New Stealthy ‘StoatWaffle’ Malware Uses Visual Studio Code for Hacking
Malicious Visual Studio Code Projects Used to Spread Advanced Stealing Malware
A North Korea-linked hacking group has been using malicious Visual Studio Code projects to spread advanced malware that can steal credentials and enable remote access. This tactic highlights the increasing risk in developer environments and the evolving nature of global cyber campaigns.
The Malware: StoatWaffle
The malware, known as StoatWaffle, is a multi-stage tool that operates through a structured infection chain. It begins by distributing repositories disguised as legitimate development projects, often with themes related to blockchain technologies.
This approach leverages the “tasks.json” auto-run feature in Visual Studio Code: a task configured to run on folder open executes as soon as the project folder is opened in the editor. As a result, the infection process is both discreet and effective, because no build step or explicit execution prompt has to be triggered by the victim.
The Infection Chain
The malware operates through multiple stages, each designed to maintain persistence and expand its capabilities. The first stage is a Node.js-based loader that repeatedly polls a command-and-control server and executes whatever instructions it receives.
A second stage retrieves payloads from web-hosted infrastructure, including services such as Vercel, and executes them using system-level commands.
Data Theft and Remote Access
StoatWaffle also includes a stealer module that extracts sensitive information from infected systems. This module targets browser-stored credentials, extension data, and information related to installed software.
If the victim uses Chromium-based browsers, the malware collects both stored credentials and browser extension data. In the case of Firefox, it extracts similar data sets by accessing browser-specific storage files.
The collected information is then transmitted back to the attackers’ command-and-control servers.
Remote Access Trojans
Another module functions as a remote access trojan (RAT), enabling attackers to execute commands on infected machines and retrieve outputs. These capabilities allow for both comprehensive data theft and sustained remote control.
Link to Team 8
Researchers have linked StoatWaffle to Team 8, a threat actor previously associated with the Contagious Interview campaign. The use of developer-focused platforms and tools marks a shift in targeting strategies, reflecting a growing interest in infiltrating software development environments.
Adaptability of Threat Actors
The Contagious Interview campaign has evolved over time, with earlier phases relying on different malware strains, including tools such as OtterCookie. However, around December 2025, the campaign transitioned to the newly identified variant, StoatWaffle.
This shift highlights the adaptability of threat actors and their ability to evolve their tactics to evade detection.
Conclusion
The use of malicious Visual Studio Code projects to spread advanced stealing malware underscores the importance of implementing robust security measures in developer environments.
It also emphasizes the need for continued vigilance and awareness among developers and organizations to stay ahead of emerging threats.
