T1539 Steal Web Session Cookie

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the target's machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypass some multi-factor authentication protocols.[1]

There are several examples of malware targeting cookies from web browsers on the local system.[2][3] There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: Adversary-in-the-Middle) that can be set up by an adversary and used in phishing campaigns.[4][5]

After an adversary acquires a valid cookie, they can then use the Web Session Cookie technique to log in to the corresponding web application.

Item Value
ID T1539
Sub-techniques
Tactics TA0006
Platforms Google Workspace, Linux, Office 365, SaaS, Windows, macOS
Permissions required User
Version 1.2
Created 08 October 2019
Last Modified 28 July 2021

Procedure Examples

ID Name Description
S0657 BLUELIGHT BLUELIGHT can harvest cookies from Internet Explorer, Edge, Chrome, and Naver Whale browsers.[7]
S0631 Chaes Chaes has used a script that extracts the web session cookie and sends it to the C2 server.[8]
S0492 CookieMiner CookieMiner can steal Google Chrome and Apple Safari browser cookies from the victim’s machine.[13]
S0568 EVILNUM EVILNUM can harvest cookies and upload them to the C2 server.[9]
G0120 Evilnum Evilnum can steal cookies and session information from browsers.[15]
S0531 Grandoreiro Grandoreiro can steal the victim’s cookies to use for duplicating the active session from another device.[14]
G1014 LuminousMoth LuminousMoth has used an unnamed post-exploitation tool to steal cookies from the Chrome browser.[16]
S0650 QakBot QakBot has the ability to capture web session cookies.[10][11]
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 stole Chrome browser cookies by copying the Chrome profile directories of targeted users.[17]
S0467 TajMahal TajMahal has the ability to steal web session cookies from Internet Explorer, Netscape Navigator, Firefox and RealNetworks applications.[2]
S0658 XCSSET XCSSET uses scp to access the ~/Library/Cookies/Cookies.binarycookies file.[12]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication A physical second factor key that uses the target login domain as part of the negotiation protocol will prevent session cookie theft through proxy methods.[6]
M1054 Software Configuration Configure browsers or tasks to regularly delete persistent cookies.
M1017 User Training Train users to identify aspects of phishing attempts where they’re asked to enter credentials into a site that has the incorrect domain for the application they are logging into.
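Why M1032 holds against a cookie-relaying proxy, as an added example that is not part of the ATT&CK page: a relying party checking a WebAuthn assertion compares the browser-supplied `origin` in clientDataJSON and the rpIdHash in authenticatorData against its own domain, so an assertion produced while the victim's browser sits on a proxy's domain is rejected. `RP_ID`, `RP_ORIGIN`, the challenge and the proxy domain are constructed values; signature verification is left out to keep the origin check in focus.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"            # constructed: the legitimate relying party
RP_ORIGIN = "https://login.example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_data(origin: str, challenge: bytes) -> str:
    """Model of the clientDataJSON a browser builds before the authenticator signs.
    The browser fills `origin` from the page it is really on; a proxy cannot change it."""
    payload = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return b64url(json.dumps(payload).encode())

def check_assertion(client_data_b64: str, authenticator_data: bytes, expected_challenge: bytes):
    """Relying-party checks on an assertion (signature check omitted here).
    Returns (accepted, reason)."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {RP_ORIGIN!r}"
    # authenticatorData starts with rpIdHash = SHA-256(rpId), then flags and counter.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"

CHALLENGE = b"constructed-challenge-0123456789abcdef"        # constructed
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")

# Genuine login: the browser is on the real origin.
GENUINE = make_client_data(RP_ORIGIN, CHALLENGE)
# Via a relaying proxy: the victim's browser is on the proxy's domain, so the
# signed clientDataJSON carries that origin and the relying party rejects it.
PROXIED = make_client_data("https://login.example.com.proxy.invalid", CHALLENGE)

if __name__ == "__main__":
    print("genuine:", check_assertion(GENUINE, AUTH_DATA, CHALLENGE))
    print("proxied:", check_assertion(PROXIED, AUTH_DATA, CHALLENGE))
```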

Detection

ID Data Source Data Component
DS0022 File File Access
DS0009 Process Process Access
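One way to act on the DS0022 File Access data source, as an added example that is not part of the ATT&CK page: flag any opening of a browser cookie store by a process other than the browser that owns it, which covers both the XCSSET `scp` read above and profile copying by an unrelated tool. The Safari path is the one named on the page; the other store locations, the expected-process allowlist and the sample events are assumptions and constructed telemetry to be tuned per fleet.

```python
import fnmatch
from typing import Iterable, Optional

# Glob patterns (lower-cased, forward slashes) for on-disk cookie stores.
# Only the Safari path comes from the page; the rest are common default locations.
COOKIE_STORES = {
    "safari":  ["*/library/cookies/cookies.binarycookies"],
    "chrome":  ["*/google/chrome/user data/*/cookies",
                "*/google/chrome/user data/*/network/cookies",
                "*/.config/google-chrome/*/cookies"],
    "firefox": ["*/firefox/profiles/*/cookies.sqlite",
                "*/.mozilla/firefox/*/cookies.sqlite"],
    "edge":    ["*/microsoft/edge/user data/*/network/cookies"],
}
# Image names expected to open each store (assumption; extend for your environment).
EXPECTED_PROCESS = {
    "safari":  {"safari"},
    "chrome":  {"chrome", "chrome.exe", "google chrome"},
    "firefox": {"firefox", "firefox.exe"},
    "edge":    {"msedge", "msedge.exe"},
}

def classify_path(path: str) -> Optional[str]:
    """Return the browser whose cookie store `path` matches, else None."""
    norm = path.replace("\\", "/").lower()
    for browser, patterns in COOKIE_STORES.items():
        if any(fnmatch.fnmatchcase(norm, p) for p in patterns):
            return browser
    return None

def find_cookie_theft_candidates(events: Iterable[dict]) -> list:
    """Events where a cookie store is opened by a process that is not its browser."""
    hits = []
    for ev in events:
        browser = classify_path(ev["path"])
        if browser is None:
            continue
        proc = ev["process"].rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()
        if proc not in EXPECTED_PROCESS[browser]:
            hits.append({"browser": browser, "process": proc, "path": ev["path"], "user": ev["user"]})
    return hits

SAMPLE_EVENTS = [  # constructed file-access telemetry, not real data
    {"user": "alice", "process": "/Applications/Safari.app/Contents/MacOS/Safari",
     "path": "/Users/alice/Library/Cookies/Cookies.binarycookies"},
    {"user": "alice", "process": "/usr/bin/scp",
     "path": "/Users/alice/Library/Cookies/Cookies.binarycookies"},
    {"user": "bob", "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"user": "bob", "process": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"user": "bob", "process": r"C:\Windows\explorer.exe", "path": r"C:\Users\bob\Documents\notes.txt"},
]

if __name__ == "__main__":
    for h in find_cookie_theft_candidates(SAMPLE_EVENTS):
        print(f"ALERT {h['user']}: {h['process']} opened {h['browser']} cookie store {h['path']}")
```

Pair this with DS0009 Process Access alerts on handles opened to the browser process, since cookies also live in browser memory.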

References

  1. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.

  2. Chen, Y., Hu, W., Xu, Z., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019.

  3. Gretzky, Kuba. (2019, April 10). Retrieved October 8, 2019.

  4. Orrù, M., Trotta, G. (2019, September 11). Muraena. Retrieved October 14, 2019.

  5. Gretzky, K. (2018, July 26). Evilginx 2 - Next Generation of Phishing 2FA Tokens. Retrieved October 14, 2019.

  6. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.

  7. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.

  8. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.

  9. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.

  10. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.

  11. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.

  12. Chen, Y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.

  13. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.

  14. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.

  15. Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.

  16. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.