Full Report
A remote access trojan dubbed SleepyDuck, and disguised as the well-known Solidity extension in the Open VSX open-source registry, uses an Ethereum smart contract to establish a communication channel with the attacker. [...]
Analysis Summary
# Tool/Technique: SleepyDuck
## Overview
SleepyDuck is a Remote Access Trojan (RAT) disguised as a legitimate Solidity extension within the Open VSX open-source registry. Its primary purpose is to establish a persistent and redundant command and control (C2) channel with the attacker, eventually leading to system compromise and command execution on developer machines.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: VS Code environments leveraging Open VSX extensions (likely JavaScript/Node.js based execution environments within the IDE).
- Capabilities: Establishes a C2 channel that falls back to an Ethereum smart contract for redundancy, exfiltrates system data, and executes remote commands.
- First Seen: Submitted to Open VSX on October 31st; the malicious update likely followed on November 1st, 2025.
## MITRE ATT&CK Mapping
*Note: Direct mappings are inferred based on described functionality.*
- T1566 - Phishing
  - T1566.008 - Compromise Software Supply Chain (via malicious extension)
- T1078 - Valid Accounts
  - T1078.004 - Cloud Accounts (implied, as it targets developers using specialized development platforms/IDEs)
- T1059 - Command and Scripting Interpreter
  - T1059.004 - Unix Shell (implied via command sandbox)
- T1105 - Ingress Tool Transfer (implied when receiving commands for execution or further payload download)
- T1071 - Application Layer Protocol
  - T1071.001 - Web Protocols (used for POST requests containing system data)
- T1547 - Boot or Logon Autostart Execution
  - T1547.001 - Registry Run Keys / Startup Folder (implied via persistence mechanism setup)
## Functionality
### Core Capabilities
- **Disguise:** Masquerades as the well-known Solidity extension, published under the package name `juan-bianco.solidity-vlang` on the Open VSX registry.
- **Activation:** Executes malicious code upon editor startup, when a Solidity file is opened, or when the Solidity compile command is run.
- **Persistence Setup:** Creates a lock file to ensure it runs only once per host.
- **Data Collection:** Collects system data including hostname, username, MAC address, and timezone.
- **C2 Polling:** Initiates a polling loop to communicate with the C2 infrastructure.
### Advanced Features
- **Blockchain C2 Redundancy:** Utilizes an Ethereum smart contract to store and retrieve C2 server addresses and configuration updates. This technique ensures long-term persistence even if the primary C2 server is decommissioned.
- **Fast RPC Connection:** Finds the fastest Ethereum RPC provider to efficiently read commands from the stored smart contract.
- **Command Execution Sandbox:** Sets up a sandbox environment for executing received commands.
- **Evasion/Legitimacy:** Calls a fake function, `webpack.init()`, from `extension.js` to blend in and appear as a legitimate extension process.
- **Configuration Update:** Retrieves and applies current valid configuration from the C2 source (initially primary C2, then Ethereum contract).
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: `extension.js` (contains the malicious logic)
- Registry Keys: [Not specified in the context]
- Network Indicators:
  - Primary C2: `sleepyduck[.]xyz` (defanged)
  - C2 Communication: POST requests containing system data, used to receive commands.
  - Redundancy mechanism relies on reading from the Ethereum blockchain.
- Behavioral Indicators:
  - Execution triggered by VS Code/Solidity events.
  - Creation of a lock file for single execution per host.
  - Network activity querying an Ethereum RPC endpoint.
## Associated Threat Actors
- Not explicitly named; attributed to attackers targeting developers via software supply chain compromise.
## Detection Methods
- Signature-based detection: Targeting the package name `juan-bianco.solidity-vlang` or known malicious hashes (if available).
- Behavioral detection: Monitoring JavaScript/extension processes for unusual system information gathering (hostname, MAC address) or unexpected network connections to external web services or Ethereum RPC nodes during IDE operation.
- YARA rules: [Not available in the context]
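An added example, not part of this report and not tooling from any vendor: a small Python inventory check that applies the signature-based method above to locally installed extensions, matching the package identifier and two string indicators this report names (the primary C2 host, refanged for matching, and the decoy `webpack.init()` call). The extension root directories are assumed defaults and the finding labels are my own.

```python
import json
import os
import re

# Package identifier named in the report (Open VSX uses publisher.name).
MALICIOUS_EXTENSION_IDS = {"juan-bianco.solidity-vlang"}

# String indicators from the report: the primary C2 host (refanged from
# sleepyduck[.]xyz for matching) and the decoy webpack.init() call.
STRING_INDICATORS = {
    "c2-host": re.compile(r"sleepyduck\.xyz", re.I),
    "decoy-webpack-init": re.compile(r"webpack\.init\s*\("),
}

def check_manifest(manifest):
    """Flag a parsed package.json whose publisher.name is on the known-malicious list."""
    try:
        ext_id = f"{manifest['publisher']}.{manifest['name']}".lower()
    except (KeyError, TypeError):
        return []
    return [f"known-malicious package id {ext_id}"] if ext_id in MALICIOUS_EXTENSION_IDS else []

def check_source(text, label="extension.js"):
    """Return one finding per string indicator present in a JavaScript source."""
    return [f"{name} indicator in {label}" for name, pat in STRING_INDICATORS.items() if pat.search(text)]

def scan_extension_dir(ext_dir):
    """Run the manifest check and the source check over one installed extension directory."""
    findings = []
    try:
        with open(os.path.join(ext_dir, "package.json"), encoding="utf-8") as fh:
            findings += check_manifest(json.load(fh))
    except (OSError, ValueError):
        pass  # unreadable manifest: still inspect every .js file below
    for root, _dirs, files in os.walk(ext_dir):
        for name in (n for n in files if n.endswith(".js")):
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings += check_source(fh.read(), os.path.relpath(path, ext_dir))
    return findings

def scan_roots(roots=("~/.vscode/extensions", "~/.vscode-oss/extensions")):
    """Map each extension directory under the roots (assumed default layout) to its findings."""
    report = {}
    for root in (os.path.expanduser(r) for r in roots):
        for entry in (sorted(os.listdir(root)) if os.path.isdir(root) else []):
            ext_dir = os.path.join(root, entry)
            if os.path.isdir(ext_dir) and (hits := scan_extension_dir(ext_dir)):
                report[ext_dir] = hits
    return report
```

Calling `scan_roots()` on a workstation returns only the extension directories that produced findings; add published hashes to the checks once they are available.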
## Mitigation Strategies
- **Source Trust:** Exercise extreme caution when downloading VS Code extensions; trust only reputable publishers and their official repositories (e.g., the official VS Code Marketplace over Open VSX, unless the publisher is verified).
- **Supply Chain Monitoring:** Implement security scanning or auditing checks for extensions downloaded from community registries like Open VSX.
- **Principle of Least Privilege:** Ensure developer environments run with only the permissions they need, and isolate sensitive operations from the IDE.
## Related Tools/Techniques
- Other supply chain attacks targeting IDE extensions or developer tooling.
- Malware families that utilize blockchain infrastructure (like Ethereum) for C2 redundancy or persistence.