T1539 Steal Web Session Cookie

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the target's machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypass some multi-factor authentication protocols.[6]

There are several examples of malware targeting cookies from web browsers on the local system.[32] Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on User Execution by tricking victims into running malicious JavaScript in their browser.[7][1]

There are also open source frameworks such as Evilginx2 and Muraena that can gather session cookies through a malicious proxy (e.g., Adversary-in-the-Middle) that can be set up by an adversary and used in phishing campaigns.[4][5]

After an adversary acquires a valid cookie, they can then use the Web Session Cookie technique to log in to the corresponding web application.
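The server-side signal that a stolen cookie is being replayed is a single session identifier used from inconsistent contexts. The following detection logic is an added example (not part of the ATT&CK page or any referenced tool); it runs over constructed sample log lines and flags a session whose user-agent changes or whose successive uses imply impossible travel. The log format, field names and the 900 km/h threshold are assumptions.

```python
"""Flag replayed session cookies in constructed auth logs (added example, not MITRE content)."""
import math
from datetime import datetime

# Constructed sample log lines: "<iso time> session=<id> ip=<ip> ua=<ua> lat=<x> lon=<y>"
SAMPLE_LOG = """\
2025-01-10T09:00:00Z session=abc123 ip=203.0.113.5 ua=Chrome/120 lat=48.86 lon=2.35
2025-01-10T09:20:00Z session=abc123 ip=203.0.113.5 ua=Chrome/120 lat=48.86 lon=2.35
2025-01-10T09:45:00Z session=abc123 ip=198.51.100.7 ua=curl/8.4 lat=40.71 lon=-74.01
2025-01-10T10:00:00Z session=def456 ip=192.0.2.9 ua=Firefox/121 lat=51.51 lon=-0.13
2025-01-10T12:00:00Z session=def456 ip=192.0.2.10 ua=Firefox/121 lat=51.52 lon=-0.12
"""
MAX_SPEED_KMH = 900.0  # assumed threshold: faster than an airliner counts as impossible travel

def parse_line(line):
    """Parse one constructed log line into a dict of typed fields."""
    ts, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return {"t": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "session": f["session"],
            "ip": f["ip"], "ua": f["ua"], "lat": float(f["lat"]), "lon": float(f["lon"])}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_replay(log_text):
    """Return (session, reason) pairs for sessions whose successive uses are inconsistent."""
    last, alerts = {}, []
    for ev in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        prev = last.get(ev["session"])
        if prev:
            hours = (ev["t"] - prev["t"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # zero elapsed time with real movement is treated as infinitely fast
            speed = km / hours if hours > 0 else (math.inf if km > 1.0 else 0.0)
            if ev["ua"] != prev["ua"]:
                alerts.append((ev["session"], "user-agent changed"))
            if speed > MAX_SPEED_KMH:
                alerts.append((ev["session"], "impossible travel"))
        last[ev["session"]] = ev
    return alerts

if __name__ == "__main__":
    for session, reason in find_replay(SAMPLE_LOG):
        print(f"ALERT session={session}: {reason}")
```

An IP change alone (session def456) is not flagged, since mobile and corporate egress addresses change routinely; the user-agent and geo-velocity checks are the stronger signals.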

Item Value
ID T1539
Sub-techniques
Tactics TA0006
Platforms Linux, Office Suite, SaaS, Windows, macOS
Version 1.5
Created 08 October 2019
Last Modified 24 October 2025

Procedure Examples

ID Name Description
G1044 APT42 APT42 has used custom malware to steal login and cookie data from common browsers.[38]
S0657 BLUELIGHT BLUELIGHT can harvest cookies from Internet Explorer, Edge, Chrome, and Naver Whale browsers.[19]
S0631 Chaes Chaes has used a script that extracts the web session cookie and sends it to the C2 server.[18]
S0492 CookieMiner CookieMiner can steal Google Chrome and Apple Safari browser cookies from the victim’s machine.[12]
S1111 DarkGate DarkGate attempts to steal Opera cookies, if present, after terminating the related process.[26]
S0568 EVILNUM EVILNUM can harvest cookies and upload them to the C2 server.[16]
G0120 Evilnum Evilnum can steal cookies and session information from browsers.[35]
S0531 Grandoreiro Grandoreiro can steal the victim’s cookies to use for duplicating the active session from another device.[10]
G0094 Kimsuky Kimsuky has used malware, such as TRANSLATEXT, to steal and exfiltrate browser cookies.[17][32]
G0030 Lotus Blossom Lotus Blossom has used publicly-available tools to steal cookies from browsers such as Chrome.[37]
G1014 LuminousMoth LuminousMoth has used an unnamed post-exploitation tool to steal cookies from the Chrome browser.[31]
S1213 Lumma Stealer Lumma Stealer has harvested cookies from various browsers.[30][29][28]
S1146 MgBot MgBot includes modules that can steal cookies from Firefox, Chrome, and Edge web browsers.[24]
S0650 QakBot QakBot has the ability to capture web session cookies.[14][15]
S1148 Raccoon Stealer Raccoon Stealer attempts to steal cookies and related information in browser history.[27]
S1240 RedLine Stealer RedLine Stealer has stolen browser cookies and settings.[20][21][22][23]
G0034 Sandworm Team Sandworm Team used information stealer malware to collect browser session cookies.[33]
G1015 Scattered Spider Scattered Spider retrieves browser cookies via Raccoon Stealer.[34]
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 stole Chrome browser cookies by copying the Chrome profile directories of targeted users.[39]
S1140 Spica Spica has the ability to steal cookies from Chrome, Firefox, Opera, and Edge browsers.[13]
G1033 Star Blizzard Star Blizzard has used EvilGinx to steal the session cookies of victims directed to phishing domains.[36]
S0467 TajMahal TajMahal has the ability to steal web session cookies from Internet Explorer, Netscape Navigator, FireFox and RealNetworks applications.[3]
S1201 TRANSLATEXT TRANSLATEXT has exfiltrated updated cookies from Google, Naver, Kakao or Daum to the C2 server.[17]
S0658 XCSSET XCSSET uses scp to access the ~/Library/Cookies/Cookies.binarycookies file.[25]
S1207 XLoader XLoader can capture web session cookies and session information from victim browsers.[11]

Mitigations

ID Mitigation Description
M1047 Audit Implement auditing for authentication activities and user logins to detect the use of stolen session cookies. Monitor for impossible travel scenarios and anomalous behavior that could indicate the use of compromised session tokens or cookies.
M1032 Multi-factor Authentication Deploying a hardware-based token (e.g., YubiKey or FIDO key), which incorporates the target login domain as part of the negotiation protocol, will prevent session cookie theft through proxy methods.
M1021 Restrict Web-Based Content Restrict or block web-based content that could be used to extract session cookies or credentials stored in browsers. Use browser security settings, such as disabling third-party cookies and restricting browser extensions, to limit the attack surface.
M1054 Software Configuration Configure browsers or tasks to regularly delete persistent cookies.
M1051 Update Software Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies.
M1017 User Training Train users to identify aspects of phishing attempts where they’re asked to enter credentials into a site that has the incorrect domain for the application they are logging into. Additionally, train users not to run untrusted JavaScript in their browser, such as by copying and pasting code or dragging and dropping bookmarklets.
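The reason the M1032 hardware token defeats a cookie-stealing proxy is that the browser records the origin it actually loaded in the signed clientDataJSON, so a login relayed through a lookalike domain carries the wrong origin. The relying-party checks below are an added example (not from the ATT&CK page or any FIDO library); the expected origin, RP ID and lookalike hostname are constructed, and verifying the authenticator's signature over the data is assumed to happen separately.

```python
"""WebAuthn assertion context checks that stop proxied logins (added example)."""
import base64, hashlib, json, secrets

EXPECTED_ORIGIN = "https://login.example.com"   # assumed relying-party origin
RP_ID = "example.com"                           # assumed relying-party ID

def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_client_data(challenge, origin):
    """Mimic what the browser produces: the origin it saw is part of the signed data."""
    return b64url_encode(json.dumps({"type": "webauthn.get",
                                     "challenge": b64url_encode(challenge),
                                     "origin": origin}).encode())

def verify_assertion_context(client_data_b64, auth_data, issued_challenge):
    """Return None when the assertion context is acceptable, else the rejection reason."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), issued_challenge):
        return "challenge mismatch (replayed or forged response)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return f"origin mismatch: browser was on {cd.get('origin')}"
    # authenticatorData begins with SHA-256(rpId): the credential is scoped to this RP
    if not secrets.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return "rpIdHash mismatch"
    return None

def demo():
    """Compare a direct login with one relayed through a constructed lookalike domain."""
    challenge = secrets.token_bytes(32)
    # constructed authenticatorData: rpIdHash + flags (UP|UV) + 4-byte signature counter
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")
    direct = build_client_data(challenge, "https://login.example.com")
    proxied = build_client_data(challenge, "https://login.example-com.net")  # lookalike origin
    return (verify_assertion_context(direct, auth_data, challenge),
            verify_assertion_context(proxied, auth_data, challenge))

if __name__ == "__main__":
    print(demo())  # (None, 'origin mismatch: browser was on https://login.example-com.net')
```

In practice the browser refuses to use the credential at all when the RP ID is not a registrable suffix of the page's origin, so the server-side origin check is defence in depth rather than the only barrier.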

References

1. Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious Bookmarks. Retrieved January 2, 2024.
2. Chen, Y., Hu, W., Xu, Z., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019.
3. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
4. Gretzky, Kuba. (2019, April 10). Retrieved October 8, 2019.
5. Orrù, M., Trotta, G. (2019, September 11). Muraena. Retrieved October 14, 2019.
6. Tiago Pereira. (2023, November 2). Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox”. Retrieved January 2, 2024.
7. Microsoft Incident Response. (2022, November 16). Token tactics: How to prevent, detect, and respond to cloud token theft. Retrieved December 26, 2023.
8. OWASP CheatSheets Series Team. (n.d.). Session Management Cheat Sheet. Retrieved December 26, 2023.
9. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
10. Nart Villeneuve, Randi Eitzman, Sandor Nemes & Tyler Dean, Google Cloud. (2017, October 5). Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. Retrieved March 11, 2025.
11. Chen, Y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
12. Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.
13. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
14. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
15. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved November 17, 2024.
16. Park, S. (2024, June 27). Kimsuky deploys TRANSLATEXT to target South Korean academia. Retrieved October 14, 2024.
17. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
18. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
19. Alexandre Cote Cyr. (2024, November 8). Life on a crooked RedLine: Analyzing the infamous infostealer’s backend. Retrieved September 17, 2025.
20. George Glass. (2024, August 14). REDLINESTEALER Malware Driving the Initial Access Broker Market. Retrieved September 17, 2025.
21. Proofpoint Threat Insight Team, Jeremy H, Axel F. (2020, March 16). New Redline Password Stealer Malware. Retrieved September 17, 2025.
22. Splunk Threat Research Team. (2023, June 1). Do Not Cross The ‘RedLine’ Stealer: Detections and Analysis. Retrieved September 17, 2025.
23. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
24. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
25. McGraw, T. (2024, December 4). Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware. Retrieved December 9, 2024.
26. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
27. Buddy Tancio, Fe Cureg, and Jovit Samaniego, Trend Micro. (2025, January 30). Lumma Stealer’s GitHub-Based Delivery Explored via Managed Detection and Response. Retrieved March 22, 2025.
28. Cara Lin, Fortinet. (2024, January 8). Deceptive Cracked Software Spreads Lumma Variant on YouTube. Retrieved March 22, 2025.
29. Cybereason Security Services Team. (n.d.). Your Data Is Under New Lummanagement: The Rise of LummaStealer. Retrieved March 22, 2025.
30. Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
31. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
32. Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.
33. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
34. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
35. CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.
36. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
37. Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024.
38. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.