Full Report
Cybersecurity researchers have flagged a new malicious extension in the Open VSX registry that harbors a remote access trojan called SleepyDuck. According to Secure Annex's John Tuckner, the extension in question, juan-bianco.solidity-vlang (version 0.0.7), was first published on October 31, 2025, as a completely benign library that was subsequently updated to version 0.0.8 on November 1 to
Analysis Summary
# Tool/Technique: SleepyDuck (via juan-bianco.solidity-vlang extension)
## Overview
SleepyDuck is a Remote Access Trojan (RAT) delivered via a malicious extension in the Open VSX registry (`juan-bianco.solidity-vlang`). Its primary purpose is to establish command and control over compromised developer workstations, gather system information, and maintain persistence through a resilient C2 mechanism leveraging the Ethereum blockchain.
## Technical Details
- Type: Malware family (Remote Access Trojan) / Supply Chain Attack (Malicious Extension)
- Platform: Developer workstations running code editors supporting Open VSX extensions (e.g., VS Code).
- Capabilities: Remote access, system information exfiltration, resilient C2 updating/fallback via Ethereum contracts.
- First Seen: Initial benign release on October 31, 2025; malicious update on November 1, 2025.
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - *General C2 communication implied.*
- **TA0009 - Collection**
  - T1082 - System Information Discovery
  - T1039 - Data from Local System
    - *Gathers system information (hostname, username, MAC address, timezone).*
- **TA0005 - Persistence**
  - T1547.001 - Registry Run Keys / Startup Folder
    - *Triggered upon opening a new code editor window or selecting a `.sol` file, indicating execution based on application state.*
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
    - *Exfiltrates gathered system information to the remote server.*
## Functionality
### Core Capabilities
* **RAT Functionality:** Executes commands received from the remote server.
* **Trigger Mechanism:** Executes upon opening a new code editor window or selecting a `.sol` file (Solidity source file).
* **C2 Polling:** Checks for new commands every 30 seconds.
* **Information Gathering:** Collects hostname, username, MAC address, and timezone.
### Advanced Features
* **Resilient C2 Update via Ethereum:** Utilizes an Ethereum contract (`0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465`) to store and update its C2 server address, making disruption difficult.
* **C2 Fallback:** If the primary domain (`sleepyduck[.]xyz`) is seized, it queries RPC addresses to find the contract and extract the new server details.
* **Emergency Command:** Capable of executing a universal emergency command to all compromised endpoints if necessary.
* **Sandbox Evasion:** Includes techniques to detect and avoid execution within analysis environments.
* **Initial C2:** Contacted `sleepyduck[.]xyz`.
## Indicators of Compromise
- File Hashes: N/A (Information pertains to an extension installation)
- File Names: `juan-bianco.solidity-vlang` (version 0.0.7 → 0.0.8)
- Registry Keys: N/A
- Network Indicators:
  - Initial C2 Domain: `sleepyduck[.]xyz`
  - Initial C2 Port (implied transaction): `:8080` (before jump to domain)
  - C2 Blockchain Contract Address: `0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465`
  - Associated Actor Address (for context/tracking): `0x0edcfe26cf600fb56ae6aaf3f1d943c811314573`
- Behavioral Indicators: Installation and execution triggered by VS Code/editor activity related to Solidity files; periodic network connections to update C2 information via Ethereum RPCs.
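As an added example (not code from the article or from Secure Annex), a Python sweep of an editor's extensions directory that flags the extension ID and version listed above, and any extension whose JavaScript embeds the C2 domain or contract address. It assumes the VS Code-style layout `<extensions_dir>/<publisher>.<name>-<version>/package.json`; the `_make_fixture` helper and `demo` build constructed test folders in a temporary directory.

```python
import json
import tempfile
from pathlib import Path

MALICIOUS_EXTENSION = "juan-bianco.solidity-vlang"   # extension ID named in the report
MALICIOUS_VERSIONS = {"0.0.8"}                      # 0.0.7 was the benign first release
IOC_STRINGS = (
    "sleepyduck.xyz",                               # initial C2 domain (de-fanged in the report)
    "0xdafb81732db454da238e9cfc9a9fe5fb8e34c465",   # Ethereum contract holding the C2 address
)

def audit_extensions(extensions_dir):
    """Return sorted (ext_id, version, reason) findings for one extensions directory."""
    findings = []
    for pkg in Path(extensions_dir).glob("*/package.json"):
        try:
            meta = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip rather than abort the sweep
        ext_id = f"{meta.get('publisher', '')}.{meta.get('name', '')}".lower()
        version = str(meta.get("version", ""))
        if ext_id == MALICIOUS_EXTENSION:
            reason = "known malicious version" if version in MALICIOUS_VERSIONS else "malicious extension ID"
            findings.append((ext_id, version, reason))
            continue
        # An extension under any ID that embeds the C2 domain or contract address is suspect.
        for src in sorted(pkg.parent.rglob("*.js")):
            text = src.read_text(encoding="utf-8", errors="ignore").lower()
            hit = next((ioc for ioc in IOC_STRINGS if ioc in text), None)
            if hit:
                findings.append((ext_id, version, f"embeds IoC {hit} in {src.name}"))
                break
    return sorted(findings)

def _make_fixture(root, ext_id, version, js_body):
    # Constructed fixture: a minimal extension folder in the assumed layout.
    publisher, name = ext_id.split(".", 1)
    d = Path(root) / f"{ext_id}-{version}"
    d.mkdir(parents=True)
    (d / "package.json").write_text(json.dumps({"publisher": publisher, "name": name, "version": version}))
    (d / "extension.js").write_text(js_body)

def demo():
    """Run the audit over three constructed extensions and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        _make_fixture(tmp, "juan-bianco.solidity-vlang", "0.0.8", "// stub")
        _make_fixture(tmp, "acme.renamed-copy", "1.0.0", "// C2: sleepyduck.xyz")
        _make_fixture(tmp, "acme.benign", "1.2.0", "console.log('hi');")
        return audit_extensions(tmp)
```

For a real sweep, point `audit_extensions` at `~/.vscode/extensions` or the equivalent directory of an Open VSX-based editor.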
## Associated Threat Actors
The source material does not explicitly name the threat actor group responsible for SleepyDuck, only referring to them as the "threat actor" who published the extension and managed the contract transactions.
## Detection Methods
- Signature-based detection: Detection of the specific malicious extension name/ID in the Open VSX registry.
- Behavioral detection: Monitoring for the extension hook execution upon opening `.sol` files, subsequent attempts to connect to external RPC providers, and C2 polling activity (e.g., connections to `sleepyduck[.]xyz`).
- YARA rules: N/A (No file hashes provided, but rules could target the payload contained within the extension package).
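An added example of the behavioral detection listed above (not from the article): it scans constructed proxy-style records for an editor process reaching the C2 domain, a JSON-RPC `eth_call` whose `to` field is the contract address, and the 30-second polling cadence. The record schema, the editor process names and the RPC hostname `rpc.example-provider.test` are assumptions.

```python
import json

IDE_PROCESSES = {"code", "code.exe", "codium", "cursor"}   # assumed editor process names
C2_DOMAIN = "sleepyduck.xyz"                               # de-fanged as sleepyduck[.]xyz in the report
C2_CONTRACT = "0xdafb81732db454da238e9cfc9a9fe5fb8e34c465"
POLL_SECONDS, TOLERANCE = 30, 5                            # 30-second command polling per the report

def eth_call_target(body):
    """Return the lower-cased contract address of an eth_call JSON-RPC request, else None."""
    try:
        req = json.loads(body)
        if req.get("method") == "eth_call":
            return str(req["params"][0].get("to", "")).lower()
    except (ValueError, KeyError, IndexError, AttributeError, TypeError):
        pass
    return None

def detect(records):
    """records: dicts with ts (epoch s), process, host, body. Returns sorted alert strings."""
    alerts = set()
    timeline = {}
    for r in records:
        proc = r["process"].lower()
        host = r["host"].lower()
        if proc in IDE_PROCESSES and host == C2_DOMAIN:
            alerts.add(f"{proc} -> {host}: SleepyDuck C2 domain")
        if eth_call_target(r.get("body", "")) == C2_CONTRACT:
            alerts.add(f"{proc} -> {host}: eth_call to SleepyDuck C2-address contract")
        timeline.setdefault((proc, host), []).append(r["ts"])
    # Beacon check: an editor process hitting one host at a steady ~30 s cadence.
    for (proc, host), ts in timeline.items():
        ts = sorted(ts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if proc in IDE_PROCESSES and len(gaps) >= 2 and all(abs(g - POLL_SECONDS) <= TOLERANCE for g in gaps):
            alerts.add(f"{proc} -> {host}: ~{POLL_SECONDS}s polling cadence")
    return sorted(alerts)

# Constructed sample records (not real telemetry): an editor polling the C2 domain and then
# querying a public RPC endpoint for the contract once the domain stops answering.
SAMPLE = [
    {"ts": 1000, "process": "Code.exe", "host": "sleepyduck.xyz", "body": ""},
    {"ts": 1030, "process": "Code.exe", "host": "sleepyduck.xyz", "body": ""},
    {"ts": 1061, "process": "Code.exe", "host": "sleepyduck.xyz", "body": ""},
    {"ts": 1100, "process": "Code.exe", "host": "rpc.example-provider.test",
     "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                         "params": [{"to": "0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465", "data": "0x"}, "latest"]})},
    {"ts": 1105, "process": "chrome.exe", "host": "github.com", "body": ""},
]
```

Calling `detect(SAMPLE)` yields three alerts: the domain contact, the contract query and the polling cadence; the browser record produces none.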
## Mitigation Strategies
* Exercise extreme caution when downloading third-party extensions, especially for specialized or less common repositories like Open VSX.
* Prefer extensions from verified, trusted publishers on official marketplaces (like VS Code Marketplace, though it also requires vigilance).
* Implement network monitoring to detect unusual external communication originating from development IDE processes (e.g., connections to known blockchain RPC nodes or suspicious domains).
* Conduct supply chain hardening assessments for developer tools and associated marketplace extensions.
## Related Tools/Techniques
* **Supply Chain Attacks targeting IDEs/Extensions:** Including other malicious extensions found on VS Code/Open VSX targeting Solidity developers, such as those previously disclosed by threat actors.
* **Blockchain-based C2:** Use of decentralized infrastructure (like Ethereum smart contracts) to enhance C2 resilience, seen in various other malware families attempting to evade traditional domain takedowns.
* **Related Batch Miner Payload:** The article mentions another set of extensions by "developmentinc" that deployed an immediate Monero mining payload using a batch script started via `cmd.exe` and configuring Defender exclusions, indicating a likely related threat actor profile utilizing opportunistic malware delivery.