
Compromising developer IDEs gives threat actors direct entry to proprietary code and critical infrastructure, amplifying the potential impact on software supply chains. Organizations must treat development environments as high‑risk assets and enforce strict extension controls.
The rapid expansion of Visual Studio Code’s extension marketplace has created a fertile ground for supply‑chain abuse. Threat actors can publish seemingly benign themes or AI assistants that pass Microsoft’s review process, yet embed hidden scripts capable of executing arbitrary code. By targeting the IDE that developers use daily, attackers gain a foothold on machines that often hold privileged credentials, API keys, and direct access to version‑control systems, making the platform an attractive vector for sophisticated intrusion campaigns.
Evelyn Stealer exemplifies a layered attack architecture. The malicious extensions drop a trojanized DLL that the legitimate Lightshot executable loads in place of the real one (DLL hijacking); the DLL runs PowerShell commands that fetch a second‑stage payload. That payload decrypts its core with AES‑256‑CBC and injects it into a hollowed instance of grpconv.exe, a legitimate Windows binary, so the stealer runs under a trusted process name and evades signature‑based detection. Once resident, the malware conducts extensive environment checks, launches headless browsers with stealth flags, and siphons browser cookies, cryptocurrency wallet files, Wi‑Fi profiles, and system metadata before compressing and exfiltrating the data over FTP. The combination of DLL hijacking, process injection, and anti‑analysis techniques underscores the sophistication of modern developer‑focused threats.
Defenders must elevate developer workstations to a critical security tier. Effective mitigations include strict vetting of VS Code extensions, application control (allowlisting) so that a trusted binary such as Lightshot cannot load an unsigned DLL from its own directory, and continuous monitoring for anomalous PowerShell or headless‑browser activity. Deploying endpoint detection that can spot DLL hijacking and process hollowing, coupled with zero‑trust network segmentation for CI/CD pipelines, reduces the blast radius of a breach. Vendor platforms such as TrendAI Vision One now provide detection signatures and hunting queries, but proactive governance and real‑time telemetry remain essential as IDE‑centric attack vectors continue to evolve.
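The monitoring the two preceding paragraphs call for, worked through on constructed telemetry as an added example (this is not the article's analysis nor any vendor's detection content). It assumes Sysmon‑style event fields (Image, ParentImage, CommandLine, DestinationPort), assumes `--headless` as the browser flag since the article does not list the stealth flags it saw, and uses hypothetical install paths, a hypothetical list of parents under which grpconv.exe or a headless browser could be legitimate, and a hypothetical list of approved FTP clients. Each of the four rules maps to one stage of the chain: Lightshot spawning a shell, grpconv.exe started by an unexpected parent, a headless browser started outside a user shell, and plain FTP from a process that is not an FTP client.

```python
"""Hunting logic for the IDE-to-stealer chain described above.

Added example, not the article's or any vendor's query. Event fields follow
a Sysmon-style schema (Image, ParentImage, CommandLine, DestinationPort); the
events below are constructed for the example, not captured from a real host.
"""
from __future__ import annotations

import ntpath
from collections import defaultdict

# Parents under which grpconv.exe or a headless browser might plausibly be
# legitimate (an assumption; tune to what your fleet actually shows).
BENIGN_PARENTS = {"explorer.exe", "services.exe", "svchost.exe", "msiexec.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "chromium.exe", "firefox.exe"}
FTP_CLIENTS = {"ftp.exe", "winscp.exe", "filezilla.exe"}  # assumption


def basename(path: str | None) -> str:
    """Lower-cased file name of a Windows path; '' when absent."""
    return ntpath.basename(path or "").lower()


def hunt(events: list[dict]) -> list[tuple[str, str, int]]:
    """Return (rule, host, pid) for every event matching one of four rules."""
    alerts: list[tuple[str, str, int]] = []
    for ev in events:
        image = basename(ev.get("Image"))
        parent = basename(ev.get("ParentImage"))
        host, pid = ev.get("Host", ""), ev.get("ProcessId", 0)
        if ev.get("EventType") == "ProcessCreate":
            tokens = ev.get("CommandLine", "").lower().split()
            # 1. Lightshot is a screenshot tool; a shell child is the hijacked
            #    DLL running its PowerShell commands, not normal behaviour.
            if parent == "lightshot.exe" and image in SHELLS:
                alerts.append(("lightshot_spawned_shell", host, pid))
            # 2. grpconv.exe (Program Group Converter) ships with Windows but
            #    almost never runs on a modern workstation; a launch from a
            #    non-system parent, let alone PowerShell, is worth a look.
            if image == "grpconv.exe" and parent not in BENIGN_PARENTS:
                alerts.append(("grpconv_unexpected_parent", host, pid))
            # 3. Headless browser started by something other than a user shell.
            #    --headless (bare or --headless=new in Chromium) is assumed; the
            #    article does not name the stealth flags.
            if (image in BROWSERS and parent not in BENIGN_PARENTS
                    and any(t.startswith("--headless") for t in tokens)):
                alerts.append(("headless_browser_unexpected_parent", host, pid))
        elif ev.get("EventType") == "NetworkConnect":
            # 4. Plain FTP (tcp/21) from anything but a known FTP client.
            if ev.get("DestinationPort") == 21 and image not in FTP_CLIENTS:
                alerts.append(("ftp_from_non_ftp_client", host, pid))
    return alerts


def rules_by_host(alerts: list[tuple[str, str, int]]) -> dict[str, list[str]]:
    """Group distinct rule hits per host: several distinct hits on one host
    look like the whole chain rather than an isolated false positive."""
    grouped: dict[str, set[str]] = defaultdict(set)
    for rule, host, _pid in alerts:
        grouped[host].add(rule)
    return {h: sorted(r) for h, r in grouped.items()}


# Hypothetical install paths used only to build the sample events.
LIGHTSHOT = r"C:\Program Files (x86)\Lightshot\Lightshot.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
GRPCONV = r"C:\Windows\System32\grpconv.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed telemetry from one developer workstation: benign events
# interleaved with the chain the article describes.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Host": "DEV-WS01", "ProcessId": 4100,
     "Image": LIGHTSHOT, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{LIGHTSHOT}"'},
    {"EventType": "ProcessCreate", "Host": "DEV-WS01", "ProcessId": 4120,
     "Image": PS, "ParentImage": LIGHTSHOT,
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64>"},
    {"EventType": "ProcessCreate", "Host": "DEV-WS01", "ProcessId": 4130,
     "Image": GRPCONV, "ParentImage": PS, "CommandLine": "grpconv.exe"},
    {"EventType": "ProcessCreate", "Host": "DEV-WS01", "ProcessId": 4140,
     "Image": CHROME, "ParentImage": GRPCONV,
     "CommandLine": f'"{CHROME}" --headless=new --disable-gpu'},
    {"EventType": "ProcessCreate", "Host": "DEV-WS01", "ProcessId": 4150,
     "Image": CHROME, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{CHROME}"'},
    {"EventType": "NetworkConnect", "Host": "DEV-WS01", "ProcessId": 4130,
     "Image": GRPCONV, "DestinationPort": 21},
    {"EventType": "NetworkConnect", "Host": "DEV-WS01", "ProcessId": 4160,
     "Image": r"C:\Windows\System32\ftp.exe", "DestinationPort": 21},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(rules_by_host(found))
```

On the sample, the benign Lightshot and Chrome launches and the real ftp.exe session produce nothing, while the chain yields four alerts on DEV-WS01. Any single rule will fire on legitimate automation somewhere in a large fleet, which is why `rules_by_host` counts distinct rules per host: one hit is a ticket, three or four distinct hits on the same workstation within a short window is the chain itself and should page.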