Cybercriminals are using fake browser updates to spread the WarmCookie backdoor malware in a new campaign targeting users in France.

Browsers are a crucial component of modern business IT and are used almost continuously throughout the day. Whether it's placing orders for stock, updating customer portals, or researching your competitors, your employees will be using apps such as Chrome, Edge, and Firefox. And it's this essential nature of browsers which makes them the perfect target for threat actors. WarmCookie was first detected in 2023, when fake OneDrive attachments were used to deploy its payload, and it has recently resurfaced in France. Backdoor attacks have the potential to cause major damage to your IT infrastructure and data security, so it's vital that you're aware of how these attacks work.

The Basics of the WarmCookie Attack

The WarmCookie malware campaign targets its victims by disguising itself as a fake browser or application update. When a user visits a compromised website, they're prompted to download what, for all intents and purposes, looks like an update for a popular browser such as Chrome or an essential browser tool like Java. Some of the websites involved in the WarmCookie attack appear to be legitimate sites that have been compromised, while others seem to have been built purely to push the fake browser updates.

Regardless of the type of website involved, instead of downloading a genuine update, the user will only be able to download the WarmCookie malware. Once this malware is activated, it opens a backdoor into the user's system, which allows the attackers to carry out a wide range of malicious activities. Primarily, WarmCookie seeks to steal sensitive information such as login credentials, but it also focuses on executing remote commands and downloading further strains of malware onto the infected system.

So far, the campaign appears to have limited its activities to targeting PC users in France. WarmCookie is also renowned for being stealthy and evasive, which enables it to remain undetected on systems for long periods. This allows the attackers to access compromised systems at their own pace, increasing the risk of more severe damage. Therefore, due to this silent and persistent operation, WarmCookie should be classified as a highly dangerous piece of malware.

Avoid the Dangers of Malicious Downloads

Thankfully, you don’t have to become one of WarmCookie’s victims as it’s relatively simple to avoid. With a little education, you can equip yourself and your staff with the best practices to deflect any malicious download threats:

For more ways to secure and optimize your business technology, contact your local IT professionals.



Russian hackers are using a fake PDF decryption tool to trick innocent PC users into downloading Spica, a new strain of malware.

Discovered by Google's Threat Analysis Group (TAG), Spica is a backdoor malware which had not been identified previously. It's believed that the malware is the work of ColdRiver, a Russian hacking team with a proven track record in deploying malware. The attack, as with so many contemporary threats, is delivered by email and relies on malicious PDF files. Now, with close to 350 billion emails sent per day in 2023, it's clear that email is hugely popular. And it's estimated there are 2.5 trillion PDF files currently in circulation. Therefore, the chances of your business running into a similar attack are high.

The Threat of Spica

The Spica attack begins when the threat actors send a series of PDF files to their targets. Using phishing email techniques, they attempt to trick the targets into believing that these have been sent by legitimate contacts. These files appear encrypted and, if the target bites, they will email back to say they can’t open the files. This is where the threat actors are able to launch their payload.

By sending a malicious link back to the target, the threat actors can trick them into downloading what they claim is a decryption tool. However, this executable tool – going under the name of Proton-decryptor.exe – is far from helpful. Instead, it will provide backdoor access to the target's PC. With this access in place, the malware can communicate with a command-and-control server to receive further instructions.

And Spica comes loaded with a wide range of weaponry. As well as being capable of launching internal shell commands on the infected PC, it's also programmed to steal browser cookies, send and receive files, and create a persistent presence on the machine. Google believes that there are multiple variants of Spica, and the current targets of the malware seem to be high-ranking officials in non-governmental organizations and former members of NATO governments.
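Both campaigns described above share one mechanic from the defender's point of view: a web page (a compromised site offering a "browser update" for WarmCookie, or a link to a "decryption tool" for Spica) hands the user an executable that a real vendor would never deliver that way. The following script is an added example, not code from the original post, showing how that pattern can be flagged in outbound proxy or download logs. The log format, the user names, the hosts and the vendor allowlist are all constructed assumptions for the demonstration; the only identifier taken from the post is the file name Proton-decryptor.exe.

```python
"""
Flag downloads that look like fake "update" or "decryptor" lures.

Heuristic: an executable file type, fetched from a host that is not one of the
vendor update channels, whose file name borrows update/tool vocabulary.
All sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allowlist of hosts that legitimately serve browser installers.
# A real deployment would take this from the organisation's approved software list.
VENDOR_UPDATE_HOSTS = {
    "dl.google.com",
    "update.googleapis.com",
    "download.mozilla.org",
    "msedge.b.tlu.dl.delivery.mp.microsoft.com",
}

# File types that a web page should not be handing to users as an "update".
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".js", ".vbs", ".hta", ".bat", ".ps1")

# Vocabulary seen in both lures: fake updates and fake decryption tools.
LURE_WORDS = re.compile(r"(update|upgrade|install|decrypt|viewer|player)", re.IGNORECASE)


@dataclass
class Finding:
    user: str
    url: str
    reason: str


# Constructed proxy log lines: "<timestamp> <user> <url> <mime type>".
SAMPLE_LOG = """\
2024-09-10T09:01:12Z alice https://dl.google.com/chrome/install/ChromeSetup.exe application/x-msdownload
2024-09-10T09:05:44Z bob https://news-site-example.invalid/assets/Chrome-Update.exe application/x-msdownload
2024-09-10T09:07:03Z carol https://files-share-example.invalid/Proton-decryptor.exe application/x-msdownload
2024-09-10T09:09:30Z dave https://intranet.example.invalid/reports/q3.pdf application/pdf
"""


def parse_line(line):
    """Split one log line into (timestamp, user, url, mime)."""
    ts, user, url, mime = line.split(maxsplit=3)
    return ts, user, url, mime


def assess_download(user, url):
    """Return a Finding if the download matches the lure pattern, else None."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    filename = parsed.path.rsplit("/", 1)[-1]
    if not filename.lower().endswith(EXECUTABLE_SUFFIXES):
        return None                       # documents, images etc. are out of scope here
    if host in VENDOR_UPDATE_HOSTS:
        return None                       # expected installer from a vendor channel
    if LURE_WORDS.search(filename):
        return Finding(user, url,
                       f"executable '{filename}' posing as an update/tool from non-vendor host {host}")
    return Finding(user, url, f"executable '{filename}' from non-vendor host {host}")


def scan_log(text):
    """Run the heuristic over every non-empty line and collect the findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _, user, url, _ = parse_line(line)
        finding = assess_download(user, url)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[ALERT] {f.user}: {f.reason}")
```

Run against the constructed log, the script raises two alerts (bob's "Chrome-Update.exe" from a news site and carol's "Proton-decryptor.exe" from a file-sharing host) while leaving the genuine ChromeSetup.exe from dl.google.com and the PDF report alone. The allowlist is deliberately strict: modern browsers update themselves in the background, so an installer arriving through an ordinary web page click is worth a second look even when the file name is innocuous, which is why the last branch still reports plain executables from unknown hosts.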

Shielding Yourself from the Threat of Spica

While your organization may not be listed high on ColdRiver’s target list, the attack methods are familiar and could easily be launched against you at some point in the future. Therefore, it’s in your best interests to integrate the following advice into your cybersecurity measures:

  • Check for spelling/grammar errors: phishing emails are prone to poor grammar and spelling, especially when they originate from non-English speakers. Accordingly, poorly composed emails should be scrutinized closely. Also, watch out for generic and unusual greetings such as "Dear customer", as these may indicate that the email is part of a mass campaign against unknown targets.
