Cybersecurity researchers have disclosed details of a malware campaign that’s targeting software developers with a new information stealer called Evelyn Stealer by weaponizing the Microsoft Visual Studio Code (VS Code) extension ecosystem.
“The malware is designed to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data. Compromised developer environments can also be abused as access points into broader organizational systems,” Trend Micro said in an analysis published Monday.
The activity is designed to single out organizations with software development teams that rely on VS Code and third-party extensions, along with those with access to production systems, cloud resources, or digital assets, it added.
It’s worth noting that details of the campaign were first documented by Koi Security last month, when details emerged of three VS Code extensions – BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme – that ultimately dropped a malicious downloader DLL (“Lightshot.dll”) responsible for launching a hidden PowerShell command to fetch and execute a second-stage payload (“runtime.exe”).
The executable, for its part, decrypts and injects the main stealer payload into a legitimate Windows process (“grpconv.exe”) directly in memory, allowing it to harvest sensitive data and exfiltrate it to a remote server (“server09.mentality[.]cloud”) over FTP in the form of a ZIP file. Some of the information collected by the malware includes –
- Clipboard content
- Installed apps
- Cryptocurrency wallets
- Running processes
- Desktop screenshots
- Stored Wi-Fi credentials
- System information
- Credentials and stored cookies from Google Chrome and Microsoft Edge
In addition, it implements safeguards to detect analysis and virtual environments and takes steps to terminate active browser processes to ensure a seamless data collection process and prevent any potential interference when attempting to extract cookies and credentials.
This is achieved by launching the browser via the command line by setting the following flags for detection and forensic traces –
- –headless=new, to run in headless mode
- –disable-gpu, to prevent GPU acceleration
- –no-sandbox, to disable browser security sandbox
- –disable-extensions, to prevent legitimate security extensions from interfering
- –disable-logging, to disable browser log generation
- –silent-launch, to suppress startup notifications
- –no-first-run, to bypass initial setup dialogs
- –disable-popup-blocking, to ensure malicious content can execute
- –window-position=-10000,-10000, to position the window off-screen
- –window-size=1,1, to minimize window to 1×1 pixel
“The [DLL] downloader creates a mutual exclusion (mutex) object to ensure that only one instance of the malware can run at any given time, ensuring that multiple instances of the malware cannot be executed on a compromised host,” Trend Micro said. “The Evelyn Stealer campaign reflects the operationalization of attacks against developer communities, which are seen as high-value targets given their important role in the software development ecosystem.”
The disclosure coincides with the emergence of two new Python-based stealer malware families referred to as MonetaStealer and SolyxImmortal, with the former also capable of targeting Apple macOS systems to enable comprehensive data theft.
“[SolyxImmortal] leverages legitimate system APIs and widely available third-party libraries to extract sensitive user data and exfiltrate it to attacker-controlled Discord webhooks,” CYFIRMA said.
“Its design emphasizes stealth, reliability, and long-term access rather than rapid execution or destructive behaviour. By operating entirely in user space and relying on trusted platforms for command-and-control, the malware reduces its likelihood of immediate detection while maintaining persistent visibility into user activity.
