


Squirrelwaffle

Also known as: DatopLoader

Category: Malware

Type: Dropper/loader

Platform: Windows

Variants: -

Damage potential: Squirrelwaffle itself does little beyond establishing a foothold; its purpose is to fetch and run other payloads, most notably QakBot and Cobalt Strike beacons. Those second-stage tools are what cause the real damage: credential and data theft, remote access and control of the device, lateral movement and further malware installation, keylogging and surveillance, financial fraud, and in the worst case a ransomware deployment that disrupts the whole network.

Overview

Squirrelwaffle is a dropper/loader that targets Windows devices. It spreads through spam emails that lead to malicious Microsoft Office documents. When the recipient opens one of these documents and enables macros (embedded commands that automate tasks in Office programs), the macro runs a script that downloads the Squirrelwaffle loader from one of several attacker-controlled URLs and executes it. Once running, the loader collects basic information about the host, reports to a command-and-control (C2) server, and retrieves whatever second-stage payload the operators have chosen for that victim.

Possible symptoms

Possible symptoms of a Squirrelwaffle infection include:

  • Slow system performance due to the malware consuming resources.
  • Sudden system crashes.
  • Device overheating (typically due to excessive background processes).
  • Unusual network traffic (such as data transmissions to unknown command and control servers).
  • Unexpected prompts asking for permissions or admin access.
  • Frequent browser redirects to unfamiliar websites.
  • Unauthorized financial transactions or suspicious account activity.
  • Changes in settings (this may involve disabled security features).

Because Squirrelwaffle is a loader, most of these symptoms come from the payload it drops rather than from Squirrelwaffle itself, and a freshly infected machine may show none of them. A more specific sign is the process chain the macro leaves behind: a Word or Excel process that spawned a script host or rundll32 shortly after a downloaded document was opened, followed by outbound HTTP connections to a host the user never visited.
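The process-chain indicator above can be checked directly. The PowerShell below is an added example, not code from the original page: it walks each process's ancestry looking for an Office parent, flags script hosts, rundll32 and similar living-off-the-land binaries that descend from it, and lists the established TCP connections of any hit. The sample process table it runs on first is constructed for illustration (the file names in it are hypothetical); the live hunt at the end uses the real process list of the machine it runs on.

```powershell
# Added example (not from the original page): hunt for the Office -> script host -> rundll32
# chain that a malicious Squirrelwaffle macro produces, then show where the children connect.
$OfficeParents   = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE'
$SuspectChildren = 'cscript.exe', 'wscript.exe', 'rundll32.exe', 'regsvr32.exe',
                   'mshta.exe', 'powershell.exe', 'cmd.exe'

function Get-OfficeAncestor {
    # Walk up the parent chain (at most $MaxDepth hops, guarding against PID reuse loops)
    # and return the first ancestor that is an Office application, or $null.
    param($Proc, [hashtable]$ByPid, [int]$MaxDepth = 5)
    $cur = $Proc
    for ($i = 0; $i -lt $MaxDepth; $i++) {
        $cur = $ByPid[[int]$cur.ParentProcessId]
        if (-not $cur) { return $null }
        if ($OfficeParents -contains $cur.Name) { return $cur }   # -contains is case-insensitive
    }
    return $null
}

function Find-OfficeSpawnedChildren {
    # $Processes: objects with Name, ProcessId, ParentProcessId, CommandLine
    # (the shape returned by Get-CimInstance Win32_Process).
    param([object[]]$Processes)
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $Processes) {
        if ($SuspectChildren -notcontains $p.Name) { continue }
        $office = Get-OfficeAncestor -Proc $p -ByPid $byPid
        if ($office) {
            [pscustomobject]@{
                OfficeParent = $office.Name
                OfficePid    = $office.ProcessId
                Child        = $p.Name
                ChildPid     = $p.ProcessId
                CommandLine  = $p.CommandLine
            }
        }
    }
}

# Constructed sample (not real telemetry; paths and file names are hypothetical).
# Note the rundll32 is a grandchild of WINWORD, which a direct parent check would miss.
$sample = @(
    [pscustomobject]@{ Name='explorer.exe'; ProcessId=1000; ParentProcessId=800;  CommandLine='explorer.exe' }
    [pscustomobject]@{ Name='WINWORD.EXE';  ProcessId=2000; ParentProcessId=1000; CommandLine='WINWORD.EXE /n "C:\Users\u\Downloads\invoice.doc"' }
    [pscustomobject]@{ Name='cscript.exe';  ProcessId=2100; ParentProcessId=2000; CommandLine='cscript.exe C:\ProgramData\stage1.vbs' }
    [pscustomobject]@{ Name='rundll32.exe'; ProcessId=2200; ParentProcessId=2100; CommandLine='rundll32.exe C:\ProgramData\stage2.dll,Export' }
    [pscustomobject]@{ Name='cscript.exe';  ProcessId=3000; ParentProcessId=1000; CommandLine='cscript.exe logon.vbs' }   # launched by Explorer, not flagged
)
Write-Host '== Sample data =='
Find-OfficeSpawnedChildren -Processes $sample | Format-Table -AutoSize

# Live hunt on this host: same logic over the real process list, plus the
# established connections of each flagged child (the "unusual network traffic" symptom).
Write-Host '== Live processes =='
$live = Get-CimInstance Win32_Process | Select-Object Name, ProcessId, ParentProcessId, CommandLine
foreach ($hit in (Find-OfficeSpawnedChildren -Processes $live)) {
    $hit | Format-List
    Get-NetTCPConnection -OwningProcess $hit.ChildPid -State Established -ErrorAction SilentlyContinue |
        Select-Object RemoteAddress, RemotePort | Format-Table -AutoSize
}
```

On the sample data the function reports both cscript.exe (PID 2100) and rundll32.exe (PID 2200) under WINWORD.EXE and ignores the cscript.exe launched by Explorer. On a clean machine the live section prints nothing; a hit is not proof of infection on its own (some legitimate add-ins spawn helpers), so treat the command line and remote addresses as the thing to triage.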

Sources of infection

Squirrelwaffle primarily spreads through phishing campaigns that deliver malicious Microsoft Office documents via spam emails. These campaigns often leverage stolen email threads, so each message appears as a reply to a conversation the recipient actually had. Instead of attaching the document, the emails typically contain hyperlinks to malicious ZIP archives hosted on attacker-controlled (often compromised) web servers, which helps them slip past attachment filtering.

When victims click the hyperlink, they download a ZIP archive containing a malicious Office document. These documents can be either Word files (using VBA macros) or Excel workbooks (using legacy Excel 4.0 "XLM" macros); in both cases the macro code retrieves and executes the next stage of the attack, the Squirrelwaffle loader itself. The documents are often themed as DocuSign or other e-signature notices, instructing the user to click "Enable Content" in order to view the document, which is what actually runs the macro.

Protection

To protect your device, keep your antivirus or other reputable malware protection app updated and accept its update notifications promptly. Additionally, consider these measures to safeguard your device and personal information even further:

  • Regularly update your software. Squirrelwaffle itself relies on macros and social engineering rather than on a software exploit, but the campaigns that distribute it have sent their reply-chain spam from unpatched Microsoft Exchange servers (the ProxyLogon and ProxyShell flaws), and the payloads it drops routinely exploit unpatched software to spread further. Keep your operating system, Office and mail server software updated to protect your devices from the latest cybersecurity threats.
  • Be wary of phishing emails. If you receive an email that seems suspicious or urges you to click on a link or download a file, act with caution.
  • Disable macros by default in Microsoft Office documents. Set your Microsoft Office programs to disable macros by default and only enable them if you are sure the document is safe and from a trusted source.

    • Open Word or Excel.
    • Go to "File" and select "Options."
    • In the "Trust center" section, click "Trust center settings."
    • In the "Macro settings" section, select "Disable all macros with notification" (or, stronger, "Disable all macros except digitally signed macros").
    • Click "OK" to save your settings.

    Note that "Disable all macros with notification" is the Office default and still shows the yellow "Enable Content" bar, which is exactly what a Squirrelwaffle lure asks the user to click. Current versions of Microsoft 365 Apps additionally block macros outright in files that carry the Mark of the Web (downloaded from the internet or email); do not unblock such a file from its Properties dialog just because a document asks you to. In a managed environment, enforce the "Block macros from running in Office files from the Internet" policy rather than relying on each user's Trust Center choice.
  • Use filtering tools to scan incoming emails for malicious content. These tools can help prevent phishing emails from reaching your inbox and reduce the risk of accidentally downloading malware. Most email providers offer built-in filtering options, which you can enable in your email settings.
  • Use NordVPN’s Threat Protection Pro™. Available on Windows, NordVPN’s Threat Protection Pro™ feature scans the files you download for malware.
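The Trust Center steps above change a single registry value, so they can be audited and enforced from PowerShell. The script below is an added example and not code from the page: it reads the VBAWarnings value that the "Macro settings" dialog writes for Word, Excel and PowerPoint, reports whether the "block macros from the Internet" policy is set, and can apply the stronger configuration (macros disabled except digitally signed, plus the Internet block). It assumes Office 16.0, which covers Office 2016, 2019, 2021 and Microsoft 365 Apps, and only touches the current user's hive (HKCU); a domain deployment would set the same policy value through Group Policy instead.

```powershell
# Added example (not from the original page): audit and harden Office macro settings.
# Assumes Office version key 16.0 (Office 2016 and later) and the current user's hive.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings value written by File > Options > Trust Center > Macro Settings
$VbaWarningLabels = @{
    1 = 'Enable all macros (dangerous)'
    2 = 'Disable all macros with notification (default; shows "Enable Content")'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroRegistryPaths {
    param([string]$App)
    [pscustomobject]@{
        UserKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"
        PolicyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    }
}

function Get-OfficeMacroSetting {
    # Returns the effective macro configuration for one Office application.
    param([string]$App)
    $paths = Get-MacroRegistryPaths -App $App
    $vba  = (Get-ItemProperty -Path $paths.UserKey   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $motw = (Get-ItemProperty -Path $paths.PolicyKey -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    [pscustomobject]@{
        App                 = $App
        VBAWarnings         = $vba
        Setting             = if ($null -eq $vba) { 'Not set (Office default applies)' } else { $VbaWarningLabels[[int]$vba] }
        BlockInternetMacros = ($motw -eq 1)
        Weak                = ($vba -eq 1) -or ($motw -ne 1)   # anything that lets a lured user run the macro
    }
}

function Set-OfficeMacroHardening {
    # Writes VBAWarnings=3 (disable all except digitally signed) and the
    # "Block macros from running in Office files from the Internet" policy value.
    param([string]$App)
    $paths = Get-MacroRegistryPaths -App $App
    foreach ($key in $paths.UserKey, $paths.PolicyKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    New-ItemProperty -Path $paths.UserKey   -Name VBAWarnings -PropertyType DWord -Value 3 -Force | Out-Null
    New-ItemProperty -Path $paths.PolicyKey -Name blockcontentexecutionfrominternet -PropertyType DWord -Value 1 -Force | Out-Null
}

# 1. Audit: one row per application, with a Weak flag for configurations worth fixing.
$Apps | ForEach-Object { Get-OfficeMacroSetting -App $_ } | Format-Table -AutoSize

# 2. Harden: set $Apply = $true to write the hardened values, then re-run the audit.
$Apply = $false
if ($Apply) {
    $Apps | ForEach-Object { Set-OfficeMacroHardening -App $_ }
    $Apps | ForEach-Object { Get-OfficeMacroSetting -App $_ } | Format-Table -AutoSize
}
```

Office reads these values at start-up, so close and reopen the applications after applying them. The policy value under Software\Policies takes precedence over the Trust Center choice, which is why it is the right place to enforce the setting: a user can change VBAWarnings back through the UI, but not the policy key without administrative rights.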

Squirrelwaffle removal

First, disconnect your device from the network to stop the loader from reaching its C2 servers and downloading further payloads. Then, use reputable antivirus or anti-malware software to run a full system scan. Follow the steps provided by the software to quarantine and remove the malware, and treat any second-stage payload it finds (such as QakBot) as a separate infection that needs its own cleanup.

If the antivirus software cannot fully remove Squirrelwaffle, consider manually deleting any associated malicious files. This process can be risky and complex, so ensure you follow a trusted guide or seek professional help.

If the malware persists, consider resetting your Windows device ("Reset this PC" with the option to remove everything). Before you do this, back up any important data, such as photos and documents, so you don't lose anything valuable; scan the backup before restoring it, and do not restore the document that started the infection. Squirrelwaffle removal on Windows can be complicated, and since the payloads it drops often steal credentials, change your passwords from a clean device once the machine is rebuilt. If you're unsure what to do next or the malware persists, seek help from an experienced IT professional or cybersecurity expert.