardless of the result of this check, the same function is executed, as\r\nshown below. \r\nWarmCookie update parameter. \r\nAnalysis suggests that the malware will continue to evolve as the threat actor continues to\r\nimprove on it and adds additional functionality as needed. \r\nLinks to past intrusion activity \r\nWhile analyzing the distribution campaigns, infrastructure used, and post-compromise intrusion activity\r\nassociated with WarmCookie, we identified multiple overlaps with previously observed malicious activity.  \r\nIn earlier WarmCookie distribution campaigns, threat actors relied on lures that appear as if they were associated\r\nwith talent/job search agencies. As mentioned here, the lure documents and landing pages associated with this\r\ncampaign are like those used by distributors of Ursnif in past campaigns.  \r\nWhile analyzing intrusion activity associated with WarmCookie, we observed the deployment of CSharp-Streamer-RAT as a follow-on payload following the initial system compromise. CSharp-Streamer-RAT is a full-featured remote access trojan that offers robust functionality as described here.  
\r\nIn this case, the sample reached out to a C2 server that was configured to use an SSL certificate that appeared to\r\nhave been programmatically generated with several fields randomly populated. Using Regular Expressions to\r\nidentify other servers with similar SSL characteristics, we identified three additional C2 servers, all previously\r\nassociated with CSharp-Streamer-RAT samples. One of these C2 servers was observed being used by a CSharp-Streamer-RAT sample we identified in a previous intrusion that we assess with high confidence was conducted by\r\nTA866.  \r\nThe screenshot below shows the relevant fields present within the SSL certificate associated with the CSharp-Streamer-RAT C2 server observed in previous intrusion activity we attribute to TA866.  \r\nPrevious CSharp-Streamer-RAT C2 SSL certificate.\r\nBelow is an example of one of the SSL certificates associated with the CSharp-Streamer-RAT C2 server observed\r\nin recent WarmCookie intrusion activity. \r\nRecent CSharp-Streamer-RAT C2 SSL certificate.\r\nBased on analysis of the system involved in this prior intrusion activity, we assess with high confidence that\r\nTA866/Asylum Ambuscade deployed CSharp-Streamer-RAT while directly operating on the system leading up to,\r\nduring, and after its deployment. In the recent WarmCookie case, we also assess with high confidence that the\r\nattacker who deployed WarmCookie also deployed CSharp-Streamer-RAT following the initial compromise.\r\nWarmCookie vs. Resident backdoor \r\nAs referenced here, and in prior reporting, TA866/Asylum Ambuscade has been observed delivering a post-compromise implant called Resident backdoor in prior intrusion activity. 
Prior reporting on WarmCookie has\r\nalluded to observed links between Resident backdoor and WarmCookie.\r\nWe performed a code and function level analysis of Resident backdoor samples from previous intrusion activity\r\nand WarmCookie samples from September 2024 and observed several notable similarities in the way core\r\nfunctionality has been implemented across both malware families. WarmCookie appears to contain much of the\r\nsame functionality as Resident backdoor but has been significantly extended to support additional functionality.  \r\nWe assess that both were likely developed by the same entity based on the following analysis findings: \r\nThe RC4 implementation is consistent across both malware families. \r\nThe RC4 string decryption function implementation is consistent across both malware families. \r\nMutex management is performed consistently across both malware families. \r\nBoth malware families use GUID-like strings for the mutex. \r\nThe way in which various functions were constructed and the coding conventions used is consistent. \r\nThe definition of scheduled tasks to achieve persistence is consistent. \r\nBoth malware families wait one minute before executing the scheduled task. \r\nThe directory, file schema and parameters are similar in both malware families.  \r\nThe initial startup logic and command line parameter implementation are similar. \r\nCode similarity analysis \r\nWe conducted a similarity analysis of the code execution flow between both Resident backdoor and a recent\r\nWarmCookie sample that was shared on social media. We observed consistent implementation of core\r\nfunctionality across both as well as consistent use of coding conventions across both malware families. 
\r\nTask Scheduler implementation \r\nIf the malware is initially executed without supplying any parameters, both Resident and WarmCookie first\r\ndetermine if the initially launched application was a PE DLL or a PE EXE. Depending on the result, they either\r\ncreate a filename with the extension “.dll” or “.exe”. Also based on the results of this test, they both create a\r\nscheduled task via the Windows Task Scheduler, which spawns a copy of the malware after waiting for 60\r\nseconds. In the case that the initially launched application was a PE DLL, rundll32.exe is used to launch the\r\nmalware. In the case of a PE EXE file, it is executed directly.  \r\nThey both attempt this in the %ALLUSERSPROFILE% directory; if that fails, they try it again in the %ALLDATA%\r\ndirectory. \r\nWarmCookie startup parameters.\r\nWarmCookie persistence mechanism.\r\nResident backdoor startup parameters.\r\nResident backdoor persistence mechanism.\r\nResident backdoor persistence mechanism (cont’d).\r\nThe overall startup logic is also the same in both Resident backdoor and WarmCookie. At the beginning of the\r\nstartup process, both check to determine if the malware was executed with a command line switch. In the case of\r\nthe Resident backdoor, it is ‘/p’; in the case of WarmCookie it is ‘/u’. This parameter tells the application\r\nwhether it is the first instance of itself or if the running version is the former copied version, which was previously\r\nmade persistent via the Task Scheduler. This prevents multiple scheduled tasks from being created once the\r\nmalware has achieved persistence.  
\r\nWarmCookie startup logic.\r\nResident backdoor startup logic.\r\nOne slight difference is that Resident uses the hardcoded string ‘RtlUpd’ to generate the filename for the\r\nscheduled task, whereas WarmCookie uses a hardcoded list of company names and randomly selects one, as\r\nshown below: \r\nWarmCookie filename list.\r\nBased on our analysis of Resident backdoor and WarmCookie, we assess that they were likely developed by the\r\nsame entity. While there are significant overlaps in the code and functionality implementations across Resident\r\nbackdoor and WarmCookie, WarmCookie contains significantly more robust functionality and command support\r\ncompared to Resident backdoor. Additionally, while WarmCookie has typically been deployed as an initial access\r\npayload in intrusion activity we have analyzed, Resident backdoor was deployed post-compromise following the\r\ndeployment of several other components such as WasabiSeed, Screenshotter and AHK Bot.  \r\nGiven the differences in functionality and where each is encountered in the attack lifecycle, we classify Resident\r\nand WarmCookie as separate malware families that have been developed by the same threat actor. \r\nCoverage \r\nWays our customers can detect and block this threat are listed below. \r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here. \r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks. \r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here. 
\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat. \r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products. \r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. \r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them. \r\nAdditional protection with context to your specific environment and threat data are available from the Firewall\r\nManagement Center. \r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork. \r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. \r\nThe following Snort rule(s) have been developed to detect activity associated with this malicious activity.  \r\nSnort 2 SIDs: 64139, 64140, 64141, 64142, 64143, 64144, 64145, 64146, 64147, 64148, 64149, 64150,\r\n64151, 64152, 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162. \r\nSnort 3 SIDs: 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162, 301044, 301045,\r\n301046, 301047, 301048, 301049, 301050.  \r\nThe following ClamAV signatures have been developed to detect activity associated with this malicious activity.  
\r\nJs.Downloader.Agent-10022279-0  \r\nVbs.Downloader.Agent-10022291-0  \r\nWin.Trojan.WasabiSeed-10022304-0  \r\nJs.Trojan.Screenshotter-10022306-0  \r\nJs.Trojan.Agent-10022307-0  \r\nWin.Trojan.Lazy-10022308-0  \r\nWin.Trojan.Screenshotter-10022309-0  \r\nPUA.Win.Tool.NetPing-10022493-0  \r\nWin.Malware.CobaltStrike-10022494-0  \r\nPUA.Win.Tool.AutoHotKey-10022305-1  \r\nPUA.Win.Tool.RemoteUtilities-9869515-0  \r\nPUA.Win.Tool.AdFind-9962378-0   \r\nTxt.Downloader.AHKBot-10024463-0  \r\nPs1.Malware.CobaltStrike-10024466-0  \r\nWin.Infostealer.Rhadamanthys-10024467-0  \r\nTxt.Infostealer.Rhadamanthys-10024468-0  \r\nWin.Backdoor.Agent-10025011-0  \r\nVbs.Trojan.Screenshotter-10025015-0  \r\nWin.Malware.Warmcookie-10036688-0 \r\nWin.Malware.CSsharpStreamer-10036641-0 \r\nIndicators of Compromise \r\nIndicators of compromise associated with WarmCookie/BadSpace activity can be found in our GitHub repository\r\nhere. \r\nSource: https://blog.talosintelligence.com/warmcookie-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/warmcookie-analysis/"
	],
	"report_names": [
		"warmcookie-analysis"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59d91b6f-bccf-4ae4-a14c-028b198848b6",
			"created_at": "2023-03-10T02:01:52.119563Z",
			"updated_at": "2026-04-10T02:00:03.36177Z",
			"deleted_at": null,
			"main_name": "TA866",
			"aliases": [],
			"source_name": "MISPGALAXY:TA866",
			"tools": [
				"Screenshotter",
				"AHK Bot",
				"WasabiSeed"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434381,
	"ts_updated_at": 1775792082,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a1f6f56cea1ffccfc61be577fdecb7ca9af2997f.pdf",
		"text": "https://archive.orkl.eu/a1f6f56cea1ffccfc61be577fdecb7ca9af2997f.txt",
		"img": "https://archive.orkl.eu/a1f6f56cea1ffccfc61be577fdecb7ca9af2997f.jpg"
	}
}