
From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers

Medium
Published: Tue Jan 20 2026 (01/20/2026, 08:41:07 UTC)
Source: AlienVault OTX General

Description

The Evelyn Stealer campaign targets software developers through weaponized Visual Studio Code extensions, employing a multistage delivery of information-stealing malware. The attack chain involves a downloader disguised as a legitimate Lightshot DLL, an injector that uses process hollowing to inject the final payload, and the Evelyn Stealer itself. The malware implements sophisticated anti-analysis techniques, collects sensitive information including browser credentials and cryptocurrency data, and exfiltrates the stolen data via FTP. This campaign highlights the increasing threat to developer communities and the need for enhanced security measures in development environments.

AI-Powered Analysis

Last updated: 01/20/2026, 09:05:21 UTC

Technical Analysis

The Evelyn Stealer campaign represents a sophisticated targeted attack against software developers, leveraging weaponized Visual Studio Code extensions as the initial infection vector. The attack unfolds in multiple stages: initially, a downloader masquerades as a legitimate Lightshot DLL to avoid suspicion. This downloader then executes an injector component that employs process hollowing, a stealthy technique where a legitimate process is hollowed out and replaced with malicious code, to load the final payload—the Evelyn Stealer malware. The malware incorporates advanced anti-analysis techniques such as obfuscation and anti-debugging to hinder forensic and automated detection efforts. Once active, Evelyn Stealer harvests a broad range of sensitive information including browser credentials, cryptocurrency wallet data, and potentially other system information. Data exfiltration is conducted over FTP, a less commonly monitored protocol in modern environments, which may allow attackers to evade network detection. The campaign underscores the growing threat to developer ecosystems, where trusted tools and extensions can be weaponized to compromise development environments and steal valuable intellectual property or credentials. Indicators of compromise include specific file hashes and suspicious domains used for command and control. Although no CVE or known exploits in the wild are reported, the campaign's complexity and targeted nature make it a significant threat vector for organizations relying on Visual Studio Code in their software development lifecycle.

Potential Impact

For European organizations, particularly those with active software development teams using Visual Studio Code, the Evelyn Stealer campaign poses a serious risk to confidentiality and integrity. The theft of browser credentials and cryptocurrency data can lead to financial losses, unauthorized access to corporate and personal accounts, and potential lateral movement within networks. Intellectual property and sensitive development data may be exposed, impacting competitive advantage and compliance with data protection regulations such as GDPR. The use of FTP for data exfiltration may bypass some traditional network security controls, increasing the likelihood of successful data theft. The campaign could disrupt development workflows and erode trust in development tools, potentially leading to operational delays and increased remediation costs. Given the targeted nature of the attack, organizations with high-value development assets or those involved in cryptocurrency projects are at elevated risk. The medium severity rating reflects the targeted scope and the need for user interaction (installing malicious extensions), but the sophisticated evasion techniques increase the challenge of detection and response.

Mitigation Recommendations

1. Enforce strict policies on Visual Studio Code extension installation, limiting it to verified and trusted sources only.
2. Implement application whitelisting and code-signing verification to prevent unauthorized DLLs and executables from running.
3. Deploy endpoint detection and response (EDR) solutions capable of detecting process hollowing, DLL injection, and other advanced malware behaviors.
4. Monitor network traffic for unusual FTP connections or data transfers, especially to suspicious or unknown domains.
5. Educate developers about the risks of installing unverified extensions and encourage regular audits of installed extensions.
6. Use multi-factor authentication (MFA) and password managers to reduce the impact of stolen credentials.
7. Regularly update and patch development tools and environments to minimize vulnerabilities.
8. Employ threat intelligence feeds to detect and block known indicators of compromise such as malicious hashes and domains associated with the campaign.
9. Conduct regular security assessments and penetration testing focused on the software development lifecycle and supply chain risks.
10. Isolate development environments from critical production networks to limit lateral movement in case of compromise.
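Recommendations 4 and 8 above amount to a small piece of detection logic: match file-hash events against the campaign's hashes, match destination hosts against its domains (including subdomains), and flag any FTP session to a host the organization does not normally use. The script below is an added example, not code from the page, AlienVault or Trend Micro. The hash and domain values are copied from the indicator table further down this page; the key=value log format, the host names, the file paths and the FTP allowlist are constructed assumptions for the demonstration.

```python
"""Match the Evelyn Stealer IoCs listed on this page against constructed
endpoint and network log lines.  Added example: IoC values come from the
page's indicator table; log schema, hosts, paths and allowlist are assumed."""
import re

# Indicator values copied from the page's IoC table.
IOC_HASHES = {
    "0acee8ed59c8d6e70ce6c22b5888c08c",
    "5c507b22e9814428c5f2b1ef213c5c4a",
    "b5e3c2bdc976bdf948422a9b2baebe8a221d2d92",
    "2e649f6145f55988b920ff5a445e63aae29c80495b830e0d8bb4b3fff4b1f6f4",
    "369479bd9a248c9448705c222d81ff1a0143343a138fc38fc0ea00f54fcc1598",
    "74e43a0175179a0a04361faaaaf05eb1e6b84adca69e4f446ef82c0a5d1923d5",
    "92af258d13494f208ccf76f53a36f288060543f02ed438531e0675b85da00430",
    "aba7133f975a0788dd2728b4bbb1d7d948e50571a033a1e8f47a2691e98600c5",
}
IOC_DOMAINS = {
    "syn1112223334445556667778889990.org",
    "server09.mentality.cloud",
}

# Constructed allowlist: FTP hosts this hypothetical organization legitimately uses.
FTP_ALLOWLIST = {"ftp.example.internal"}

# Constructed log lines in a simple key=value format (not a real product's schema).
# Two file-hash events and four network events; one SHA-256 and one domain are IoCs.
SAMPLE_LOGS = """\
ts=2026-01-20T08:41:07Z type=file host=dev-ws-07 path=C:\\Users\\dev\\.vscode\\extensions\\lightshot.dll sha256=2e649f6145f55988b920ff5a445e63aae29c80495b830e0d8bb4b3fff4b1f6f4
ts=2026-01-20T08:41:09Z type=net host=dev-ws-07 proto=tcp dport=443 dst=marketplace.visualstudio.com
ts=2026-01-20T08:42:15Z type=net host=dev-ws-07 proto=ftp dport=21 dst=server09.mentality.cloud bytes_out=184320
ts=2026-01-20T08:43:01Z type=net host=build-01 proto=ftp dport=21 dst=ftp.example.internal bytes_out=2048
ts=2026-01-20T08:44:30Z type=net host=dev-ws-12 proto=ftp dport=21 dst=files.partner.example bytes_out=512000
ts=2026-01-20T08:45:00Z type=file host=dev-ws-12 path=C:\\tools\\notes.txt md5=d41d8cd98f00b204e9800998ecf8427e
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict of field -> value."""
    return dict(KV_RE.findall(line))


def classify(record):
    """Return a list of (severity, reason) findings for one parsed record."""
    findings = []
    # Known-bad file hash (recommendation 8): any hash field whose value is an IoC.
    for field in ("md5", "sha1", "sha256"):
        value = record.get(field, "").lower()
        if value in IOC_HASHES:
            findings.append(("high", f"known Evelyn Stealer {field} {value[:12]}... at {record.get('path')}"))
    dst = record.get("dst", "").lower()
    # Contact with a listed domain or any of its subdomains (recommendation 8).
    if dst and any(dst == d or dst.endswith("." + d) for d in IOC_DOMAINS):
        findings.append(("high", f"connection to known Evelyn Stealer domain {dst}"))
    # Otherwise, any FTP session to a host outside the allowlist (recommendation 4).
    elif record.get("proto") == "ftp" and dst not in FTP_ALLOWLIST:
        findings.append(("medium", f"FTP to non-allowlisted host {dst}"))
    return findings


def scan(log_text):
    """Scan multi-line log text; return a list of (host, severity, reason)."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for severity, reason in classify(rec):
            results.append((rec.get("host", "?"), severity, reason))
    return results


if __name__ == "__main__":
    for host, severity, reason in scan(SAMPLE_LOGS):
        print(f"[{severity.upper()}] {host}: {reason}")
```

On the constructed sample the scan yields three findings: the DLL whose SHA-256 is on the indicator list, the FTP session to server09.mentality.cloud, and a medium-severity FTP session to an unlisted partner host; the allowlisted internal FTP transfer and the unrelated MD5 produce nothing. Subdomain matching is deliberate, since a listed apex domain is rarely contacted directly.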


Technical Details

Author
AlienVault
Tlp
white
References
https://www.trendmicro.com/en_us/research/26/a/analysis-of-the-evelyn-stealer-campaign.html
Adversary
null
Pulse Id
696f3fa3f361fed48d6ebf45
Threat Score
null

Indicators of Compromise

Hash

Value
0acee8ed59c8d6e70ce6c22b5888c08c
5c507b22e9814428c5f2b1ef213c5c4a
b5e3c2bdc976bdf948422a9b2baebe8a221d2d92
2e649f6145f55988b920ff5a445e63aae29c80495b830e0d8bb4b3fff4b1f6f4
369479bd9a248c9448705c222d81ff1a0143343a138fc38fc0ea00f54fcc1598
74e43a0175179a0a04361faaaaf05eb1e6b84adca69e4f446ef82c0a5d1923d5
92af258d13494f208ccf76f53a36f288060543f02ed438531e0675b85da00430
aba7133f975a0788dd2728b4bbb1d7d948e50571a033a1e8f47a2691e98600c5

Domain

Value
syn1112223334445556667778889990.org
server09.mentality.cloud
trojan.win32.downloader.cm

Threat ID: 696f41ef4623b1157c23df7f

Added to database: 1/20/2026, 8:50:55 AM

Last enriched: 1/20/2026, 9:05:21 AM

Last updated: 1/20/2026, 7:40:24 PM

Views: 33
