Threat Actors Using Squirrelwaffle Loader to Deploy Qakbot & Cobalt Strike Malware

A new threat recently emerged in the wild that drops malware such as Qakbot and Cobalt Strike onto compromised systems and networks; this new threat is called “Squirrelwaffle”, and threat actors are actively spreading it through several malicious email campaigns.

Shortly after law enforcement disrupted the widely used Emotet botnet, Squirrelwaffle emerged as an alternative to Emotet. The first signs of this new threat appeared in September 2021, and distribution volumes peaked at the end of that month.

Email Campaigns & Languages Used

%APPDATA% configuration.
The hostname of the system.
The username of the victim.
The workstation configuration of the system.


Additionally, it is possible that Squirrelwaffle is a revamped version of Emotet run by members who evaded law enforcement; or it might be a new effort by other threat actors attempting to fill the void left behind by Emotet.

Once that is done, it fetches Squirrelwaffle in DLL form from one of five hardcoded URLs and delivers it onto the compromised system. If the Squirrelwaffle DLL is successfully delivered onto the victim's system, the malicious DLL is then executed using rundll32.exe.

Attack process.

Cisco Talos researchers have therefore urged security professionals and organizations to stay aware of the new TTPs used by these threat actors.

According to the report, “A malicious .doc or .xls attachment is generally attached to an email that links to malicious ZIP archives hosted on attacker-controlled web servers and runs malware retrieval code on opening.”

In order to trick recipients into enabling macros within the MS Office suite, the threat actors use DocuSign as bait.

After completing all the stages, the Squirrelwaffle loader deploys malware such as Qakbot and Cobalt Strike. For post-exploitation tasks after deploying beacons, the threat actors use cracked versions of Cobalt Strike to gain remote access to compromised devices.

In addition to stolen reply-chain email campaigns in English, the spammers also use emails in the following languages:

As part of the attack, string reversal is used to obfuscate the code, which then writes a VBS script to the %PROGRAMDATA% directory and executes it.
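The delivery chain described here (Office document with macros, a VBS script written to %PROGRAMDATA%, a DLL run through rundll32.exe) leaves a recognisable process-creation trail. The following is an added detection example, not code from the article or from Cisco Talos; the events are constructed Sysmon-style records with placeholder file names, and the field names and rule names are assumptions.

```python
"""Flag process-creation events matching the Squirrelwaffle delivery chain:
Office app -> script host running a .vbs from %PROGRAMDATA% -> rundll32.exe
loading a DLL from %PROGRAMDATA%. Events below are constructed samples."""
import re
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Matches a "\ProgramData\" path component anywhere in a command line.
PROGRAMDATA_RE = re.compile(r"\\programdata\\", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\a\\B.EXE' -> 'b.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule the event matches."""
    parent, image = _basename(event["parent"]), _basename(event["image"])
    cmd = event["cmdline"]
    hits = []
    # Rule 1: an Office process spawning a script host that runs a .vbs
    # located under %PROGRAMDATA% (the macro stage dropping its script).
    if (parent in OFFICE_APPS and image in SCRIPT_HOSTS
            and PROGRAMDATA_RE.search(cmd) and ".vbs" in cmd.lower()):
        hits.append("office_to_vbs_in_programdata")
    # Rule 2: rundll32.exe given a DLL path under %PROGRAMDATA%
    # (the downloaded loader being executed).
    if image == "rundll32.exe" and PROGRAMDATA_RE.search(cmd):
        hits.append("rundll32_dll_from_programdata")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every rule over every event; yield (rule, command line) pairs."""
    return [(rule, e["cmdline"]) for e in events for rule in classify(e)]


# Constructed sample events (hypothetical paths, not real indicators).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\ProgramData\dropper.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\loader.dll,entry"},
    {"parent": r"C:\Windows\explorer.exe",              # benign rundll32 use
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},
]

if __name__ == "__main__":
    for rule, cmdline in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {cmdline}")
```

Only the two stages of the chain are flagged; the benign rundll32.exe invocation from explorer.exe produces no hit.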

The malware attempts to communicate with its C2 over HTTP POST requests containing obfuscated data, and the body of the HTTP POST request includes the following details about the victim system: