
BadSpace Backdoor

Written by The Hivemind | Jun 25, 2024 5:23:38 PM

Executive Summary

BadSpace, also known as WarmCookie, is a novel backdoor delivered via a multistage attack leveraging infected websites.

Key Takeaways

  • BadSpace, also known as WarmCookie, is a novel backdoor delivered via a multistage attack leveraging infected websites.
  • The threat actors behind BadSpace often infect WordPress sites and inject the malicious code into the index page or into the JavaScript libraries.
  • In some cases, the website shows a window with a fake Google Chrome update that drops the malware file or JScript file onto the victim machine.
  • Infrastructure and TTPs used appear to overlap with those of SocGholish.

What is BadSpace?

BadSpace, also known as WarmCookie, is a novel backdoor delivered via a multistage attack leveraging infected websites. G DATA recently reported on BadSpace.

The threat actors behind BadSpace are using legitimate but compromised websites to deliver the malware. When a user visits one of the infected websites, the site sets a cookie to track if the user has visited the page before. If the visit is the user’s first, a URL is constructed with query parameters including the device type, IP, referrer, user agent, domain, and location. The code on the site then sends a GET request to the URL. The response is a payload.

The threat actors behind BadSpace often infect WordPress sites and inject the malicious code into the index page or into the JavaScript libraries. In some cases, the website shows a window with a fake Google Chrome update that drops the malicious file or JScript file onto the victim machine.

The JScript file goes through a multi-step de-obfuscation process before ultimately constructing a PowerShell downloader. The PowerShell code then downloads BadSpace and, after a ten-second pause, executes the file using rundll32.exe.
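The delivery chain above (script host, then PowerShell, then a delayed rundll32.exe launch of a freshly downloaded DLL) is a process tree a defender can look for in endpoint telemetry. The following is an added example written for this post, not code from PolySwarm or G DATA: a small detector over constructed process-creation events. The event schema (pid, ppid, image, cmdline, ts), the sample file names and paths, and the five-second minimum delay are all assumptions chosen to mirror the chain described, not values taken from real BadSpace samples.

```python
"""Process-tree detection for a BadSpace-style delivery chain.

Added example (not PolySwarm's, G DATA's or the malware's code). The event
layout below is a constructed schema loosely modelled on process-creation
events such as Sysmon Event ID 1; adapt the field names to your own telemetry.
"""
import re
from datetime import datetime

# Constructed sample events: wscript.exe runs a dropped .js, which spawns
# PowerShell, which waits and then runs rundll32.exe on a DLL in the user
# profile. The last event is a benign rundll32 launch used as a control.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "ts": "2024-06-25T15:00:00"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Chrome_Update.js"',
     "ts": "2024-06-25T15:00:05"},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <downloader>",
     "ts": "2024-06-25T15:00:06"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Start",
     "ts": "2024-06-25T15:00:17"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ts": "2024-06-25T15:01:00"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Directories a standard user can write to; a DLL executed from here by
# rundll32 is far more suspicious than one from System32.
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata)\\", re.IGNORECASE)
# First absolute path ending in .dll on the rundll32 command line.
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^",]+\.dll)"?', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_badspace_chains(events, min_delay_s: float = 5.0):
    """Return one finding per rundll32 event that matches the full chain:
    script host -> powershell.exe -> rundll32.exe <user-writable>.dll.
    Ancestry is resolved by pid within the supplied event set only, so this
    ignores pid reuse; a production rule should key on process GUIDs."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if _basename(ev["image"]) != "rundll32.exe":
            continue
        m = DLL_ARG.search(ev["cmdline"])
        if not m or not USER_WRITABLE.search(m.group(1)):
            continue
        parent = by_pid.get(ev["ppid"])
        if not parent or _basename(parent["image"]) != "powershell.exe":
            continue
        grand = by_pid.get(parent["ppid"])
        if not grand or _basename(grand["image"]) not in SCRIPT_HOSTS:
            continue
        # The post describes a ten-second pause before execution; record the
        # observed gap between the PowerShell start and the rundll32 start.
        delay = (datetime.fromisoformat(ev["ts"])
                 - datetime.fromisoformat(parent["ts"])).total_seconds()
        findings.append({
            "pid": ev["pid"],
            "dll": m.group(1),
            "script": grand["cmdline"],
            "delay_s": delay,
            "delayed_launch": delay >= min_delay_s,
        })
    return findings


if __name__ == "__main__":
    for f in find_badspace_chains(EVENTS):
        print(f"suspicious rundll32 pid={f['pid']} dll={f['dll']} "
              f"delay={f['delay_s']:.0f}s from script {f['script']}")
```

The benign shell32.dll launch is skipped because the DLL sits under System32 and the parent is not PowerShell; only the chain that starts from the dropped script is reported, together with the observed delay, which is the timing artefact worth keeping in the alert.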

BadSpace, which targets Windows devices, is an obfuscated PE32+ DLL that is not packed. It has several features that point to at least a mild degree of sophistication, including persistence and anti-sandboxing capabilities. When BadSpace initially communicates with the C2, it sends a cookie containing encrypted information about the victim machine. This information includes the machine name, DNS domain, OS version, username, and an RC4 key that is hard-coded and unique for each sample. The hard-coded RC4 key is used to encrypt C2 communication. BadSpace has basic functionality for interacting with the victim machine, including but not limited to the ability to take a screenshot, execute cmd commands, read and write files, and delete scheduled task persistence.
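Because the RC4 key is hard-coded in each sample, an analyst who extracts it from the DLL can decrypt that sample's captured check-in traffic offline. The following is an added example written for this post, not code from PolySwarm, G DATA or the malware: a plain RC4 implementation plus a decoder for a check-in cookie. The cookie layout (base64 over a pipe-separated UTF-8 string) and the key are constructed assumptions; the real field encoding is not described in the post, so the parser is the part you would replace once you have the sample's actual format.

```python
"""RC4 decoder for a BadSpace-style encrypted check-in cookie.

Added example (not PolySwarm's, G DATA's or the malware's code). The field
layout, the key and the cookie below are constructed test data; in a real
case the key is the one pulled out of the specific sample under analysis.
"""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: one call encrypts or decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Fields the post says the check-in cookie carries; the order is an assumption.
FIELDS = ("machine_name", "dns_domain", "os_version", "username", "rc4_key")


def decode_checkin_cookie(cookie_value: str, sample_key: bytes) -> dict:
    """Decrypt a captured cookie with the key extracted from the sample.

    Raises ValueError when the result does not parse, which is the normal
    outcome with a wrong key. Because the plaintext embeds the key itself,
    a successful decrypt is self-verifying via `key_matches_sample`."""
    plain = rc4(sample_key, base64.b64decode(cookie_value))
    parts = plain.decode("utf-8").split("|")   # UnicodeDecodeError is a ValueError
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    record = dict(zip(FIELDS, parts))
    record["key_matches_sample"] = record["rc4_key"] == sample_key.decode()
    return record


def build_test_cookie(fields, sample_key: bytes) -> str:
    """Constructed test vector so the decoder can be exercised offline."""
    plain = "|".join(fields).encode("utf-8")
    return base64.b64encode(rc4(sample_key, plain)).decode("ascii")


# Placeholder key and host details; none of these come from a real sample.
SAMPLE_KEY = b"PLACEHOLDER_KEY_FROM_SAMPLE"
TEST_COOKIE = build_test_cookie(
    ("WKSTN-01", "corp.example", "10.0.19045", "alice", SAMPLE_KEY.decode()),
    SAMPLE_KEY,
)

if __name__ == "__main__":
    print(decode_checkin_cookie(TEST_COOKIE, SAMPLE_KEY))
```

The practical point is the key-matching check: a decrypted record whose embedded key equals the one recovered from the DLL ties a network capture to a specific sample, and a per-sample key means each new build needs its own extraction before its traffic can be read.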

G DATA noted that the C2 used in these attacks has also been used by SocGholish. Additionally, the use of fake updates and JS files is a known SocGholish TTP.

PolySwarm has multiple samples associated with this activity.

You can use the following CLI command to search for all BadSpace samples in our portal:

$ polyswarm link list -f BadSpace

