win.squirrelwaffle

Squirrelwaffle

aka: DatopLoader

According to Sophos, Squirrelwaffle is a malware loader distributed as a malicious Office document in spam campaigns. It gives attackers an initial foothold in a victim's environment and a channel through which to deliver and install other malware. When a recipient opens a Squirrelwaffle document and enables macros, a Visual Basic for Applications (VBA) macro typically downloads and executes further malicious files and scripts, handing control of the computer to the attacker. Squirrelwaffle operators also use DocuSign-themed lure documents to trick the user into enabling macros.
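The delivery chain above (Office document, macro enabled, script downloads and runs the next stage) leaves a process-ancestry trail that endpoint telemetry can catch. The following is an added example, not code from the page or from any of the vendors referenced below: it walks the parent chain of each process-creation event and flags script hosts and loader binaries whose ancestor is an Office application. The event records, the choice of Office executables and the list of "suspicious child" binaries are assumptions for illustration (Sysmon-style fields; cscript/wscript/rundll32 etc. are common hand-off targets for macro downloaders, but the page itself names none).

```python
from pathlib import PureWindowsPath

# Office applications whose macro engines are the launch point (assumption).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script hosts and LOLBins a macro downloader commonly hands the next stage to
# (assumption for illustration; the page does not enumerate these).
SUSPICIOUS_CHILDREN = {
    "cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe",
    "regsvr32.exe", "mshta.exe", "cmd.exe",
}


def basename(path):
    """Case-insensitive file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def flag_office_spawned(events, max_depth=4):
    """Return processes in SUSPICIOUS_CHILDREN that descend from an Office app.

    events: iterable of dicts with keys pid, ppid, image. Ancestry is resolved
    through the pid/ppid pairs present in the same event set, up to max_depth
    generations, so a macro -> cscript -> rundll32 chain is caught as well as
    the direct child.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in SUSPICIOUS_CHILDREN:
            continue
        chain = [basename(e["image"])]
        ppid = e["ppid"]
        for _ in range(max_depth):
            parent = by_pid.get(ppid)
            if parent is None:
                break  # ancestry not in this event set; stop, do not guess
            chain.append(basename(parent["image"]))
            if basename(parent["image"]) in OFFICE_APPS:
                hits.append({"pid": e["pid"], "chain": " <- ".join(chain)})
                break
            ppid = parent["ppid"]
    return hits


# Constructed sample events; not taken from any real incident or vendor report.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 800,  "image": r"C:\Windows\explorer.exe"},
    {"pid": 4120, "ppid": 1200, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 4388, "ppid": 4120, "image": r"C:\Windows\System32\cscript.exe"},   # macro -> script host
    {"pid": 4390, "ppid": 4388, "image": r"C:\Windows\System32\rundll32.exe"},  # script -> loader
    {"pid": 5001, "ppid": 600,  "image": r"C:\Windows\System32\svchost.exe"},   # unrelated service
    {"pid": 5100, "ppid": 1200, "image": r"C:\Windows\System32\cscript.exe"},   # script host, but not from Office
]

if __name__ == "__main__":
    for hit in flag_office_spawned(SAMPLE_EVENTS):
        print("pid %d: %s" % (hit["pid"], hit["chain"]))
```

Resolving ancestry only through events you actually hold, and stopping at a bounded depth, keeps the check honest on partial telemetry: a script host launched from Explorer (pid 5100 above) is not reported just because it shares a binary name with the malicious one.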

References
2022-03-16  Symantec, Symantec Threat Hunter Team: "The Ransomware Threat Landscape: What to Expect in 2022"
    Families: AvosLocker, BlackCat, BlackMatter, Conti, DarkSide, DoppelPaymer, Emotet, Hive, Karma, Mespinoza, Nemty, Squirrelwaffle, VegaLocker, WastedLocker, Yanluowang, Zeppelin
2022-02-15  Sophos, Matthew Everts and Stephen McNally: "Vulnerable Exchange server hit by Squirrelwaffle and financial fraud"
    Families: Squirrelwaffle
2022-01-11  Cybereason, Chen Erlich, Daichi Shimabukuro, Niv Yona, Ofir Ozer and Omri Refaeli: "Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike"
    Families: Cobalt Strike, QakBot, Squirrelwaffle
2021-12-16  Red Canary, The Red Canary Team: "Intelligence Insights: December 2021"
    Families: Cobalt Strike, QakBot, Squirrelwaffle
2021-11-29  Certitude, Peter Wagner: "Unpatched Exchange Servers distribute Phishing Links (SquirrelWaffle)"
    Families: Squirrelwaffle
2021-11-26  Twitter (@jhencinski), Jon Hencinski: "Twitter Thread on weekly MDR recap from expel.io"
    Families: GootKit, Squirrelwaffle
2021-11-19  Trend Micro, Abdelrhman Sharshar, Mohamed Fahmy and Sherif Magdy: "Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains"
    Families: Cobalt Strike, QakBot, Squirrelwaffle
2021-11-18  Red Canary, The Red Canary Team: "Intelligence Insights: November 2021"
    Families: Andromeda, Conti, LockBit, QakBot, Squirrelwaffle
2021-11-11  SentinelOne, Niranjan Jayanand: "Is SquirrelWaffle the New Emotet? How to Detect the Latest MalSpam Loader"
    Families: Squirrelwaffle
2021-11-11  BlackBerry, The BlackBerry Research & Intelligence Team: "Threat Thursday: SquirrelWaffle Takes a Bite Out of Victim's Bank Accounts"
    Families: Squirrelwaffle
2021-11-10  McAfee, Kiran Raj: "The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc."
    Families: Squirrelwaffle
2021-11-09  Minerva Labs, Minerva Labs: "A New DatopLoader Delivers QakBot Trojan"
    Families: QakBot, Squirrelwaffle
2021-10-26  Cisco Talos, Edmund Brumaghin, Mariano Graziano and Nick Mavis: "SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike"
    Families: Cobalt Strike, QakBot, Squirrelwaffle
2021-10-08  0ffset Blog, Chuong Dong: "SQUIRRELWAFFLE – Analysing The Main Loader"
    Families: Cobalt Strike, Squirrelwaffle
2021-10-07  Netskope, Ghanashyam Satpathy and Gustavo Palazolo: "SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot"
    Families: Cobalt Strike, QakBot, Squirrelwaffle
2021-10-03  GitHub (0xjxd), Joel Dönne: "SquirrelWaffle - From Maldoc to Cobalt Strike"
    Families: Cobalt Strike, Squirrelwaffle
2021-10-01  0ffset Blog, Chuong Dong: "SQUIRRELWAFFLE – Analysing the Custom Packer"
    Families: Cobalt Strike, Squirrelwaffle
2021-09-28  Zscaler, Avinash Kumar and Brett Stone-Gross: "Squirrelwaffle: New Loader Delivering Cobalt Strike"
    Families: Cobalt Strike, Squirrelwaffle
2021-09-28  Twitter (@Max_Mal_), Max Malyutin: "Tweet on how to debug SquirrelWaffle"
    Families: Squirrelwaffle
2021-09-27  YouTube (OALabs), Sergei Frankoff: "Live Coding A Squirrelwaffle Malware Config Extractor"
    Families: Squirrelwaffle
2021-09-27  Cynet, Max Malyutin: "A Virtual Baffle to Battle Squirrelwaffle"
    Families: Cobalt Strike, Squirrelwaffle
2021-09-21  Medium (elis531989), Eli Salem: "The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”"
    Families: Cobalt Strike, Squirrelwaffle
2021-09-18  Security Soup Blog, Ryan Campbell: "“Squirrelwaffle” Maldoc Analysis"
    Families: Squirrelwaffle
2021-09-17  Malware Traffic Analysis, Brad Duncan: "2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike"
    Families: Cobalt Strike, Squirrelwaffle
Yara Rules
[TLP:WHITE] win_squirrelwaffle_auto (20260504 | Detects win.squirrelwaffle.)
rule win_squirrelwaffle_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.squirrelwaffle."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8a01 41 84c0 75f9 6a00 2bce 8bb564f7ffff }
            // n = 7, score = 700
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   41                   | inc                 ecx
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb
            //   6a00                 | push                0
            //   2bce                 | sub                 ecx, esi
            //   8bb564f7ffff         | mov                 esi, dword ptr [ebp - 0x89c]

        $sequence_1 = { 0f434508 8d8d40ffffff 6a02 50 }
            // n = 4, score = 700
            //   0f434508             | cmovae              eax, dword ptr [ebp + 8]
            //   8d8d40ffffff         | lea                 ecx, [ebp - 0xc0]
            //   6a02                 | push                2
            //   50                   | push                eax

        $sequence_2 = { 85c0 751a 50 8b8540ffffff 8d8d40ffffff 6a02 8b4004 }
            // n = 7, score = 700
            //   85c0                 | test                eax, eax
            //   751a                 | jne                 0x1c
            //   50                   | push                eax
            //   8b8540ffffff         | mov                 eax, dword ptr [ebp - 0xc0]
            //   8d8d40ffffff         | lea                 ecx, [ebp - 0xc0]
            //   6a02                 | push                2
            //   8b4004               | mov                 eax, dword ptr [eax + 4]

        $sequence_3 = { 33f6 0f1f4000 0f1f840000000000 833d????????10 bb???????? }
            // n = 5, score = 700
            //   33f6                 | xor                 esi, esi
            //   0f1f4000             | nop                 dword ptr [eax]
            //   0f1f840000000000     | nop                 dword ptr [eax + eax]
            //   833d????????10       |                     
            //   bb????????           |                     

        $sequence_4 = { 83ceff 8b55e8 83fa10 0f8278000000 8b4dd4 42 }
            // n = 6, score = 700
            //   83ceff               | or                  esi, 0xffffffff
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   83fa10               | cmp                 edx, 0x10
            //   0f8278000000         | jb                  0x7e
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   42                   | inc                 edx

        $sequence_5 = { 8d45ed c7855cf7ffff00000000 c78560f7ffff0f000000 c6854cf7ffff00 3bf0 740f 2bc6 }
            // n = 7, score = 700
            //   8d45ed               | lea                 eax, [ebp - 0x13]
            //   c7855cf7ffff00000000     | mov    dword ptr [ebp - 0x8a4], 0
            //   c78560f7ffff0f000000     | mov    dword ptr [ebp - 0x8a0], 0xf
            //   c6854cf7ffff00       | mov                 byte ptr [ebp - 0x8b4], 0
            //   3bf0                 | cmp                 esi, eax
            //   740f                 | je                  0x11
            //   2bc6                 | sub                 eax, esi

        $sequence_6 = { c645c400 8d4dd4 ff75c4 6a08 e8???????? e9???????? }
            // n = 6, score = 700
            //   c645c400             | mov                 byte ptr [ebp - 0x3c], 0
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   ff75c4               | push                dword ptr [ebp - 0x3c]
            //   6a08                 | push                8
            //   e8????????           |                     
            //   e9????????           |                     

        $sequence_7 = { c785c0f6ffff00000000 c785c4f6ffff0f000000 c685b0f6ffff00 c645fc22 }
            // n = 4, score = 700
            //   c785c0f6ffff00000000     | mov    dword ptr [ebp - 0x940], 0
            //   c785c4f6ffff0f000000     | mov    dword ptr [ebp - 0x93c], 0xf
            //   c685b0f6ffff00       | mov                 byte ptr [ebp - 0x950], 0
            //   c645fc22             | mov                 byte ptr [ebp - 4], 0x22

        $sequence_8 = { 89956cf9ffff ff15???????? 83c408 898580f7ffff }
            // n = 4, score = 700
            //   89956cf9ffff         | mov                 dword ptr [ebp - 0x694], edx
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8
            //   898580f7ffff         | mov                 dword ptr [ebp - 0x880], eax

        $sequence_9 = { 7230 83fa10 8db5b0f6ffff 8d4112 0f43b5b0f6ffff }
            // n = 5, score = 700
            //   7230                 | jb                  0x32
            //   83fa10               | cmp                 edx, 0x10
            //   8db5b0f6ffff         | lea                 esi, [ebp - 0x950]
            //   8d4112               | lea                 eax, [ecx + 0x12]
            //   0f43b5b0f6ffff       | cmovae              esi, dword ptr [ebp - 0x950]

    condition:
        7 of them and filesize < 147456
}
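The rule above is only as good as the reader's understanding of what its `$sequence_*` strings and `7 of them and filesize < 147456` condition actually do, in particular how the `??` wildcards in `$sequence_3`, `$sequence_6` and `$sequence_8` behave. The following is an added example, not part of the Malpedia page or of yara-signator: a small pure-Python evaluator that compiles each hex string from the rule into a byte regex (one `.` per `??` byte) and applies the rule's condition, so the rule can be exercised offline without the `yara` binary. The three input buffers are constructed test data, not Squirrelwaffle samples; nibble-level wildcards (`?5`), jumps (`[4-8]`) and alternatives, which this rule does not use, are deliberately not supported.

```python
import re

# Hex strings copied verbatim from win_squirrelwaffle_auto above.
RULE_STRINGS = {
    "sequence_0": "8a01 41 84c0 75f9 6a00 2bce 8bb564f7ffff",
    "sequence_1": "0f434508 8d8d40ffffff 6a02 50",
    "sequence_2": "85c0 751a 50 8b8540ffffff 8d8d40ffffff 6a02 8b4004",
    "sequence_3": "33f6 0f1f4000 0f1f840000000000 833d????????10 bb????????",
    "sequence_4": "83ceff 8b55e8 83fa10 0f8278000000 8b4dd4 42",
    "sequence_5": "8d45ed c7855cf7ffff00000000 c78560f7ffff0f000000 c6854cf7ffff00 3bf0 740f 2bc6",
    "sequence_6": "c645c400 8d4dd4 ff75c4 6a08 e8???????? e9????????",
    "sequence_7": "c785c0f6ffff00000000 c785c4f6ffff0f000000 c685b0f6ffff00 c645fc22",
    "sequence_8": "89956cf9ffff ff15???????? 83c408 898580f7ffff",
    "sequence_9": "7230 83fa10 8db5b0f6ffff 8d4112 0f43b5b0f6ffff",
}
MIN_MATCHES = 7          # "7 of them"
MAX_FILESIZE = 147456    # "filesize < 147456"


def hex_to_regex(hexstr):
    """Compile a YARA hex string into a bytes regex: each ?? byte becomes '.'."""
    compact = hexstr.replace(" ", "")
    if len(compact) % 2:
        raise ValueError("odd number of nibbles: " + hexstr)
    parts = []
    for i in range(0, len(compact), 2):
        pair = compact[i:i + 2]
        if pair == "??":
            parts.append(b".")
        elif "?" in pair:
            raise ValueError("nibble wildcards not supported: " + pair)
        else:
            int(pair, 16)  # validate hex digits
            parts.append(b"\\x" + pair.encode("ascii"))
    # DOTALL so a wildcard also matches 0x0a, which '.' would otherwise skip.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_to_regex(h) for name, h in RULE_STRINGS.items()}


def scan(data):
    """Evaluate the rule on a byte buffer; return (matched string names, fires)."""
    matched = [name for name, rx in COMPILED.items() if rx.search(data)]
    fires = len(matched) >= MIN_MATCHES and len(data) < MAX_FILESIZE
    return matched, fires


def materialize(hexstr, fill="00"):
    """Test-data helper: build concrete bytes for a hex string by filling wildcards."""
    return bytes.fromhex(hexstr.replace(" ", "").replace("??", fill))


# Constructed buffers (NOP padding around materialized sequences); not real samples.
SAMPLE_HIT = (b"\x90" * 64
              + b"\x90".join(materialize(RULE_STRINGS["sequence_%d" % i]) for i in range(7))
              + b"\x90" * 64)
SAMPLE_MISS = b"\x90" * 64 + b"".join(materialize(RULE_STRINGS["sequence_%d" % i]) for i in range(3))
SAMPLE_BIG = SAMPLE_HIT + b"\x00" * MAX_FILESIZE  # same code, but over the size limit

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS), ("big", SAMPLE_BIG)):
        matched, fires = scan(buf)
        print("%s: %d strings matched, rule fires=%s" % (label, len(matched), fires))
```

Two practical points fall out of running it. First, the size cap is part of the rule, so the same code in a larger container (a packed dropper, a memory dump that was not trimmed) will not fire; the disclaimer's note about memory dumps and unpacked files applies. Second, because the wildcarded bytes in `$sequence_3`, `$sequence_6` and `$sequence_8` are call/jump targets and global addresses, those strings survive relinking while the fixed stack offsets in the others (for example `[ebp - 0x8a4]`) are specific to the compiled build the rule was generated from.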