WARMCOOKIE (also known as BadSpace) is a Windows backdoor malware first observed in April 2024, primarily distributed through recruitment-themed phishing campaigns and fake browser update prompts. Designed for initial network access and persistence, it enables threat actors to deploy additional payloads like ransomware or Cobalt Strike.
Two-Stage Execution:
1. DLL Deployment:
• Downloaded via PowerShell/BITS transfer
• Installs to C:\ProgramData\RtlUpd\RtlUpd.dll
• Persistence via Task Scheduler with System privileges
2. Core Backdoor:
• Custom RC4 encryption (key 24de21a8dc08434c) with Base64 encoding
• CRC32 checksum verification for C2 communication
• Anti-analysis checks (VM detection)
Network Communication:
• Hardcoded IP addresses (e.g., 185.49.69.41)
• HTTP requests carrying the RC4-encrypted, Base64-encoded data in the Cookie header rather than the body or URL
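As an added example (not code from the malware, from Elastic, or from this page's author), the following Python reconstructs the C2 encoding described above so an analyst can decode captured Cookie values: RC4 with the quoted key, a CRC32 checksum, and Base64. The page does not specify the on-the-wire field layout, so the order "4-byte little-endian CRC32 followed by the payload" and the sample cookies are assumptions constructed for the demonstration; real samples may differ and the key may vary per build.

```python
import base64
import struct
import zlib
from typing import List, Optional, Tuple

# Constructed for this example: the RC4 key string quoted in the profile above.
# Real builds may ship a different key; treat this as a parameter, not a constant.
RC4_KEY = b"24de21a8dc08434c"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_cookie(payload: bytes, key: bytes = RC4_KEY) -> str:
    """Encoder side (assumed layout): [CRC32 LE][payload] -> RC4 -> Base64."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    return base64.b64encode(rc4(key, struct.pack("<I", crc) + payload)).decode()


def parse_cookie(cookie_value: str, key: bytes = RC4_KEY) -> Optional[bytes]:
    """Decoder side: Base64 -> RC4 -> check CRC32. Returns the payload, or None
    when the value is not valid Base64, is too short, or fails the checksum."""
    try:
        raw = base64.b64decode(cookie_value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    plaintext = rc4(key, raw)
    if len(plaintext) < 4:
        return None
    crc_expected = struct.unpack("<I", plaintext[:4])[0]
    payload = plaintext[4:]
    if (zlib.crc32(payload) & 0xFFFFFFFF) != crc_expected:
        return None
    return payload


def corrupt_checksum(cookie_value: str) -> str:
    """Flip one bit of the first ciphertext byte. Because RC4 is a stream cipher,
    this flips the same bit in the decrypted CRC field, so verification must fail.
    Used only to build a constructed negative sample."""
    raw = bytearray(base64.b64decode(cookie_value))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


def triage_requests(requests: List[Tuple[str, str]],
                    key: bytes = RC4_KEY) -> List[Tuple[str, bytes]]:
    """Given (host, cookie-value) pairs from proxy/web logs, return the ones whose
    cookie decrypts under the key AND passes the CRC32 check. Benign cookies fail
    Base64 validation, the length check, or the checksum, so this is a
    low-false-positive hunt for traffic using this encoding."""
    hits = []
    for host, cookie in requests:
        payload = parse_cookie(cookie, key)
        if payload is not None:
            hits.append((host, payload))
    return hits


# Constructed sample log: one beacon-like request to the hardcoded C2 address quoted
# above, one ordinary session cookie, one short valid-Base64 cookie, and one
# beacon whose checksum field was corrupted in transit.
SAMPLE_REQUESTS = [
    ("185.49.69.41", build_cookie(b"host=WS01;user=jdoe")),
    ("example.com", "session=abc123"),
    ("185.49.69.41", "abcd"),
    ("185.49.69.41", corrupt_checksum(build_cookie(b"host=WS01;user=jdoe"))),
]

if __name__ == "__main__":
    for host, payload in triage_requests(SAMPLE_REQUESTS):
        print(f"{host}: {payload!r}")
```

Only the first sample survives triage: the session cookie is not valid Base64, the short cookie cannot hold a checksum, and the corrupted beacon decrypts but fails CRC32. The bit-flip sample also shows why a CRC is an integrity hint, not an authentication mechanism: RC4 has no integrity protection of its own, and CRC32 is linear, so an attacker who knows the layout can adjust the checksum along with the data.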