The article details a sophisticated malware campaign dubbed Evelyn Stealer, which specifically targets software developers by weaponizing the Visual Studio Code (VSC) extension ecosystem. The threat actors use malicious extensions to gain a foothold in developer environments, aiming to exfiltrate sensitive credentials, indicators of source-code access, and cryptocurrency assets. The approach exploits the implicit trust developers place in their development tools and third-party plugins.
Evelyn Stealer employs a multi-stage delivery process: a downloader disguised as a legitimate DLL, an injector that uses process hollowing, and the final information-stealing payload. The malware features robust anti-analysis and anti-sandbox measures, including GPU and disk-size checks, to evade detection. For exfiltration, it injects a decryption DLL into headless browser processes and uploads the stolen data to a command-and-control server via FTP.
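As an added defender-side example (not code from the article or from the Evelyn Stealer analysis), the following Python flags two of the behaviours the summary describes, a headless browser launch and an FTP connection originating from a browser process, by scanning constructed Sysmon-style events; the pipe-delimited event format, the sample values, and the "spawned by Code.exe" enrichment are assumptions.

```python
from collections import namedtuple

# Constructed sample events (not from the article), Sysmon-style:
# kind | process | parent | command line (process) or destination (netconn)
SAMPLE_EVENTS = """\
process|chrome.exe|explorer.exe|chrome.exe --profile-directory=Default
process|msedge.exe|Code.exe|msedge.exe --headless --disable-gpu
netconn|msedge.exe|-|203.0.113.5:21
netconn|chrome.exe|-|142.250.0.1:443
process|python.exe|Code.exe|python.exe build.py
"""

Event = namedtuple("Event", "kind proc parent detail")

BROWSERS = {"chrome.exe", "msedge.exe", "chromium.exe"}
HEADLESS_FLAGS = {"--headless", "--headless=new"}   # real Chromium switches
IDE_PARENTS = {"code.exe"}                          # assumption: VS Code host
FTP_PORTS = {"21"}                                  # plain FTP control port


def parse_events(text):
    """Turn the pipe-delimited sample into Event tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, proc, parent, detail = line.split("|", 3)
        events.append(Event(kind, proc, parent, detail))
    return events


def detect(events):
    """Return (process, reason) findings for the two exfiltration indicators."""
    findings = []
    for ev in events:
        if ev.proc.lower() not in BROWSERS:
            continue
        if ev.kind == "process":
            tokens = set(ev.detail.split())
            if tokens & HEADLESS_FLAGS:
                reason = "headless browser launch"
                if ev.parent.lower() in IDE_PARENTS:
                    reason += " spawned by Code.exe"  # assumed enrichment
                findings.append((ev.proc, reason))
        elif ev.kind == "netconn":
            port = ev.detail.rsplit(":", 1)[-1]
            if port in FTP_PORTS:
                findings.append((ev.proc, "browser process connecting over FTP"))
    return findings


if __name__ == "__main__":
    for proc, reason in detect(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {proc}: {reason}")
```

Either finding alone is weak on its own (developers do run headless browsers for tests), so a real rule would correlate both against the same process tree within a short window.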