MITRE ATT&CK® Malware

S1030: Squirrelwaffle

Squirrelwaffle is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as Cobalt Strike and the QakBot banking trojan.[1][2]

Domain: Enterprise | ID: S1030 | Type: Malware | Object version 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Squirrelwaffle matters because ATT&CK describes it as a Windows malware loader seen in spam email campaigns that can deliver additional malware, including Cobalt Strike and QakBot. For leaders, the practical issue is not just the loader itself: it represents an email-to-endpoint intrusion path where a user action can lead to follow-on tooling, discovery, command-and-control, ingress tool transfer, and potential exfiltration over the same channel.

Executive priority

Prioritize Squirrelwaffle as a readiness test for phishing resilience, Windows endpoint visibility, and incident escalation around malware loaders. Executives should ask whether email security, endpoint detection, PowerShell and command-shell monitoring, web egress visibility, and IR playbooks can connect the initial phish to later-stage behaviors such as discovery, tool transfer, and C2. This is useful for budget and audit conversations because ATT&CK provides no official detection text here, so coverage must be proven through local telemetry and control validation rather than assumed from signatures.

Technical view

For SOC and IR teams, validate the full behavior chain supported by the relationships: spearphishing attachment/link and user execution; Windows script and shell execution via PowerShell, cmd, and Visual Basic; proxy execution through Regsvr32 and Rundll32; obfuscation through packing, encoded/encrypted files, decoding, and standard encoding; host discovery for users, system information, and network configuration; web-protocol C2; ingress tool transfer; custom archiving; and exfiltration over C2. Because Squirrelwaffle is described as a loader, detections should avoid focusing only on a single file hash or family name and should instead correlate email, process, file, and network evidence around a suspicious delivery-to-execution sequence.

Likely telemetry

  • Email gateway and mail security logs for spearphishing attachments and links
  • Endpoint process creation telemetry for PowerShell, cmd.exe, Visual Basic-related execution, regsvr32.exe, and rundll32.exe
  • Command-line arguments and parent-child process relationships on Windows endpoints
  • File creation, download, archive, packing, encoding, and decoding indicators where available
  • Endpoint security alerts and malware analysis metadata for packed or encoded files

Detection direction

  • Validate correlation from email delivery to user execution rather than treating phishing, endpoint execution, and outbound traffic as separate alert classes.
  • Tune detections for suspicious use of PowerShell, Windows Command Shell, Visual Basic, Regsvr32, and Rundll32, with attention to unusual parents, command-line content, network access, and file loads.
  • Review coverage for obfuscated, packed, encrypted, or encoded files because the related techniques indicate evasion of simple signature-based detection.
  • Monitor discovery commands and system/user/network enumeration occurring shortly after a suspicious email-open or file/link execution event.
  • Use web egress analytics to identify unusual outbound communications and potential encoded C2 traffic, while accounting for high false-positive volume in normal HTTP/S traffic.
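The first three bullets above call for correlating email delivery with endpoint execution instead of alerting on each in isolation. The following Python is an added example written for this page (not Glexia, MITRE or Squirrelwaffle code) that does that over constructed events: it walks parent-child process links to find script hosts or proxy binaries (PowerShell, cmd.exe, regsvr32.exe, rundll32.exe) descending from an Office application, then ties each such chain to a macro-bearing attachment delivered to the same user shortly before. Field names, process IDs, timestamps and the 30-minute window are assumptions; real gateways and EDR sensors use their own schemas.

```python
"""Correlate mail-gateway delivery with Windows process-creation telemetry.

Added example for this page; it is not Glexia, MITRE or Squirrelwaffle
code. Event field names, process IDs and timestamps are constructed for
illustration: real gateways and EDR sensors use their own schemas.
"""
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
PROXY_BINARIES = {"regsvr32.exe", "rundll32.exe"}
WATCHED = SCRIPT_HOSTS | PROXY_BINARIES
WINDOW = timedelta(minutes=30)  # assumed delivery-to-execution window

# Constructed mail-gateway events (one per delivered attachment).
MAIL_EVENTS = [
    {"ts": "2021-09-28T09:00:00", "recipient": "jdoe", "attachment": "invoice.xls", "has_macro": True},
    {"ts": "2021-09-28T09:05:00", "recipient": "asmith", "attachment": "report.pdf", "has_macro": False},
]

# Constructed Sysmon-style process-creation events (placeholder command lines).
PROC_EVENTS = [
    {"ts": "2021-09-28T09:12:00", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe", "user": "jdoe"},
    {"ts": "2021-09-28T09:13:00", "pid": 200, "ppid": 100, "image": "excel.exe", "cmdline": "EXCEL.EXE invoice.xls", "user": "jdoe"},
    {"ts": "2021-09-28T09:13:30", "pid": 300, "ppid": 200, "image": "cmd.exe", "cmdline": "cmd.exe /c <placeholder>", "user": "jdoe"},
    {"ts": "2021-09-28T09:13:40", "pid": 400, "ppid": 300, "image": "regsvr32.exe", "cmdline": "regsvr32.exe /s <placeholder>.dll", "user": "jdoe"},
    # Benign: an installer (not an Office app) registers a DLL.
    {"ts": "2021-09-28T09:20:00", "pid": 500, "ppid": 1, "image": "msiexec.exe", "cmdline": "msiexec.exe /i app.msi", "user": "asmith"},
    {"ts": "2021-09-28T09:20:10", "pid": 600, "ppid": 500, "image": "regsvr32.exe", "cmdline": "regsvr32.exe /s app.dll", "user": "asmith"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def ancestry(event, by_pid):
    """Return the process chain root-first by following ppid links.

    by_pid assumes no PID reuse inside the analysed window; a production
    correlator would key on a process GUID instead.
    """
    chain = [event["image"]]
    cur = event
    seen = set()
    while cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        chain.append(cur["image"])
    return list(reversed(chain))


def suspicious_chains(proc_events):
    """Return (event, chain) pairs where a watched binary descends from an Office app."""
    by_pid = {e["pid"]: e for e in proc_events}
    hits = []
    for event in proc_events:
        if event["image"].lower() not in WATCHED:
            continue
        chain = ancestry(event, by_pid)
        # chain[:-1] excludes the event itself; any Office ancestor is enough.
        if any(img.lower() in OFFICE_APPS for img in chain[:-1]):
            hits.append((event, chain))
    return hits


def correlate(mail_events, proc_events, window=WINDOW):
    """Link each suspicious chain to a macro-bearing attachment delivered to the same user."""
    findings = []
    for event, chain in suspicious_chains(proc_events):
        exec_time = parse_ts(event["ts"])
        for mail in mail_events:
            delivered = parse_ts(mail["ts"])
            if (mail["recipient"] == event["user"] and mail["has_macro"]
                    and delivered <= exec_time <= delivered + window):
                findings.append({
                    "user": event["user"],
                    "attachment": mail["attachment"],
                    "chain": " -> ".join(chain),
                    "cmdline": event["cmdline"],
                })
    return findings


if __name__ == "__main__":
    for finding in correlate(MAIL_EVENTS, PROC_EVENTS):
        print(finding)
```

The asmith regsvr32.exe event is deliberately left unflagged: it is the same binary the loader abuses, but its ancestry is an installer rather than an Office process, which is the distinction the second bullet above asks detections to make.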

Mitigation priorities

  • Start with phishing controls and user-execution reduction: harden email attachment and link handling, and ensure awareness and reporting processes are operational.
  • Strengthen Windows endpoint controls for script interpreters and trusted binary proxy execution, especially PowerShell, cmd.exe, Visual Basic, regsvr32.exe, and rundll32.exe.
  • Improve egress governance and monitoring for web-protocol command-and-control and external tool transfer paths.
  • Ensure endpoint logging captures process command lines, parent-child relationships, file activity, and network connections needed to reconstruct the chain.
  • Prepare IR playbooks for loader incidents that require rapid scoping for secondary payloads, discovery activity, C2, and possible exfiltration.

Analyst notes and limits

The ATT&CK object identifies Squirrelwaffle as a Windows loader first seen in September 2021 and used in spam campaigns to deliver additional malware. Relationship context gives the most useful defensive shape: phishing-based initial access, user execution, Windows scripting and proxy execution, obfuscation, discovery, web C2, tool transfer, collection/archive behavior, and exfiltration over C2. Treat it as a coverage model for loader-driven intrusions, not as proof of current activity or exposure in any specific environment.

Official ATT&CK detection guidance is not provided for S1030, and the supplied data does not include indicators, procedures, campaign timing beyond first-seen context, prevalence, affected organizations, or confirmed current exploitation. Platform support for the malware itself is Windows; related techniques list broader platforms, but those should not be interpreted as Squirrelwaffle platform support without additional evidence. Local telemetry and case evidence are required to confirm detection coverage or incident impact.

Official MITRE ATT&CK definition

Squirrelwaffle

Squirrelwaffle is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as Cobalt Strike and the QakBot banking trojan.[1][2]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain ID Name Relationship / procedure

Enterprise T1033 System Owner/User Discovery
Squirrelwaffle can collect the user name from a compromised host.[1]

Enterprise T1059.005 Visual Basic (sub-technique)
Squirrelwaffle has used malicious VBA macros in Microsoft Word documents and Excel spreadsheets that execute an `AutoOpen` subroutine.[1][2]

Enterprise T1082 System Information Discovery
Squirrelwaffle has gathered victim computer information and configurations.[1]

Enterprise T1041 Exfiltration Over C2 Channel
Squirrelwaffle has exfiltrated victim data using HTTP POST requests to its C2 servers.[1]

Enterprise T1566.002 Spearphishing Link (sub-technique)
Squirrelwaffle has been distributed through phishing emails containing a malicious URL.[1]

Enterprise T1218.010 Regsvr32 (sub-technique)
Squirrelwaffle has been executed using `regsvr32.exe`.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information
Squirrelwaffle has decrypted files and payloads using an XOR-based algorithm.[1][2]

Enterprise T1204.001 Malicious Link (sub-technique)
Squirrelwaffle has relied on victims to click on a malicious link sent via phishing campaigns.[1]

Enterprise T1105 Ingress Tool Transfer
Squirrelwaffle has downloaded and executed additional encoded payloads.[1][2]

Enterprise T1566.001 Spearphishing Attachment (sub-technique)
Squirrelwaffle has been distributed via malicious Microsoft Office documents within spam emails.[2]

Enterprise T1132.001 Standard Encoding (sub-technique)
Squirrelwaffle has encoded its communications to C2 servers using Base64.[1]

Enterprise T1071.001 Web Protocols (sub-technique)
Squirrelwaffle has used HTTP POST requests for C2 communications.[1]

Enterprise T1204.002 Malicious File (sub-technique)
Squirrelwaffle has relied on users enabling malicious macros within Microsoft Excel and Word attachments.[1][2]

Enterprise T1027.013 Encrypted/Encoded File (sub-technique)
Squirrelwaffle has been obfuscated with an XOR-based algorithm.[1][2]

Enterprise T1027.002 Software Packing (sub-technique)
Squirrelwaffle has been packed with a custom packer to hide payloads.[1][2]

Enterprise T1560.003 Archive via Custom Method (sub-technique)
Squirrelwaffle has encrypted collected data using an XOR-based algorithm.[1]

Enterprise T1059.001 PowerShell (sub-technique)
Squirrelwaffle has used PowerShell to execute its payload.[1][2]

Enterprise T1059.003 Windows Command Shell (sub-technique)
Squirrelwaffle has used `cmd.exe` for execution.[2]

Enterprise T1497 Virtualization/Sandbox Evasion
Squirrelwaffle has contained a hardcoded list of IP addresses to block that belong to sandboxes and analysis platforms.[1][2]

Enterprise T1218.011 Rundll32 (sub-technique)
Squirrelwaffle has been executed using `rundll32.exe`.[1][2]

Enterprise T1016 System Network Configuration Discovery
Squirrelwaffle has collected the victim’s external IP address.[1]
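The T1132.001, T1071.001 and T1041 rows above together describe Base64-encoded data carried in HTTP POST requests, and the "Detection direction" section warns that web egress analytics for this pattern carry high false-positive volume. The following Python is an added example written for this page (not Glexia, MITRE or Squirrelwaffle code) of the egress-side check: it keeps only POST requests to hosts outside an allowlist, accepts bodies that are syntactically valid Base64 above a minimum length, decodes them, and flags only those whose decoded bytes have high Shannon entropy (text that merely happens to be Base64-wrapped stays below the threshold). The record schema, hostnames, allowlist, length and entropy thresholds are assumptions; ordinary proxy logs do not retain request bodies, so a sensor that does is assumed.

```python
"""Flag high-entropy Base64 POST bodies leaving the network.

Added example for this page; not Glexia, MITRE or Squirrelwaffle code.
Records, hostnames, the allowlist and the thresholds are constructed
assumptions for illustration.
"""
import base64
import binascii
import math
import re
from collections import Counter

# Strict Base64 alphabet with optional padding; rejects form data and JSON.
B64_RE = re.compile(r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")
MIN_B64_LEN = 64          # ignore short tokens such as session IDs
ENTROPY_THRESHOLD = 6.5   # bits per byte; readable text sits well below this
ALLOWED_HOSTS = {"api.allowed-saas.example"}  # assumed: known services that legitimately post Base64

# Constructed web-sensor records. The first body decodes to bytes that look
# encrypted (every byte value once); the others are benign shapes of traffic.
RECORDS = [
    {"ts": "2021-09-28T09:14:02", "src": "10.0.0.23", "method": "POST", "host": "unknown-host.example",
     "body": base64.b64encode(bytes(range(256))).decode()},
    {"ts": "2021-09-28T09:14:10", "src": "10.0.0.41", "method": "POST", "host": "api.allowed-saas.example",
     "body": base64.b64encode(b'{"event":"login","user":"jdoe"}' * 4).decode()},
    {"ts": "2021-09-28T09:14:20", "src": "10.0.0.41", "method": "POST", "host": "intranet-app.example",
     "body": base64.b64encode(b"hello " * 20).decode()},
    {"ts": "2021-09-28T09:14:30", "src": "10.0.0.52", "method": "POST", "host": "shop.example",
     "body": "user=jdoe&page=3&sort=price"},
    {"ts": "2021-09-28T09:14:40", "src": "10.0.0.23", "method": "GET", "host": "unknown-host.example",
     "body": ""},
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def decode_if_base64(body: str):
    """Return decoded bytes when body is well-formed Base64 of useful length, else None."""
    if len(body) < MIN_B64_LEN or not B64_RE.match(body):
        return None
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def flag_encoded_posts(records, allowlist=ALLOWED_HOSTS, min_entropy=ENTROPY_THRESHOLD):
    """Return POSTs to non-allowlisted hosts whose Base64 body decodes to high-entropy bytes."""
    hits = []
    for rec in records:
        if rec["method"] != "POST" or rec["host"] in allowlist:
            continue
        raw = decode_if_base64(rec["body"])
        if raw is None:
            continue
        entropy = shannon_entropy(raw)
        if entropy >= min_entropy:
            hits.append({"ts": rec["ts"], "src": rec["src"], "host": rec["host"],
                         "decoded_len": len(raw), "entropy": round(entropy, 2)})
    return hits


if __name__ == "__main__":
    for hit in flag_encoded_posts(RECORDS):
        print(hit)
```

The entropy gate is what keeps this usable: Base64 is everywhere in legitimate web traffic, but Base64 wrapping encrypted or XOR-obfuscated bytes (the T1560.003 and T1027.013 rows) decodes to near-uniform data, while Base64-wrapped JSON or text decodes to something far below 6.5 bits per byte. The allowlist handles services that genuinely ship opaque blobs and should be maintained from observed baseline traffic rather than guessed.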

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (raw hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: f2d18944fcba05b3...

Imported snapshots across ATT&CK releases (1)

Release 19.1 | Object version 1.1 | Status: Current bundle | Raw hash f2d18944fcba…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ZScaler Squirrelwaffle Sep 2021: Kumar, A., Stone-Gross, B. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
  2. [2] Netskope Squirrelwaffle Oct 2021: Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.
  3. [3] mitre-attack S1030: MITRE ATT&CK source record for S1030.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.