win.warmcookie

WarmCookie

aka: Badspace, Carrotstick, QUICKBIND

WarmCookie is a backdoor capable of executing commands, reading and writing files, and capturing screenshots. It communicates with a command and control (C&C) server over HTTP to receive further instructions and to exfiltrate stolen data. It is commonly distributed through phishing campaigns and malicious downloads that trick users into running it, so that the backdoor can gain a foothold on the system unnoticed.

References

2025-09-30 | Elastic | Elastic
WARMCOOKIE One Year Later: New Features and Fresh Insights
Families: WarmCookie

2025-07-14 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update January to June 2025
Families: Coper, FluBot, Hook, Joker, Mirai, AsyncRAT, BianLian, BumbleBee, Chaos, Cobalt Strike, DanaBot, DCRat, Havoc, Latrodectus, NjRAT, Quasar RAT, RedLine Stealer, Remcos, Rhadamanthys, Sliver, ValleyRAT, WarmCookie, XWorm

2025-01-30 | Recorded Future | Insikt Group
TAG-124’s Multi-Layered TDS Infrastructure and Extensive User Base
Families: Rhysida, KongTuke, MintsLoader, Broomstick, Remcos, Rhysida, WarmCookie

2025-01-22 | VertexSavage
Categorizing Software with Code Families
Families: WarmCookie

2024-10-23 | Cisco Talos | Edmund Brumaghin, Holger Unterbrink, Jordyn Dunk, Nicole Hoffman
Highlighting TA866/Asylum Ambuscade Activity Since 2021
Families: WasabiSeed, Cobalt Strike, csharp-streamer RAT, Resident, Rhadamanthys, WarmCookie

2024-10-23 | Cisco Talos | Edmund Brumaghin, Holger Unterbrink, Jordyn Dunk, Nicole Hoffman
Threat Spotlight: WarmCookie/BadSpace
Families: Cobalt Strike, csharp-streamer RAT, WarmCookie

2024-10-17 | Hunt.io | Hunt.io
From Warm to Burned: Shedding Light on Updated WarmCookie Infrastructure
Families: WarmCookie

2024-10-03 | GitHub (dstepanic) | Daniel Stepanic
Getting Cozy with Milk and WARMCOOKIES
Families: WarmCookie

2024-09-30 | X (@GenThreatLabs) | Gen Threat Labs
Tweet on FAKEUPDATES pushing WARMCOOKIE backdoor via compromised websites targeting France
Families: FAKEUPDATES, WarmCookie

2024-07-26 | SecurityIntelligence | Golo Mühr, Joe Fasulo
Hive0137 and AI-supplemented malware distribution
Families: WarmCookie, XWorm, Hive0137

2024-07-26 | Darktrace | DarkTrace
Disarming the WarmCookie Backdoor: Darktrace’s Oven-Ready Solution
Families: WarmCookie

2024-06-12 | Elastic | Daniel Stepanic
Dipping into Danger: The WARMCOOKIE backdoor
Families: WarmCookie

2024-06-12 | Gdata | Anna Lvova, Karsten Hahn
New backdoor BadSpace delivered by high-ranking infected websites
Families: WarmCookie

2024-05-23 | Github (x-junior) | Mohamed Ashraf
String Decryptor for WarmCookie
Families: WarmCookie

2024-05-23 | Github (x-junior) | Mohamed Ashraf
IDA Script for WarmCookie
Families: WarmCookie

2024-05-13 | Emerging Threats | Kevin Ross
SIGS: W32/Badspace.Backdoor
Families: WarmCookie

2024-05-08 | Elastic | Elastic
Elastic Security - WarmCookie YARA Rule
Families: WarmCookie

2023-06-15 | eSentire | RussianPanda
eSentire Threat Intelligence Malware Analysis: Resident Campaign
Families: Cobalt Strike, Resident, Rhadamanthys, WarmCookie
Yara Rules
[TLP:WHITE] win_warmcookie_auto (20260504 | Detects win.warmcookie.)
rule win_warmcookie_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.warmcookie."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.warmcookie"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // The annotations below decode each byte sequence as x86-64 code
        // (the sample is 64-bit). "??" bytes are wildcarded RIP-relative
        // targets and relocations, so those instructions have no fixed operand.
        $sequence_0 = { 0f8709060000 4183fe03 0f87ff050000 4585f6 0f850a020000 }
            // n = 5, score = 900
            //   0f8709060000         | ja                  0x60f
            //   4183fe03             | cmp                 r14d, 3
            //   0f87ff050000         | ja                  0x605
            //   4585f6               | test                r14d, r14d
            //   0f850a020000         | jne                 0x210

        $sequence_1 = { 85c0 0f88c0060000 8d0480 8d4441d0 418902 0fb74502 }
            // n = 6, score = 900
            //   85c0                 | test                eax, eax
            //   0f88c0060000         | js                  0x6c6
            //   8d0480               | lea                 eax, [rax + rax*4]
            //   8d4441d0             | lea                 eax, [rcx + rax*2 - 0x30]
            //   418902               | mov                 dword ptr [r10], eax
            //   0fb74502             | movzx               eax, word ptr [rbp + 2]

        $sequence_2 = { 8944242c 48b8fffffffffdffffff 4889842480000000 31c0 6689842488000000 0fb706 897c2478 }
            // n = 7, score = 900
            //   8944242c             | mov                 dword ptr [rsp + 0x2c], eax
            //   48b8fffffffffdffffff     | movabs  rax, 0xfffffffdffffffff
            //   4889842480000000     | mov                 qword ptr [rsp + 0x80], rax
            //   31c0                 | xor                 eax, eax
            //   6689842488000000     | mov                 word ptr [rsp + 0x88], ax
            //   0fb706               | movzx               eax, word ptr [rsi]
            //   897c2478             | mov                 dword ptr [rsp + 0x78], edi

        $sequence_3 = { 41b902000000 41b800000000 ba00000000 4889c1 }
            // n = 4, score = 900
            //   41b902000000         | mov                 r9d, 2
            //   41b800000000         | mov                 r8d, 0
            //   ba00000000           | mov                 edx, 0
            //   4889c1               | mov                 rcx, rax

        $sequence_4 = { 48c744243000000000 c744242880000000 c744242003000000 41b900000000 41b807000000 ba00000080 4889c1 }
            // n = 7, score = 900
            //   48c744243000000000     | mov    qword ptr [rsp + 0x30], 0
            //   c744242880000000     | mov                 dword ptr [rsp + 0x28], 0x80
            //   c744242003000000     | mov                 dword ptr [rsp + 0x20], 3
            //   41b900000000         | mov                 r9d, 0
            //   41b807000000         | mov                 r8d, 7
            //   ba00000080           | mov                 edx, 0x80000000
            //   4889c1               | mov                 rcx, rax

        $sequence_5 = { 0f8e1bffffff 01d0 89430c e9???????? 4157 }
            // n = 5, score = 900
            //   0f8e1bffffff         | jle                 0xffffff21
            //   01d0                 | add                 eax, edx
            //   89430c               | mov                 dword ptr [rbx + 0xc], eax
            //   e9????????           | jmp                 (wildcarded target)
            //   4157                 | push                r15

        $sequence_6 = { 415c c3 55 4157 4156 4155 4154 }
            // n = 7, score = 900
            //   415c                 | pop                 r12
            //   c3                   | ret
            //   55                   | push                rbp
            //   4157                 | push                r15
            //   4156                 | push                r14
            //   4155                 | push                r13
            //   4154                 | push                r12

        $sequence_7 = { ba19000000 488b4c2438 ff15???????? 85c0 }
            // n = 4, score = 700
            //   ba19000000           | mov                 edx, 0x19
            //   488b4c2438           | mov                 rcx, qword ptr [rsp + 0x38]
            //   ff15????????         | call                qword ptr [rip + ??]
            //   85c0                 | test                eax, eax

        $sequence_8 = { 4883ec28 e8???????? 3dff2f0000 0f97c0 0fb6c0 }
            // n = 5, score = 700
            //   4883ec28             | sub                 rsp, 0x28
            //   e8????????           | call                (wildcarded target)
            //   3dff2f0000           | cmp                 eax, 0x2fff
            //   0f97c0               | seta                al
            //   0fb6c0               | movzx               eax, al

        $sequence_9 = { 85c0 7409 488b442428 48c1e814 }
            // n = 4, score = 600
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   488b442428           | mov                 rax, qword ptr [rsp + 0x28]
            //   48c1e814             | shr                 rax, 0x14

        $sequence_10 = { 488d4c0301 4801c9 e8???????? 4889c3 4885c0 }
            // n = 5, score = 600
            //   488d4c0301           | lea                 rcx, [rbx + rax + 1]
            //   4801c9               | add                 rcx, rcx
            //   e8????????           | call                (wildcarded target)
            //   4889c3               | mov                 rbx, rax
            //   4885c0               | test                rax, rax

        $sequence_11 = { ba18000000 4889c1 ffd3 85c0 }
            // n = 4, score = 600
            //   ba18000000           | mov                 edx, 0x18
            //   4889c1               | mov                 rcx, rax
            //   ffd3                 | call                rbx
            //   85c0                 | test                eax, eax

        $sequence_12 = { 488b01 ff9080000000 85c0 7815 }
            // n = 4, score = 600
            //   488b01               | mov                 rax, qword ptr [rcx]
            //   ff9080000000         | call                qword ptr [rax + 0x80]
            //   85c0                 | test                eax, eax
            //   7815                 | js                  0x17

        $sequence_13 = { ff15???????? 25ff0f0000 8d88b80b0000 ff15???????? }
            // n = 4, score = 600
            //   ff15????????         | call                qword ptr [rip + ??]
            //   25ff0f0000           | and                 eax, 0xfff
            //   8d88b80b0000         | lea                 ecx, [rax + 0xbb8]
            //   ff15????????         | call                qword ptr [rip + ??]

        $sequence_14 = { ff5010 b9e8030000 ff15???????? 83ef01 }
            // n = 4, score = 600
            //   ff5010               | call                qword ptr [rax + 0x10]
            //   b9e8030000           | mov                 ecx, 0x3e8
            //   ff15????????         | call                qword ptr [rip + ??]
            //   83ef01               | sub                 edi, 1

        $sequence_15 = { 4b8d1c00 4889d9 e8???????? 4989d8 488944f500 }
            // n = 5, score = 500
            //   4b8d1c00             | lea                 rbx, [r8 + r8]
            //   4889d9               | mov                 rcx, rbx
            //   e8????????           | call                (wildcarded target)
            //   4989d8               | mov                 r8, rbx
            //   488944f500           | mov                 qword ptr [rbp + rsi*8], rax

        $sequence_16 = { 488905???????? 448b06 4585c0 7416 b80a000000 }
            // n = 5, score = 500
            //   488905????????       | mov                 qword ptr [rip + ??], rax
            //   448b06               | mov                 r8d, dword ptr [rsi]
            //   4585c0               | test                r8d, r8d
            //   7416                 | je                  0x18
            //   b80a000000           | mov                 eax, 0xa

        $sequence_17 = { 488d542470 b901010000 ff15???????? 85c0 }
            // n = 4, score = 300
            //   488d542470           | lea                 rdx, [rsp + 0x70]
            //   b901010000           | mov                 ecx, 0x101
            //   ff15????????         | call                qword ptr [rip + ??]
            //   85c0                 | test                eax, eax

        $sequence_18 = { 750b 488b4c2460 488b01 ff5068 488b4c2468 }
            // n = 5, score = 300
            //   750b                 | jne                 0xd
            //   488b4c2460           | mov                 rcx, qword ptr [rsp + 0x60]
            //   488b01               | mov                 rax, qword ptr [rcx]
            //   ff5068               | call                qword ptr [rax + 0x68]
            //   488b4c2468           | mov                 rcx, qword ptr [rsp + 0x68]

        $sequence_19 = { 6642894c0c20 ffc2 4f8d0c00 410fb70c19 6685c9 75d8 4863c2 }
            // n = 7, score = 300
            //   6642894c0c20         | mov                 word ptr [rsp + r9 + 0x20], cx
            //   ffc2                 | inc                 edx
            //   4f8d0c00             | lea                 r9, [r8 + r8]
            //   410fb70c19           | movzx               ecx, word ptr [r9 + rbx]
            //   6685c9               | test                cx, cx
            //   75d8                 | jne                 0xffffffda
            //   4863c2               | movsxd              rax, edx

        $sequence_20 = { ff15???????? b906000000 ba04000000 85c0 }
            // n = 4, score = 300
            //   ff15????????         | call                qword ptr [rip + ??]
            //   b906000000           | mov                 ecx, 6
            //   ba04000000           | mov                 edx, 4
            //   85c0                 | test                eax, eax

        $sequence_21 = { 1bc9 41d1e8 81e12083b8ed 4133c8 8bc1 2401 }
            // n = 6, score = 300
            //   1bc9                 | sbb                 ecx, ecx
            //   41d1e8               | shr                 r8d, 1
            //   81e12083b8ed         | and                 ecx, 0xedb88320
            //   4133c8               | xor                 ecx, r8d
            //   8bc1                 | mov                 eax, ecx
            //   2401                 | and                 al, 1
            // (0xedb88320 is the reflected CRC-32 polynomial; this is a
            //  bitwise CRC-32 step, typically used here for API hashing)

        $sequence_22 = { 83e2fc 83c224 89542450 83c2fc }
            // n = 4, score = 300
            //   83e2fc               | and                 edx, 0xfffffffc
            //   83c224               | add                 edx, 0x24
            //   89542450             | mov                 dword ptr [rsp + 0x50], edx
            //   83c2fc               | add                 edx, 0xfffffffc

        $sequence_23 = { 488bcf e8???????? 488b6c2460 488bce e8???????? 488b7c2468 8bc3 }
            // n = 7, score = 300
            //   488bcf               | mov                 rcx, rdi
            //   e8????????           | call                (wildcarded target)
            //   488b6c2460           | mov                 rbp, qword ptr [rsp + 0x60]
            //   488bce               | mov                 rcx, rsi
            //   e8????????           | call                (wildcarded target)
            //   488b7c2468           | mov                 rdi, qword ptr [rsp + 0x68]
            //   8bc3                 | mov                 eax, ebx

    condition:
        7 of them and filesize < 331776
}