The tools that software developers trust most are being turned against them in a sophisticated new malware campaign. A recent analysis by Trend Micro has shed light on “Evelyn Stealer,” a multi-stage espionage operation that weaponizes the Visual Studio Code (VSC) extension ecosystem to infiltrate development environments and harvest high-value data.
For modern developers, extensions are the lifeblood of productivity. But according to Trend Micro’s latest report, threat actors are leveraging this reliance to slip past defenses.
“Analysis of the Evelyn Stealer campaign targeting software developers shows that threat actors are weaponizing the Visual Studio Code (VSC) extension ecosystem to deploy a multistage, information-stealing malware,” the report states.

By disguising malicious payloads within seemingly helpful tools, the attackers treat “the developer environment itself as the delivery mechanism.” Once installed, the malware doesn’t just sit idle; it deploys a complex infection chain involving loaders and process hollowing to execute the Evelyn Stealer payload.
The primary goal of the campaign is clear: gather the keys to the kingdom. Developers often hold privileged access to production systems, cloud infrastructure, and proprietary code, making them lucrative targets.
The Evelyn Stealer is designed to be thorough. It employs DLL injection to harvest browser credentials, snatches cryptocurrency data, captures screenshots, and even steals Wi-Fi and clipboard information.
This isn’t a “script kiddie” operation. The analysis highlights the campaign’s impressive technical discipline, noting its use of AES-256-CBC encryption and multi-layered anti-analysis techniques to evade sandbox detection.
“The Evelyn Stealer campaign reflects the operationalization of attacks against developer communities, which are seen as high-value targets given their important role in the software development ecosystem.”
The malware authors have clearly done their homework, designing a threat that exploits “the implicit trust developers place in their tools” while maintaining disciplined operational security.
As development teams increasingly adopt AI-powered tools and third-party extensions, the attack surface is only expanding. Trend Micro warns that this level of targeting is likely just the beginning.
“The technical and operational maturity demonstrated by this campaign suggests that we’re likely to see more targeted attacks against developer communities in the future, especially as more teams and companies adopt AI-powered tools and extensions, which further expands the attack surface.”
Security teams are advised to move beyond standard endpoint protection and implement specific vetting processes for IDE extensions, treating the developer’s laptop as a critical gateway that requires “zero-trust architectures specifically designed for development workflows.”
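One concrete form such an extension-vetting step can take is an allowlist audit of what is actually installed on a developer workstation. The script below is an added example, not code from the article or from Trend Micro; it assumes the layout of VS Code's `extensions.json` (each entry carrying an `identifier.id` of the form `publisher.name` and a `version`), and the allowlist values and sample entries are constructed for illustration.

```python
"""Audit the extensions recorded in a VS Code profile against an allowlist.

Assumption: entries follow the layout of ~/.vscode/extensions/extensions.json,
i.e. {"identifier": {"id": "publisher.name"}, "version": "x.y.z", ...}.
"""
import json
from pathlib import Path

# Allowlist entries are either an exact "publisher.name" id or "publisher.*"
# for a whole publisher namespace. Constructed sample values.
ALLOWLIST = {"ms-python.*", "ms-vscode.cpptools", "esbenp.prettier-vscode"}

def is_allowed(ext_id: str, allowlist: set[str]) -> bool:
    """True if ext_id matches an exact entry or a publisher wildcard."""
    if ext_id in allowlist:
        return True
    publisher = ext_id.split(".", 1)[0]
    return f"{publisher}.*" in allowlist

def audit_extensions(entries: list[dict], allowlist: set[str]) -> list[dict]:
    """Return one finding per extension that is malformed or not allowlisted."""
    findings = []
    for entry in entries:
        ext_id = (entry.get("identifier") or {}).get("id")
        if not isinstance(ext_id, str) or "." not in ext_id:
            findings.append({"id": repr(ext_id), "reason": "malformed identifier"})
            continue
        # Normalise case so an id differing only in capitalisation cannot
        # slip past a lower-case allowlist.
        ext_id = ext_id.lower()
        if not is_allowed(ext_id, allowlist):
            findings.append({"id": ext_id, "version": entry.get("version", "?"),
                             "reason": "not on allowlist"})
    return findings

def audit_file(path: Path, allowlist: set[str] = ALLOWLIST) -> list[dict]:
    """Load a real extensions.json and audit it."""
    return audit_extensions(json.loads(path.read_text()), allowlist)

# Constructed sample in the extensions.json layout; not real campaign indicators.
SAMPLE = [
    {"identifier": {"id": "ms-python.python"}, "version": "2024.0.0"},
    {"identifier": {"id": "ms-vscode.cpptools"}, "version": "1.20.0"},
    {"identifier": {"id": "unknown-publisher.helper-tools"}, "version": "0.0.1"},
    {"identifier": {}, "version": "1.0.0"},
]

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE, ALLOWLIST):
        print(finding)
```

Run against the real file with `audit_file(Path.home() / ".vscode/extensions/extensions.json")`; any finding is an extension to review before the workstation touches production credentials.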