Threat Actors Using Malicious VSCode Extension to Deploy Anivia Loader and OctoRAT

A fake Visual Studio Code extension has been used in a supply chain attack that targets developers through their editor.

The rogue extension, named prettier-vscode-plus and posing as the trusted Prettier formatter, appeared briefly in the official VSCode Marketplace before takedown.

Once installed, it pulled staged scripts from a GitHub repository called vscode under the account biwwwwwwwwwww.

Threat actor's GitHub repository 'vscode' containing malicious VBScript payloads (Source - Hunt.io)

The extension blended into normal developer workflows, triggering its payload when projects were opened. Behind the scenes, it fetched an obfuscated VBScript file that served as the first-stage dropper.

This script wrote a PowerShell loader into the temp folder and ran it with execution policy bypass flags, while hiding all windows from the user.

Hunt.io security analysts identified the activity after tracing suspicious VBScript downloads back to the vscode repository and linking them to the short-lived marketplace listing.

The impact is serious: the final payload is OctoRAT, a full remote access tool, delivered through an intermediate component known as the Anivia loader.

Together, they enable code execution, data theft from browsers and wallets, and remote desktop control on developer systems.

Even though the extension had only a handful of installs, the targets are high value, with access to source code and production systems.

Infection chain and loader behavior

The infection begins with a VBScript dropper that creates a random PowerShell file in the temp path and populates it with a Base64-encoded AES payload.

First-stage VBScript dropper initializing AES decryption (Source - Hunt.io)

The script uses COM objects such as WScript.Shell to run the loader without user prompts. A simplified view of the persistence task later set by OctoRAT looks like:

schtasks.exe /create /tn "WindowsUpdate" /tr "" /sc minute /mo 1 /f

The PowerShell loader decrypts the embedded blob using AES-256 in CBC mode and executes the result directly in memory.

Anivia then takes over, storing its encrypted payload in a byte array and using a hard-coded key to decrypt a portable executable.

That payload is injected into the trusted vbc.exe process via process hollowing, which helps it avoid common endpoint checks.

OctoRAT Center login panel (Source – Hunt.io)

From there, OctoRAT launches, sets the WindowsUpdate task for repeat startup, and opens an encrypted command channel to attacker control servers.
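The chain above (script host launching a hidden, policy-bypassing PowerShell loader from Temp, PowerShell spawning vbc.exe as the hollowing host, and an every-minute "WindowsUpdate" scheduled task) can be turned into simple process-creation detections. The following is an added example, not code from Hunt.io or from the article; the event tuples are constructed samples, and the powershell.exe to vbc.exe parent relationship and the task's payload path are assumptions.

```python
import re

# Constructed sample process-creation events: (parent image, child image, command line).
# Modelled on the chain described in the article plus two benign events; not real telemetry.
SAMPLE_EVENTS = [
    ("Code.exe", "wscript.exe", r"wscript.exe //B C:\Users\dev\AppData\Local\Temp\stage1.vbs"),
    ("wscript.exe", "powershell.exe",
     r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\dev\AppData\Local\Temp\ab12cd.ps1"),
    # Assumption: the in-memory Anivia stage creates vbc.exe from the PowerShell process it runs in.
    ("powershell.exe", "vbc.exe", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"),
    # Constructed payload path; the article shows the /tr value blank.
    ("vbc.exe", "schtasks.exe",
     r'schtasks.exe /create /tn "WindowsUpdate" /tr "C:\placeholder\payload.exe" /sc minute /mo 1 /f'),
    ("explorer.exe", "powershell.exe", r"powershell.exe -File C:\scripts\build.ps1"),
    ("explorer.exe", "schtasks.exe", r'schtasks.exe /create /tn "Backup" /tr "C:\tools\backup.exe" /sc daily /f'),
]

# Each rule: (name, predicate over lower-cased parent, lower-cased child, raw command line).
RULES = [
    ("script host launches hidden bypass PowerShell from Temp",
     lambda p, c, cmd: p in ("wscript.exe", "cscript.exe") and c == "powershell.exe"
        and re.search(r"-executionpolicy\s+bypass", cmd, re.I)
        and re.search(r"-windowstyle\s+hidden", cmd, re.I)
        and re.search(r"\\temp\\", cmd, re.I)),
    ("PowerShell spawns vbc.exe (process-hollowing host)",
     lambda p, c, cmd: p == "powershell.exe" and c == "vbc.exe"),
    ("schtasks creates every-minute 'WindowsUpdate' task",
     lambda p, c, cmd: c == "schtasks.exe"
        and re.search(r'/tn\s+"?windowsupdate"?', cmd, re.I)
        and re.search(r"/sc\s+minute\s+/mo\s+1\b", cmd, re.I)),
]

def detect(events):
    """Return a list of (rule_name, command_line) for every event some rule matches."""
    hits = []
    for parent, child, cmd in events:
        parent, child = parent.lower(), child.lower()
        for name, pred in RULES:
            if pred(parent, child, cmd):
                hits.append((name, cmd))
    return hits

def chain_complete(hits):
    """True when every stage of the chain was observed (all rules fired at least once)."""
    return {name for name, _ in hits} == {name for name, _ in RULES}

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for name, cmd in found:
        print(f"[ALERT] {name}: {cmd}")
    print("full chain observed:", chain_complete(found))
```

Each rule alone is noisy on a developer workstation; the value is in correlating all three stages on one host within a short window, which chain_complete approximates.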

This complete technical breakdown shows how one fake extension can deliver a full intrusion in a few steps.
