Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto
Cybersecurity researchers have disclosed details of a malware campaign that's targeting software developers with a new information stealer called Evelyn Stealer by weaponizing the Microsoft Visual Studio Code (VS Code) extension ecosystem. "The malware is designed to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data. Compromised developer
AI Analysis
Technical Summary
Evelyn Stealer is an information-stealing malware campaign that leverages malicious Visual Studio Code extensions to compromise developer environments. The attack begins with three identified malicious extensions—BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme—that drop a downloader DLL named Lightshot.dll. This DLL executes a hidden PowerShell command to download and run a second-stage payload (runtime.exe). The runtime executable decrypts and injects the main stealer payload into the legitimate Windows process grpconv.exe, running entirely in memory to evade detection. The malware collects a wide range of sensitive data, including clipboard contents, installed applications, cryptocurrency wallets, running processes, desktop screenshots, stored Wi-Fi credentials, system information, and credentials and cookies from Google Chrome and Microsoft Edge browsers. To avoid detection and ensure data collection, it terminates active browser processes and relaunches them with command-line flags that disable GPU acceleration, sandboxing, extensions, logging, and UI elements, running the browser in a minimal, off-screen window. Data exfiltration is performed via FTP to a remote server (server09.mentality[.]cloud) in zipped archives. The malware also creates a mutex to prevent multiple instances from running simultaneously. This campaign specifically targets organizations with software development teams using VS Code and third-party extensions, especially those with access to production systems, cloud resources, or digital assets. The use of trusted VS Code extensions as an infection vector highlights a significant supply chain risk. The campaign reflects a growing trend of targeting developer ecosystems due to their privileged access and potential as gateways into broader organizational infrastructure. 
While no exploitation of a software vulnerability is involved and no further in-the-wild activity has been reported beyond the three extensions, the malware's stealth and comprehensive data theft capabilities pose a serious threat to the confidentiality and integrity of sensitive information.
Potential Impact
For European organizations, especially those with active software development teams using Visual Studio Code and third-party extensions, Evelyn Stealer represents a significant risk. The malware’s ability to steal developer credentials and cryptocurrency-related data can lead to unauthorized access to corporate networks, cloud environments, and production systems, potentially resulting in intellectual property theft, financial losses, and operational disruptions. The compromise of developer environments can facilitate further lateral movement within organizations, enabling attackers to deploy additional malware or conduct supply chain attacks. Organizations involved in fintech, blockchain, or cryptocurrency sectors are particularly vulnerable due to the targeted theft of crypto wallets. The stealthy nature of the malware, including in-memory execution and anti-analysis techniques, complicates detection and response efforts. Given the widespread use of VS Code across Europe, the threat could impact a broad range of industries, including technology, finance, and critical infrastructure. The exfiltration of sensitive data to attacker-controlled servers also raises concerns about data privacy and regulatory compliance under GDPR, potentially resulting in legal and reputational consequences.
Mitigation Recommendations
European organizations should implement a multi-layered defense strategy tailored to this threat. First, enforce strict controls on the installation of VS Code extensions by whitelisting only verified and necessary extensions, and regularly audit installed extensions for suspicious activity. Employ endpoint detection and response (EDR) solutions capable of detecting in-memory injection and unusual process behaviors, such as unexpected PowerShell commands and browser process terminations. Monitor network traffic for anomalous FTP connections or data exfiltration attempts, especially to suspicious domains like server09.mentality[.]cloud. Implement strong credential management practices, including multi-factor authentication (MFA) for developer accounts and cloud resources, to limit the impact of stolen credentials. Conduct regular security awareness training for developers emphasizing the risks of installing untrusted extensions. Utilize application control policies to restrict execution of unauthorized DLLs and executables. Employ sandboxing and behavioral analysis tools to detect and quarantine malicious extensions before deployment. Finally, maintain up-to-date backups and incident response plans specifically addressing supply chain and developer environment compromises.
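The detection and monitoring recommendations above can be turned into concrete rules over endpoint telemetry. The script below is an added example and is not code from the article, the researchers, or any EDR vendor. It assumes a simple constructed key=value event format (extension installs, process creations, network connections) and flags the stages the analysis names: installation of one of the three reported extension IDs, a hidden PowerShell spawned from VS Code, a browser relaunched with Chromium switches that disable the sandbox, GPU, extensions or UI (the switch names are standard Chromium flags assumed here, not quoted from the article), creation of the grpconv.exe injection target, and FTP or any connection to the reported exfiltration host. The sample log lines are constructed, and the PowerShell command line is shown as a placeholder.

```python
"""Detection rules for the Evelyn Stealer infection chain (added example, not the article's code).

Event format is an assumption: one event per line, space-separated key=value pairs,
values with spaces in double quotes. Map the field names to your own telemetry source.
"""
import re
from collections import defaultdict

# Indicators taken from the article. Extension IDs are compared case-insensitively.
MALICIOUS_EXTENSIONS = {"bigblack.bitcoin-black", "bigblack.codo-ai", "bigblack.mrbigblacktheme"}
EXFIL_DOMAIN = "server09.mentality.cloud"  # written defanged in the article as server09.mentality[.]cloud
BROWSERS = {"chrome.exe", "msedge.exe"}
# Standard Chromium switches matching the behaviours the article describes (assumed, not quoted from it).
SUSPICIOUS_BROWSER_FLAGS = {"--no-sandbox", "--disable-gpu", "--disable-extensions", "--headless"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry: host dev01 shows the full chain, dev02 is benign.
SAMPLE_LOG = """\
type=extension_install host=dev01 user=alice ext=BigBlack.codo-ai
type=extension_install host=dev01 user=alice ext=ms-python.python
type=process_create host=dev01 parent=Code.exe image=powershell.exe cmdline="powershell.exe -WindowStyle Hidden -Command <redacted>"
type=process_create host=dev01 parent=runtime.exe image=grpconv.exe cmdline="grpconv.exe"
type=process_create host=dev01 parent=grpconv.exe image=chrome.exe cmdline="chrome.exe --no-sandbox --disable-gpu --disable-extensions --headless"
type=network_connect host=dev01 image=grpconv.exe proto=tcp dport=21 dst=server09.mentality.cloud
type=process_create host=dev02 parent=explorer.exe image=chrome.exe cmdline="chrome.exe --profile-directory=Default"
"""


def parse_event(line):
    """Turn one key=value line into a dict; quoted values lose their surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(ev):
    """Return (severity, reason) if the event matches a stage from the report, else None."""
    kind = ev.get("type")
    if kind == "extension_install":
        if ev.get("ext", "").lower() in MALICIOUS_EXTENSIONS:
            return "high", f"known Evelyn Stealer extension installed: {ev['ext']}"
    elif kind == "process_create":
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        cmd = ev.get("cmdline", "").lower()
        # Stage 1: the dropped DLL runs a hidden PowerShell downloader from inside VS Code.
        if image == "powershell.exe" and parent == "code.exe" and "hidden" in cmd:
            return "high", "hidden PowerShell spawned from VS Code (downloader stage)"
        # Stage 3: browsers are killed and relaunched stripped of sandbox, GPU, extensions and UI.
        if image in BROWSERS:
            hits = SUSPICIOUS_BROWSER_FLAGS.intersection(cmd.split())
            if len(hits) >= 2:
                return "high", f"browser relaunched with {sorted(hits)}"
        # Stage 2: the stealer is injected into grpconv.exe; any start is worth a parent review.
        if image == "grpconv.exe":
            return "low", f"grpconv.exe started by {ev.get('parent')} (named injection target; review parent)"
    elif kind == "network_connect":
        if ev.get("dst", "").lower() == EXFIL_DOMAIN:
            return "high", f"connection to reported exfiltration host {ev['dst']}"
        if ev.get("dport") == "21":
            return "medium", f"FTP connection from {ev.get('image')} to {ev.get('dst')}"
    return None


def detect(log_text):
    """Run every rule over the log and return a list of findings with host, severity and reason."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            findings.append({"host": ev.get("host"), "severity": verdict[0], "reason": verdict[1]})
    return findings


def hits_per_host(findings):
    """Hosts with several independent stage hits are the strongest candidates for the full chain."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = detect(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']}] {f['host']}: {f['reason']}")
    print(hits_per_host(results))
```

On the constructed sample, dev01 produces five findings (four high, one low) spanning extension install, downloader, injection target, browser relaunch and exfiltration host, while dev02 produces none. Correlating hits per host, rather than alerting on a single rule, is what separates this chain from a developer who legitimately runs a browser headless or makes an unrelated FTP transfer.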
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Poland
Technical Details
- Article Source: https://thehackernews.com/2026/01/evelyn-stealer-malware-abuses-vs-code.html (fetched 2026-01-21T03:06:10Z, 1115 words)
Threat ID: 697042a44623b1157c81b94f
Added to database: 1/21/2026, 3:06:12 AM
Last enriched: 1/21/2026, 3:07:40 AM
Last updated: 2/7/2026, 8:04:55 AM