{
	"id": "134878b2-fab7-409d-a4e1-61ad85d590c5",
	"created_at": "2026-04-06T00:08:53.693751Z",
	"updated_at": "2026-04-10T03:36:48.279903Z",
	"deleted_at": null,
	"sha1_hash": "7fd9108cf3bf888817f4b6a03915b1fbd341c896",
	"title": "StoatWaffle, malware used by WaterPlum",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1284906,
	"plain_text": "StoatWaffle, malware used by WaterPlum\r\nBy NTTセキュリティ・ジャパン株式会社\r\nPublished: 2026-03-17 · Archived: 2026-04-05 20:43:51 UTC\r\nIn this blog post, we share our analysis of the StoatWaffle malware newly adopted by WaterPlum.\r\nThis article is the English version of \"WaterPlumが使用するマルウェアStoatWaffleについて\", translated by Ryu\r\nHiyoshi, NSJ SOC analyst.\r\nThe original article is authored by NSJ SOC analyst Rintaro Koike.\r\nIntroduction\r\nWaterPlum is regarded as an attack group related to North Korea. They are known to have been operating the\r\nContagious Interview campaign. WaterPlum can be classified into multiple clusters (or teams), and\r\namong them, activity by Team 8 (also known as the Moralis or Modilus family) has been observed.\r\nIn the Contagious Interview campaign, Team 8 has mainly been using OtterCookie. Starting around December 2025,\r\nTeam 8 started using new malware. We named this malware StoatWaffle.\r\nIn this article, we introduce the latest attack flow of WaterPlum Team 8 and an in-depth analysis of\r\nStoatWaffle, the new malware that they started using just recently.\r\nAttack Flow\r\nhttps://jp.security.ntt/insights_resources/tech_blog/stoatwaffle_malware_en/\r\nPage 1 of 8\n\nTeam 8 leverages a project related to blockchain as a decoy. This malicious repository contains a .vscode\r\ndirectory that contains a tasks.json file. If a user opens and trusts this malicious repository with VSCode, it reads\r\nthis tasks.json file.\r\nThe tasks.json file contains a key runOn in runOptions. 
The corresponding value for this key is folderOpen in\r\nthis malicious repository, so a designated task is executed as soon as this directory is opened with VSCode.\r\nThis task is configured so that it downloads data from a Web application on Vercel regardless of the executing OS.\r\nThough we assume that the executing OS is Windows in this article, the essential behaviors are the same for any OS.\r\nThe data downloaded from Vercel is executed by cmd.exe. The initial data is a very simple downloader that\r\ndownloads and executes a subsequent batch file, vscode-bootstrap.cmd.\r\nFirst, vscode-bootstrap.cmd checks whether Node.js is installed in the executing environment. If not, it downloads\r\nNode.js from the official web site and installs it.\r\nIt then downloads env.npl and package.json, and executes env.npl using Node.js.\r\nStoatWaffle\r\nLoader\r\nenv.npl launched by vscode-bootstrap.cmd is the initial downloader of StoatWaffle. It connects to\r\n/api/errorMessage on the C2 server every 5 seconds and executes the retrieved message as Node.js code if the returned\r\nstatus is error.\r\nDuring our investigation, the JSON data below was downloaded about 5 minutes after env.npl started polling the\r\nC2 server.\r\nThe Node.js code downloaded by env.npl is the second downloader of StoatWaffle. Same as the initial one, it regularly\r\ncommunicates with the C2 server and executes the retrieved code.\r\nThe second downloader connects to /api/handleErrors on the same C2 server every 5 seconds. 
It executes messages\r\nincluded in the response from the C2 server as Node.js code.\r\nDuring our investigation, we observed the download and execution of the Stealer and RAT modules of StoatWaffle\r\nas soon as the second downloader launched.\r\nStealer Module\r\nThe Stealer module steals credentials stored in Web browsers and designated browser extension data, and uploads them\r\nto the C2 server.\r\nIf the victim browser is in the Chromium family, it steals browser extension data (Appendix) besides stored\r\ncredentials.\r\nIf the victim browser is Firefox, it also steals browser extension data besides stored credentials. It reads\r\nextensions.json and gets the list of browser extension names, then checks whether a designated keyword is included.\r\nIf the victim OS is macOS, it also steals the Keychain database.\r\nThe stolen files are copied to a temporary directory on the victim OS with a random name and subsequently uploaded to /upload on the\r\nC2 server.\r\nBesides credential theft, it also investigates the software installed on the victim host and submits it to /uploadsecond.\r\nInterestingly, the Stealer module checks whether the executing environment is WSL or not. If so, it gets the Windows user\r\nprofile and converts it to a Linux path with wslpath. This allows the attacker to access Windows data from Node.js\r\non WSL.\r\nRAT Module\r\nThe RAT module regularly communicates with the C2 server, executes commands when it gets a response from\r\n/api/hsocketNext and submits the execution results to /api/hsocketResult.\r\nThe table below describes the implemented commands.\r\nSummary\r\nIn this article, we introduced StoatWaffle, new malware that WaterPlum Team 8 recently started to use. 
StoatWaffle\r\nis a modular malware implemented in Node.js, and it has Stealer and RAT modules. WaterPlum is continuously\r\ndeveloping new malware and updating existing ones. We think it is necessary to pay close attention to their\r\nactivities.\r\nIoC\r\n185[.]163.125.196\r\n147[.]124.202.208\r\n163[.]245.194.216\r\n66[.]235.168.136\r\n87[.]236.177.9\r\nSource: https://jp.security.ntt/insights_resources/tech_blog/stoatwaffle_malware_en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://jp.security.ntt/insights_resources/tech_blog/stoatwaffle_malware_en/"
	],
	"report_names": [
		"stoatwaffle_malware_en"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434133,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7fd9108cf3bf888817f4b6a03915b1fbd341c896.pdf",
		"text": "https://archive.orkl.eu/7fd9108cf3bf888817f4b6a03915b1fbd341c896.txt",
		"img": "https://archive.orkl.eu/7fd9108cf3bf888817f4b6a03915b1fbd341c896.jpg"
	}
}