COOKIEBAG is a malware family referenced in Mandiant’s APT1 malware corpus as one of the backdoors used for threat tracking and correlation. In the provided content, it is not behaviorally described beyond its inclusion as an APT1-associated malware family and an example used in import-hash (imphash) analysis. The content states that COOKIEBAG had an imphash of 4cec0085b43f40b4743dc218c585f2ec, with 79 imports and 10 matched samples in Mandiant’s February 2013 APT1 dataset. The broader context indicates Mandiant used imphash-based clustering to identify related malware samples and additional variants attributable to the same threat group when corroborated with further analysis. No specific infection vector, persistence mechanism, command-and-control behavior, targeted industries, operating system scope, or additional indicators of compromise for COOKIEBAG are directly provided in the content beyond the family name and the imphash value 4cec0085b43f40b4743dc218c585f2ec.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
2 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.
No news coverage yet. Advisories and community discussion only.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.