Ravie Lakshmanan, Jan 20, 2026. Cloud Security / Developer Security
Cybersecurity researchers have disclosed details of a malware campaign that is targeting software developers with a new information stealer called Evelyn Stealer by weaponizing the Microsoft Visual Studio Code (VS Code) extension ecosystem.
“The malware is designed to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data. Compromised developer environments can be abused as entry points into broader organizational systems,” Trend Micro said in an analysis published Monday.
The activity is designed to single out organizations with software development teams that rely on VS Code and third-party extensions, including those with access to production systems, cloud resources, or digital assets, it added.
It's worth noting that details of the campaign were first documented by Koi Security last month, when it described three VS Code extensions – BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme – that ultimately dropped a malicious downloader DLL (“Lightshot.dll”) responsible for launching a hidden PowerShell command to fetch and execute a second-stage payload (“runtime.exe”).
The executable, for its part, decrypts and injects the main stealer payload into a legitimate Windows process (“grpconv.exe”) directly in memory, allowing it to harvest sensitive data and exfiltrate it to a remote server (“server09.mentality[.]cloud”) over FTP in the form of a ZIP file. Some of the information collected by the malware includes –
Clipboard content
Installed apps
Cryptocurrency wallets
Running processes
Desktop screenshots
Saved Wi-Fi credentials
System information
Credentials and saved cookies from Google Chrome and Microsoft Edge
In addition, it implements safeguards to detect analysis and virtual environments and takes steps to terminate active browser processes to ensure a seamless data collection process and prevent any potential interference when attempting to extract cookies and credentials.
This is achieved by launching the browser via the command line with the following flags set to minimize detection and forensic traces –
--headless=new, to run in headless mode
--disable-gpu, to prevent GPU acceleration
--no-sandbox, to disable the browser security sandbox
--disable-extensions, to prevent legitimate security extensions from interfering
--disable-logging, to disable browser log generation
--silent-launch, to suppress startup notifications
--no-first-run, to bypass initial setup dialogs
--disable-popup-blocking, to ensure malicious content can execute
--window-position=-10000,-10000, to position the window off-screen
--window-size=1,1, to minimize the window to 1×1 pixel
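A detection check for the launch pattern above, written here as an added example (not code from the article or from Trend Micro): it parses constructed process-creation records, extracts the Chromium switches from each command line, and flags a Chrome or Edge launch whose switches match the stealer's set or park a 1×1 window off-screen. The MIN_FLAGS threshold, the sample records and their paths are assumptions.

```python
import re

# Chromium switches the article attributes to Evelyn Stealer's hidden browser launch.
STEALER_FLAGS = {
    "--headless=new", "--disable-gpu", "--no-sandbox", "--disable-extensions",
    "--disable-logging", "--silent-launch", "--no-first-run",
    "--disable-popup-blocking", "--window-position=-10000,-10000", "--window-size=1,1",
}
OFFSCREEN = {"--window-position=-10000,-10000", "--window-size=1,1"}
BROWSERS = {"chrome.exe", "msedge.exe"}
MIN_FLAGS = 5  # assumed threshold; tune against your own telemetry

_IMAGE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')       # quoted or bare image path
_FLAG = re.compile(r'--[\w-]+(?:=[^\s"]+)?')            # --switch or --switch=value

def parse_cmdline(cmdline):
    """Return (image basename, set of Chromium-style switches) from a command line."""
    m = _IMAGE.match(cmdline)
    path = (m.group(1) or m.group(2)) if m else ""
    image = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return image, set(_FLAG.findall(cmdline))

def analyze(event):
    """Flag a browser process creation whose switches match the stealer's hidden launch."""
    image, flags = parse_cmdline(event["cmdline"])
    hits = flags & STEALER_FLAGS
    offscreen = OFFSCREEN <= flags          # 1x1 window positioned off-screen
    suspicious = image in BROWSERS and (len(hits) >= MIN_FLAGS or offscreen)
    return {"image": image, "parent": event["parent"], "hits": sorted(hits),
            "offscreen": offscreen, "suspicious": suspicious}

def scan(events):
    """Return only the events worth alerting on."""
    return [r for r in (analyze(e) for e in events) if r["suspicious"]]

# Constructed process-creation records (not from the article); paths are illustrative.
SAMPLE_EVENTS = [
    {"parent": "grpconv.exe",
     "cmdline": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
                '--headless=new --disable-gpu --no-sandbox --disable-extensions '
                '--disable-logging --silent-launch --no-first-run --disable-popup-blocking '
                '--window-position=-10000,-10000 --window-size=1,1'},
    {"parent": "explorer.exe",   # ordinary interactive launch
     "cmdline": '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" '
                '--profile-directory=Default https://example.com'},
    {"parent": "node.exe",       # CI-style headless run: some overlap, no off-screen window
     "cmdline": 'C:\\tools\\chrome.exe --headless=new --disable-gpu --no-sandbox about:blank'},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT parent={alert['parent']} image={alert['image']} hits={len(alert['hits'])}")
```

The third record shows why the off-screen pair is weighted separately: automation frameworks legitimately use headless and no-sandbox switches, but rarely hide a 1×1 window at negative coordinates.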
“The [DLL] downloader creates a mutual exclusion (mutex) object to ensure that only one instance of the malware can run at any given time, ensuring that multiple instances of the malware can't be executed on a compromised host,” Trend Micro said. “The Evelyn Stealer campaign reflects the operationalization of attacks against developer communities, which are seen as high-value targets given their critical role in the software development ecosystem.”
The disclosure coincides with the emergence of two new Python-based stealer malware families called MonetaStealer and SolyxImmortal, with the former also capable of targeting Apple macOS systems to enable comprehensive data theft.
“[SolyxImmortal] leverages legitimate system APIs and widely available third-party libraries to extract sensitive user data and exfiltrate it to attacker-controlled Discord webhooks,” CYFIRMA said.
“Its design emphasizes stealth, reliability, and long-term access rather than rapid execution or destructive behaviour. By operating entirely in user space and relying on trusted platforms for command-and-control, the malware reduces its likelihood of immediate detection while maintaining persistent visibility into user activity.
