Advisory June 13, 2024

New WarmCookie Backdoor

The Obrela TI Team

A new, widely used backdoor known as WarmCookie has been observed. WarmCookie is purpose-built Windows malware that is distributed through phishing emails.


The backdoor campaign, identified as REF6127, targets individuals using themes related to recruitment and job opportunities. Attackers craft their bait based on the victims’ current employers, tempting them with potential new job offers. They then send phishing emails to the victims, which include links purportedly leading to internal systems where job descriptions can be viewed. Clicking the link initiates the deployment of WarmCookie by running PowerShell.

WarmCookie is an initial backdoor tool used to infiltrate victim networks. It gathers victim information, captures screenshots, fingerprints the machine and deploys additional payloads. Its code shares similarities with a previously identified sample, but the latest version poses a greater threat. Once initial access is gained, attackers can proceed to deploy more destructive payloads, such as ransomware. The backdoor also performs anti-analysis checks to avoid detection.

The campaign is ongoing with threat actors actively sending phishing emails to their victims.


To protect against the backdoor, it is recommended to take the following measures:

  • Implement strong email filtering solutions to detect and block phishing emails.
  • Conduct security awareness training to educate employees about phishing attacks, particularly those involving job offers or recruitment. Teach users to identify suspicious email characteristics, such as misspellings, generic greetings, and urgent requests.
  • Regularly update operating systems, applications, and security software.
  • Adopt the principle of least privilege (PoLP) for user accounts.
  • Restrict access to sensitive resources based on job roles and responsibilities.
  • Segregate critical systems from less secure network areas.
  • Restrict lateral movement within the network to prevent attackers from easily accessing sensitive data.
  • Deploy intrusion detection systems (IDS) and security information and event management (SIEM) solutions, and monitor network traffic for suspicious activity and indicators of compromise (IoCs).