“Evelyn Stealer” Targeting Software Developers via VS Code
BLUF
Threat actors are weaponizing the Visual Studio Code (VSC) extension ecosystem to deploy Evelyn Stealer, a multistage information-stealing malware targeting developer credentials and cryptocurrency data.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by developer workstation compromise via malicious Visual Studio Code extensions delivering Evelyn Stealer:
· Low-end total cost: $750,000 – $1.2M
· (Limited developer exposure, rapid detection, no downstream system access)
· Typical expected range: $1.5M – $3.0M
· (Multiple developers impacted, credential rotation, CI/CD validation required)
· Upper-bound realistic scenarios: $4.0M – $6.5M
· (Credential abuse leads to broader access, regulatory response triggered)
Key Cost Drivers
· Number of developer endpoints and privileged credentials exposed
· Scope of CI/CD and source code repository access tied to infected users
· Speed of detection and containment of malicious IDE extensions
· Regulatory environment and customer data access pathways
· Cyber insurance coverage alignment with credential theft scenarios
Targeted Sectors
· Software Development
· IT Services
· DevOps
Countries
· Global
Date of First Reported Activity
· Late 2025/Early January 2026
Date of Last Reported Activity Update
· January 19, 2026
APT Names
No APT groups have been associated with Evelyn Stealer at this time.
Potentially Associated Criminal Organization Names
o5tdev
IOCs
· Malware Evelyn Stealer
Staging Directory
· The malware creates a directory at %APPDATA%\Local\Evelyn\ to harvest and stage stolen data.
File Activity
It targets a wide range of sensitive data including:
· Clipboard contents
· Stored WiFi credentials
· Developer credentials and cryptocurrency-related data
· Screenshots of the desktop and lists of running processes/installed programs
Malicious VSC Extensions
· Look for suspicious or unauthorized extensions within the Visual Studio Code ecosystem that may be used as initial access points.
Detection Capabilities
· Platforms like Trend Vision One provide tailored threat hunting queries and automated blocking for known Evelyn Stealer IOCs.
Tools Used in Campaign
· Visual Studio Code Extensions
· OpenVSX
CVEs and CVSS Vectors
· Not applicable.
Nessus ID
· Not applicable
Mitigation Data
· Implement strict extension whitelisting for IDEs
· Monitor for suspicious child processes from code.exe.
Malware Names
· Evelyn Stealer
Malware Samples
sha256
E3544F1A9707EC1CE083AFE0AE64F2EDE38A7D53FC6F98AAB917CA049BC63E69
Known Decoding Key (AES-256-CBC)
Key (32 bytes)
2e649f6145f55988b920ff5a445e63aae29c80495b830e0d8bb4b3fff4b1f6f4
IV (16 bytes)
5c507b22e9814428c5f2b1ef213c5c4a
Verdict
· Malicious
o Categorized as a high-risk data exfiltration Trojan.
Primary Objectives
· Harvest browser credentials, cookies, and autofill data.
· Steal cryptocurrency wallet information and session tokens.
· Capture system metadata, clipboard contents, and Wi-Fi credentials.
· Take screenshots of the infected environment.
Threat Actor Context
· Observed targeting software developers by abusing the Visual Studio Code (VSC) Extension Marketplace.
· Uses lures like "Bitcoin Black" themes and "Codo AI" coding assistants to deliver malicious extensions.
· Functions as a mature multi-stage pipeline designed to pivot from developer workstations into enterprise environments.
Behavior Analysis
Initial Infection
· Chained through malicious VSC extensions that execute PowerShell and batch scripts upon activation.
Anti-Analysis
· Implements multiple checks to detect sandbox or research environments and terminates if identified.
Execution
· Employs Process Hollowing and DLL Hijacking (often using the legitimate Lightshot utility) to run malicious code under trusted binary names like grpconv.exe.
Exfiltration
· Communicates with Command-and-Control (C2) servers over FTP for data upload.
TTPs
Initial Access
· T1566 Phishing
o Distributed through deceptive VSC extensions (e.g., "Bitcoin Black" theme or "Codo AI") that act as initial lures.
Execution
· T1059.001 PowerShell
o Malicious extensions execute PowerShell scripts on activation to download secondary payloads.
· T1059.003 Windows Command Shell
o Uses batch scripts for initial staging and malware installation.
Persistence & Defense Evasion
· T1574.002 DLL Side-Loading
o Pairs a legitimate utility (e.g., Lightshot) with a trojanized DLL to execute code under a trusted process.
· T1055.012 Process Hollowing
o Used during multi-stage staging to evade detection by hiding malicious code in legitimate processes.
· T1497 Virtualization/Sandbox Evasion
o Implements advanced checks for VMs, including GPU analysis, hostname indicators, disk size (less than 60 GB), and registry keys to avoid research environments.
· T1027 Obfuscated Files or Information
o Uses memory-only decryption for sensitive artifacts to prevent unencrypted data from reaching the disk.
Discovery
· T1082 System Information Discovery
o Collects detailed host information, including computer name and hardware configurations.
· T1012 Query Registry
o Scans hardware registry keys for identifiers of virtualization software like VMware or VirtualBox.
Credential Access & Collection
· T1056.002 GUI Input Capture
o Captures screenshots and monitors clipboard data.
· T1555 Credentials from Password Stores
o Harvests browser credentials, Wi-Fi credentials, and cryptocurrency wallet data.
· T1055 Process Injection
o Utilizes DLL injection to harvest credentials directly from browser processes.
Command and Control (C2)
· T1071.002 File Transfer Protocols
o Communicates exfiltrated data and receives commands over FTP.
· T1071.004 DNS
o Some variations use DNS port 53 to funnel exfiltrated data, obscuring traffic within legitimate DNS communications.
Suggested rules / potential hunts
As a reminder, these are indicator rules. They are likely to be noisy.
For best results consider creating a data model and reviewing the traffic as a report.
Suricata
Detect unusual FTP uploads to external IPs, specifically those initiated by unusual processes like VSC or scripts.
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE Evelyn Stealer FTP C2 Activity Observed"; flow:established,to_server; content:"STOR"; nocase; metadata:impact_confidentiality, policy_violation; sid:1000001; rev:1;)
Monitor for VSC extensions initiating non-standard network connections or downloading external payloads.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE Evelyn Stealer - Potential Malicious VSC Extension Download"; flow:established,to_server; http.uri; content:".zip"; http.user_agent; content:"VSCode"; sid:1000002; rev:1;)
SentinelOne
Search for PowerShell or batch scripts spawned by the Visual Studio Code process.
ProcessNameIdentifier = "code.exe" AND (ChildProcessName = "powershell.exe" OR ChildProcessName = "cmd.exe")
Evelyn Stealer uses the Lightshot utility to sideload a trojanized DLL.
ProcessNameIdentifier = "Lightshot.exe" AND ModuleName = "untrusted_dll_name.dll"
(Replace untrusted_dll_name.dll with the specific DLL IOCs from recent reports.)
Monitor for indicators of process hollowing or attempts to bypass security hooks.
IndicatorType = "ProcessHollowing" OR IndicatorType = "Injection"
Splunk
Detecting Script-Based Initial Access:
index=sysmon EventCode=1 parent_process_name="code.exe" (process_name="powershell.exe" OR process_name="cmd.exe")
| table _time, host, user, process, parent_process, command_line
Evelyn harvests files and system info before exfiltrating.
index=sysmon (EventCode=11 OR EventCode=15) file_path="*AppData\\Local\\Temp*" (file_name="*.zip" OR file_name="*.7z")
| stats count by host, file_name, file_path
Correlate Suricata FTP alerts with endpoint activity.
index=suricata event_type=alert (alert.signature="*FTP*" OR alert.signature="*Evelyn*")
| join type=inner src_ip [search index=sysmon | rename host_ip as src_ip]
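The hunts above, as an added Python triage over constructed Sysmon-style events (not code from the advisory or from any vendor): it flags the code.exe-to-shell chain, the Lightshot side-load (generalized to any DLL loaded from outside OS or vendor directories, an assumed heuristic since the DLL name is unspecified), and archive staging in Temp or the Evelyn directory. Field names are assumed to follow Sysmon's schema.

```python
from __future__ import annotations
import ntpath
import re
# Constructed Sysmon-style sample events (not real telemetry). Field names
# follow Sysmon's schema; the names in your log pipeline may differ.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Computer": "dev-ws-01",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventCode": 1, "Computer": "dev-ws-02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventCode": 7, "Computer": "dev-ws-01", "Image": r"C:\Users\dev\AppData\Local\Temp\Lightshot.exe",
     "ImageLoaded": r"C:\Users\dev\AppData\Local\Temp\helper.dll"},
    {"EventCode": 7, "Computer": "dev-ws-01", "Image": r"C:\Users\dev\AppData\Local\Temp\Lightshot.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventCode": 11, "Computer": "dev-ws-01",
     "TargetFilename": r"C:\Users\dev\AppData\Local\Temp\stage.zip"},
    {"EventCode": 11, "Computer": "dev-ws-02", "TargetFilename": r"C:\Users\dev\Documents\backup.7z"},
]

SHELLS = {"powershell.exe", "cmd.exe"}
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
TEMP_ARCHIVE = re.compile(r"\\appdata\\local\\temp\\.*\.(zip|7z)$", re.I)
STAGING_DIR = re.compile(r"\\evelyn\\", re.I)   # the %APPDATA%\Local\Evelyn\ staging directory

def base(path: str) -> str:
    return ntpath.basename(path).lower()

def ide_spawned_shell(ev: dict) -> bool:
    """Sysmon 1: PowerShell or cmd launched directly by the VS Code process."""
    return ev["EventCode"] == 1 and base(ev["ParentImage"]) == "code.exe" \
        and base(ev["Image"]) in SHELLS

def lightshot_sideload(ev: dict) -> bool:
    """Sysmon 7: Lightshot loading a DLL from outside OS/vendor directories (assumed heuristic)."""
    return ev["EventCode"] == 7 and base(ev["Image"]) == "lightshot.exe" \
        and not ev["ImageLoaded"].lower().startswith(TRUSTED_DLL_DIRS)

def staged_archive(ev: dict) -> bool:
    """Sysmon 11: archive written to Temp, or any write under the Evelyn staging directory."""
    target = ev.get("TargetFilename", "")
    return ev["EventCode"] == 11 and bool(TEMP_ARCHIVE.search(target) or STAGING_DIR.search(target))

RULES = {f.__name__: f for f in (ide_spawned_shell, lightshot_sideload, staged_archive)}

def triage(events: list[dict]) -> list[tuple[str, str]]:
    """(rule, host) for every matching event; review the output as a report, not as alerts."""
    return [(name, ev["Computer"]) for ev in events for name, rule in RULES.items() if rule(ev)]
```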
Delivery Method
· Malicious extensions uploaded to the VSC Marketplace or OpenVSX.
Email Samples
· Not applicable
References
Innovate Cybersecurity
· hxxps://innovatecybersecurity.com/security-threat-advisory/top-10-cybersecurity-news-jan-05-2026-lastpass-2022-breach-continues-to-fuel-crypto-theft-silk-typhoon-targeting-u-s-gov-entities-fortinet-firewalls-2fa-bypass-exploitation-and-more/
TrendMicro
· hxxps://www.trendmicro.com/en_us/research/26/a/analysis-of-the-evelyn-stealer-campaign.html
Blog Whiteintel
· hxxps://blog.whiteintel.io/exposing-threat-actors-with-whiteintel-ai/
VirusTotal
· hxxps://www.virustotal.com/gui/file/e3544f1a9707ec1ce083afe0ae64f2ede38a7d53fc6f98aab917ca049bc63e69/details