{
	"id": "06bcc9c3-dc11-4dcf-a54b-e979ec8c66f8",
	"created_at": "2026-04-06T00:13:26.268713Z",
	"updated_at": "2026-04-10T03:24:23.965665Z",
	"deleted_at": null,
	"sha1_hash": "76edc1baa22f2f216e0827690af356075b15735c",
	"title": "SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2079779,
	"plain_text": "SQUIRRELWAFFLE Leverages malspam to deliver Qakbot,\r\nCobalt Strike\r\nBy Cisco Talos\r\nPublished: 2021-10-26 · Archived: 2026-04-05 13:56:28 UTC\r\nTuesday, October 26, 2021 08:00\r\nBy Edmund Brumaghin, Mariano Graziano and Nick Mavis.\r\nExecutive summary\r\nRecently, a new threat, referred to as \"SQUIRRELWAFFLE\" is being spread more widely via spam campaigns,\r\ninfecting systems with a new malware loader. This is a malware family that's been spread with increasing\r\nregularity and could become the next big player in the spam space.\r\nSQUIRRELWAFFLE provides threat actors with an initial foothold onto systems and their network environments\r\nthat can then be used to facilitate further compromise or additional malware infections depending on how\r\nadversaries choose to attempt to monetize their access. In many cases, these infections are also being used to\r\ndeliver and infect systems with other malware like Qakbot and the penetration-testing tool Cobalt Strike. Let's\r\ntake a look at how this new threat operates and the volume and characteristics of the malicious email campaigns\r\nassociated with it. Organizations should be aware of this threat, as it will likely persist across the threat landscape\r\nfor the foreseeable future.\r\nEmail campaigns\r\nhttps://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html\r\nPage 1 of 15\n\nThe email threat landscape is constantly changing as new threats emerge or existing threats evolve over time. Over\r\nthe past few years, Emotet has been one of the primary threats being delivered via malicious spam campaigns as\r\nwe have previously described in detail several times. 
Following law enforcement disruption of the Emotet botnets,\r\nwe've been waiting for another threat to fill the void left by Emotet's exit.\r\nBeginning in mid-September 2021, we observed malspam campaigns being used to deliver malicious Microsoft\r\nOffice documents that function as the initial stage of the infection process and are used to infect systems with\r\nSQUIRRELWAFFLE. Similar to what has been observed in previous threats like Emotet, these campaigns appear\r\nto be leveraging stolen email threads, as the emails themselves appear to be replies to existing email threads. As\r\nshown below, these emails typically contain hyperlinks to malicious ZIP archives being hosted on attacker-controlled web servers.\r\nThe language targeted by the reply messages typically matches the language used in the original email thread,\r\ndemonstrating that there is some localization taking place dynamically. While the majority of the emails were\r\nwritten in English, the use of other languages across these campaigns highlights that this threat is not limited to a\r\nspecific geographic region. Across the malicious email campaigns we have observed being used to deliver\r\nSQUIRRELWAFFLE, the top five languages used are as follows:\r\nConsistent with other threats also leveraging stolen email threads, we observed some inconsistencies in how the\r\nattacker chooses which email chains to hijack. In the following example, the attacker was observed replying to an\r\nextortion email message, which is likely ineffective in convincing the recipient to access the content in the body of\r\nthe email.\r\nSince the emergence of SQUIRRELWAFFLE, we have observed steady malicious email campaign activity\r\nassociated with this threat. Below is a graph illustrating the volumetric trajectory of these campaigns between\r\nSept. 1 and Oct. 
15, 2021.\r\nWhile the volume associated with these campaigns is not yet reaching the same level seen previously with threats\r\nlike Emotet, it appears to be fairly consistent and may increase over time as the adversaries infect more users and\r\nincrease the size of their botnet. The campaigns themselves feature several similar characteristics to the campaigns\r\npreviously seen associated with established threats like Emotet. Due to the prevalence of these campaigns,\r\norganizations should be aware of SQUIRRELWAFFLE and the way it could be used by attackers to further\r\ncompromise corporate networks.\r\nIn all of these cases, the emails are designed to trick the potential victim into accessing the included hyperlink to\r\ndownload a malicious ZIP archive. Malicious Microsoft Office files are inside the archives, which initiate the\r\ninfection process as described below.\r\nInfection process\r\nWhen the victim accesses the hyperlink contained in the initial malicious spam message, they are sent a ZIP\r\narchive containing a malicious Office document. While these documents have varied across campaigns, in all\r\ncases, they are either Microsoft Word documents or Microsoft Excel spreadsheets. These documents contain the\r\nmalicious code responsible for retrieving and executing the next stage component, in this case, the\r\nSQUIRRELWAFFLE payload.\r\nAcross all of the malspam campaigns observed, the distribution of DOC versus XLS was roughly 50/50.\r\nIn all of the campaigns observed, the distribution URLs that are used to host the malicious ZIP archives contain\r\nLatin words and follow a URL structure similar to the following example:\r\nabogados-en-medellin[.]com/odit-error/assumenda[.]zip\r\nWe've observed that, in many cases, there are separate ZIP archives being hosted in different directories on the\r\nsame domain at any given point in time. 
Inside of the ZIP archives, the malicious Office documents often follow a\r\nnaming convention similar to the examples below:\r\nchart-1187900052.xls\r\ndiagram-127.doc\r\ndiagram_1017101088.xls\r\nspecification-1001661454.xls\r\nSince these campaigns began, we have observed several variations in the way the documents function, so we will describe\r\ntwo of the most common infection chains we observed in September. This threat is actively evolving, and during\r\nour research into SQUIRRELWAFFLE, we observed the distribution campaigns shift to almost exclusively using\r\nMicrosoft Excel spreadsheets for this purpose.\r\nMalicious Word documents\r\nAs previously described, the initial malicious Office document format used across many of the early email\r\ncampaigns was a Microsoft Word document. In this case it was made to appear as if it was associated with\r\nDocuSign, a popular document sharing and signing platform that is often used for a variety of purposes related to\r\nofficial transactions.\r\nIn this particular case, the document contains malicious macros that initiate the SQUIRRELWAFFLE infection\r\nprocess if enabled by the victim. The macros run from AutoOpen() and call a macro function that contains the\r\nmajority of the malicious code. Below is an example of one of these malicious functions present in one of the\r\nsamples analyzed.\r\nAs can be observed in the previous code, the macros leverage string reversal as a way to slightly obfuscate the\r\ncontents of the code. This macro is responsible for writing a VBS script to %PROGRAMDATA% and then\r\nexecuting it. 
The contents of the malicious script can be seen in the following screenshot.\r\nThis script is responsible for the retrieval of the SQUIRRELWAFFLE payload itself from one of the five\r\nhardcoded URLs present in the script. In this case, SQUIRRELWAFFLE is delivered to the victim's system as a\r\nmalicious DLL that is then executed using rundll32.exe.\r\nMalicious Excel spreadsheets\r\nMany of the campaigns were observed using malicious Excel spreadsheets rather than Word documents.\r\nThese spreadsheets contain malicious Excel 4.0 (XLM) macros that are responsible for retrieving and executing the\r\nSQUIRRELWAFFLE payload. Below is an example of one of these macros that has been cleaned up to improve\r\nreadability.\r\nSimilar to what was observed with the Word document lures, these macros contain three hardcoded URLs that\r\nhost the DLL associated with SQUIRRELWAFFLE. Once retrieved, the DLL is executed via ShellExecuteA and\r\nregsvr32.exe, thus infecting the system. The ZIP archives and associated maldocs are rotated across emails,\r\nresulting in large quantities of unique samples. However, the SQUIRRELWAFFLE distribution URLs appear to be\r\nfairly common across samples for a given email campaign.\r\nCampaign timeline and variations\r\nWe believe the earliest files used in these campaigns were submitted to public malware repositories on Sept. 10,\r\n2021. The campaign volume began to ramp up on Sept. 13, 2021 and has been characterized by daily spam runs\r\nobserved since then.\r\nIn analyzing these campaigns, we observed some interesting characteristics associated with the infection chain.\r\nThe URL structure of the SQUIRRELWAFFLE distribution servers appears somewhat tied to the daily campaigns,\r\nand rotates every few days. 
For example, the following table shows the variance in the URL landing pages seen\r\nover a period of several days.\r\nThis rotation is also reflected in the maldoc macros themselves, with the macro function names and hashes\r\nrotating at the same time. This is reflected in the table below, which shows some of the macro function names,\r\nhashes and the corresponding campaign landing pages used by the macros to retrieve the SQUIRRELWAFFLE\r\nDLL files observed across some of the initial malspam campaigns.\r\nThese characteristics indicate that these documents are likely being crafted using an automated builder. In more\r\nrecent campaigns, the Microsoft Excel spreadsheets were crafted to make static analysis with tools like\r\nXLMDeobfuscator less effective.\r\nDISTRIBUTION INFRASTRUCTURE\r\nThese malware distribution campaigns appear to be taking advantage of previously compromised web servers,\r\nprimarily running versions of the WordPress content management system (CMS). Across the distribution servers\r\nwe analyzed prior to host/domain suspension, the most prevalent version was WordPress 5.8.1.\r\nIn one case, we also identified a SQL dump related to an AZORult panel present on the same host being used as a\r\nC2 server by SQUIRRELWAFFLE. As is often the case with vulnerable servers exposed to the internet, it is\r\nunclear whether this panel was being administered by the same threat actor or if the server had simply been\r\ncompromised by multiple unrelated entities.\r\nOne of the distribution servers also appeared to have had ANTIBOT deployed by adversaries on Sept. 
8, 2021,\r\nshortly before the SQUIRRELWAFFLE distribution campaigns initially launched that made use of this server.\r\nANTIBOT is a set of scripts commonly used as a component of phishing kits and can help actors evade analysis.\r\nThis popular add-on will block access to the contents of their web servers if the HTTP/HTTPS requests originate\r\nfrom an IP address that is not determined to be a potential victim but is instead associated with automated analysis\r\nplatforms, security research organizations, or other locations that attackers may want to avoid. When HTTP\r\nrequests are received, the requestor is checked against several lists of IPs, ASN names and other artifacts. If any of\r\nthe information matches, the server responds with an HTTP 404 status code. Below is an example of the logic\r\nused by this process. Note that the contents of each array have been redacted, as they are prohibitively long and\r\ncould not be included in the screenshot. Typically, they contain large lists of IP addresses, network provider strings\r\nand more.\r\nCombined with the IP blocklist present across many SQUIRRELWAFFLE DLLs, this demonstrates an effort to\r\nmake the infrastructure more resilient and difficult to analyze. By limiting the ability for systems to retrieve\r\nmalicious components, adversaries may more effectively evade large-scale automated analysis. Over time, the\r\ndistribution infrastructure has become significantly more aggressive at restricting access to the malicious\r\ncomponents and is employing techniques, like geographic-based filtering, to prevent analysis and tracking.\r\nSQUIRRELWAFFLE LOADER\r\nThe SQUIRRELWAFFLE payload that is dropped on infected systems is a PE DLL that is executed using either\r\nrundll32.exe or regsvr32.exe depending on the maldoc used to initiate the infection process. 
Here's an example of\r\nthe syntax used to execute the payload using rundll32.exe, specifying the entry point:\r\ncmd.exe /c rundll32.exe C:\\ProgramData\\[DLL FILENAME],ldr\r\nExecuting the DLL directly without specifying\r\nthe required export name will likely not result in successful execution of the payload and may allow it to evade\r\nautomated dynamic analysis platforms.\r\nThe DLLs primarily function as a malware loader, enabling the infections to be used to deploy additional\r\nmalware. SQUIRRELWAFFLE infections have been observed to coincide with Qakbot and Cobalt Strike\r\ninstallations following the initial compromise of the endpoint. The DLL also features an IP blocklist as part of its\r\nconfiguration that is used to attempt to further evade automated analysis platforms and security research\r\norganizations.\r\nThe operation of the DLL is fairly straightforward. The most interesting functionality is used to encode and\r\ndecode information to facilitate communications between the victim system and the C2 infrastructure. Below is a\r\nscreenshot of the decompiled function responsible for this process.\r\nAdditional information regarding the C2 protocol used by the malware can be found in the following section.\r\nCommand and control (C2)\r\nThe malware attempts to communicate with a C2 over HTTP POST requests containing obfuscated data:\r\nThe data present in these communications has been obfuscated using XOR and then Base64-encoded. The URL\r\nused by the victim to POST data to the C2 server consists of a random one- to 28-character alphanumeric string,\r\nfollowed by the IP address of the victim's system. The URL in the previous HTTP POST request can be\r\ndeobfuscated to the following:\r\nThe body of the HTTP POST request contains information about the victim system. 
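To make the beacon obfuscation concrete, the following is an added example written for this page (it is not code from the Talos post or from the malware itself) of the scheme just described: repeating-key XOR followed by Base64, applied to a URL path made of a random 1- to 28-character alphanumeric token plus the victim IP, and to a body carrying the victim fields enumerated next. The XOR key, the field separator, the use of standard rather than URL-safe Base64, and the IPv4-only address format are all assumptions; substitute the values recovered from a real sample's configuration.

```python
import base64
import ipaddress
import secrets
import string

# The post states the scheme (XOR, then Base64) but not the key; this placeholder is an
# assumption standing in for the key an analyst recovers from the DLL configuration.
ASSUMED_KEY = b'example-key-not-from-sample'
ALNUM = string.ascii_letters + string.digits
# The field separator is also an assumption: the post lists the fields, not the wire layout.
FIELD_SEP = '|'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR. XOR is its own inverse, so one routine serves both directions.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plaintext: str, key: bytes = ASSUMED_KEY) -> str:
    # Encoder direction as described in the post: XOR first, Base64 second.
    # Standard Base64 alphabet assumed; the post does not say whether a URL-safe variant is used.
    return base64.b64encode(xor_bytes(plaintext.encode('utf-8'), key)).decode('ascii')


def deobfuscate(blob: str, key: bytes = ASSUMED_KEY) -> str:
    # Decoder direction: Base64-decode, then XOR with the same key.
    return xor_bytes(base64.b64decode(blob), key).decode('utf-8', errors='replace')


def random_token(max_len: int = 28) -> str:
    # Random alphanumeric string of 1 to 28 characters, as the post describes.
    return ''.join(secrets.choice(ALNUM) for _ in range(secrets.randbelow(max_len) + 1))


def build_beacon(victim_ip, appdata, hostname, username, workstation, token=None, key=ASSUMED_KEY):
    # Plaintext path = token + victim IP; plaintext body = the four fields the post enumerates
    # (%APPDATA%, hostname, username, NetWkstaGetInfo data). Both halves get the same treatment.
    token = token if token is not None else random_token()
    path_plain = token + victim_ip
    body_plain = FIELD_SEP.join([appdata, hostname, username, workstation])
    return {'path': '/' + obfuscate(path_plain, key), 'body': obfuscate(body_plain, key)}


def split_token_and_ip(path_plain: str) -> tuple:
    # The token may itself end in digits, so the token/IP boundary is ambiguous. Take the longest
    # suffix that parses as an IPv4 address: a token 'Z7' before '10.0.0.5' is still recovered
    # correctly because '710.0.0.5' is not a valid address.
    start = len(path_plain)
    while start > 0 and (path_plain[start - 1].isdigit() or path_plain[start - 1] == '.'):
        start -= 1
    for i in range(start, len(path_plain)):
        try:
            ipaddress.IPv4Address(path_plain[i:])
            return path_plain[:i], path_plain[i:]
        except ValueError:
            continue
    raise ValueError('no IPv4 address at end of path: ' + path_plain)


def parse_beacon(path: str, body: str, key: bytes = ASSUMED_KEY) -> dict:
    # What an analyst does with a captured POST: decode path and body, then split out the fields.
    token, victim_ip = split_token_and_ip(deobfuscate(path.lstrip('/'), key))
    appdata, hostname, username, workstation = deobfuscate(body, key).split(FIELD_SEP, 3)
    return {'token': token, 'victim_ip': victim_ip, 'appdata': appdata,
            'hostname': hostname, 'username': username, 'workstation': workstation}


if __name__ == '__main__':
    # Constructed sample values; forward slashes in the path keep the sample free of escapes.
    beacon = build_beacon('10.0.0.5', 'C:/Users/alice/AppData/Roaming', 'WKS01', 'alice',
                          'ver=10.0;domain=CORP', token='Z7')
    print(beacon)
    print(parse_beacon(beacon['path'], beacon['body']))
```

Because XOR with a repeating key is not authenticated and the Base64 layer is transparent, a captured beacon plus the key recovered from the DLL is enough to decode both the request and the server's response, which the post notes uses the same method.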
The data sent to the C2\r\nincludes:\r\nThe value of the %APPDATA% environment variable.\r\nThe hostname of the system.\r\nThe username of the victim.\r\nThe workstation configuration of the system.\r\nThis information is retrieved using getenv, GetComputerNameW, GetUserNameW, and NetWkstaGetInfo()\r\nrespectively. An example of the deobfuscated body of such an HTTP POST request is shown below.\r\nThe C2 server will respond to these requests with a status code as well as the previously sent beacon information.\r\nThe response body is obfuscated using the same method as previously described. An example response from the C2 is\r\nshown below.\r\nThis C2 channel is also used to deliver secondary payloads at the discretion of the attacker.\r\nCONCLUSION\r\nA new malware loader named \"SQUIRRELWAFFLE\" has recently emerged in the threat landscape. This threat is\r\nprimarily delivered via malicious spam email campaigns and features several interesting characteristics that\r\norganizations should be aware of. These infections are also used to facilitate the delivery of additional malware\r\nsuch as Qakbot and Cobalt Strike, two of the most common threats regularly observed targeting organizations\r\naround the world. While this threat is relatively new, the distribution campaigns, infrastructure, and C2\r\nimplementations feature several interesting techniques that are similar to those seen from other more established\r\nthreats. 
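Turning the infection-chain details above into something a detection engineer can run, here is an added example (written for this page, not code from the Talos post) that classifies process-creation events for the three stages described: a Word macro launching a VBS from %PROGRAMDATA% through a script host, rundll32.exe loading a DLL from ProgramData with the ldr export (including the cmd.exe /c wrapper shown earlier), and regsvr32.exe loading a ProgramData DLL under Excel. The telemetry lines are constructed, and the AppData and Temp directories are an assumed generalization beyond the ProgramData location the post actually observed.

```python
from dataclasses import dataclass

BS = chr(92)  # one literal backslash; lets the sample Windows paths avoid escape sequences


@dataclass
class ProcEvent:
    parent_image: str   # image path of the parent process
    image: str          # image path of the new process
    cmdline: str        # full command line (constructed samples contain no quoted paths)


OFFICE_APPS = {'winword.exe', 'excel.exe'}
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}
LOADERS = {'rundll32.exe', 'regsvr32.exe'}
# ProgramData is the drop directory the post observed. AppData and Temp are an assumed
# generalization: the same loaders launched from any user-writable staging path.
STAGING_DIRS = {'programdata', 'appdata', 'temp'}


def basename(path: str) -> str:
    return path.replace('/', BS).rsplit(BS, 1)[-1].lower()


def in_staging_dir(path: str) -> bool:
    return bool(STAGING_DIRS & set(path.replace('/', BS).lower().split(BS)))


def loader_invocation(ev: ProcEvent):
    # Returns (loader_name, args_after_loader) whether the loader is the image itself or is
    # wrapped in the 'cmd.exe /c rundll32.exe ...' form the post shows; None if no loader.
    argv = ev.cmdline.split()
    for i, tok in enumerate(argv):
        name = basename(tok)
        if name in LOADERS:
            return name, argv[i + 1:]
    return None


def classify(ev: ProcEvent) -> list:
    hits = []
    parent = basename(ev.parent_image)
    image = basename(ev.image)

    # Word maldoc stage: macro writes a VBS to %PROGRAMDATA% and runs it under a script host.
    if image in SCRIPT_HOSTS and parent in OFFICE_APPS:
        scripts = [a for a in ev.cmdline.split()[1:] if a.lower().endswith('.vbs')]
        if any(in_staging_dir(s) for s in scripts):
            hits.append('office_spawned_vbs_from_staging_dir')

    found = loader_invocation(ev)
    if found:
        loader, args = found
        # rundll32 stage: DLL path followed by the ldr export, e.g. C:\ProgramData\x.dll,ldr
        if loader == 'rundll32.exe' and args:
            dll, _, export = args[0].partition(',')
            if export.lower() == 'ldr' and in_staging_dir(dll):
                hits.append('rundll32_ldr_export_from_staging_dir')
        # Excel 4.0 macro stage: ShellExecuteA launches regsvr32 on a DLL under ProgramData.
        if loader == 'regsvr32.exe':
            dlls = [a for a in args if a.lower().endswith('.dll')]
            if parent in OFFICE_APPS and any(in_staging_dir(d) for d in dlls):
                hits.append('office_spawned_regsvr32_from_staging_dir')
    return hits


def scan(events) -> dict:
    # Map each event's command line to the rules it triggered (empty list means clean).
    return {ev.cmdline: classify(ev) for ev in events}


# Constructed sample telemetry (not from the post): three chain steps and two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(f'C:{BS}Program Files{BS}Microsoft Office{BS}root{BS}Office16{BS}WINWORD.EXE',
              f'C:{BS}Windows{BS}System32{BS}wscript.exe',
              f'wscript.exe C:{BS}ProgramData{BS}update.vbs'),
    ProcEvent(f'C:{BS}Windows{BS}System32{BS}wscript.exe',
              f'C:{BS}Windows{BS}System32{BS}cmd.exe',
              f'cmd.exe /c rundll32.exe C:{BS}ProgramData{BS}chart-1187900052.dll,ldr'),
    ProcEvent(f'C:{BS}Program Files{BS}Microsoft Office{BS}root{BS}Office16{BS}EXCEL.EXE',
              f'C:{BS}Windows{BS}System32{BS}regsvr32.exe',
              f'regsvr32.exe -s C:{BS}ProgramData{BS}diagram_1017101088.dll'),
    ProcEvent(f'C:{BS}Windows{BS}explorer.exe',
              f'C:{BS}Windows{BS}System32{BS}rundll32.exe',
              f'rundll32.exe C:{BS}Windows{BS}System32{BS}shell32.dll,Control_RunDLL'),
    ProcEvent(f'C:{BS}Windows{BS}System32{BS}msiexec.exe',
              f'C:{BS}Windows{BS}System32{BS}regsvr32.exe',
              f'regsvr32.exe /s C:{BS}PROGRA~1{BS}Vendor{BS}tool.dll'),
]

if __name__ == '__main__':
    for cmdline, rules in scan(SAMPLE_EVENTS).items():
        print(rules or ['clean'], cmdline)
```

The rundll32 rule keys on the ldr export precisely because, as noted above, the DLL does nothing useful without it, so that argument is a stable artifact even while file names and distribution URLs rotate per campaign.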
Organizations should continue to employ comprehensive defense-in-depth security controls to ensure that\r\nthey can prevent, detect, or respond to SQUIRRELWAFFLE campaigns that may be encountered in their\r\nenvironments.\r\nCOVERAGE\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. The following Snort SIDs have been released to detect this threat: 58277-58281.\r\nThe following ClamAV signatures have been released to detect this threat:\r\nDoc.Downloader.SquirrelWaffle09210-9895192-0\r\nXls.Downloader.SquirrelWaffle20921-9895790-0\r\nXls.Downloader.SquirrelWaffle1021-9903731-0\r\nORBITAL QUERIES\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints\r\nare infected with this specific threat. For specific OSqueries on this threat, click here.\r\nINDICATORS OF COMPROMISE (IOCS)\r\nThe following indicators of compromise have been observed associated with these malware campaigns.\r\nDomains\r\nA list of domains observed being used in these malware campaigns can be found here.\r\nHashes (SHA256)\r\nA list of SHA256 file hashes associated with malicious components of these malware campaigns can be found\r\nhere.\r\nSource: https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html"
	],
	"report_names": [
		"squirrelwaffle-emerges.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434406,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76edc1baa22f2f216e0827690af356075b15735c.pdf",
		"text": "https://archive.orkl.eu/76edc1baa22f2f216e0827690af356075b15735c.txt",
		"img": "https://archive.orkl.eu/76edc1baa22f2f216e0827690af356075b15735c.jpg"
	}
}