Evelyn Stealer and the rising risk of developer tool supply chain attacks
Threat Group: Unknown cybercriminal operators leveraging developer tooling supply chains
Threat Type: Information stealer malware delivered via malicious development extensions
Exploited Vulnerabilities: Abuse of the Visual Studio Code extension trust model, DLL side loading, PowerShell execution policy misuse, Windows process hollowing
Malware Used: Evelyn Stealer, Lightshot.dll downloader, iknowyou.model injector
Threat Score: 8.1 🔴 High
Last Threat Observation: 21 January 2026
Overview
Evelyn Stealer is a sophisticated multi stage information stealing malware campaign that specifically targets software developers through the Visual Studio Code extension ecosystem. The campaign was publicly disclosed in mid January 2026 following coordinated analysis by multiple security research organisations including Trend Micro, Koi Security, and reporting from Cyber Security News.
Unlike broad opportunistic infostealers, Evelyn Stealer is deliberately engineered to compromise developer workstations where access to source code, cloud credentials, cryptographic keys, and production infrastructure is common. The malware abuses the trust developers place in their tooling by weaponising Visual Studio Code extensions that appear legitimate and function as advertised.
Once installed, the extension silently initiates a complex infection chain involving DLL side loading, PowerShell based payload retrieval, process hollowing, and headless browser automation. The final payload operates almost entirely within legitimate Windows processes, significantly reducing its detection footprint during early stages of infection.
The strategic value of this campaign lies in its ability to harvest browser cookies, cloud authentication material, SSH keys, cryptocurrency wallets, and VPN profiles. In many environments this provides direct access to production systems, cloud control planes, and financial assets.
Key Details
Delivery Method
Malicious Visual Studio Code extensions published under convincing names and themes, often mimicking popular developer utilities or visual themes.
Target
Software developers, DevOps engineers, and organisations relying on Visual Studio Code for application development, infrastructure management, and cloud operations.
Functions
- Steals browser cookies and session tokens from Chromium based browsers
- Extracts cryptocurrency wallet data including MetaMask and Phantom
- Harvests SSH keys, VPN profiles, and API credentials
- Performs stealthy data exfiltration via FTP to attacker controlled infrastructure
- Evades detection through process hollowing and headless browser execution
Obfuscation
- DLL side loading via masqueraded LightShot binaries
- AES encrypted payload stages decrypted in memory
- Execution within legitimate Windows system processes
- Use of mutex objects to prevent duplicate execution
Attack Vectors
Initial Infection via Malicious Extension
The attack begins when a developer installs a malicious Visual Studio Code extension. Known observed extensions masquerade as themes, AI assistants, or productivity enhancements such as Bitcoin Black, Codo AI, and various dark theme packages.
These extensions are designed to operate as expected from a user perspective. This deliberate functionality reduces suspicion and increases dwell time on infected systems. The malicious logic is embedded within extension scripts that execute during activation events or background tasks.
Stage One DLL Side Loading
Upon activation, the extension drops a malicious dynamic link library named Lightshot.dll into its own directory within the user's Visual Studio Code extensions path. It also deploys or references a bundled executable named LightShot.exe, which is either a legitimate copy or a counterfeit variant of the popular screenshot tool.
Through DLL side loading, the executable is coerced into loading the malicious Lightshot.dll instead of the legitimate library. This technique leverages Windows DLL search order behaviour and avoids triggering common script based detection mechanisms.
Once loaded, the malicious DLL gains execution within the context of a seemingly benign application.
Stage Two Payload Retrieval
The malicious DLL executes an obfuscated PowerShell command. This command reaches out to attacker infrastructure to retrieve the next stage payload. Observed payload filenames include runtime.exe and iknowyou.model, both written to the user's Temp directory.
This stage is responsible for system reconnaissance, environment validation, and preparation for injection. The payload is encrypted at rest and only decrypted during execution.
Stage Three Process Hollowing and Persistence
The decrypted final payload, Evelyn Stealer, is injected into the Windows system process grpconv.exe using process hollowing. The malware creates the process in a suspended state, replaces its memory image with malicious code, and resumes execution.
grpconv.exe is a legitimate Group Policy related utility that rarely generates network traffic. Its use as a hollowed host process significantly reduces the likelihood of detection by behavioural monitoring systems that rely on process reputation.
A mutex named COOL_SCREENSHOT_MUTEX_YARRRP is created to ensure that only one instance of the malware runs at any given time.
Credential Harvesting and Exfiltration
Once resident, Evelyn Stealer initiates data harvesting routines. It launches Chromium based browsers such as Chrome and Edge in headless mode using command line flags that suppress window creation and GPU acceleration. This allows extraction of cookies, stored credentials, and session tokens without triggering user visible alerts.
The malware also enumerates known cryptocurrency wallet extensions including MetaMask and Phantom, extracting wallet data and associated secrets.
Collected data is compressed into archives and exfiltrated via FTP to a remote command and control server. The use of FTP is notable as many modern environments focus monitoring on HTTPS based exfiltration, leaving legacy protocols less scrutinised.
Known Indicators of Compromise
File Hashes MD5
Not observed or reliably reported for this campaign.
File Hashes SHA1
Not observed or reliably reported for this campaign.
File Hashes SHA256
| File Name | Description | SHA256 |
|---|---|---|
| Lightshot.dll | Malicious DLL used for side loading stage one | 369479bd9a248c9448705c222d81ff1a0143343a138fc38fc0ea00f54fcc1598 |
| iknowyou.model | Injector payload stage two | 92af258d13494f208ccf76f53a36f288060543f02ed438531e0675b85da00430 |
| EvelynStealer.exe | Final payload stage three | aba7133f975a0788dd2728b4bbb1d7d948e50571a033a1e8f47a2691e98600c5 |
| runtime.exe | Alternate stage two payload | Varies |
| abe_decrypt.dll | Browser credential decryption module | 74e43a0175179a0a04361faaaaf05eb1e6b84adca69e4f446ef82c0a5d1923d5 |
Domains
- server09.mentality[.]cloud
- syn1112223334445556667778889990[.]org
Network Behaviour
- Outbound FTP connections on port 21 from developer workstations
- Network activity originating from grpconv.exe
Mitigation and Prevention
Mitigation Checklist
- Remove all untrusted Visual Studio Code extensions immediately
- Restrict installation of extensions to approved publishers only
- Block outbound FTP traffic unless explicitly required
- Monitor system processes for anomalous network behaviour
- Enable PowerShell script block logging and constrained language mode
- Deploy EDR rules to detect DLL side loading from user writable directories
- Rotate all credentials stored on affected systems
- Treat exposed cryptocurrency wallets as permanently compromised
User Awareness
Developers should be educated on the risks associated with third party extensions and themes. Visual appearance enhancements and AI assistants should be treated with the same scrutiny as executable software.
Email Filtering
While this campaign does not rely on email delivery, secondary payload distribution via phishing cannot be ruled out. Maintain strong filtering and attachment inspection.
Antivirus Protection
Ensure antivirus and EDR platforms are configured for behavioural detection rather than signature only scanning. Emphasise detection of process hollowing, suspicious PowerShell execution, and abnormal child process behaviour.
Two Factor Authentication
Enforce two factor authentication across all developer accessible platforms including source control, cloud providers, and CI/CD pipelines.
Log Monitoring
Actively monitor for grpconv.exe network activity, FTP sessions from endpoints, and browser executions with headless flags.
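The three monitoring points above, together with the DLL side loading and FTP exfiltration behaviour described under Attack Vectors, expressed as a small rule set run over Sysmon-style events (an added example, not code from the advisory or its sources; the events, the extension directory name, hosts and paths are constructed placeholders, not telemetry from the campaign):

```python
import re

# Constructed Sysmon-style events: ID 1 process create, 3 network connect, 7 image load.
# None of these are real telemetry; paths and hosts are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --headless --disable-gpu --no-sandbox",
     "parent": r"C:\Windows\System32\grpconv.exe"},
    {"id": 3, "image": r"C:\Windows\System32\grpconv.exe", "dst_port": 21, "dst_host": "203.0.113.10"},
    {"id": 7, "image": r"C:\Users\dev\.vscode\extensions\bitcoin-black-1.0.0\LightShot.exe",
     "loaded": r"C:\Users\dev\.vscode\extensions\bitcoin-black-1.0.0\Lightshot.dll"},
    {"id": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default", "parent": r"C:\Windows\explorer.exe"},
    {"id": 3, "image": r"C:\Program Files\Git\mingw64\bin\git-remote-https.exe", "dst_port": 443, "dst_host": "github.com"},
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.I)          # anything under a user profile
VSCODE_EXT_DIR = re.compile(r"\\\.vscode\\extensions\\", re.I)  # the per-user extensions path
HEADLESS_FLAG = re.compile(r"(^|\s)--headless(=\w+)?(\s|$)", re.I)
BROWSERS = {"chrome.exe", "msedge.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the names of every rule the event triggers (empty list if it looks benign)."""
    hits = []
    if ev["id"] == 7:
        # Stage one: a DLL loaded from a user-writable VS Code extension directory.
        loaded = ev.get("loaded", "")
        if USER_WRITABLE.match(loaded) and VSCODE_EXT_DIR.search(loaded):
            hits.append("dll_sideload_from_vscode_extension_dir")
        if basename(loaded) == "lightshot.dll":
            hits.append("lightshot_dll_loaded")
    elif ev["id"] == 3:
        # Stage three and exfiltration: a hollowed grpconv.exe on the network, or any FTP from an endpoint.
        if basename(ev["image"]) == "grpconv.exe":
            hits.append("grpconv_network_activity")
        if ev.get("dst_port") == 21:
            hits.append("outbound_ftp_from_endpoint")
    elif ev["id"] == 1:
        # Credential harvesting: a Chromium browser launched headless, worse when the parent is not a user shell.
        if basename(ev["image"]) in BROWSERS and HEADLESS_FLAG.search(ev.get("cmdline", "")):
            hits.append("headless_browser_launch")
            if basename(ev.get("parent", "")) not in INTERACTIVE_PARENTS:
                hits.append("headless_browser_unusual_parent")
    return hits

def scan(events):
    """Run every rule over a list of events and return (event_index, rule_name) findings."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]
```

Run as a whole, the sample yields six findings on the three malicious events and none on the two benign ones; the same rules map directly onto Sysmon event IDs 1, 3 and 7 in a SIEM.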
Regular Updates
Keep Windows, Visual Studio Code, and endpoint security tooling fully patched. Regularly review installed extensions across developer fleets.
Risk Assessment
Evelyn Stealer represents a high risk threat due to its targeted nature and the sensitivity of assets it seeks to compromise. Developer workstations often function as implicit trust anchors within organisations. Compromise at this level can enable lateral movement into production systems, cloud control planes, and intellectual property repositories.
The campaign demonstrates a mature understanding of developer workflows and security blind spots. By leveraging trusted tooling rather than exploiting traditional vulnerabilities, the attackers significantly reduce the effectiveness of perimeter based defences.
The use of headless browser extraction, encrypted payload staging, and process hollowing places Evelyn Stealer firmly within the category of advanced infostealers rather than commodity malware. Organisations that rely heavily on developer autonomy and decentralised tooling are particularly exposed.
Conclusion
Evelyn Stealer underscores a growing shift in attacker focus toward development environments and software supply chains. The abuse of Visual Studio Code extensions highlights the urgent need for stronger governance over developer tooling and extension ecosystems.
Organisations should assume that any unvetted extension represents executable code with full user level privileges. Proactive monitoring, strict extension controls, and rapid credential rotation are essential to reducing the impact of this campaign.
Failure to address this threat class risks not only data loss but full infrastructure compromise through stolen developer credentials and access tokens.
Sources
- Trend Micro – From Extension to Infection An In Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers – https://www.trendmicro.com/en_us/research/26/a/analysis-of-the-evelyn-stealer-campaign.html
- The Hacker News – Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto – https://thehackernews.com/2026/01/evelyn-stealer-malware-abuses-vs-code.html
- SC Media – Illicit VS Code extension delivers multi stage Evelyn infostealer – https://www.scworld.com/brief/illicit-vs-code-extension-delivers-multi-stage-evelyn-infostealer
- Koi Security – The VS Code Malware That Captures Your Screen – https://www.koi.ai/blog/the-vs-code-malware-that-captures-your-screen