{
	"id": "a094988f-fe14-4d01-b451-bb4c3899a270",
	"created_at": "2026-04-06T00:15:57.185661Z",
	"updated_at": "2026-04-10T03:24:24.168984Z",
	"deleted_at": null,
	"sha1_hash": "5df55b33f549a008d9e408e810ab74625c1b41c7",
	"title": "SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 168146,
	"plain_text": "SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot\r\nBy Gustavo Palazolo\r\nPublished: 2021-10-07 · Archived: 2026-04-05 15:24:11 UTC\r\nCo-authored by Gustavo Palazolo and Ghanashyam Satpathy\r\nSummary\r\nIn September 2021, a new malware family named SquirrelWaffle joined the threat landscape. It spread through malicious Microsoft Office documents attached to spam emails.\r\nThe infection flow starts with a ZIP file that contains the malicious Office document. When the victim opens the file, the malicious VBA macros download the SquirrelWaffle DLL, which eventually leads to the deployment of another threat, such as Cobalt Strike or QakBot.\r\nIn this blog post, we analyze two variants of the malicious Office documents that deliver SquirrelWaffle. We also analyze the final SquirrelWaffle payload and how the last-stage URLs are protected inside the binary.\r\nSquirrelWaffle Office Documents\r\nWe have identified two variants used to deliver SquirrelWaffle: a Microsoft Word document and a Microsoft Excel spreadsheet.\r\nSquirrelWaffle malicious documents\r\nMalicious Word Document\r\nThe first variant is a malicious Microsoft Word file that mimics a DocuSign document, asking the victim to click “Enable Editing” and then “Enable Content” to view the content; the second click is what allows the macro to run.\r\nhttps://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot\r\nPage 1 of 21\n\nSquirrelWaffle malicious Word document\r\nThe file contains several VBA macros, including junk code. The main routine lies in a function named “eFile”, which is executed from the document’s “AutoOpen” procedure.\r\nMalicious VBA function\r\nAside from all the junk added by the developer, we can see two important pieces of data when we open the VBA editor: a PowerShell script and a batch script that executes the PowerShell script.
\r\nThese routines are kept inside the Text property of a Visual Basic control instead of in a regular VBA module, so that tools which only inspect the macro code never see them; the purpose is to evade AV detection.\r\nMalicious code inside the Word file\r\nLooking at the “eFile” function, we can see that both the PowerShell script and the batch script are written to the user’s AppData directory, named “www.ps1” and “www.txt” respectively.\r\nVBA function creating payloads on disk\r\nThis behavior can be observed with Procmon.\r\nVBA function dropping payloads on disk.\r\nLater, the VBA code executes the batch script using the Windows “cscript.exe” binary (cscript.exe is the console interpreter of the Windows Script Host, so “www.txt” is run as a script rather than as a cmd.exe batch file; the “.txt” extension only disguises it).\r\nMalicious batch script executed by the malicious document.\r\nLooking at those files closely, we can see that the PowerShell script is responsible for downloading the SquirrelWaffle DLL from five distinct URLs, likely to add resilience in case some of the hosts are taken down.
\r\nThe downloaded DLLs are saved into “C:\\ProgramData\\” and named “www[N].dll”, where [N] is a number from 1 to 5.\r\nPowerShell script that downloads the SquirrelWaffle DLL.\r\nThe batch script, which is executed by the malicious document, is responsible for running the PowerShell script and then the SquirrelWaffle payload DLL.\r\nBatch script that is executed by the malicious document.\r\nOnce downloaded, the DLL is executed through “rundll32.exe”, which calls an exported function named “ldr”.\r\nBoth “cscript.exe” and “rundll32.exe” are legitimate, signed Windows binaries; this sample relies on them (together with PowerShell) to reach the C\u0026C servers and to download and execute the next-stage payloads. This technique is known as Living-off-the-Land (LotL), which consists of abusing legitimate binaries (so-called LOLBins) to perform malicious activities; because every executable in the chain is trusted, detection has to key on the parent/child relationships and command lines rather than on the binaries themselves.
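The chain above (Office document, then cscript.exe running a dropped script from AppData, then a PowerShell downloader, then rundll32.exe loading a DLL from ProgramData by its “ldr” export) is what an endpoint detection should key on. The following Python is an added example written for this page and is not code from the post or from Netskope: it replays that chain against process-creation events whose layout (pid, parent pid, image path, command line) is modelled on Sysmon Event ID 1. The events, including the PowerShell switches (which the post does not show), are constructed for the example.

```python
# Added example, not code from the Netskope post: detects the SquirrelWaffle
# Word-document delivery chain (Office -> cscript.exe running a script from
# AppData -> powershell.exe -> rundll32.exe <ProgramData DLL>,ldr) in
# process-creation events. Field names follow Sysmon Event ID 1; all events
# below are constructed, not real telemetry.
import ntpath
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line

OFFICE = {'winword.exe', 'excel.exe'}
SCRIPT_HOSTS = {'cscript.exe', 'wscript.exe'}
# rundll32 invoking export ldr of a DLL that lives under ProgramData
RUNDLL32_LDR = re.compile(r'programdata\\[^\s,]+\.dll\s*,\s*ldr\b', re.I)
# a WSH/PowerShell-looking script under the user profile's AppData
APPDATA_SCRIPT = re.compile(r'\\appdata\\\S+\.(?:txt|vbs|js|ps1)\b', re.I)

def image_name(path: str) -> str:
    # basename of a Windows path, lower-cased for comparison
    return ntpath.basename(path).lower()

def ancestors(event: ProcEvent, by_pid: dict) -> list:
    # walk parent links (nearest first); stops on an unknown pid or a cycle
    chain, seen, cur = [], set(), by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain

def detect(events) -> list:
    # returns (pid, rule_name) findings, in event order
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        pname = image_name(parent.image) if parent else ''
        office_root = any(image_name(a.image) in OFFICE for a in ancestors(e, by_pid))
        if pname in OFFICE and name in SCRIPT_HOSTS and APPDATA_SCRIPT.search(e.cmdline):
            findings.append((e.pid, 'office_runs_script_from_appdata'))
        if pname in SCRIPT_HOSTS and name == 'powershell.exe' and office_root:
            findings.append((e.pid, 'script_host_runs_powershell_under_office'))
        if name == 'rundll32.exe' and RUNDLL32_LDR.search(e.cmdline):
            # fires on its own: the export name and drop directory are specific enough
            findings.append((e.pid, 'rundll32_programdata_dll_ldr'))
    return findings

# Constructed sample: the chain from the post plus a benign rundll32 use (pid 600).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r'C:\Windows\explorer.exe', 'explorer.exe'),
    ProcEvent(200, 100, r'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',
              'WINWORD.EXE /n invoice.doc'),
    ProcEvent(300, 200, r'C:\Windows\System32\cscript.exe',
              r'cscript.exe C:\Users\bob\AppData\Roaming\www.txt'),
    ProcEvent(400, 300, r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
              r'powershell.exe -ep bypass -f C:\Users\bob\AppData\Roaming\www.ps1'),
    ProcEvent(500, 300, r'C:\Windows\System32\rundll32.exe',
              r'rundll32.exe C:\ProgramData\www2.dll,ldr'),
    ProcEvent(600, 100, r'C:\Windows\System32\rundll32.exe',
              r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'),
]

if __name__ == '__main__':
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

The rundll32 rule is deliberately independent of process ancestry, because by the time the DLL runs the Office process may already be gone from the event window; the two script-related rules need the Office parent to avoid firing on administrators' own scripts.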
We have already covered other malware families that employ this technique, such as BazarLoader.\r\nBatch script executing the SquirrelWaffle DLL.\r\nMalicious Excel Document\r\nThe second variant identified by Netskope is a malicious Microsoft Excel file containing a fake message that also tries to deceive the victim into clicking the “Enable Editing” and “Enable Content” buttons.\r\nMalicious Microsoft Excel document, delivering SquirrelWaffle.\r\nThe file uses Excel 4.0 (XLM) macros that are obfuscated and spread across many hidden sheets in the document.\r\nHidden sheets inside the malicious Excel file.\r\nThe developer also changed the font color to hide the code, which can be revealed by changing the font property as shown below.\r\nHidden code inside the hidden sheet.\r\nWhen the macros are executed, the obfuscated code is written into seven different cells containing many calls to Windows APIs.\r\nMalicious code inside the malicious Excel document.\r\nSimply put, this code contacts three different URLs to download the SquirrelWaffle DLL, which is saved as “C:\\Datop\\test[N].test”, where [N] is empty, 1 or 2. The DLL is then executed through the Windows “ShellExecuteA” API.\r\nSquirrelWaffle DLL\r\nRegardless of the variant, the goal is to download and execute the SquirrelWaffle DLL. In this section, we analyze a payload identified on September 17, 2021, named “www2.dll”.\r\nThe file uses a custom packer to hide the main payload.
The unpacking process is not very complex: the first thing the code does is load and execute a shellcode.\r\nSquirrelWaffle packer loading a shellcode in memory.\r\nOnce running, the shellcode unpacks the payload, which is compressed with aPLib, a compression library commonly used by malware to compress files or configurations. The data is decompressed into a newly allocated memory region, and the unpacked DLL is eventually executed.\r\nSquirrelWaffle payload DLL being decompressed.\r\nOnce unpacked and decompressed, we can dump the bytes to disk to analyze the file in a disassembler. The payload is a 32-bit DLL whose PE header timestamp suggests it was compiled on September 17, 2021, although a compile timestamp can be forged and cannot be considered 100% reliable.\r\nUnpacked SquirrelWaffle DLL.\r\nLooking at the DLL exports, we can see the function (“ldr”) that is called by the batch script shown earlier in this post.\r\nSquirrelWaffle “ldr” export function.\r\nThe main goal of SquirrelWaffle is to download and execute additional malware. The developers included a feature that hides important strings in the binary, like the C2 server list.
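As an added illustration of recovering hidden strings of this kind, the block below is example code written for this page; it is not the Netskope decryption script, which lives in their GitHub repository. It assumes that the rolling XOR is a repeating-key XOR (out[i] = in[i] ^ key[i % len(key)]) and that the decrypted blocks are newline-separated records; both are assumptions for the example. The key, blocklist entries and URLs are constructed from RFC 5737 documentation ranges and RFC 2606 reserved domains, not values from the sample.

```python
# Added example, not the Netskope script: a self-contained config decryptor in
# the style described above. Assumptions: the rolling XOR is repeating-key XOR
# and records are newline-separated. Key, addresses and URLs are constructed.
import ipaddress
from typing import Dict, List

def rolling_xor(data: bytes, key: bytes) -> bytes:
    # repeating-key XOR; symmetric, so the same call encrypts and decrypts
    if not key:
        raise ValueError('empty key')
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_decrypted(blob: bytes, threshold: float = 0.95) -> bool:
    # sanity check for a candidate key/offset: a string table should be mostly printable ASCII
    printable = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    return bool(blob) and printable / len(blob) >= threshold

def parse_config(blob: bytes) -> Dict[str, List[str]]:
    # split decrypted records into the IP blocklist and the payload URL list
    config = {'blocklist': [], 'urls': []}
    for rec in blob.decode('ascii', errors='replace').splitlines():
        rec = rec.strip()
        if not rec:
            continue
        if rec.lower().startswith(('http://', 'https://')):
            config['urls'].append(rec)
            continue
        try:
            ipaddress.ip_network(rec, strict=False)   # accepts single IPs and CIDR ranges
            config['blocklist'].append(rec)
        except ValueError:
            pass   # neither an address nor a URL: junk or an unknown record type
    return config

def is_blocked(ip: str, blocklist: List[str]) -> bool:
    # the sandbox-evasion check the blocklist implies: is this public address on it?
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in blocklist)

def extract(encrypted: bytes, key: bytes) -> Dict[str, List[str]]:
    # decrypt, sanity-check, parse; raises instead of returning garbage on a wrong key
    plain = rolling_xor(encrypted, key)
    if not looks_decrypted(plain):
        raise ValueError('decryption does not yield a printable config; wrong key or offset')
    return parse_config(plain)

# Constructed sample config and key (RFC 5737 / RFC 2606 values, not real IOCs).
SAMPLE_KEY = b'k3y-Squirrel'
SAMPLE_PLAINTEXT = (
    b'192.0.2.10\n192.0.2.0/24\n198.51.100.7\n'
    b'http://example.com/1.txt\nhttps://example.net/dl/2.txt\n'
)
SAMPLE_ENCRYPTED = rolling_xor(SAMPLE_PLAINTEXT, SAMPLE_KEY)   # what .rdata would hold

if __name__ == '__main__':
    cfg = extract(SAMPLE_ENCRYPTED, SAMPLE_KEY)
    print('blocklist:', cfg['blocklist'])
    print('urls:', cfg['urls'])
    print('203.0.113.5 blocked?', is_blocked('203.0.113.5', cfg['blocklist']))
    print('192.0.2.77 blocked?', is_blocked('192.0.2.77', cfg['blocklist']))
```

With a real sample, the key and the encrypted bytes would be read out of the .rdata section at the offsets the decryption routine references; the printable-ratio check is how a wrong key or offset is caught before the output is trusted as indicators.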
\r\nBy looking at the PE “.rdata” section, we can find the encrypted information along with the decryption key.\r\nSquirrelWaffle encrypted data.\r\nTo decrypt the data, the malware uses a simple rolling XOR algorithm.\r\nSquirrelWaffle data decryption block.\r\nWe created a simple Python script that decrypts the data from SquirrelWaffle samples by implementing the same logic. The script can be found in our GitHub repository.\r\nThere are two major blocks of encrypted data. The first one is a large list of IP addresses, as shown below.\r\nPart of decrypted data from the analyzed SquirrelWaffle payload.\r\nThis list is used by the malware as a blocklist, likely to keep it from being analyzed by sandboxes: an address on the list presumably belongs to an analysis environment the loader refuses to run in. The second list contains the payload URLs, which SquirrelWaffle uses to download additional malware.\r\nSquirrelWaffle payload URLs.\r\nThe SquirrelWaffle sample from this campaign was downloading a Cobalt Strike beacon served with a “.txt” extension.\r\nCobalt Strike beacon downloaded by SquirrelWaffle.\r\nAside from Cobalt Strike, SquirrelWaffle was also found delivering QakBot, a modular banking trojan and information stealer active since 2007.\r\nConclusion\r\nSquirrelWaffle is a new malware loader that is being used to deliver Cobalt Strike and QakBot.
The infection vector is spam email carrying malicious Office documents that eventually download the SquirrelWaffle DLL.\r\nAlthough this malware has so far been spotted delivering Cobalt Strike and QakBot, we are continuously monitoring this threat, as it can be used to deliver more malware families. Netskope Advanced Threat Protection provides proactive coverage against zero-day samples, including APT and other malicious Office documents, using both our ML and heuristic-based static analysis engines as well as our cloud sandbox. The following screenshot shows the detection for fb41f8ce9d34f5ceb42b3d59065f63533d4a93557f9353333cbc861e3aff1f09, indicating it was detected by Netskope Advanced Heuristic Analysis.\r\nProtection\r\nNetskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads.\r\nNetskope Threat Protection\r\nVB:Trojan.Valyria.5292\r\nNetskope Advanced Threat Protection provides proactive coverage against this threat.\r\nGen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis\r\nGen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox\r\nIOCs\r\nSHA256 Hashes\r\nInfected “.doc”: fb41f8ce9d34f5ceb42b3d59065f63533d4a93557f9353333cbc861e3aff1f09\r\nInfected “.xls”: 2f3371880117f0f8ff9b2778cc9ce57c96ce400afa8af8bfabbf09cb138e8a28\r\nSquirrelWaffle DLL: 00d045c89934c776a70318a36655dcdd77e1fedae0d33c98e301723f323f234c\r\nCobalt Strike Beacon: 3c280f4b81ca4773f89dc4882c1c1e50ab1255e1975372109b37cf782974e96f\r\nThe full list of IOCs, the script that decrypts the SquirrelWaffle configuration, and a YARA rule can be found in our GitHub repository.\r\nSource: 
https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot"
	],
	"report_names": [
		"squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434557,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5df55b33f549a008d9e408e810ab74625c1b41c7.pdf",
		"text": "https://archive.orkl.eu/5df55b33f549a008d9e408e810ab74625c1b41c7.txt",
		"img": "https://archive.orkl.eu/5df55b33f549a008d9e408e810ab74625c1b41c7.jpg"
	}
}