How to remove the Warmcookie Backdoor Malware

This page is dedicated to educating victims on what Warmcookie does and to its removal. A big thank you for the security researchers who made their information public, including Elastic and Esentire. Without the notice they gave everyone, we wouldn’t be able to address Warmcookie.

There is a removal guide for Warmcookie further down the page. 

We urge you to read the rest of the article so you are aware what it’s doing to you and how to protect yourself from it. We highlighted in bold any information we believe you need to read. 

What is Warmcookie?

Warmcookie is a backdoor Trojan that recently caused a stir in cybersecurity circles. It has been around since at least late April 2024, but only gained notoriety now. There are some older, more unrefined attempts before April, but they are not as dangerous and you are unlikely to come across them. 

Warmcookie Malware

Warmcookie immediately starts deploying additional payloads once on an infected PC, classifying it as a backdoor. In simplest terms, that’s a trojan existing to infect you with more malware, which it attempts to download almost immediately. Warmcookie starts capturing screenshots and collecting any sensitive information it can get specifically for these purposes. Around every 10 seconds it attempts to send the collected data to the server of the criminals who determine what further to infect you with. 

At that point we can not state the exact effects Warmcookie will have on your network and PC since this can vary depending on the type of device – whether it’s work or home related. But unlike milder cases of trojans, Warmcookie already monitors you from the beginning. This means almost universally, a keylogger is installed after the trojan’s initial recon sessions. From then on it activates further malicious activities which take advantage of scheduled tasks running with system privileges.

How Dangerous is Warmcookie?

The harm Warmcookie causes is significant. It specifically targets manufacturing, commercial, and healthcare enterprises, be it small businesses or larger networks. Such malware operations are always centered on extracting the most money they can from victims, so the Warmcookie will attempt to cause the most damage it can. 

Screenshot of the Warmcookie malware detections on VirusTotal
The Warmcookie malware detections on VirusTotal

The trojan encrypts its strings making any generic analysis challenging, which further complicates things. It’s very difficult to point out what exactly it does because it actively obfuscates its activities from any security tools. That’s how it manages to remain undetected by Windows Defender and less refined anti-malware programs. 

The most dangerous thing about Warmcookie is that it can gain elevated privileges and override user permissions without any notice. This access enables it to execute commands with system-level authority. Such threats are always the hardest to remove since the trojan tries to hide away from you anyway. Even if you find its files there will be a general period of paranoia if Warmcookie will reinfect you or not.

Considering Warmcookie can act as a keylogger, this is especially troubling with very severe implications. Every key you press, including passwords, credit card numbers, and personal messages, can be recorded and sent to the attacker. Such a breach can make work devices outright inoperable since you can’t use sensitive information on them. If for example, your entire network is infected with it, Warmcookie can lead to huge data loss. 

The attackers can impersonate victims if they have access to personal information. Imagine a scenario where you find out you have a new bank accounts, a loan, or you are linked to another fraudulent activity. We don’t want to scare you further with this statement. We just want you to be aware you are in a serious situation.

Warmcookie’s Distribution Campaign

Warmcookie infiltrates systems through imaginative and convincing phishing email campaigns with job-related themes. Typically this means presenting itself as a recruiting firm which sends you a link to a landing page. This page, crafted to look legitimate, prompts users to download a document after solving a CAPTCHA. This simple interaction initiates the download of Warmcookie.

For example, one such email includes a PDF attachment that directs the user to domains like refxsap[.]com (this is just an example). Depending on the user’s geolocation, this domain either redirects to a JavaScript payload or displays a TeamViewer installer page. In reality the dangerous downloads are hosted on compromised WordPress websites.

To more technically-minded people:
If you open the JavaScript attachment, it downloads and executes an MSI file. The first such installer often drops a Visual Basic Script (VBS) file under the ProgramData/Cis folder. This file contacts the C2 server with the infected machine’s serial number and retrieves additional downloads. The script then enters a loop every 9368 milliseconds and attempts further installs.

The MSI files are usually three per instance and include tools or scripts to take screenshots of the host. Namely, we noticed AutoHotKey scripts, AutoIt, Python scripts, and i_view32.exe. 

The phishing campaign Warmcookie uses is called the  Resident and showcases how sophisticated cybercriminals can get over several iterations. Warmcookie uses PowerShell commands to execute scripts from attacker-hosted domains. The campaign is named after the custom backdoor retrieved from sessions with the command and control (C2) server. It often uses fake OneDrive attachments that lead to a page hosting the JavaScript payload, delivered through drive-by downloads. Such downloads can also infect you with tools like the Rhadamanthys stealer.

Warmcookie Removal Challenges

You need to prioritize its removal ASAP to avoid severe consequences. The first step in this order is to determine when exactly you were infected. Was it through a phishing email or through a message sent to you by another contact? If it occurred recently, you should first immediately disconnect the device from your network and internet.

Removing Warmcookie itself is very challenging because it is built on persistence mechanisms. It sets up a scheduled task that runs every ten minutes with the purpose of restoring and reactivating Warmcookie even if you delete it. It uses a dynamic API loading and custom string decryption to achieve this. Additionally, Warmcookie wipes decrypted strings from memory immediately after use to evade memory signature scans. 


Type Trojan
Detection Tool

Remove Warmcookie Malware

To try and remove Warmcookie quickly you can try this:

  1. Go to your browser’s settings and select More Tools (or Add-ons, depending on your browser).
  2. Then click on the Extensions tab.
  3. Look for the Warmcookie extension (as well as any other unfamiliar ones).
  4. Remove Warmcookie by clicking on the Trash Bin icon next to its name.
  5. Confirm and get rid of Warmcookie and any other suspicious items.

If this does not work as described please follow our more detailed Warmcookie removal guide below.

If you have a Windows virus, continue with the guide below.

If you have a Mac virus, please use our How to remove Ads on Mac guide.

If you have an Android virus, please use our Android Malware Removal guide.

If you have an iPhone virus, please use our iPhone Virus Removal guide.

Some of the steps may require you to exit the page. Bookmark it for later reference.
Next, Reboot in Safe Mode (use this guide if you don’t know how to do it).

Step1 Uninstall the Warmcookie app and kill its processes

The first thing you must try to do is look for any sketchy installs on your computer and uninstall anything you think may come from Warmcookie . After that, you’ll also need to get rid of any processes that may be related to the unwanted app by searching for them in the Task Manager.

Note that sometimes an app, especially a rogue one, may ask you to install something else or keep some of its data (such as settings files) on your PC – never agree to that when trying to delete a potentially rogue software. You need to make sure that everything is removed from your PC to get rid of the malware. Also, if you aren’t allowed to go through with the uninstallation, proceed with the guide, and try again after you’ve completed everything else.

  • Uninstalling the rogue app
  • Killing any rogue processes

Type Apps & Features in the Start Menu, open the first result, sort the list of apps by date, and look for suspicious recently installed entries.

Click on anything you think could be linked to Warmcookie , then select uninstall, and follow the prompts to delete the app.

delete suspicious Warmcookie apps

Press Ctrl + Shift + Esc, click More Details (if it’s not already clicked), and look for suspicious entries that may be linked to Warmcookie .

If you come across a questionable process, right-click it, click Open File Location, scan the files with the free online malware scanner shown below, and then delete anything that gets flagged as a threat.

Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
This scanner is free and will always remain free for our website's users.
This file is not matched with any known malware in the database. You can either do a full real-time scan of the file or skip it to upload a new file. Doing a full scan with 64 antivirus programs can take up to 3-4 minutes per file.
Drag and Drop File Here To Scan
Drag and Drop File Here To Scan
Analyzing 0 s
Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.
    Delete Warmcookie files and quit its processes.

    After that, if the rogue process is still visible in the Task Manager, right-click it again and select End Process.

    Step2 Undo Warmcookie changes made to different system settings

    It’s possible that Warmcookie has affected various parts of your system, making changes to their settings. This can enable the malware to stay on the computer or automatically reinstall itself after you’ve seemingly deleted it. Therefore, you need to check the following elements by going to the Start Menu, searching for them, and pressing Enter to open them and to see if anything has been changed there without your approval. Then you must undo any unwanted changes made to these settings in the way shown below:

    • DNS
    • Hosts
    • Startup
    • Task
    • Services
    • Registry

    Type in Start Menu: View network connections

    Right-click on your primary network, go to Properties, and do this:

    Undo DNS changes made by Warmcookie

    Type in Start Menu: C:\Windows\System32\drivers\etc\hosts

    Delete Warmcookie IPs from Hosts

    Type in the Start Menu: Startup apps

    Disable Warmcookie startup apps

    Type in the Start Menu: Task Scheduler

    Delete Warmcookie scheduled tasks

    Type in the Start Menu: Services

    Disable Warmcookie services

    Type in the Start Menu: Registry Editor

    Press Ctrl + F to open the search window

    Clear the Registry from Warmcookie items

    Protecting yourself from Warmcookie

    Start by monitoring for suspicious PowerShell downloads and executions via Windows scripts. Warmcookie uses PowerShell to initiate its infection – if you block these, it can’t regenerate. Implement tools that detect and block unusual scheduled task creations from unfamiliar processes.

    Use and update security software immediately if you are not technically minded enough to do everything on your own. Employ and VirusTotal to identify and avoid malicious URLs linked to phishing campaigns.

    If you are on a team, educate your the others about clicking on unknown links in emails and social media, even from known contacts. 

    About the author


    Nathan Bookshire

    Leave a Comment