Threat Actors Using Squirrelwaffle Loader to Deploy Qakbot & Cobalt Strike Malware

Soon after law enforcement agencies disrupted the widely used Emotet botnet, Squirrelwaffle emerged as an alternative to Emotet. The first signs of this new threat appeared in September 2021, and distribution volumes peaked at the end of that month.

A new threat recently emerged in the wild that drops malware such as Qakbot and Cobalt Strike onto compromised systems and networks. This new threat is called “Squirrelwaffle”, and threat actors are actively spreading it through a number of malicious email campaigns.

Email Campaigns & Languages Used

As part of the attack, string reversal is used to obfuscate the code, which then writes a VBS script to the %PROGRAMDATA% directory and executes it.


After completing all the stages, the Squirrelwaffle loader deploys malware such as Qakbot and Cobalt Strike. For post-exploitation activity after the beacons are deployed, the threat actors use cracked versions of Cobalt Strike to gain remote access to the compromised machines.

To trick recipients into enabling macros in Microsoft Office, the threat actors use DocuSign as bait.

The details about the victim system that the malware reports to its C2 are:
The %APPDATA% configuration.
The hostname of the system.
The username of the victim.
The workstation configuration of the system.

According to the report, “A malicious .doc or .xls attachment is typically attached to an email that links to malicious ZIP archives hosted on attacker-controlled web servers and runs malware retrieval code on opening.”


In addition to stolen reply-chain email campaigns in English, the spammers also use emails in the following languages:

Squirrelwaffle may be a revamped version of Emotet built by members who evaded law enforcement, or it may be a new effort by other threat actors trying to fill the gap left behind by Emotet.

Attack process

The malware attempts to communicate with its C2 over HTTP POST requests containing obfuscated data; the body of the HTTP POST request includes the victim-system details listed above (the %APPDATA% configuration, the hostname, the username, and the workstation configuration).

Once that is done, it fetches Squirrelwaffle in DLL form from one of five hardcoded URLs and delivers it to the compromised system. If the DLL is delivered successfully, it is executed using rundll32.exe.
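As an added illustration (not code from the article or from Cisco Talos), the following Python sketch flags the process chain described above, an Office application spawning a script host that runs a VBS from %PROGRAMDATA%, followed by rundll32.exe loading a DLL from the same directory, over constructed process-creation events; the file names and paths in the sample events are assumptions.

```python
import re

# Constructed sample process-creation events (parent image, child image, command line);
# illustrative only, not indicators from the article or any real incident.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\ProgramData\loader.vbs"'),          # macro drops and runs a VBS
    (r"C:\Windows\System32\wscript.exe",
     r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\ProgramData\update.dll,Start"),      # VBS fetches a DLL, runs it via rundll32
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe shell32.dll,Control_RunDLL"),            # benign rundll32 use, no finding
]

OFFICE = re.compile(r"\\(winword|excel|powerpnt)\.exe$", re.I)
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
RUNDLL32 = re.compile(r"\\rundll32\.exe$", re.I)
# A .vbs or .dll path under ProgramData, the drop location the article names.
PROGRAMDATA_PAYLOAD = re.compile(r'[A-Z]:\\ProgramData\\[^\s"]+\.(vbs|dll)\b', re.I)


def classify(parent, image, cmdline):
    """Return a finding label for one event, or None if no rule matches."""
    payload = PROGRAMDATA_PAYLOAD.search(cmdline)
    if OFFICE.search(parent) and SCRIPT_HOST.search(image) and payload:
        return "office_spawns_script_from_programdata"
    if SCRIPT_HOST.search(parent) and RUNDLL32.search(image) and payload:
        return "script_host_spawns_rundll32_with_programdata_dll"
    if RUNDLL32.search(image) and payload:
        return "rundll32_loads_dll_from_programdata"
    return None


def scan(events):
    """Apply classify() to every event and return (index, label) for each finding."""
    findings = []
    for i, (parent, image, cmdline) in enumerate(events):
        label = classify(parent, image, cmdline)
        if label:
            findings.append((i, label))
    return findings


if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

Feeding real Sysmon event ID 1 or EDR process-creation records into scan() in the same (parent, image, command line) shape is enough to run these rules against a live log.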

Cisco Talos researchers have urged security professionals and organizations to stay alert to the new TTPs used by the threat actors.