WaterPlum Abuses VS Code Tasks to Deploy StoatWaffle Malware
- [01] North Korean actors target developers with malicious VS Code projects to deploy StoatWaffle malware through automated task execution.
- [02] Software developers using Microsoft Visual Studio Code who open untrusted projects or repository files are at primary risk.
- [03] Disable automatic task execution in Visual Studio Code settings and strictly audit all tasks.json files before opening projects.
North Korean WaterPlum Campaign Analysis
Security researchers have identified a sophisticated shift in the TTPs of North Korean state-sponsored actors, specifically the group tracked as WaterPlum (also known as the “Contagious Interview” campaign). According to The Hacker News, this APT is now weaponizing Microsoft Visual Studio Code configuration files to automate the delivery of a new malware family identified as StoatWaffle. This campaign primarily targets software engineers within the cryptocurrency and decentralized finance (DeFi) sectors through fraudulent job recruitment schemes.
The Lazarus Group, to which these activities are often linked, has historically relied on social engineering to trick targets into running malicious binaries. The transition to abusing integrated development environment (IDE) features marks a significant evolution in their ability to compromise high-value targets while minimizing user friction during the infection chain.
Visual Studio Code tasks.json malware distribution
The technical core of this attack vector involves the abuse of the tasks.json file, which is typically stored in the .vscode directory of a project workspace. In legitimate scenarios, these tasks automate workflows such as compiling code or running test suites. However, WaterPlum engineers these files to include the runOn: folderOpen property.
When a developer is lured through a phishing attempt into downloading a project repository and opening it in VS Code, the editor automatically executes the commands defined in the task. If the developer has already enabled “Workspace Trust” for the directory or has global trust settings configured, the execution occurs without any additional security prompts. This method of Visual Studio Code tasks.json malware distribution bypasses traditional warnings that users might expect when executing standalone executable files or scripts.
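One way to audit a downloaded repository for this trigger before opening it, as an added example that is not code from the original report. The function names and the sample file are constructed for illustration. The script goes slightly beyond the text by also reporting commands in the `windows`, `linux` and `osx` override blocks and by tolerating the comments and trailing commas that VS Code accepts in tasks.json.

```python
import json
import os
import re

_STR = r'"(?:\\.|[^"\\])*"'  # a JSON string literal

def strip_jsonc(text):
    """tasks.json allows comments and trailing commas; remove both, keep strings."""
    text = re.sub(_STR + r"|//[^\n]*|/\*.*?\*/",
                  lambda m: m.group(0) if m.group(0)[0] == '"' else "", text, flags=re.S)
    return re.sub("(" + _STR + r")|,(\s*[}\]])", lambda m: m.group(1) or m.group(2), text)

def auto_run_tasks(text):
    """Return (label, [command lines]) for tasks with runOptions.runOn == "folderOpen"."""
    hits = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        # OS-specific blocks may override the top-level command: report every variant
        scopes = [task] + [task[k] for k in ("windows", "linux", "osx") if isinstance(task.get(k), dict)]
        cmds = [" ".join(map(str, [s["command"], *s.get("args", [])])) for s in scopes if "command" in s]
        hits.append((task.get("label", "<unlabelled>"), cmds))
    return hits

def scan(root):
    """Audit every .vscode/tasks.json under root before the folder is opened in the editor."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            path = os.path.join(dirpath, "tasks.json")
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    findings += [(path, *hit) for hit in auto_run_tasks(fh.read())]
            except (ValueError, AttributeError, TypeError):  # not parseable: review by hand
                findings.append((path, "<unparseable>", []))
    return findings

# Constructed sample: comments, trailing commas and "//" inside a string value
SAMPLE = """{
  // constructed example, not taken from the campaign
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "make"},
    {"label": "prepare", "type": "shell", "command": "echo ok",
     "windows": {"command": "echo https://example.invalid/constructed"},
     "runOptions": {"runOn": "folderOpen"}, /* runs when the folder is opened */
    },
  ]
}"""
```

Run `scan()` on the cloned directory from a terminal, not from inside the editor. A file reported as `<unparseable>` should be read by hand, not assumed clean.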
Technical Profile: StoatWaffle Malware
StoatWaffle is a newly identified malware downloader that serves as a primary stage for further exploitation. Once the malicious VS Code task triggers, it typically executes a shell command that fetches the StoatWaffle payload from a remote C2 server. The malware is designed to establish a persistent foothold on the victim’s machine, allowing the attackers to conduct reconnaissance and deploy secondary payloads tailored to the environment.
Observations indicate that StoatWaffle employs various obfuscation layers to avoid detection by standard EDR solutions. It is capable of gathering system metadata, including active processes, network configurations, and user credentials, which are then exfiltrated to the attacker-controlled infrastructure. The use of legitimate developer tools for initial access significantly complicates the forensic trail for an incident response team.
How to detect StoatWaffle malware
To effectively detect StoatWaffle malware, security operations centers must pivot their focus toward process tree analysis. Security teams should monitor for instances where code.exe (Visual Studio Code) spawns command-line interpreters like powershell.exe, cmd.exe, or bash that execute suspicious network-bound commands or access hidden directories.
Integrating these telemetry patterns into a SIEM for real-time alerting is critical. Furthermore, network-level detection should focus on identifying unauthorized HTTPS traffic to domains that do not align with known package managers or developer resources. Organizations are also encouraged to audit their SOC playbooks to include checks for anomalous .vscode directory modifications within internal and external code repositories.
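The process-tree check described above, sketched as an added example that is not part of the original report. The event field names follow Sysmon process-creation events (Event ID 1); the image-name sets, the network indicator pattern and all sample events are assumptions constructed for illustration. It walks past the direct parent so that a shell launched through an intermediate `cmd.exe` is still attributed to the editor.

```python
import re

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "bash.exe", "bash", "sh", "zsh"}
IDE = {"code.exe", "code"}  # assumed VS Code image names; adjust per platform
# Assumed starter set of network-bound indicators; tune for your environment
NET = re.compile(r"https?://|\b(curl|wget|iwr|invoke-webrequest|invoke-restmethod)\b", re.I)

def image_name(path):
    """Lower-cased file name of a Windows or POSIX image path."""
    return re.split(r"[\\/]", path)[-1].lower()

def spawned_by_ide(event, by_pid, max_depth=8):
    """True if the IDE is the parent or a higher ancestor; depth cap stops PID loops."""
    cur = event
    for _ in range(max_depth):
        if image_name(cur["ParentImage"]) in IDE:
            return True
        cur = by_pid.get(cur["ParentProcessId"])
        if cur is None:
            break
    return False

def detect(events):
    """Return (pid, command line) for shells under the IDE that reach for the network."""
    by_pid = {e["ProcessId"]: e for e in events}
    return [(e["ProcessId"], e["CommandLine"]) for e in events
            if image_name(e["Image"]) in SHELLS
            and NET.search(e["CommandLine"])
            and spawned_by_ide(e, by_pid)]

def ev(pid, ppid, image, parent, cmd):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent, "CommandLine": cmd}

CODE = r"C:\Program Files\Microsoft VS Code\Code.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
# Constructed process-creation events, not telemetry from the campaign
EVENTS = [
    ev(100, 4, CODE, EXPLORER, "Code.exe C:\\src\\project"),
    ev(200, 100, CMD, CODE, "cmd.exe /c npm run build"),
    ev(300, 100, PS, CODE, "powershell -c iwr https://example.invalid/constructed"),
    ev(400, 200, r"C:\Program Files\Git\bin\bash.exe", CMD,
       "bash -c 'curl https://example.invalid/constructed'"),
    ev(500, 4, PS, EXPLORER, "powershell -c iwr https://example.invalid/constructed"),
]
```

Developers legitimately run network commands from the integrated terminal, so in a SIEM this rule is better used with an allowlist of expected destinations than as a standalone alert.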
Defensive Strategies and Mitigation
Defending against this APT requires a combination of technical controls and developer awareness. The behavior aligns with several techniques in the MITRE ATT&CK framework, specifically User Execution: Malicious File (T1204.002) and Command and Scripting Interpreter (T1059).
- Configure Task Policies: Administrators should enforce a policy that disables automatic task execution. Setting task.allowAutomaticTasks to off in the global VS Code settings prevents the runOn: folderOpen trigger from functioning.
- Strict Workspace Trust: Encourage developers to use the “Restricted Mode” in VS Code when opening projects from unverified sources. Trust should never be granted to repositories received during unsolicited recruitment processes.
- Endpoint Hardening: Deploy EDR policies that block IDE processes from spawning shells with network-reaching capabilities unless explicitly required by the development workflow.
By addressing the vulnerabilities inherent in the supply chain attack surface of development environments, organizations can mitigate the risks posed by North Korean cyber operations.