js.stoatwaffle

StoatWaffle


StoatWaffle is a lightweight JavaScript-based backdoor trojan, active since at least October 2025, that gives its operators persistent, stealthy remote control over infected systems by beaconing to a command-and-control (C2) server approximately every 5 seconds. The first-stage module fingerprints the host, collecting the hostname, MAC address, operating system details and the complete Node.js process environment (process.env), which frequently contains cloud credentials, API keys and CI/CD secrets, and executes attacker-supplied payloads via eval(). The second-stage module additionally collects the victim's public IP address, spawns attacker-supplied payloads as isolated, detached child processes using the local Node.js runtime, and supports process ID tracking, remote updates of the agent UUID and session token, and an operator-controlled kill-switch that terminates all tracked child processes and then exits. Both modules suppress SIGHUP signals and hide the windows of spawned processes to reduce visibility, report errors to the C2 server via a dedicated telemetry endpoint, and together allow attackers to steal secrets, deliver additional payloads, execute arbitrary commands and maintain ongoing process-level control with the privileges of the compromised user.
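The traits listed above (SIGHUP suppression, process.env harvesting, eval() of received data, detached hidden spawns via the local Node runtime, a fixed short beacon period) are a useful triage checklist for developers reviewing an untrusted repository or an npm package. The script below is an added example, not code from StoatWaffle or from any of the cited reports; the indicator names, regular expressions, weights and the two sample inputs are my own constructed assumptions, not published signatures.

```javascript
// Added example (not StoatWaffle code): static triage heuristics for Node.js source
// files, scoring the traits this page attributes to the family. Indicator names,
// regexes and weights are assumptions for illustration, not published signatures.
const INDICATORS = [
  { name: 'sighup-suppressed',     weight: 2, re: /process\.on\(\s*['"]SIGHUP['"]/ },
  { name: 'env-harvest',           weight: 2, re: /JSON\.stringify\([^)]*process\.env\b/ },
  { name: 'eval-of-variable',      weight: 3, re: /\beval\s*\(\s*[A-Za-z_$][\w$]*(\.[\w$]+)*\s*\)/ },
  { name: 'detached-hidden-spawn', weight: 3, re: /detached\s*:\s*true[^}]*windowsHide\s*:\s*true/ },
  { name: 'spawn-local-node',      weight: 1, re: /spawn\(\s*process\.execPath\b/ },
  { name: 'host-fingerprint',      weight: 1, re: /\bos\.(hostname|networkInterfaces|platform|release)\(/ },
  { name: 'child-killswitch',      weight: 1, re: /process\.kill\([^)]*\)[\s\S]{0,200}process\.exit\(/ },
];
// Polling loops with a fixed short period (the page reports ~5 s beaconing).
// Returns every setInterval period at or below maxMs, in milliseconds.
function shortIntervalMs(src, maxMs = 10000) {
  const hits = [];
  const re = /setInterval\([^;]*?,\s*(\d+)\s*\)/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const ms = Number(m[1]);
    if (ms > 0 && ms <= maxMs) hits.push(ms);
  }
  return hits;
}
// Score one source file; a single hit is weak evidence, the combination is not.
function scoreNodeSource(src) {
  const hits = INDICATORS.filter((i) => i.re.test(src));
  const matched = hits.map((i) => i.name);
  const intervals = shortIntervalMs(src);
  let score = hits.reduce((sum, i) => sum + i.weight, 0);
  if (intervals.length > 0) { matched.push('short-beacon-interval'); score += 2; }
  return { score, matched, intervals, verdict: score >= 6 ? 'suspicious' : 'benign' };
}
// Constructed sample: an ordinary build helper that reads one env var (expected: benign).
const BENIGN = `
const mode = process.env.NODE_ENV || 'development';
setInterval(() => console.log('health', mode), 60000);
`;
// Constructed sample: non-functional fragments showing the traits described above
// (it references undefined names on purpose and does nothing if run).
const SUSPECT = `
process.on('SIGHUP', () => {});
const info = { host: os.hostname(), env: JSON.stringify(process.env) };
setInterval(beacon, 5000);
eval(task.body);
spawn(process.execPath, ['-e', task.code], { detached: true, windowsHide: true });
`;
console.log(scoreNodeSource(BENIGN).verdict, scoreNodeSource(SUSPECT));
```

Run it over every .js file in a checkout before executing install scripts; expect false positives from legitimate process managers, so treat the verdict as a prompt for manual review, not a block.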

References

2026-03-17, NTT Security (Rintaro Koike, Ryu Hiyoshi): "StoatWaffle, malware used by WaterPlum". Families: StoatWaffle
2026-03-16, Ransom-ISAC (François-Julien Alcaraz, Yashraj Solanki): "Contagious Interview: VS Code to RAT". Families: StoatWaffle
2026-03-11, Microsoft (Microsoft Defender Experts, Microsoft Defender Security Research Team): "Contagious Interview: Malware delivered through fake developer job interviews". Families: BeaverTail, OtterCookie, StoatWaffle, InvisibleFerret, PylangGhost, GolangGhost
2026-02-24, Microsoft (Microsoft Defender Experts): "Developer-targeting campaign using malicious Next.js repositories". Families: StoatWaffle
2026-01-22, Red Asgard (Red Asgard Threat Research Team): "Hunting Lazarus Part II: When the Dead Drop Moved to the Blockchain". Families: StoatWaffle
2026-01-20, Jamf (Thijs Xhaflaire): "Threat Actors Expand Abuse of Microsoft Visual Studio Code". Families: StoatWaffle

There is no YARA signature yet.