From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software
Summary:
A recent investigation by Trend Micro has detailed a sophisticated campaign deploying "Evelyn Stealer," a multistage information-stealing malware specifically targeting software developers. The attack chain begins with the weaponization of the Visual Studio Code (VSC) extension ecosystem, where threat actors upload malicious extensions to the marketplace. Once a developer installs one of these extensions, a first-stage downloader (masquerading as a legitimate "Lightshot" DLL) is executed. This downloader utilizes PowerShell to fetch a second-stage injector, which employs process hollowing to inject the final Evelyn Stealer payload into legitimate Windows processes.
The malware is highly functional, capable of exfiltrating browser credentials, system information, Wi-Fi passwords, and clipboard data. It specifically targets high-value developer assets, including cryptocurrency wallets and credentials for production environments. Evelyn Stealer also features robust anti-analysis and anti-sandbox techniques to evade detection during automated security scans. Communication with the threat actor’s infrastructure is conducted over FTP for data exfiltration and HTTP for command-and-control (C2) operations.
Security Officer Comments:
This campaign represents a significant shift in the threat landscape by targeting the "supply chain" of the organization, the developers themselves. While many security postures focus on protecting end-users or production servers, the development environment is often more permissive to allow for debugging and third-party integrations. This makes developers an ideal "pivot point." If a developer’s machine is compromised via a malicious VSC extension, the attacker gains access to source code, SSH keys, and cloud environment credentials.
Suggested Corrections:
To defend against the Evelyn Stealer and similar marketplace-based threats, organizations should implement the following defensive measures:
- Extension Governance: Implement a "vetted extensions only" policy for IDEs like Visual Studio Code. Use Enterprise settings to restrict extension installations to a private marketplace or an approved allow-list.
- Endpoint Detection and Response (EDR): Ensure EDR solutions are configured to monitor for suspicious child processes emerging from IDEs, specifically PowerShell execution or unusual network connections (like FTP) from developer workstations.
- Network Segmentation: Isolate development environments from highly sensitive production networks. Use "Jump Boxes" or Managed Development Environments (like GitHub Codespaces or AWS Cloud9) that offer centralized security controls and session logging.
- Credential Hygiene: Enforce the use of hardware-based MFA (e.g., FIDO2 keys) for all developer access to repositories and cloud consoles to mitigate the impact of stolen session tokens or browser-cached credentials.
- IOC Monitoring: Security teams should proactively hunt for the indicators of compromise identified in this campaign, specifically the domains server09.mentality[.]cloud and syn1112223334445556667778889990[.]org, and the file hash for the initial loader Lightshot.dll.
- Hunting query for Evelyn Stealer C2: "eventSubId:204 AND request:\"server09.mentality.cloud\""
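As an added, constructed example (not code from the Trend Micro report or from this bulletin), the following Python script turns the EDR and IOC-monitoring recommendations above into detection logic that can be run offline over EDR-style telemetry. It flags a script host (PowerShell) spawned as a child of the VS Code process, outbound FTP from a developer workstation, and any connection to the two C2 domains listed above (which it refangs from the `[.]` notation before matching, including subdomains). The sample events, host names, file paths and the `hollowed_host.exe` process name are assumptions made up for the demonstration; only the two C2 domains come from the bulletin.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# The two C2 domains quoted in the bulletin, kept defanged here and refanged for matching.
EVELYN_C2_DOMAINS = {
    "server09.mentality[.]cloud",
    "syn1112223334445556667778889990[.]org",
}
# Assumed process names for the IDE and the script hosts worth alerting on.
IDE_PROCESSES = {"code.exe", "code - insiders.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# FTP control port plus implicit FTPS (assumption: developer workstations should not use either).
FTP_PORTS = {21, 990}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hxxp://') back into a matchable, lower-cased form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


C2_LOOKUP = {refang(d) for d in EVELYN_C2_DOMAINS}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def domain_is_c2(name: str) -> bool:
    """Exact or subdomain match against the refanged C2 domain list."""
    name = refang(name).rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_LOOKUP)


def check_process(ev: dict) -> list[Finding]:
    """Rule 1: IDE process spawning a script host (the bulletin's 'suspicious child process' case)."""
    parent, image = _basename(ev.get("parent", "")), _basename(ev.get("image", ""))
    if parent in IDE_PROCESSES and image in SCRIPT_HOSTS:
        return [Finding("ide-spawned-script-host", ev["host"],
                        f"{parent} -> {image}: {ev.get('cmdline', '')}")]
    return []


def check_network(ev: dict) -> list[Finding]:
    """Rule 2: outbound FTP. Rule 3: connection to a listed C2 domain (HTTP C2 in this campaign)."""
    findings = []
    if ev.get("dst_port") in FTP_PORTS:
        findings.append(Finding("outbound-ftp", ev["host"],
                                f"{ev.get('image')} -> {ev.get('dst')}:{ev['dst_port']}"))
    if domain_is_c2(ev.get("dst", "")):
        findings.append(Finding("evelyn-c2-domain", ev["host"],
                                f"{ev.get('image')} -> {ev.get('dst')}:{ev.get('dst_port')}"))
    return findings


def run_detection(events: Iterable[dict]) -> list[Finding]:
    """Apply every rule to a stream of process and network events; returns the findings in order."""
    out: list[Finding] = []
    for ev in events:
        if ev.get("type") == "process":
            out.extend(check_process(ev))
        elif ev.get("type") == "network":
            out.extend(check_network(ev))
    return out


# Constructed sample telemetry (not real data): one benign PowerShell launch and one benign
# git connection are included so the rules can be seen not firing on ordinary developer activity.
SAMPLE_EVENTS = [
    {"type": "process", "host": "dev-ws-01",
     "parent": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -NoProfile ..."},
    {"type": "process", "host": "dev-ws-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File build.ps1"},
    {"type": "network", "host": "dev-ws-01", "image": "powershell.exe",
     "dst": "server09.mentality.cloud", "dst_port": 80},
    {"type": "network", "host": "dev-ws-01", "image": "hollowed_host.exe",
     "dst": "203.0.113.10", "dst_port": 21},
    {"type": "network", "host": "dev-ws-02", "image": "git.exe",
     "dst": "github.com", "dst_port": 443},
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Against the constructed events the script raises three findings (the IDE-spawned PowerShell, the HTTP connection to the listed C2 domain, and the FTP connection) and stays silent on the explorer-launched build script and the git connection. The same three rules map directly onto the EDR and IOC recommendations above; the domain check is deliberately suffix-based so that a subdomain of a listed C2 domain is not missed.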
Link(s):
https://www.trendmicro.com/en_us/research/26/a/analysis-of-the-evelyn-stealer-campaign.html