Threat Actors Using Squirrelwaffle Loader to Deploy Qakbot & Cobalt Strike Malware

Shortly after law enforcement disrupted the widely used Emotet botnet, Squirrelwaffle emerged as an alternative to it. The first signs of this new threat appeared in September 2021, and distribution volumes peaked at the end of that month.

The new threat drops malware such as Qakbot and Cobalt Strike onto compromised systems and networks. It has been dubbed "Squirrelwaffle", and threat actors are actively spreading it through numerous malicious email campaigns.

Email Campaigns & Languages Used

After completing all the stages, the Squirrelwaffle loader deploys malware such as Qakbot and Cobalt Strike. For post-exploitation tasks after deploying beacons, the threat actors use cracked versions of Cobalt Strike to access compromised devices remotely.

Once that is done, it fetches Squirrelwaffle in DLL form from one of the 5 hardcoded URLs and delivers it onto the compromised system. If the Squirrelwaffle DLL is successfully delivered onto the victim's system, the malicious DLL is executed using rundll32.exe.

As part of the attack, string reversal is used to obfuscate the code, which then writes a VBS script to the %PROGRAMDATA% directory and executes it.
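The execution chain described above (an Office macro runs a VBS script from %PROGRAMDATA%, and the downloaded DLL is then run with rundll32.exe) can be hunted for in process-creation telemetry. The following is an added example, not code from the original report or from Cisco Talos; the event fields, file names and the assumption that the VBS script runs under cscript.exe or wscript.exe are illustrative.

```python
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe"}      # hosts for .doc / .xls macros
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}   # assumption: VBS runs via a Windows script host

# Constructed process-creation events (Sysmon Event ID 1 style), in time order.
# All paths and file names are made up for the example.
SAMPLE_EVENTS = [
    {"pid": 50, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 100, "ppid": 50, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\ProgramData\example.vbs"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\example.dll,ExampleExport"},
    # Benign look-alikes that must not alert:
    {"pid": 400, "ppid": 50, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"pid": 500, "ppid": 50, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\ProgramData\Vendor\inventory.vbs"},
]

def exe_name(event):
    """Lower-cased executable file name, parsed with Windows path rules."""
    return ntpath.basename(event["image"]).lower()

def find_loader_chains(events):
    """Return (rule, pid) alerts for Office -> VBS in ProgramData -> rundll32."""
    by_pid = {e["pid"]: e for e in events}   # assumes PIDs are unique in the window
    flagged_hosts, alerts = set(), []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        cmd = e["cmdline"].lower()
        if (exe_name(e) in SCRIPT_HOSTS and exe_name(parent) in OFFICE_APPS
                and ".vbs" in cmd and "\\programdata\\" in cmd):
            flagged_hosts.add(e["pid"])
            alerts.append(("office_vbs_from_programdata", e["pid"]))
        elif exe_name(e) == "rundll32.exe" and e["ppid"] in flagged_hosts:
            alerts.append(("rundll32_child_of_flagged_script", e["pid"]))
    return alerts

if __name__ == "__main__":
    for rule, pid in find_loader_chains(SAMPLE_EVENTS):
        print(f"ALERT {rule} pid={pid}")
```

The rule keys on parent-child relationships rather than file names, so it still fires when the script or DLL is renamed.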


To trick recipients into enabling macros in the MS Office suite, threat actors use DocuSign as bait.

The malware tries to communicate with a C2 over HTTP POST requests containing obfuscated data, and the body of the HTTP POST request includes the following information about the victim system:

%APPDATA% configuration.
The hostname of the system.
The username of the victim.
The Workstation configuration of the system.

In addition to stolen reply-chain email campaigns in English, the spammers also use emails in the following languages:

It is possible that Squirrelwaffle is a revamped version of Emotet built by members who escaped law enforcement, or it might be a new effort by other threat actors who are attempting to fill the void left behind by Emotet.

According to the report: “A malicious .doc or .xls accessory is normally connected to an email that connects to destructive ZIP archives hosted on attacker-controlled web servers and runs malware retrieval code on opening.”

The experts at Cisco Talos have urged all security professionals and organizations to stay aware of the new TTPs used by the threat actors.

Attack procedure.
