The Evelyn Stealer campaign represents a targeted effort to compromise software developers by weaponizing the Visual Studio Code (VSC) extension ecosystem. The attack uses a multistage delivery chain that starts with a malicious extension dropping a downloader disguised as a legitimate Lightshot DLL. This downloader then fetches a second-stage injector, which employs process hollowing to deploy the final Evelyn Stealer payload into genuine Windows processes such as "grpconv.exe".
Evelyn Stealer is highly sophisticated, featuring multiple layers of anti-analysis and anti-sandbox techniques to evade detection by researchers. Its primary goal is the exfiltration of sensitive data, including browser credentials, cryptocurrency wallets, system configuration details, and Wi-Fi passwords. The stolen data is archived into ZIP files with specific naming conventions and exfiltrated to the attacker's command-and-control server via FTP.
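As an added example (not code from the original write-up or from any analysis vendor), the following Python triage filter runs over constructed Sysmon-style process and network events and flags the behaviours the summary describes: grpconv.exe, a legacy Windows binary with no reason to talk to the network, opening an outbound connection (port 21 matching the FTP exfiltration), grpconv.exe being started by something outside the Windows directory (the injector creating its hollowing host), and processes spawned from the VS Code extensions directory. The event fields, the extensions path and the rule names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Event:
    kind: str            # "process" (creation) or "network" (outbound connect)
    image: str           # full path of the acting process
    parent: str = ""     # parent image, for process events
    dest_port: int = 0   # destination port, for network events

VSCODE_EXT_DIR = "\\.vscode\\extensions\\"   # assumed default extension root
WINDOWS_DIR = "c:\\windows\\"

def triage(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (severity, rule, image) findings for behaviours matching the campaign summary."""
    findings = []
    for ev in events:
        image, parent = ev.image.lower(), ev.parent.lower()
        is_grpconv = image.endswith("\\grpconv.exe")
        # Rule 1: a hollowed grpconv.exe talking to the network; port 21 matches the FTP exfil.
        if is_grpconv and ev.kind == "network":
            sev = "high" if ev.dest_port == 21 else "medium"
            findings.append((sev, "grpconv-network", ev.image))
        # Rule 2: grpconv.exe created by a parent outside C:\Windows (injector spawning its host).
        elif is_grpconv and ev.kind == "process" and not parent.startswith(WINDOWS_DIR):
            findings.append(("high", "grpconv-odd-parent", ev.image))
        # Rule 3: a child process launched by something living in the VS Code extensions
        # directory; legitimate for language servers, so low severity, for analyst review.
        elif ev.kind == "process" and VSCODE_EXT_DIR in parent:
            findings.append(("low", "vscode-ext-spawn", ev.image))
    return findings

# Constructed telemetry; paths and names are illustrative, not indicators from the campaign.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\grpconv.exe",
          parent=r"C:\Users\dev\.vscode\extensions\acme.tool\helper.exe"),
    Event("network", r"C:\Windows\System32\grpconv.exe", dest_port=21),
    Event("process", r"C:\Users\dev\AppData\Local\Temp\dl.exe",
          parent=r"C:\Users\dev\.vscode\extensions\acme.tool\helper.exe"),
    Event("process", r"C:\Windows\System32\notepad.exe", parent=r"C:\Windows\explorer.exe"),
    Event("network", r"C:\Program Files\Mozilla Firefox\firefox.exe", dest_port=443),
]

if __name__ == "__main__":
    for sev, rule, image in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {image}")
```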