A new malware family named WarmCookie, also known as BadSpace, has been actively distributed through malspam and malvertising campaigns since April 2024.
According to a blog post from Cisco Talos published on October 23, the malware facilitates persistent access to compromised networks and has been observed as an initial payload, often leading to the deployment of additional malware such as CSharp-Streamer-RAT and Cobalt Strike.
WarmCookie: Infection Vectors and Functionality
WarmCookie campaigns use a variety of lure themes, such as job offers or invoices, to entice victims into clicking malicious links. These campaigns frequently deliver WarmCookie via email attachments or embedded hyperlinks that initiate the infection process.
The malware itself offers extensive functionality, including command execution, screenshot capture and payload deployment, making it a valuable tool for maintaining long-term control of compromised systems.
Links to TA866 and Resident Backdoor
The analysis also links WarmCookie to a threat group known as TA866, which has been active since 2023. WarmCookie shares similarities with another malware family known as Resident backdoor, which has previously been deployed in TA866 campaigns.
Read more about this threat actor: TA866 Resurfaces in Targeted OneDrive Campaign
Researchers noted overlaps in core functionality and coding conventions, suggesting that both malware families were likely developed by the same entity.
“While there are significant overlaps in the code and functionality implementations across Resident backdoor and WarmCookie, WarmCookie contains significantly more robust functionality and command support compared to Resident backdoor,” Cisco Talos clarified.
“Additionally, while WarmCookie has typically been deployed as an initial access payload in intrusion activity we have analyzed, Resident backdoor was deployed post-compromise following the deployment of several other components such as WasabiSeed, Screenshotter and AHK Bot.”
Evolution of WarmCookie Malware
WarmCookie’s infection chain typically starts with malicious JavaScript downloaders delivered through either malspam or malvertising. Once executed, these scripts retrieve the WarmCookie payload, allowing the attackers to maintain persistent access within the compromised environment.
The latest samples observed by Cisco Talos show that WarmCookie is evolving, with updates to its persistence mechanism, command structure and sandbox detection capabilities.
“Several changes to the C2 commands supported by the malware have also been made in the latest WarmCookie samples analyzed. The command to remove persistence and the malware itself has been deleted. New commands have been added,” the firm explained.
The researchers expect WarmCookie to continue evolving as threat actors refine its functionality. Its connection to TA866 and the similarities with Resident backdoor highlight a continued effort to build and maintain sophisticated tools for long-term cyber espionage and exploitation.