Visual Studio Code Extensions Hide Evelyn Stealer

Threat actors are abusing Visual Studio Code extensions to deploy multistage malware, targeting developer environments rather than ordinary end-user machines. In a recent campaign dubbed Evelyn Stealer, the attackers hid the malicious payload in a trojanized extension that drops a fake Lightshot.dll next to the legitimate Lightshot screenshot tool. Because Lightshot.exe loads that library, the malicious DLL runs the next time a screenshot is taken (a DLL sideloading pattern), and this starts the infection chain.

Once active, the loader fetches additional payloads with PowerShell commands designed to avoid attention, and eventually deploys the Evelyn Stealer itself. The stealer exfiltrates browser passwords and cookies, cryptocurrency wallets, VPN profiles, messaging-app sessions, and Wi-Fi credentials. The stolen data is compressed and uploaded to an FTP server under the attackers' control.

Trend Micro analysts report that the attackers exploit the trust developers place in the Visual Studio Code extensions marketplace. A single compromised developer machine can leak source files, production credentials, and cloud access tokens, so the blast radius is far larger than a single workstation.
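The chain above hinges on an extension dropping a Windows DLL onto the machine. A simple triage check a practitioner can run is to enumerate the local extension directory and list every extension that ships a PE image, whether by .dll/.exe suffix or by the "MZ" header hidden under another suffix. The script below is an added example written for this page; it is not code from Trend Micro or from the campaign. It assumes the default per-user extension root (~/.vscode/extensions) and builds a constructed, made-up sample tree (extension names, versions, and stub "MZ" files) so it runs offline.

```python
"""Added example (not from the Trend Micro report or the page): enumerate
installed VS Code extensions and flag any that ship Windows PE binaries,
so an extension that drops a DLL for sideloading stands out for review."""
import hashlib
import json
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"          # DOS header signature at offset 0 of every PE file
PE_SUFFIXES = {".dll", ".exe"}


def default_extensions_dir() -> Path:
    # Default per-user extension root used by VS Code on Windows, macOS and Linux.
    return Path.home() / ".vscode" / "extensions"


def is_pe_file(path: Path) -> bool:
    """True if the file starts with the PE/DOS 'MZ' signature, regardless of its suffix."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def sha256_file(path: Path) -> str:
    """Hash the file so a hit can be checked against threat intel or a known-good build."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def read_manifest(ext_dir: Path) -> dict:
    """Return publisher/name/version from the extension's package.json, or empty strings."""
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        data = {}
    return {k: str(data.get(k, "")) for k in ("publisher", "name", "version")}


def scan_extensions(ext_root: Path) -> list[dict]:
    """Walk every extension directory and report files that are PE images by suffix or magic."""
    findings = []
    if not ext_root.is_dir():
        return findings
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        manifest = read_manifest(ext_dir)
        for f in sorted(ext_dir.rglob("*")):
            if not f.is_file():
                continue
            if f.suffix.lower() in PE_SUFFIXES or is_pe_file(f):
                findings.append({
                    "extension": ext_dir.name,
                    "publisher": manifest["publisher"],
                    "name": manifest["name"],
                    "version": manifest["version"],
                    "file": str(f.relative_to(ext_root)),
                    "sha256": sha256_file(f),
                })
    return findings


def build_demo_tree(root: Path) -> None:
    """Constructed sample data: one benign extension and one that bundles a fake Lightshot.dll.
    Publisher names, versions and file contents are made up for this demonstration."""
    benign = root / "good-publisher.linter-1.0.0"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps(
        {"publisher": "good-publisher", "name": "linter", "version": "1.0.0"}))
    (benign / "extension.js").write_text("exports.activate = () => {};\n")

    evil = root / "evil-publisher.screenshot-helper-0.0.3"
    (evil / "bin").mkdir(parents=True)
    (evil / "package.json").write_text(json.dumps(
        {"publisher": "evil-publisher", "name": "screenshot-helper", "version": "0.0.3"}))
    # A stub PE: only the 'MZ' signature matters for the check, the rest is padding.
    (evil / "bin" / "Lightshot.dll").write_bytes(PE_MAGIC + b"\x00" * 62)
    # A native file hidden under an unrelated suffix is still caught by the magic check.
    (evil / "bin" / "helper.dat").write_bytes(PE_MAGIC + b"\x90" * 62)


def demo() -> list[dict]:
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return scan_extensions(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['extension']:45} {hit['file']:30} {hit['sha256'][:16]}")
    # On a real machine: for hit in scan_extensions(default_extensions_dir()): ...
```

Treat a hit as a lead for review, not proof of compromise: some legitimate extensions bundle native helpers (language servers, debug adapters, .node modules), so compare the hash and publisher against the marketplace listing and check whether a DLL is being written outside the extension directory into another application's folder, which is the behaviour that matters here.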

For a full breakdown of the Evelyn campaign and its infection stages, read the original Trend Micro article:

Threat Actors Weaponizing Visual Studio Code to Deploy a Multistage Malware
