WarmCookie, also known as BadSpace, is a two-stage "lightweight backdoor" malware that emerged in April 2024. It is distributed primarily through malspam and malvertising campaigns, notably one tracked as REF6127. The infection chain starts with email lures (typically invoice-related and job agency themes) that direct victims to servers hosting malicious JavaScript. Once executed, these scripts retrieve the WarmCookie payload, which establishes persistence on the host and gives the attackers consistent access within the compromised environment. The malware uses several tactics to avoid detection, including using Task Scheduler for persistence and employing string obfuscation.
The code of WarmCookie overlaps significantly with a sample previously reported by eSentire, suggesting it may be an update to malware that has been in circulation since 2022. Both use identical RC4 implementations and the same mutex management, often employing GUID-like strings as mutex names. However, WarmCookie does contain differing functionality, such as retrieving victim information and capturing screenshots, which lets the operators monitor victims and then deploy more damaging payloads such as ransomware. The latest samples observed show that WarmCookie is evolving, with updates to its persistence mechanism, command structure, and sandbox detection capabilities.
Researchers at Elastic Security Labs have noted several changes to the C2 commands supported by the latest WarmCookie samples analyzed. One notable new command receives a DLL from the C2 server, assigns it a temporary filename, and executes it. Meanwhile, the command that removed persistence and the malware itself has been dropped. This suggests that the creators of WarmCookie are continually refining their tooling to increase the malware's effectiveness and resilience, and that it remains a significant ongoing threat.
Description last updated: 2024-10-29T20:00:02.806Z