Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
FCC Bans Chinese Telecom Equipment From Huawei, ZTE, Others Over Security Risks
July 2, 2026
Critical JetBrains Flaws Allow Auth Bypass, Code Execution
July 2, 2026
Critical Microsoft Defender, Sysmon Flaw Lets Attackers Disable Security
July 2, 2026
Home/Threats/Threat Actors Weaponizing Visual Studio Code to Deploy a Multistage Malware
Threats

Threat Actors Weaponizing Visual Studio Code to Deploy a Multistage Malware

Threat actors are weaponizing Visual Studio Code, leveraging its rich extension ecosystem to deploy multistage malware onto developer workstations. The latest campaign, dubbed Evelyn Stealer, hides...

Marcus Rodriguez
Marcus Rodriguez
January 19, 2026 2 Min Read
57 0

Threat actors are weaponizing Visual Studio Code, leveraging its rich extension ecosystem to deploy multistage malware onto developer workstations.

The latest campaign, dubbed Evelyn Stealer, hides behind a malicious extension that delivers a stealthy information stealing tool in several carefully staged steps.

Instead of targeting end users, the operators go after developers, who often hold keys to source code, cloud consoles, and cryptocurrency assets.

The attack begins when a victim installs a trojanized Visual Studio Code extension that appears useful or harmless. Behind the scenes it drops a fake Lightshot.dll component, which is then loaded by the legitimate Lightshot.exe screenshot tool.

From there the malware chain unfolds, fetching new payloads, launching hidden PowerShell commands, and preparing the ground for the final Evelyn Stealer executable that steals data at scale.

Attack chain (Source - Trend Micro)
Attack chain (Source – Trend Micro)

Trend Micro analysts noted that the attackers weaponize trust in the Visual Studio Code marketplace, using the extension to stage a full attack chain that runs from initial loader to final data theft.

 Download request of the injector (Source - Trend Micro)
Download request of the injector (Source – Trend Micro)

By abusing a familiar tool like Lightshot and using signed looking exports, the first stage blends into normal developer activity while quietly setting up later phases of the compromise.

Once fully executed, Evelyn Stealer harvests browser passwords, cookies, cryptocurrency wallets, messaging sessions, VPN profiles, Wi-Fi keys, and sensitive files from the compromised machine.

It also captures screenshots and detailed system information, then compresses everything into a single archive and uploads it to an attacker controlled FTP server.

For organizations, a single infected developer laptop can expose source code, cloud access tokens, and production credentials, turning a toolchain misstep into a wide ranging breach.

Inside the Multistage Infection Chain

The first stage sits inside a malicious Visual Studio Code extension and masquerades as Lightshot.dll, executed by Lightshot.exe whenever the user takes a screenshot.

FTP requests showing abe_decrypt.dll being downloaded (Source - Trend Micro)
FTP requests showing abe_decrypt.dll being downloaded (Source – Trend Micro)

When triggered, this downloader launches a hidden PowerShell command that pulls a second stage file named iknowyou.model from a remote domain, saves it as runtime.exe, and runs it.

The Evelyn Stealer payload creates an AppData Evelyn folder, injects Edge and Chrome with abe_decrypt.dll, then uploads a zip over FTP.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachMalwareThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Remcos RAT Masquerade as VeraCrypt Installers Steals Users Login Credentials

Next Post

Google Gemini Privacy Controls Bypassed to Access Private Meeting Data Using Calendar Invite

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
WinRAR 7.23 Patches Critical Heap Overflow Vulnerability CVE-2024-XXXX
July 2, 2026
Medtronic Confirms Data Breach, Corporate IT Systems Compromised
July 2, 2026
Critical ClamAV Vulnerabilities Let Attackers Trigger DoS
July 2, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us