Daniel Stepanic, Seth Goodwin

WARMCOOKIE One Year Later: New Features and Fresh Insights

A year later: Elastic Security Labs re-examines the WARMCOOKIE backdoor.

10 min read · Malware analysis

Revisiting WARMCOOKIE

Elastic Security Labs continues to track developments in the WARMCOOKIE codebase, uncovering new infrastructure tied to the backdoor. Since our original post, we have been observing ongoing updates to the code family and continued activity surrounding the backdoor, including new infections and its use with emerging loaders. A recent finding by the IBM X-Force team highlighted a new Malware-as-a-Service (MaaS) loader, dubbed CASTLEBOT, distributing WARMCOOKIE.

In this article, we will review new features added to WARMCOOKIE since its initial publication. Following this, we’ll present the extracted configuration information from various samples.

Key takeaways

  • The WARMCOOKIE backdoor is actively developed and distributed
  • Campaign ID, a recently added marker, sheds light on targeting specific services and platforms
  • WARMCOOKIE operators appear to receive variant builds distinguished by their command handlers and functionality
  • Elastic Security Labs identified a default certificate that can be used to track new WARMCOOKIE C2 servers

WARMCOOKIE recap

We first published research about WARMCOOKIE in the summer of 2024, detailing its functionality and how it was deployed through recruiting-themed phishing campaigns. Since then, we have observed various development changes to the malware, including the addition of new handlers, a new campaign ID field, code optimization, and evasion adjustments.

WARMCOOKIE’s significance was highlighted in May 2025, during Europol’s Operation Endgame, in which multiple high-profile malware families, including WARMCOOKIE, were disrupted. Despite this, we are still seeing the backdoor being actively used in various malvertising and spam campaigns.

WARMCOOKIE updates

Handlers

During our analysis of the new WARMCOOKIE variant, we identified four handlers introduced in the summer of 2024 that give operators a quick way to launch executables, DLLs, and scripts:

  • PE file execution
  • DLL execution
  • PowerShell script execution
  • DLL execution with Start export

The most recent WARMCOOKIE builds we have collected contain the DLL/EXE execution functionality; PowerShell script execution is much less prevalent. All of these capabilities share one function, which is passed a different argument for each file type. The handler creates a folder in a temporary directory and writes the file content (EXE / DLL / PS1) to a temporary file in that folder. It then runs the file directly (EXE), through rundll32.exe (DLL), or through PowerShell.exe (PS1). Below is an example of PE execution captured with Procmon.
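As an added illustration (not code from the original post or from Elastic), the following Python script shows the detection side of this behaviour: it triages process-creation events for an EXE launched from a newly created sub-folder of a temporary directory, or for rundll32.exe / powershell.exe handed a DLL or PS1 from such a folder. The events it runs on are constructed, the field names are assumed rather than taken from any product schema, and the temporary-directory roots are an assumption about where the handler stages its files.

```python
"""Triage process-creation events for WARMCOOKIE handler executions.

Added example, not code from Elastic or from the malware. It encodes the
behaviour described above: the handler creates a new folder under a
temporary directory, drops the payload there and runs it directly (EXE),
through rundll32.exe (DLL) or through powershell.exe (PS1). The events at
the bottom are constructed for this example and the field names are
assumed, not a product schema.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Temporary-directory roots the handler is assumed to use (lower-case).
TEMP_ROOTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
PAYLOAD_KIND = {".exe": "exe", ".dll": "dll", ".ps1": "ps1"}
HOST_BINARIES = ("rundll32.exe", "powershell.exe")


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str


def staged_payload(token: str) -> Optional[str]:
    """Lower-cased path if `token` is an EXE/DLL/PS1 inside a sub-folder of a
    temp root. Files dropped straight into %TEMP% (typical for installers) are
    deliberately not matched: the handler always creates its own folder."""
    path = token.strip('"').split(",")[0].lower()   # drop rundll32's ",Export"
    if not path.endswith(tuple(PAYLOAD_KIND)):
        return None
    for root in TEMP_ROOTS:
        idx = path.find(root)
        if idx != -1 and "\\" in path[idx + len(root):]:
            return path
    return None


def _tokens(cmd: str):
    """Quoted or whitespace-delimited tokens of a command line."""
    for m in re.finditer(r'"([^"]+)"|(\S+)', cmd):
        yield m.group(1) or m.group(2)


def classify(ev: ProcEvent) -> Optional[str]:
    """'exe', 'dll' or 'ps1' if the event matches a handler, else None."""
    image_name = ev.image.lower().rsplit("\\", 1)[-1]
    if image_name in HOST_BINARIES:
        for tok in _tokens(ev.command_line):
            path = staged_payload(tok)
            if path:
                return PAYLOAD_KIND[path[-4:]]
        return None
    path = staged_payload(ev.image)      # EXE run directly from the folder
    return PAYLOAD_KIND[path[-4:]] if path else None


def triage(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """(index, kind) for every event that looks like a handler execution."""
    hits = []
    for i, ev in enumerate(events):
        kind = classify(ev)
        if kind:
            hits.append((i, kind))
    return hits


# Constructed sample events (not real telemetry).
TEMP = "C:\\Users\\victim\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\System32\\rundll32.exe",
              'rundll32.exe "' + TEMP + 'Kx91a\\upd.dll",Start'),
    ProcEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -File " + TEMP + "Kx91a\\run.ps1"),
    ProcEvent(TEMP + "Kx91a\\tool.exe", "tool.exe"),
    ProcEvent("C:\\Windows\\System32\\rundll32.exe",
              "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
    ProcEvent(TEMP + "installer.exe", "installer.exe"),   # %TEMP% root only
]

if __name__ == "__main__":
    for idx, kind in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {kind} handler -> {SAMPLE_EVENTS[idx].command_line}")
```

The sub-folder requirement is what keeps this rule quiet: plenty of legitimate software runs from the root of %TEMP%, far less of it creates a fresh folder there and then loads a DLL from it via rundll32.exe.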

String bank

Another change is the use of a list of legitimate company names for WARMCOOKIE's folder paths and scheduled task names (referred to here as a "string bank"). The purpose is defense evasion: the malware can relocate to directories that look legitimate. Rather than hardcoding a static location, as previous variants did (C:\ProgramData\RtlUpd\RtlUpd.dll), the path is chosen at runtime from the list of company names.

The malware seeds srand with the return value of GetTickCount and then uses rand to pick an entry from the string bank.

The following depicts an example of a scheduled task showing the task name and folder location:

By searching for a few of these names and descriptions, our team found that the string bank is sourced from a website used to rate and find reputable IT/software companies.

Smaller changes

In our last write-up, WARMCOOKIE used the /p command-line parameter to determine whether a scheduled task needed to be created; this parameter has since been changed to /u. It is a small change, but one that likely serves to break detections derived from previous reporting.
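The string bank and the /u switch change what a hunt should key on. Below is an added example (not Elastic's code) that scores scheduled-task XML by its action alone and ignores the vendor-like task name entirely: rundll32.exe loading a DLL from outside the Windows directory, calling a named export, and passing /u (or /p in the older builds). The task definitions are constructed; the `"<dll>",Start /u` argument shape and the Start export are assumptions for this example, not copied from a sample.

```python
"""Hunt scheduled-task XML for WARMCOOKIE-style persistence.

Added example, not Elastic's code. Because task names and folders now come
from a string bank of real company names, the task name carries no signal;
this check ignores it and scores only the action: rundll32.exe loading a DLL
from outside the Windows directory, calling a named export, and passing the
/u switch (or /p in the pre-2025 builds). The task XML below is constructed,
and the "<dll>",Start /u argument shape is assumed for the example.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_PREFIXES = ("c:\\windows\\", "%systemroot%", "%windir%")
PERSIST_SWITCHES = {"/u", "/p"}          # current and previous variant
# rundll32 argument form: <dll path>[,<export>] [further arguments]
RUNDLL_ARGS = re.compile(r'\s*"?([^",]+\.dll)"?\s*(?:,\s*(\w+))?(.*)', re.I)


def _basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def score_task(xml_text: str) -> Tuple[str, List[str]]:
    """Return (task URI, reasons). An empty reasons list means no finding."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="<no URI>", namespaces=NS)
    reasons: List[str] = []
    for action in root.findall("t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS)
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        if _basename(cmd) != "rundll32.exe":
            continue
        m = RUNDLL_ARGS.match(args)
        if not m:
            continue
        dll, export, rest = m.group(1), m.group(2) or "", m.group(3)
        # A bare file name resolves through the search path; only flag real paths.
        if "\\" in dll and not dll.lower().startswith(SYSTEM_PREFIXES):
            reasons.append(f"rundll32 loads DLL outside the Windows directory: {dll}")
        if export.lower() == "start":
            reasons.append("export 'Start' invoked")
        hit = PERSIST_SWITCHES & set(rest.lower().split())
        if hit:
            reasons.append("persistence switch " + ", ".join(sorted(hit)))
    return uri, reasons


def hunt(tasks: Dict[str, str]) -> Dict[str, List[str]]:
    """Map task file name -> reasons for every task that scored."""
    findings = {}
    for name, xml_text in tasks.items():
        _, reasons = score_task(xml_text)
        if reasons:
            findings[name] = reasons
    return findings


def _task(uri: str, command: str, arguments: str) -> str:
    """Minimal task definition in the Task Scheduler XML schema (constructed)."""
    return f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>{uri}</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>{command}</Command><Arguments>{arguments}</Arguments>
  </Exec></Actions>
</Task>"""


# Constructed task definitions: the hard-coded path from the 2024 variant, a
# vendor-like name standing in for a string-bank entry, and a stock-looking
# Windows task that also uses rundll32.exe.
SAMPLE_TASKS = {
    "RtlUpd": _task(r"\RtlUpd", "rundll32.exe",
                    r'"C:\ProgramData\RtlUpd\RtlUpd.dll",Start /p'),
    "Contoso Software Ltd": _task(
        r"\Contoso Software Ltd", "rundll32.exe",
        r'"C:\ProgramData\Contoso Software Ltd\Contoso Software Ltd.dll",Start /u'),
    "Server Manager Performance Monitor": _task(
        r"\Microsoft\Windows\PLA\Server Manager Performance Monitor",
        r"%windir%\system32\rundll32.exe",
        r'%windir%\system32\pla.dll,PlaHost "Server Manager Performance Monitor" "$(Arg0)"'),
}

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(reasons))
```

On a live host the definitions live under C:\Windows\System32\Tasks and are stored as UTF-16, so read each file with encoding="utf-16" before passing its text to score_task. The point of scoring the action rather than the name is that a task called after a real software vendor is exactly what the string bank is designed to produce.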

In this new variant, WARMCOOKIE embeds two separate GUID-like mutexes, used in combination to better control initialization and synchronization; previous versions used only one mutex.

Another noticeable improvement in the more recent versions of WARMCOOKIE is code optimization. The implementation shown below is cleaner, with less inline logic, which makes the code easier to read and maintain and somewhat more efficient.

Clustering configs

Since our initial publication in July 2024, WARMCOOKIE samples have included a campaign ID field. This field is used by operators as a tag or marker providing context to the operators around the infection, such as the distribution method. Below is an example of a sample with a campaign ID of traffic2.

Based on the extracted configurations of samples in the last year, we hypothesize that the embedded RC4 key can be used to distinguish between operators using WARMCOOKIE. While unproven, we observed from various samples that some patterns started to emerge based on clustering the RC4 key.

By using the RC4 key, we can see overlap in campaign themes over time. For example, the build using RC4 key 83ddc084e21a244c leverages keywords such as bing, bing2, bing3, and aws for campaign mapping. An interesting note, as it relates to these build artifacts, is that some builds contain different command handlers/functionality: the build using the RC4 key 83ddc084e21a244c is the only variant we have observed with PowerShell script execution capabilities, while most recent builds contain only the DLL/EXE handlers.

Other campaign IDs use terms such as lod2lod, capo, or PrivateDLL. In a sample from July 2025 we also saw, for the first time, WARMCOOKIE embed a domain rather than a numeric IP address for its C2.
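To make the clustering concrete, here is an added Python example (not Elastic's tooling) that groups extracted configurations by RC4 key and summarises the campaign IDs, C2 address types and handler sets seen per key. The records are constructed: the key 83ddc084e21a244c, the campaign IDs, the domain and the IP addresses come from this page, but their pairing into samples is invented for illustration, and the all-zero and all-f keys are placeholders.

```python
"""Cluster extracted WARMCOOKIE configurations by RC4 key.

Added example, not Elastic's tooling. It implements only the pivot described
above: group samples by embedded RC4 key, then compare campaign IDs, C2
address types and handler sets per cluster. The records are constructed:
the key 83ddc084e21a244c, the campaign IDs, the domain and the IP addresses
are values quoted on this page, but their pairing into samples is invented
for illustration and the all-zero/all-f keys are placeholders.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List


def refang(indicator: str) -> str:
    """Undo the [.] defanging used in IOC tables."""
    return indicator.replace("[.]", ".")


def c2_kind(addr: str) -> str:
    """'ip' for a numeric address, 'domain' otherwise."""
    try:
        ipaddress.ip_address(refang(addr))
        return "ip"
    except ValueError:
        return "domain"


def cluster_by_rc4(configs: List[dict]) -> Dict[str, dict]:
    """One summary per RC4 key: sample count, campaign IDs, C2s, C2 kinds and
    the distinct handler sets seen (different sets = different builds)."""
    clusters: Dict[str, dict] = defaultdict(lambda: {
        "samples": 0, "campaign_ids": set(), "c2": set(),
        "c2_kinds": set(), "handler_sets": set()})
    for cfg in configs:
        c = clusters[cfg["rc4_key"]]
        c["samples"] += 1
        c["campaign_ids"].add(cfg["campaign_id"])
        for addr in cfg["c2"]:
            c["c2"].add(refang(addr))
            c["c2_kinds"].add(c2_kind(addr))
        c["handler_sets"].add(frozenset(cfg["handlers"]))
    return dict(clusters)


def keys_with_handler(clusters: Dict[str, dict], handler: str) -> List[str]:
    """RC4 keys whose builds include a given handler (e.g. 'ps1')."""
    return sorted(k for k, c in clusters.items()
                  if any(handler in hs for hs in c["handler_sets"]))


def keys_with_domain_c2(clusters: Dict[str, dict]) -> List[str]:
    """RC4 keys with at least one domain (rather than IP) C2."""
    return sorted(k for k, c in clusters.items() if "domain" in c["c2_kinds"])


# Constructed configuration records (see module docstring).
BASE = {"exe", "dll", "dll_start"}
CONFIGS = [
    {"rc4_key": "83ddc084e21a244c", "campaign_id": "bing",  "c2": ["87.120.126.32"],  "handlers": BASE | {"ps1"}},
    {"rc4_key": "83ddc084e21a244c", "campaign_id": "bing2", "c2": ["85.208.84.220"],  "handlers": BASE | {"ps1"}},
    {"rc4_key": "83ddc084e21a244c", "campaign_id": "bing3", "c2": ["109.120.137.42"], "handlers": BASE | {"ps1"}},
    {"rc4_key": "83ddc084e21a244c", "campaign_id": "aws",   "c2": ["195.82.147.3"],   "handlers": BASE | {"ps1"}},
    {"rc4_key": "0000000000000000", "campaign_id": "lod2lod",    "c2": ["93.152.230.29"],     "handlers": BASE},
    {"rc4_key": "0000000000000000", "campaign_id": "PrivateDLL", "c2": ["storsvc-win[.]com"], "handlers": BASE},
    {"rc4_key": "ffffffffffffffff", "campaign_id": "capo",       "c2": ["155.94.155.155"],    "handlers": BASE},
]

if __name__ == "__main__":
    clusters = cluster_by_rc4(CONFIGS)
    for key, c in clusters.items():
        print(f"{key}: {c['samples']} samples, campaigns={sorted(c['campaign_ids'])}, "
              f"c2={sorted(c['c2'])}, handler builds={len(c['handler_sets'])}")
    print("PowerShell-capable keys:", keys_with_handler(clusters, "ps1"))
    print("domain C2 keys:", keys_with_domain_c2(clusters))
```

Treat the output as a lead, not an attribution: a shared RC4 key shows that samples came from the same build or builder, which is consistent with one operator but does not prove it.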

WARMCOOKIE infrastructure overview

After extracting the infrastructure from these configurations, one TLS certificate stands out. Our hypothesis is that the certificate below is a default certificate used for the WARMCOOKIE back-end.

Issuer:               C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
Not Before:           2023-11-25T02:46:19Z
Not After:            2024-11-24T02:46:19Z
Fingerprint (SHA1):   e88727d4f95f0a366c2b3b4a742950a14eff04a4
Fingerprint (SHA256): 8c5522c6f2ca22af8db14d404dbf5647a1eba13f2b0f73b0a06d8e304bd89cc0

Certificate details

Note that the Not After date above shows this certificate expired in November 2024. Nevertheless, new (and reused) infrastructure continues to be brought up with it. Much of this is not entirely new infrastructure but a reconfiguration of redirectors to breathe new life into existing hosts, which could indicate that the campaign owners are not concerned with the C2 being discovered. When pivoting on this certificate, use the fingerprints rather than the issuer: the issuer DN (C=AU, ST=Some-State, O=Internet Widgits Pty Ltd) is OpenSSL's default for any self-signed certificate and matches a vast amount of unrelated infrastructure.
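An added Python example (not Elastic's code) for pivoting on this certificate: it fetches a host's leaf certificate with validation disabled (the certificate is self-signed and expired, so a normal handshake would fail), hashes the DER bytes and compares them with the fingerprints above. Port 443 is an assumption; the page does not state the C2 port. Run the network part only from infrastructure you are prepared to expose to a C2 server.

```python
"""Pivot on the suspected WARMCOOKIE default TLS certificate.

Added example, not Elastic's code. The certificate is self-signed and expired,
so a normal TLS client would abort the handshake; fetch_leaf_der() disables
verification on purpose, takes the leaf certificate's DER bytes and the
fingerprint helpers compare their SHA-1/SHA-256 with the values quoted above.
Port 443 is an assumption. The issuer DN is OpenSSL's default and is not used.
"""
import hashlib
import socket
import ssl
import sys
from typing import Dict, List, Tuple

WARMCOOKIE_CERT_SHA1 = "e88727d4f95f0a366c2b3b4a742950a14eff04a4"
WARMCOOKIE_CERT_SHA256 = "8c5522c6f2ca22af8db14d404dbf5647a1eba13f2b0f73b0a06d8e304bd89cc0"


def fingerprints(der: bytes) -> Dict[str, str]:
    """Hex SHA-1 and SHA-256 of a DER-encoded certificate (what scanners report)."""
    return {"sha1": hashlib.sha1(der).hexdigest(),
            "sha256": hashlib.sha256(der).hexdigest()}


def is_warmcookie_default_cert(der: bytes) -> bool:
    fp = fingerprints(der)
    return fp["sha256"] == WARMCOOKIE_CERT_SHA256 or fp["sha1"] == WARMCOOKIE_CERT_SHA1


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate without validating it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # self-signed: no name to check
    ctx.verify_mode = ssl.CERT_NONE     # expired: validation would fail
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def scan(hosts: List[str], port: int = 443) -> List[Tuple[str, str, bool]]:
    """(host, sha256, matched) per reachable host; unreachable hosts are skipped."""
    results = []
    for host in hosts:
        try:
            der = fetch_leaf_der(host, port)
        except OSError as exc:          # ssl.SSLError is an OSError subclass
            print(f"{host}: {exc}", file=sys.stderr)
            continue
        results.append((host, fingerprints(der)["sha256"], is_warmcookie_default_cert(der)))
    return results


if __name__ == "__main__":
    # Usage: python warmcookie_cert.py 87.120.126.32 storsvc-win.com
    for host, sha256, hit in scan(sys.argv[1:]):
        print(f"{host}\t{sha256}\t{'WARMCOOKIE default cert' if hit else '-'}")
```

The same SHA-256 is the value to search for in passive scan datasets, which avoids touching the C2 at all; a hit on the expired certificate is a strong signal precisely because nobody deploying a legitimate service keeps serving a certificate that has been expired this long.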

Conclusion

Elastic Security Labs continues to observe WARMCOOKIE infections and the deployment of new infrastructure for this family. Over the last year, the developer has continued to make updates and changes, suggesting it will be around for some time to come. Based on its selective usage, it continues to remain under the radar. We hope that by sharing this information, organizations will be better equipped to protect themselves from this threat.

Malware and MITRE ATT&CK

Elastic uses the MITRE ATT&CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.

Tactics

Tactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action.

Techniques

Techniques represent how an adversary achieves a tactical goal by performing an action.

Detecting malware

Prevention

YARA

Elastic Security has created the following YARA rules to identify this activity.

Observations

The following observables were discussed in this research.

Observable | Type | Name
87.120.126.32 | ipv4-addr | WARMCOOKIE C2 Server
storsvc-win[.]com | domain | WARMCOOKIE C2 Server
85.208.84.220 | ipv4-addr | WARMCOOKIE C2 Server
109.120.137.42 | ipv4-addr | WARMCOOKIE C2 Server
195.82.147.3 | ipv4-addr | WARMCOOKIE C2 Server
93.152.230.29 | ipv4-addr | WARMCOOKIE C2 Server
155.94.155.155 | ipv4-addr | WARMCOOKIE C2 Server
87.120.93.151 | ipv4-addr | WARMCOOKIE C2 Server
170.130.165.112 | ipv4-addr | WARMCOOKIE C2 Server
192.36.57.164 | ipv4-addr | WARMCOOKIE C2 Server
83.172.136.121 | ipv4-addr | WARMCOOKIE C2 Server
45.153.126.129 | ipv4-addr | WARMCOOKIE C2 Server
170.130.55.107 | ipv4-addr | WARMCOOKIE C2 Server
89.46.232.247 | ipv4-addr | WARMCOOKIE C2 Server
89.46.232.52 | ipv4-addr | WARMCOOKIE C2 Server
185.195.64.68 | ipv4-addr | WARMCOOKIE C2 Server
107.189.18.183 | ipv4-addr | WARMCOOKIE C2 Server
192.36.57.50 | ipv4-addr | WARMCOOKIE C2 Server
62.60.238.115 | ipv4-addr | WARMCOOKIE C2 Server
178.209.52.166 | ipv4-addr | WARMCOOKIE C2 Server
185.49.69.102 | ipv4-addr | WARMCOOKIE C2 Server
185.49.68.139 | ipv4-addr | WARMCOOKIE C2 Server
149.248.7.220 | ipv4-addr | WARMCOOKIE C2 Server
194.71.107.41 | ipv4-addr | WARMCOOKIE C2 Server
149.248.58.85 | ipv4-addr | WARMCOOKIE C2 Server
91.222.173.219 | ipv4-addr | WARMCOOKIE C2 Server
151.236.26.198 | ipv4-addr | WARMCOOKIE C2 Server
91.222.173.91 | ipv4-addr | WARMCOOKIE C2 Server
185.161.251.26 | ipv4-addr | WARMCOOKIE C2 Server
194.87.45.138 | ipv4-addr | WARMCOOKIE C2 Server
38.180.91.117 | ipv4-addr | WARMCOOKIE C2 Server
c7bb97341d2f0b2a8cd327e688acb65eaefc1e01c61faaeba2bc1e4e5f0e6f6e | SHA-256 | WARMCOOKIE
9d143e0be6e08534bb84f6c478b95be26867bef2985b1fe55f45a378fc3ccf2b | SHA-256 | WARMCOOKIE
f4d2c9470b322af29b9188a3a590cbe85bacb9cc8fcd7c2e94d82271ded3f659 | SHA-256 | WARMCOOKIE
5bca7f1942e07e8c12ecd9c802ecdb96570dfaaa1f44a6753ebb9ffda0604cb4 | SHA-256 | WARMCOOKIE
b7aec5f73d2a6bbd8cd920edb4760e2edadc98c3a45bf4fa994d47ca9cbd02f6 | SHA-256 | WARMCOOKIE
e0de5a2549749aca818b94472e827e697dac5796f45edd85bc0ff6ef298c5555 | SHA-256 | WARMCOOKIE
169c30e06f12e33c12dc92b909b7b69ce77bcbfc2aca91c5c096dc0f1938fe76 | SHA-256 | WARMCOOKIE

References

The following were referenced throughout the above research: