The WARMCOOKIE backdoor has resurfaced with new features, expanded infrastructure, and updated delivery mechanisms, according to a new analysis from Elastic Security Labs. Despite disruption attempts during Europol’s Operation Endgame in May 2025, researchers confirm that the malware is still being actively deployed through malvertising and spam campaigns.
WARMCOOKIE was first detailed in the summer of 2024, when it appeared in phishing campaigns disguised as job offers. Since then, Elastic has tracked its continuous evolution, which shows how the malware has shifted from isolated phishing lures to a broader malware-as-a-service (MaaS) ecosystem, extending its reach.
One of the most notable updates to WARMCOOKIE involves the addition of new command handlers. Elastic reports: “During our analysis of the new variant of WARMCOOKIE, we identified four new handlers introduced … providing quick capabilities to launch executables, DLLs, and scripts.”
The malware can now execute PE files, DLLs (including via the Start export), and PowerShell scripts, enhancing its versatility and persistence mechanisms.
To improve stealth, recent versions of WARMCOOKIE rely on string banks—lists of legitimate company names—to disguise scheduled tasks and file paths. The report explains: “Another change observed was the adoption of using a list of legitimate companies for the folder paths and scheduled task names … This is done for defense evasion purposes, allowing the malware to relocate to more legitimate-looking directories.”

Instead of using hardcoded paths, the malware randomly selects company names at runtime, so detections that key on fixed task names or file paths no longer match, making the job harder for defenders.
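A defender's counterpart to the string-bank trick is to stop matching on fixed names and instead flag tasks whose vendor-sounding name or folder is not backed by that vendor's code signature or install location. The following is an added example, not tooling from Elastic's report: it runs a small heuristic over a constructed scheduled-task inventory. The vendor list, the "user-writable root" paths and the task records are all assumptions made up for illustration.

```python
"""Triage a scheduled-task inventory for vendor-name masquerading.

Added example, not from the Elastic report. Vendor names, root paths and
task records below are constructed for illustration only."""

# Assumed string bank of vendor names the heuristic keys on; in practice this
# would come from the environment's own software inventory.
VENDOR_NAMES = ["Contoso", "Fabrikam", "Northwind"]

# Locations where user-writable drops commonly land (assumed for the example).
SUSPICIOUS_ROOTS = ("c:\\users\\", "c:\\programdata\\")


def is_suspicious_task(task: dict) -> list[str]:
    """Return the reasons a task looks like vendor-name masquerading (empty = clean).

    task keys: name, action (path to the executable the task runs) and
    signer (subject of the binary's code signer, or None if unsigned)."""
    reasons = []
    name_l = task["name"].lower()
    action_l = task["action"].lower()
    # Does the task name or its folder borrow a name from the vendor list?
    vendor = next(
        (v for v in VENDOR_NAMES if v.lower() in name_l or v.lower() in action_l),
        None,
    )
    if vendor is None:
        return reasons
    # 1. Vendor name borrowed, but the binary is not signed by that vendor.
    signer = (task.get("signer") or "").lower()
    if vendor.lower() not in signer:
        reasons.append(
            f"task uses vendor name '{vendor}' but binary signer is {task.get('signer')!r}"
        )
    # 2. Vendor-named folder sits under a user-writable root, not Program Files.
    if action_l.startswith(SUSPICIOUS_ROOTS):
        reasons.append("vendor-named folder under a user-writable root")
    return reasons


def triage(tasks: list[dict]) -> dict[str, list[str]]:
    """Map each task name to its list of findings."""
    return {t["name"]: is_suspicious_task(t) for t in tasks}


# Constructed inventory: one legitimate vendor task, one masquerade, one unrelated task.
TASKS = [
    {"name": "Contoso Update", "action": "C:\\Program Files\\Contoso\\updater.exe",
     "signer": "Contoso Ltd"},
    {"name": "Fabrikam Sync", "action": "C:\\ProgramData\\Fabrikam\\sync.exe",
     "signer": None},
    {"name": "Backup Job", "action": "C:\\Tools\\backup.exe", "signer": None},
]

if __name__ == "__main__":
    for name, findings in triage(TASKS).items():
        print(name, "->", findings or "clean")
```

On a real host the inventory would be exported from the Task Scheduler and the signer field filled from Authenticode checks; the point is that the heuristic keys on the mismatch between a borrowed name and the evidence behind it, not on any particular name the string bank happens to pick.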
Elastic’s team has also identified new metadata markers within samples. “Since our initial publication … WARMCOOKIE samples have included a campaign ID field. This field is used by operators as a tag or marker providing context … around the infection, such as the distribution method.”
Alongside campaign IDs, embedded RC4 keys appear to differentiate operator groups. Certain RC4 keys correspond to unique capabilities—such as one build that exclusively used PowerShell handlers—suggesting customized builds per affiliate or operator.
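Because the report ties RC4 keys to operator groups, an analyst can keep a bank of keys seen so far and use it to attribute a new sample: try each key against the sample's encrypted configuration and accept the first one that yields a plausible plaintext. The block below is an added example, not Elastic's tooling; the key bank holds placeholder keys, and the configuration layout it decrypts (a NUL-terminated campaign ID followed by a NUL-terminated C2 hostname) is a constructed stand-in, not WARMCOOKIE's real format.

```python
"""Attribute a sample to an operator by trying known RC4 keys.

Added example, not from the Elastic report. The keys, config layout and
sample blob are constructed for illustration; only the RC4 routine is real."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_config(plain: bytes) -> bool:
    """Sanity check on a candidate plaintext: two non-empty, NUL-terminated
    printable-ASCII fields. A wrong key produces keystream-like noise that
    practically never passes this test."""
    parts = plain.split(b"\x00")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        return False
    return all(32 <= b < 127 for b in parts[0] + parts[1])


def parse_config(plain: bytes) -> dict:
    """Split the assumed layout: campaign ID, then C2 host."""
    campaign_id, c2, *_ = plain.split(b"\x00")
    return {"campaign_id": campaign_id.decode(), "c2": c2.decode()}


# Constructed key bank: placeholder keys mapped to the tracking label an
# analyst assigned when the key was first seen.
KEY_BANK = {
    b"placeholder-key-operatorA": "operator-A",
    b"placeholder-key-operatorB": "operator-B (PowerShell-only build)",
}


def attribute_sample(blob: bytes, key_bank: dict = KEY_BANK):
    """Return (label, config) for the first key that decrypts to a plausible
    config, or None if no known key fits (a new operator or a changed key)."""
    for key, label in key_bank.items():
        plain = rc4(key, blob)
        if looks_like_config(plain):
            return label, parse_config(plain)
    return None


# Constructed sample blob: a fake config encrypted under operator-B's key.
SAMPLE_BLOB = rc4(b"placeholder-key-operatorB",
                  b"jobs-0925\x00c2.example.invalid\x00")

if __name__ == "__main__":
    print(attribute_sample(SAMPLE_BLOB))
```

A None result is itself a finding: it means the sample was built with a key not yet in the bank, which under the report's reading points to a new affiliate or a rotated build. The plausibility check is deliberately strict so that a wrong key is not mistaken for a hit.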
In perhaps the most striking finding, Elastic uncovered reused and expired SSL certificates across WARMCOOKIE’s command-and-control (C2) infrastructure. The report highlights: “Our hypothesis is that the certificate … is possibly a default certificate used for the WARMCOOKIE back-end. Note … this certificate is expired. However, new (and reused) infrastructure continues to be initialized using this expired certificate.”
Despite international law enforcement action, WARMCOOKIE has continued to evolve, with new handlers, evasion tricks, campaign IDs, and resilient infrastructure. Elastic warns that, “Over the last year, the developer has continued to make updates and changes, suggesting it will be around for some time to come. Based on its selective usage, it continues to remain under the radar.”