MalwareUsed by 1 actor

Resident

Resident is a backdoor malware family referenced by Cisco Talos as having significant code and functional overlaps with WarmCookie (also known as BadSpace). High-confidence similarities reported between Resident and WarmCookie include identical RC4 decryption implementations, similar mutex management using GUID-like mutex strings, and similar persistence mechanisms. Talos assessed these overlaps as indicating likely shared authorship, with possible links to the TA866 threat actor. The provided content does not describe Resident’s full standalone infection vector or complete capability set directly, but it does establish Resident as a backdoor malware related in development lineage to WarmCookie.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

TA866

Its infection chains and functionality highlight notable development links to Resident backdoor, indicating possible shared authorship by TA866.

via contagiodump blogcontagiodump.blogspot.com

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

security online infoNews

Oct 24, 2024

New WarmCookie/BadSpace Malware Targets Organizations

A backdoor malware family that shares notable code/function-level similarities with WarmCookie (e.g., RC4 implementation, mutex management, persistence mechanisms), suggesting shared development lineage.

contagiodump blogNews

Oct 23, 2024

contagio: 2024-10-23 WarmCookie/BadSpace - APT TA866 - Samples

Resident is a backdoor malware family noted here for code and functional similarities with WarmCookie, including RC4 implementation, mutex handling, startup logic, and persistence via scheduled tasks.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.