Bitdefender researchers have discovered a malicious Windsurf IDE (integrated development environment) extension that deploys a multi-stage NodeJS stealer by using the Solana blockchain as the payload infrastructure.
Analysis Summary
# Tool/Technique: Windsurf IDE Solana-Based Stealer
## Overview
This is a sophisticated, multi-stage NodeJS-based information stealer delivered via a malicious extension for the Windsurf IDE (and Visual Studio Code). The attack is notable for utilizing the Solana blockchain as its Command and Control (C2) infrastructure to host encrypted payloads, making the distribution mechanism highly resilient to traditional takedowns. The malware specifically targets developer environments to harvest high-value credentials, while explicitly avoiding systems located in Russia.
## Technical Details
- **Type:** Malware Family (Stealer / Loader)
- **Platform:** Windows (Targeting developer environments/IDEs)
- **Capabilities:** Credential theft (Chromium browsers), persistence via scheduled tasks, blockchain-based payload retrieval, geo-fencing (anti-Russian).
- **First Seen:** March 2026 (as per report date)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain]
- **[TA0003 - Persistence]**
  - [T1053.005 - Scheduled Task/Job: Scheduled Task]
- **[TA0005 - Defense Evasion]**
  - [T1562.001 - Impair Defenses: Disable or Modify Tools]
  - [T1027 - Obfuscated Files or Information]
  - [T1614.001 - System Location Discovery: System Language Discovery]
- **[TA0009 - Collection]**
  - [T1555.003 - Credentials from Web Browsers]
- **[TA0011 - Command and Control]**
  - [T1102.002 - Web Service: Bidirectional Communication (Blockchain)]
## Functionality
### Core Capabilities
- **IDE Integration:** Disguises itself as `reditorsupporter.r-vscode`, mimicking the legitimate `REditorSupport` extension.
- **Blockchain Payload Delivery:** Uses Solana blockchain transactions to store and retrieve encrypted JavaScript payloads.
- **Credential Theft:** Utilizes native NodeJS addons (`.node` files/DLLs) to extract passwords, session cookies, and sensitive data from Chromium-based browsers.
- **System Profiling:** Collects usernames, environment variables, locale, and timezone data.
### Advanced Features
- **Anti-Russian Geo-fencing:** Checks for Russian language markers, UTC offsets (+2 to +12), and specific Russian timezones (e.g., Moscow, Vladivostok). If detected, the malware terminates.
- **Persistence Mechanism:** Creates hidden Windows Scheduled Tasks that relaunch a bundled NodeJS runtime to execute the malicious script on reboot.
- **Defense Evasion:** Decrypts payloads in memory only after installation; clears specific registry keys in `HKCU:\Software\Microsoft\Windows\CurrentVersion\Run` to hide its presence.
## Indicators of Compromise
- **File Names:**
  - `reditorsupporter.r-vscode-2.8.8-universal` (Extension name)
  - `w.node`, `c_x64.node`, `index_ia32.node` (Malicious native addons)
  - `DllExtractChromiumSecrets.dll`
  - `node.exe` (Bundled in non-standard paths)
- **Directory Paths:**
  - `.windsurf/extensions/`
  - `%AppData%\Roaming\node_x86\`
  - `%AppData%\Roaming\zplnUtG\`
- **Registry Keys:**
  - Interactions with `HKCU:\Software\Microsoft\Windows\CurrentVersion\Run`
- **Network Indicators:**
  - Traffic to Solana blockchain API endpoints (e.g., `api[.]mainnet-beta[.]solana[.]com`)
## Associated Threat Actors
- **Unknown:** The specific group is not named, though the "Anti-Russia" check suggests a non-CIS (Commonwealth of Independent States) based actor or a targeted geopolitical motivation.
## Detection Methods
- **Signature-based:** Scanning for the specific `reditorsupporter` extension string and the unique native `.node` file hashes.
- **Behavioral Detection:**
  - Monitoring IDE processes (`windsurf.exe`, `code.exe`) spawning PowerShell with Base64-encoded commands.
  - Identification of scheduled-task creation via `schtasks.exe` originating from IDE extension folders.
  - Detection of non-browser processes accessing browser credential storage files (`Login Data`, `Cookies`).
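The three behavioral detections above, plus the AppData-resident `node.exe` check from the mitigation section, as an added Python example that is not from the Bitdefender report; it assumes Sysmon-style field names (`Image`, `ParentImage`, `CommandLine`, `CurrentDirectory`, `TargetFilename`) and runs over constructed sample events.

```python
import base64
import re

# Field names follow Sysmon-style process/file telemetry (an assumption; map them to
# your EDR's schema, and note that file reads need a sensor that records them).
IDE_PARENTS = {"windsurf.exe", "code.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
CRED_FILES = ("\\login data", "\\cookies")
EXT_DIR_RE = re.compile(r"[\\/]\.windsurf[\\/]extensions[\\/]", re.I)
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def _base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    parent, image = _base(event.get("ParentImage", "")), _base(event.get("Image", ""))
    cmd, alerts = event.get("CommandLine", ""), []
    # 1. IDE process spawning PowerShell with a Base64 (UTF-16LE) encoded command
    m = ENC_RE.search(cmd) if parent in IDE_PARENTS and image.startswith("powershell") else None
    if m:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le", "replace")
        alerts.append(("ide_encoded_powershell", decoded))
    # 2. schtasks.exe run from, or by a parent living in, an IDE extension folder
    origin = event.get("CurrentDirectory", "") + "|" + event.get("ParentImage", "")
    if image == "schtasks.exe" and EXT_DIR_RE.search(origin):
        alerts.append(("schtasks_from_extension_dir", cmd))
    # 3. Non-browser process touching Chromium credential stores (Login Data, Cookies)
    target = event.get("TargetFilename", "").lower()
    if target.endswith(CRED_FILES) and image not in BROWSERS:
        alerts.append(("nonbrowser_credential_store_access", target))
    # 4. A node.exe runtime executing out of a user AppData directory
    if image == "node.exe" and "\\appdata\\" in event.get("Image", "").lower():
        alerts.append(("node_runtime_in_appdata", event["Image"]))
    return alerts

def scan(events):
    return [alert for event in events for alert in classify(event)]

# Constructed sample telemetry (not from the report): three suspicious events, one benign.
ENC = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Windsurf\windsurf.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -EncodedCommand {ENC}"},
    {"ParentImage": r"C:\Users\dev\AppData\Roaming\node_x86\node.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks.exe /create ...",
     "CurrentDirectory": r"C:\Users\dev\.windsurf\extensions\reditorsupporter.r-vscode-2.8.8-universal"},
    {"Image": r"C:\Users\dev\AppData\Roaming\node_x86\node.exe", "TargetFilename": r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "TargetFilename": r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
]
```

`scan(SAMPLE_EVENTS)` returns four alerts for the first three events and none for the browser's own access to its cookie store.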
## Mitigation Strategies
- **Extension Control:** Implement policies to restrict the installation of unverified or third-party IDE extensions.
- **Execution Policy:** Enforce strict PowerShell Execution Policies (e.g., `AllSigned`); note that execution policy is a safety feature rather than a security boundary, so pair it with the behavioral monitoring above.
- **Endpoint Hardening:** Use EDR/AV solutions to monitor for unusual NodeJS runtime executions in user `AppData` directories.
- **Supply Chain Hygiene:** Developers should verify extension publisher identities and cross-reference download counts/reviews with official marketplaces.
## Related Tools/Techniques
- **Living-off-the-Trusted-Service:** Similar to attacks using GitHub Gists or Pastebin for C2, but evolved to use Decentralized Finance (DeFi) infrastructure (Blockchain).
- **Typosquatting:** Similar to packages found in NPM or PyPI aimed at developers.