A North Korean threat actor is distributing new malware by hiding it in malicious Visual Studio Code (VS Code) projects that execute automatically when opened. The malware, dubbed StoatWaffle, has been attributed to a group tracked as WaterPlum, also known as Team 8, Moralis, or the Modilus family.
According to a report by NTT Security, the campaign has been active since at least December 2025 and uses a novel feature in VS Code’s ‘tasks.json’ file to trigger the infection chain. The malware is a modular implant written in Node.js and includes capabilities for stealing credentials and providing remote access to compromised systems.
The attack begins when a developer opens a malicious repository, disguised as a blockchain-related project, in VS Code. The project contains a .vscode directory with a specially crafted tasks.json file. This file uses the runOn: folderOpen option, which instructs VS Code to execute a defined task as soon as the folder is opened and trusted by the user.
This task downloads and executes a batch file from a web application hosted on Vercel. This initial script checks if Node.js is installed on the victim’s system and, if not, downloads and installs it from the official website. It then fetches and runs env.npl, the initial loader for the StoatWaffle malware.
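The folderOpen trigger that this chain depends on is declared in plain JSON, so a repository can be checked for it before the folder is ever trusted in VS Code. The following Node.js script is an added example, not code from NTT Security's report or from the malware: it strips the comments that tasks.json permits, parses the file, and returns every task whose runOptions.runOn is set to folderOpen together with the command it would run. The sample tasks.json, its task labels and the script path in it are constructed for this illustration.

```javascript
// Added example: report tasks in a VS Code tasks.json that run automatically
// when the folder is opened and trusted (runOptions.runOn === "folderOpen").
// Not taken from the report; the sample tasks.json below is constructed.

// tasks.json is JSON with comments (JSONC). Remove // and /* */ comments
// that appear outside string literals so JSON.parse can handle the file.
function stripJsonComments(text) {
  let out = "";
  let i = 0;
  let inString = false;
  while (i < text.length) {
    const ch = text[i];
    const next = text[i + 1];
    if (inString) {
      out += ch;
      if (ch === "\\") { out += next ?? ""; i += 2; continue; } // keep escaped char
      if (ch === '"') inString = false;
      i++;
      continue;
    }
    if (ch === '"') { inString = true; out += ch; i++; continue; }
    if (ch === "/" && next === "/") {           // line comment: drop to end of line
      while (i < text.length && text[i] !== "\n") i++;
      continue;
    }
    if (ch === "/" && next === "*") {           // block comment: drop to closing */
      i += 2;
      while (i < text.length && !(text[i] === "*" && text[i + 1] === "/")) i++;
      i += 2;
      continue;
    }
    out += ch;
    i++;
  }
  return out;
}

// Return the tasks that VS Code would start on its own once the folder is trusted.
// Each hit carries the label, task type and the full command line for review.
function findFolderOpenTasks(tasksJsonText) {
  const doc = JSON.parse(stripJsonComments(tasksJsonText));
  const tasks = Array.isArray(doc.tasks) ? doc.tasks : [];
  return tasks
    .filter((t) => t && t.runOptions && t.runOptions.runOn === "folderOpen")
    .map((t) => ({
      label: t.label ?? "(unlabelled)",
      type: t.type ?? "(unknown)",
      command: [t.command, ...(Array.isArray(t.args) ? t.args : [])]
        .filter((x) => x !== undefined)
        .join(" "),
    }));
}

// Constructed sample: one ordinary build task and one task that auto-runs on
// folder open. The script path is a placeholder, not an indicator from the report.
const SAMPLE_TASKS_JSON = `{
  // constructed tasks.json for the example
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build"
    },
    {
      "label": "setup", /* looks routine at a glance */
      "type": "shell",
      "command": "node",
      "args": ["./scripts/setup.js"],
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}`;

function main() {
  const hits = findFolderOpenTasks(SAMPLE_TASKS_JSON);
  if (hits.length === 0) {
    console.log("no auto-run tasks found");
    return;
  }
  for (const h of hits) {
    console.log(`auto-run task "${h.label}" (${h.type}): ${h.command}`);
  }
}

main();
```

Run it against a cloned repository's .vscode/tasks.json before trusting the workspace; any hit deserves a look at the command it launches. VS Code also exposes the setting task.allowAutomaticTasks, which when set to "off" keeps folderOpen tasks from starting without an explicit run.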
StoatWaffle’s Modular Capabilities
The StoatWaffle malware operates in stages, starting with two downloader components. The first loader, env.npl, polls a command-and-control (C2) server every five seconds. When it receives a response, it executes the embedded Node.js code, which launches a second downloader. This second stage also polls the C2 server, fetching and executing the main malware modules.
NTT Security researchers observed two primary modules being delivered:
- Stealer Module: This component is designed to exfiltrate credentials and data from Chromium-based browsers and Mozilla Firefox. It also targets browser extension data. On macOS systems, the module additionally steals the iCloud Keychain database. The stolen data is copied to a temporary directory and uploaded to the C2 server. The stealer can also detect if it is running in a Windows Subsystem for Linux (WSL) environment and access Windows user data from within the Linux instance.
- RAT Module: This module provides the attackers with remote access to the compromised system. It communicates with the C2 server to receive commands, which include the ability to list files, execute shell commands, upload files, and run arbitrary Node.js code.
The campaign targets developers, a group that often has privileged access to sensitive systems and source code. The use of a legitimate developer tool feature to initiate the attack makes it particularly difficult to detect. A similar trend was observed in a separate campaign involving a malicious npm package that also deployed a RAT on developer machines.
Indicators of Compromise
Indicators of compromise (IOCs) associated with this campaign include the following IP addresses:
- 185[.]163[.]125[.]196
- 147[.]124[.]202[.]208
- 163[.]245[.]194[.]216
- 66[.]235[.]168[.]136
- 87[.]236[.]177[.]9