Threat Actors Using Squirrelwaffle Loader to Deploy Qakbot & Cobalt Strike Malware

A brand-new danger emerged just recently in the wild that drops malware like Qakbot and Cobalt Strike onto worked out networks and systems; this new threat is dubbed as “Squirrelwaffle” and threat stars are actively spreading Squirrelwaffle through a number of harmful e-mail campaigns.

Soon after the interruption of the widely utilized botnet, Emotet by the law enforcement firms, Squirrelwaffle became an alternative to Emotet. The very first signs of this brand-new danger appeared in September 2021, and the distribution volumes reached a peak at the end of that month.

Email Campaigns & & Languages Used

It is possible that Squirrelwaffle is a revamped variation of Emotet by the members who got away the law enforcement; or it may be a brand-new attempt by other threat stars who are attempting the fill the space left behind by Emotet.

Attack procedure.

According to the report “A malicious.doc or.xls attachment is normally connected to an email that connects to harmful ZIP archives hosted on attacker-controlled web servers and runs malware retrieval code on opening.”.

You can follow us on Linkedin, Twitter, Facebook for day-to-day Cybersecurity updates.

In order to trick receivers into enabling the macros within MS Office Suite, hazard stars use DocuSign as bait.

So, the professionals of Cisco Talos have actually prompted all the security professionals and companies to remain knowledgeable about the new TTPs used by the risk actors.


As part of the attack, string turnaround is utilized to obfuscate the code, which then composes a VBS script to the %PROGRAMDATA% directory, and after that executes it.

In addition to taken reply-chain e-mail projects in English, but, the spammers likewise utilize emails in the following languages:-.

After completing all the stages, the Squirrelwaffle loader releases malware like Qakbot and Cobalt Strike. For post-exploitation jobs after releasing beacons, the risk stars use the split variations of Cobalt Strike to acquire access to jeopardized devices from another location.

As soon as done, after that from one of the 5 hardcoded URLs, it fetches Squirrelwaffle in DLL kind to provide it onto the endangered system. Now, here, at this point, if the Squirrelwaffle in DLL type is successfully delivered onto the victims system, then utilizing rundll32.exe the destructive DLL is performed.

With a C2 over HTTP POST demands including obfuscated data, the malware tries to interact, and the body of the HTTP POST demand includes the following information about the victim system:-.

% APPDATA% configuration.
The hostname of the system.
The username of the victim.
The Workstation configuration of the system.