Researchers at cybersecurity firms have identified a new malicious distribution campaign for the Evelyn Stealer malware that uses the Microsoft Visual Studio Code (VS Code) extension ecosystem to target software developers.

The attacks rely on malicious VS Code extensions disguised as legitimate themes or plugins. Once a developer installs one, it runs a malicious DLL, which in turn launches a hidden PowerShell command that retrieves a second-stage payload.
Once retrieved, this payload is injected directly into the memory of a legitimate Windows application, which allows it to remain undetected. The payload collects data from the clipboard, the operating system, the applications installed on the machine, cryptocurrency wallets, a screenshot of the desktop, saved Wi-Fi passwords, and the cookies and login details stored by Google Chrome and Microsoft Edge.
To remove forensic evidence of its presence and to make analysis difficult, Evelyn Stealer runs the browsers in headless mode, removes extensions, logs, and sandbox protection, and positions the windows of the executable off screen.
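As an added defensive illustration (not code from the report, from Trend Micro, or from the malware itself), the following Python script runs a simple detection over constructed Sysmon-style process-creation records: it flags a PowerShell process started with a hidden window anywhere beneath Code.exe, the lineage described above. The record format, the use of rundll32 to load the extension's DLL, and all paths and process IDs are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (not real telemetry).
# Every value is double-quoted so one regex can split the fields.
SAMPLE_EVENTS = """\
ProcessId="4100" ParentProcessId="900" Image="C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe" CommandLine="Code.exe"
ProcessId="4200" ParentProcessId="4100" Image="C:\\Windows\\System32\\rundll32.exe" CommandLine="rundll32.exe C:\\Users\\dev\\.vscode\\extensions\\theme-placeholder\\helper.dll,Run"
ProcessId="4300" ParentProcessId="4200" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="powershell.exe -WindowStyle Hidden -NoProfile -File C:\\Users\\dev\\AppData\\Local\\Temp\\stage.ps1"
ProcessId="4400" ParentProcessId="4100" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="powershell.exe -NoProfile -File C:\\project\\build.ps1"
ProcessId="4500" ParentProcessId="900" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="powershell.exe -WindowStyle Hidden -File C:\\scripts\\logon.ps1"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def parse_events(text: str) -> Dict[str, Dict[str, str]]:
    """Index one record per line by its ProcessId."""
    events = {}
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "ProcessId" in fields:
            events[fields["ProcessId"]] = fields
    return events

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def has_ancestor(events: Dict[str, Dict[str, str]], pid: str, image_name: str, max_depth: int = 16) -> bool:
    """Walk the ParentProcessId chain looking for a process with the given image basename."""
    current = events.get(pid)
    for _ in range(max_depth):
        if current is None:
            return False
        current = events.get(current.get("ParentProcessId", ""))
        if current and basename(current["Image"]) == image_name:
            return True
    return False

def detect_hidden_powershell_from_vscode(text: str) -> List[str]:
    """Return ProcessIds of hidden-window PowerShell processes descended from Code.exe."""
    events = parse_events(text)
    flagged = []
    for pid, ev in events.items():
        hidden = HIDDEN_RE.search(ev.get("CommandLine", ""))
        if basename(ev["Image"]) in POWERSHELL and hidden and has_ancestor(events, pid, "code.exe"):
            flagged.append(pid)  # only 4300 in the sample: hidden window, under Code.exe via rundll32
    return flagged
```

The visible build task (4400) and the hidden logon script outside VS Code (4500) are deliberately left unflagged to show that the ancestry check, not the hidden-window flag alone, carries the signal.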

The campaign was first identified by researchers in late 2025, when they discovered multiple malicious VS Code extensions downloading modules that delivered the initial payload. Researchers at Trend Micro conducted further analysis and confirmed both the in-memory injection and the use of FTP to exfiltrate stolen data from the network.
The campaign targets organizations whose development teams have access to production systems, cloud-based infrastructure, or other digital assets; a developer environment therefore represents a high-risk entry point into an organization.
This campaign is an example of how developer tools are increasingly being used as attack vectors. A compromised developer environment can quickly lead to a breach of the entire organization, which reinforces the need for tight controls around third-party extensions for developer tools, as well as greater oversight of the development environment.