article featured image


Penetration testers prefer Cobalt Strike when trying to replicate how cybercriminal tools would look when assaulting an organization’s network.

Unfortunately, hackers adapted to it, and Cobalt became a popular second-stage payload for a variety of malware families.

Squirrelwaffle, a new threat that provides supporting actors with an initial footing and a mechanism to spread malware onto compromised devices and networks, has been discovered in the wild.

The new virus spreads through spam campaigns, with the most recent efforts releasing Qakbot and Cobalt Strike.

Squirrelwaffle is one of the technologies that surfaced as an Emotet substitute immediately after the widely used botnet was disrupted by law enforcement.

The New Threat Surfaced in September 2021

While the spam campaign predominantly leverages English-language stolen reply-chain email campaigns, the threat actors also use emails in French, German, Dutch, and Polish.

These emails usually contain links to malicious ZIP packages located on attacker-controlled web domains, as well as a malicious.doc or.xls attachment that, when viewed, executes malware-retrieving code.

As explained by BleepingComputer, the perpetrators utilize the DocuSign signature tool as bait to lure recipients into activating macros in their MS Office suite on various papers tested and evaluated by Talos researchers.


This activity retrieves Squirrelwaffle from one of the five hardcoded URLs and installs it on the infected machine as a DLL file.


The Squirrelwaffle loader subsequently installs malware such as Qakbot or Cobalt Strike, a frequently used penetration testing tool.

To avoid discovery and analysis, Squirrelwaffle includes an IP blocklist populated with well-known security research organizations.

Squirrelwaffle communicates with the C2 infrastructure using HTTP POST requests that are encrypted (XOR+Base64).

To facilitate the file distribution element of their activities, the threat actors use previously compromised web servers, with the majority of these sites running WordPress 5.8.1.

The adversaries use “antibot” software on these systems to assist avoid white-hat discovery and analysis.

Researchers from Talos believe that Squirrelwaffle might be Emotet resurrected by individuals who eluded law enforcement or other threat actors.

If you liked this article, follow us on LinkedInTwitterYouTubeFacebookand Instagram to keep up to date with everything we post.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.


can you elaborate this statement “To avoid discovery and analysis, Squirrelwaffle includes an IP blocklist populated with well-known security research organizations.”
What feature uses this malware to block access, what are you referring with “IP blocklist” and how can this issue be bypassed?

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo