{
  "name": "WARMCOOKIE One Year Later: New Features and Fresh Insights",
  "slug": "warmcookie-one-year-later-new-features-and-fresh-insights",
  "description": "The WARMCOOKIE backdoor continues to evolve, with ongoing updates and new infections observed. Recent developments include new handlers for executing various file types, a string bank for defense evasion, and code optimizations. A campaign ID field has been added, providing context for operators. Infrastructure analysis reveals a default SSL certificate potentially used for WARMCOOKIE back-ends. Despite disruption attempts, the backdoor remains active in malvertising and spam campaigns. The malware's selective use and continuous updates suggest it will remain a persistent threat, highlighting the need for enhanced organizational protection measures.",
  "published": "2025-10-06T06:03:28+00:00",
  "created_at": "2025-10-06T06:03:28+00:00",
  "modified_at": "2025-10-06T09:33:23+00:00",
  "created_at_opencti": "2025-10-06T06:03:28+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-10-06",
    "backdoor",
    "castlebot",
    "malware-as-a-service",
    "warmcookie"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "65d12e2b-dc5a-47a0-93cd-232b6fc9e93c",
        "name": "CastleBot",
        "slug": "castlebot"
      },
      {
        "id": "legacy:malware:8b0db59783308dcc",
        "name": "WARMCOOKIE",
        "slug": "warmcookie"
      }
    ],
    "attack_patterns": [
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ]
  },
  "external_refs": [
    "https://www.elastic.co/security-labs/revisiting-warmcookie",
    "https://otx.alienvault.com/pulse/68e377d0b3f8991035cc2a27"
  ]
}