Threat Actors Using Squirrelwaffle Loader to Deploy Qakbot & Cobalt Strike Malware

Quickly after the disruption of the widely utilized botnet, Emotet by the law enforcement firms, Squirrelwaffle became an option to Emotet. The very first signs of this new threat appeared in September 2021, and the distribution volumes reached a peak at the end of that month.

A brand-new hazard emerged recently in the wild that drops malware like Qakbot and Cobalt Strike onto negotiated systems and networks; this brand-new risk is called as “Squirrelwaffle” and danger stars are actively spreading Squirrelwaffle through a number of harmful email campaigns.

Email Campaigns & & Languages Used

Moreover, it is possible that Squirrelwaffle is a revamped variation of Emotet by the members who left the law enforcement; or it might be a brand-new effort by other danger actors who are attempting the fill the void left behind by Emotet.

In addition to taken reply-chain email campaigns in English, but, the spammers also utilize emails in the following languages:-.

% APPDATA% configuration.
The hostname of the system.
The username of the victim.
The Workstation configuration of the system.

With a C2 over HTTP POST demands including obfuscated information, the malware attempts to interact, and the body of the HTTP POST request consists of the following details about the victim system:-.

As part of the attack, string reversal is used to obfuscate the code, which then composes a VBS script to the %PROGRAMDATA% directory, and then performs it.

Once done, after that from one of the 5 hardcoded URLs, it fetches Squirrelwaffle in DLL form to deliver it onto the endangered system. Now, here, at this moment, if the Squirrelwaffle in DLL type is effectively provided onto the victims system, then using rundll32.exe the harmful DLL is executed.

You can follow us on Linkedin, Twitter, Facebook for everyday Cybersecurity updates.

According to the report “A malicious.doc or.xls accessory is usually connected to an e-mail that connects to harmful ZIP archives hosted on attacker-controlled web servers and runs malware retrieval code on opening.”.

Attack process.

So, the experts of Cisco Talos have actually urged all the security specialists and organizations to remain knowledgeable about the new TTPs used by the hazard actors.

In order to technique recipients into allowing the macros within MS Office Suite, threat stars utilize DocuSign as bait.


After finishing all the stages, the Squirrelwaffle loader releases malware like Qakbot and Cobalt Strike. For post-exploitation tasks after deploying beacons, the hazard actors utilize the split variations of Cobalt Strike to gain access to compromised devices from another location.