{
	"id": "b80cd04f-ae83-4831-9af3-15f75f646a4d",
	"created_at": "2026-04-06T00:13:06.333128Z",
	"updated_at": "2026-04-10T13:12:25.412007Z",
	"deleted_at": null,
	"sha1_hash": "761e84aa9115e34e5a5a87e14d249d2b3c891772",
	"title": "SquirrelWaffle Malware: Infection Methods and Protection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2326707,
	"plain_text": "SquirrelWaffle Malware: Infection Methods and Protection\r\nBy Niranjan Jayanand\r\nPublished: 2021-11-11 · Archived: 2026-04-05 13:04:23 UTC\r\nSince early September, SentinelLabs has been tracking the rapid rise of a new malware loader that previous researchers have\r\ndubbed “SquirrelWaffle”. The tool has been utilized in multiple global attacks since then and is being likened to Emotet in\r\nthe way it is being used to conduct massive malspam campaigns.\r\nIn this post, we explain how SquirrelWaffle works, what to look out for and how to protect your business from the latest\r\nmalspam loader.\r\nSquirrelWaffle is a recent malware loader that is distributed through malspam – malicious spam mail – with the purpose of\r\ninfecting a device with second-stage malware such as cracked copies of the red teaming tool Cobalt Strike and QakBot, a\r\nwell-known malware that started life as a simple banking trojan but has since evolved into a multi-functional framework\r\nwith RAT (Remote Access Trojan)-like capabilities.\r\nResearchers have noted how the infection chain may begin with an email reply chain attack, in which a threat actor neither\r\ninserts themselves as a new correspondent nor attempts to spoof someone else’s email address. Instead, the attacker sends\r\nthe malicious SquirrelWaffle email from a hijacked account belonging to one of the participants. Since the attacker has\r\naccess to the whole thread, they can tailor their malspam message to fit the context of an ongoing conversation. Given that\r\nthe recipient likely already trusts the sender, there’s an increased likelihood of the target opening the maldoc or clicking the\r\nlink. 
Email reply chain attacks were a hallmark of Emotet campaigns and contributed a great deal to its success.\r\nSquirrelWaffle first appeared in early September and defenders have noticed an uptick in incidences of infection since then.\r\nSentinelLabs researchers have also noticed that the malware drops unique payloads even from the same infection chain and\r\nthat file path patterns are continuing to evolve.\r\nHow Does SquirrelWaffle Infect Devices?\r\nInitial delivery of SquirrelWaffle as a first stage loader often comes courtesy of a phishing email with either a malicious MS\r\nWord or Excel attachment or embedded link leading to a zip-compressed malicious document download. These maldocs\r\ncontain VBS macros which execute PowerShell to retrieve and launch the SquirrelWaffle loader.\r\nhttps://www.sentinelone.com/blog/is-squirrelwaffle-the-new-emotet-how-to-detect-the-latest-malspam-loader/\r\nPage 1 of 5\n\nThe initial SquirrelWaffle files are written to disk as prescribed by the malicious PowerShell script responsible for their\r\nretrieval. For example, early clusters of malicious documents dropped SquirrelWaffle using this set of file names:\r\nC:\\Datop\\test.test\r\nC:\\Datop\\test1.test\r\nC:\\Datop\\test2.test\r\nSquirrelWaffle infection following the launch of a poisoned Excel file\r\nImportantly, no two runs of the same malicious document will produce the same SquirrelWaffle payloads. 
On each\r\nexecution, the payloads written to disk will have unique hashes.\r\n\"C:\\Users\\\u003credact\u003e\\AppData\\Local\\Temp\\Temp1_natusut-1501184.zip\\grade-2086577786.xls\"\r\nC:\\Datop\\test.test - 8d7089f17bd5706309d7c6986fdd1140d6c5b4b2\r\nC:\\Datop\\test1.test - 52452f6f0ab73531fe54935372d9c34eb50653d8\r\n\"C:\\Users\\\u003credact\u003e\\OneDrive - folder, Inc\\Desktop\\grade-2086577786.xls\"\r\nC:\\Datop\\test.test - bce0e9e1c6d2e7b12648ef316748191f10ed8582\r\nC:\\Datop\\test1.test - 8ba7694017d1cea1d4b73f39479726478df88b20\r\n\"C:\\Users\\\\OneDrive - folder, Inc\\Desktop\\grade-2086577786.xls\"\r\nC:\\Datop\\test.test - 8aec96029b83d3b226c8c83dd90f48946ee97001\r\nC:\\Datop\\test1.test - 8262cd7029f943a7b6199b5a6c51ec19e085c3b7\r\nSquirrelWaffle has been observed using more conventional file name patterns as well, such as those with .dll extensions:\r\nww1.dll\r\nww2.dll\r\nww3.dll\r\nww4.dll\r\nww5.dll\r\nIn early November, we observed yet another pattern, indicating that the malware authors are continually iterating:\r\n good.good\r\n good1.good\r\n good2.good\r\nSquirrelWaffle Shares Code With Other Attack Frameworks\r\nSquirrelWaffle, in common with many other malware samples, uses a custom crypter. Doing so is attractive for many\r\nreasons, not the least of which are obfuscation and anti-analysis to prevent researchers from developing strong indicators of\r\ncompromise for detection.\r\nResearchers have shown that SquirrelWaffle uses the same custom crypter as other well-known attack frameworks including\r\nUrsnif, Hancitor and Zloader. This is used, among other things, to hide the malware’s Command and Control (C2) URL.\r\nUpon infection, SquirrelWaffle can download a Cobalt Strike payload with a .txt extension and execute it using the\r\nWinExec function. 
The other likely payload that may be downloaded by current SquirrelWaffle infections is Qakbot.\r\nBelow we can see process injection into explorer.exe from a SquirrelWaffle infection.\r\nIf infected with Qakbot, the malware will attempt to extract email data from the host.\r\nFrom the above image, we can see the C:\\Users\\\u003cuser\u003e\\EmailStorage_\u003chostname\u003e_\u003cusername\u003e_\u003ctimestamp\u003e pattern. The\r\n“collector_log.txt” contains a record of the malware’s enumeration and exfiltration process.\r\nHow To Protect Against SquirrelWaffle\r\nThe SentinelOne platform detects and protects all customers against SquirrelWaffle infection. In the video demonstration\r\nbelow, we set the agent policy to ‘Detect Only’ to observe the infection in action. In ordinary circumstances, customers\r\nwould use the Protect policy to prevent execution.\r\nConclusion\r\nCybercriminals are quick to come up with new loaders to team up with other groups that will help deliver a variety of\r\npayloads to achieve maximum financial gain. SquirrelWaffle is the latest such loader, currently being used to deliver Cobalt\r\nStrike and Qakbot but which can easily pivot to dropping any payload the operators wish. 
While SquirrelWaffle is certainly\r\nnot yet anywhere near as prevalent as Emotet in its heyday, all the hallmarks are there of a campaign and infrastructure\r\nlooking to grow.\r\nIf you would like to know more about how SentinelOne can protect your business against SquirrelWaffle and other threats,\r\ncontact us for more information or request a free demo.\r\nExample SHA1 Hashes\r\n8d7089f17bd5706309d7c6986fdd1140d6c5b4b2\r\n52452f6f0ab73531fe54935372d9c34eb50653d8\r\nbce0e9e1c6d2e7b12648ef316748191f10ed8582\r\n8ba7694017d1cea1d4b73f39479726478df88b20\r\n8aec96029b83d3b226c8c83dd90f48946ee97001\r\n8262cd7029f943a7b6199b5a6c51ec19e085c3b7\r\nSource: https://www.sentinelone.com/blog/is-squirrelwaffle-the-new-emotet-how-to-detect-the-latest-malspam-loader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/blog/is-squirrelwaffle-the-new-emotet-how-to-detect-the-latest-malspam-loader/"
	],
	"report_names": [
		"is-squirrelwaffle-the-new-emotet-how-to-detect-the-latest-malspam-loader"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434386,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/761e84aa9115e34e5a5a87e14d249d2b3c891772.pdf",
		"text": "https://archive.orkl.eu/761e84aa9115e34e5a5a87e14d249d2b3c891772.txt",
		"img": "https://archive.orkl.eu/761e84aa9115e34e5a5a87e14d249d2b3c891772.jpg"
	}
}