Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

SquirrelWaffle

147
Global rank
95 infographic chevron month
Month rank
77 infographic chevron week
Week rank
0
IOCs

SquirrelWaffle is a dropper that distributes Qbot and Cobalt Strike, in addition to other malware families. It leverages malicious documents that are part of compromised emails to drop second-level payloads to affected devices.

Dropper
Type
Unknown
Origin
8 September, 2021
First seen
1 September, 2025
Last seen

How to analyze SquirrelWaffle with ANY.RUN

Dropper
Type
Unknown
Origin
8 September, 2021
First seen
1 September, 2025
Last seen

IOCs

URLs
http://com.co/WHe08obY
http://astetinternational.com/arW5e44Y7vzO
http://vicamtaynam.com/VtyiHAft
http://snsvidyapeeth.in/aXmo2Dr3
http://razisystem.ir/MqvvkX0cWvn
http://com.br/qQofZMaJm
http://dancongnghe.xyz/yRByhX6J3REI
http://com.br/PGYpETW7
http://co.za/3GilA8Eo3r
http://iconskw.com/cqdPtAbZ
http://ebookchuyennganh.com/v9PMvQDxHK8W
http://vscm.in/V3tYKxDz
http://avyanshglobal.com/6pYjPlqf
http://org.in/rWA02HQY4
http://alsader.net/BHdQaiQ9rt
http://trinitytesttubebaby.com/QR2JvfE3Sv
http://primahills-online.com/ypCiZn7tMx
http://apexbiotech.net/VQgunQ4t5Ue
http://sukmabali.com/ZXxcLYs3rzRQ
http://alkimia-prod.com/nT0imyzmo
Last Seen at

Recent blog posts

post image
MSSP Growth Guide: Scaling Threat Detection f...
watchers 748
comments 0
post image
Major Cyber Attacks in August 2025: 7-Stage T...
watchers 1864
comments 0
post image
How to Enrich IOCs with Actionable Threat Con...
watchers 1196
comments 0

What is SquirrelWaffle malware?

Discovered in September 2021, SquirrelWaffle is a loader/dropper malware strain designed to infect systems with malicious payloads. Security professionals speculate that it emerged as a replacement for Emotet after law enforcement dismantled the notorious botnet. It remains unclear whether the same group is responsible for this new threat, or if a different crew has stepped in to capitalize on the void left by the infamous malware.

The Squirrelwaffle payload, a PE DLL, is dropped on infected systems and executed using either rundll32.exe or regsvr32.exe, depending on the maldoc initiating the infection process. For instance, the payload can be executed using rundll32.exe with the following syntax: cmd.exe /c rundll32.exe C:\ProgramData[DLL FILENAME],ldr.

Primarily functioning as a malware loader, the DLL allows for deploying additional malware, with Qbot and Cobalt Strike installations often observed following the initial compromise. The DLL contains an IP blocklist in its configuration to further evade automated analysis platforms and security research organizations.

One of the the DLL's functionalities involves encoding and decoding information to enable communication between the victim system and the C2 infrastructure. The malware communicates with the C2 over HTTP POST requests containing obfuscated data, which is XOR-obfuscated and Base64-encoded.

The URL used for victim-C2 communication comprises a random alphanumeric string and the victim's IP address. The HTTP POST request body contains information about the victim system, such as %APPDATA% configuration, host name, username, and workstation configuration.

The C2 server responds with a status code and the previously sent beacon information obfuscated using the same method. This C2 channel can also deliver secondary payloads as per the attacker's discretion.

It is also worth noting that threat actors use compromised web servers, primarily running WordPress 5.8.1, for file distribution and deploy "antibot" scripts to avoid white-hat detection.

Analyzing SquirrelWaffle malware in ANY.RUN

ANY.RUN's cloud-based interactive sandbox facilitates seamless analysis of SquirrelWaffle samples for malware analysts. The platform efficiently compiles and displays execution data in accessible formats while gathering artifacts and Indicators of Compromise (IOCs) in real time.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Due to the specific traits inside its POST requests, SquirrelWaffle may be detected by network activity. On the screenshot below, loader was detected by a Suricata rule.

SquirrelWaffle’s network activity The SquirrelWaffle’s network activity with a detected loader

SquirrelWaffle malware execution

In order to be as inconspicuous as possible, Squirrelwaffle execution flow is simple. The loader often sneaks into the systems after a user opens a malicious document. Then the payload is downloaded, and it starts execution. While active, Squirrelwaffle connects to the Command & Control server to download the next-step payload.

Checked out a sample we've analyzed.

SquirrelWaffle’s malware configuration Malware configuration extracted from SquirrelWaffle

SquirrelWaffle malware distribution

SquirrelWaffle is primarily delivered through malicious documents in phishing campaigns, often employing stolen reply-chain attacks for distribution. This method involves hijacking an existing account to send phishing emails, rather than fabricating an account or creating a new one.

This technique boasts a high success rate, as it is challenging to defend against. By gaining access to email history, adversaries can craft convincing messages and continue existing conversation. This leaves few discernible phishing indicators. Researchers note that SquirrelWaffle-distributing emails are well-composed, and the attackers adeptly mimic the style of prior correspondence, regardless of the language.

While the malware predominantly targets English-speaking users, campaigns in French, German, Dutch, and Polish have also been detected — though they account for less than 30% of the total volume at the time of writing.

The malicious emails typically contain hyperlinks to infected ZIP archives hosted on attacker-controlled servers. These emails usually include a malicious .doc or .xls attachment, which triggers the execution of malware-retrieving code when opened.

The attackers fake the DocuSign signing platform, persuading recipients to enable macros in their MS Office suite. The embedded code employs string reversal for obfuscation, creates a VBS script in %PROGRAMDATA%, and then executes it.

This process retrieves Squirrelwaffle from one of five hardcoded URLs and delivers it as a DLL file to the compromised system. Subsequently, the Squirrelwaffle loader deploys malware such as Qakbot or the often-misused penetration testing tool, Cobalt Strike.

Conclusion

In the wake of Emotet's disruption, it was inevitable that threat actors would devise a substitute. It may be premature to declare SquirrelWaffle as the definitive replacement, but it possesses the fundamental attributes needed to potentially become the next prominent dropper and assume Emotet's role.

We recommend that organizations and researchers examine the TTPs (tactics, techniques, and procedures) utilized by this malware operation while it is still in the (relatively) early stages of gaining traction.

HAVE A LOOK AT

Meduza Stealer screenshot
Meduza Stealer is an information-stealing malware primarily targeting Windows systems, designed to harvest sensitive data such as login credentials, browsing histories, cookies, cryptocurrency wallets, and password manager data. It has advanced anti-detection mechanisms, allowing it to evade many antivirus programs. The malware is distributed through various means, including phishing emails and malicious links. It’s marketed on underground forums and Telegram channels.
Read More
Remote Access Trojan screenshot
Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.
Read More
Keylogger screenshot
Keylogger
keylogger
A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.
Read More
BlackMoon screenshot
BlackMoon
blackmoon
BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
Remcos screenshot
Remcos
remcos trojan rat stealer
Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.
Read More