
Attack flow overview | Image: Datadog Security Research
In a detailed report published by Datadog Security Research, threat actor MUT-9332 has been linked to a new malware campaign using malicious Visual Studio Code extensions to infect Windows-based Solidity developers. These deceptive extensions were designed to appear legitimate while secretly executing an elaborate, multi-stage attack to steal credentials, exfiltrate data, and deliver persistent browser-based spyware.
VS Code’s popularity—now the primary IDE for 74% of developers—and its extensibility have made it a rich target for attackers. Extensions have the ability to read code, access system commands, and install other software with minimal user friction. According to the report:
“They are one-click installable from within the VS Code editor… and are subject to automated security scanning… which can lead some developers to think that extensions have been thoroughly vetted and are thus trustworthy.”
MUT-9332 took advantage of this trust, publishing extensions that masqueraded as tools for Solidity syntax scanning and vulnerability detection. However, buried within legitimate functionality was obfuscated JavaScript code connecting to attacker infrastructure and initiating a stealthy malware chain.
Three malicious VS Code extensions targeted Solidity developers on Windows: solaibot, among-eth, and blankebesxstnion. Once installed, the extensions initiated a staged infection that began with a seemingly innocuous PowerShell command:
This single command triggered a cascade of payloads, each more obfuscated than the last. The malware downloaded a malicious browser extension (extension.zip) and an executable (myau.exe)—both engineered to extract and exfiltrate cryptocurrency wallet credentials.
The malware used two distinct infection paths, enhancing its survivability and evasion:
- extension.zip was embedded into Chromium-based browsers (Chrome, Edge, Opera, Brave).
- myau.exe disabled Windows Defender, added registry keys, and established persistence.
“Both perform malicious actions on the victim system, including exfiltrating cryptocurrency wallet credentials to attacker infrastructure.”
MUT-9332’s methods went beyond the conventional. One path in the infection chain involved downloading a Base64-encoded payload hidden inside an image file hosted on the Internet Archive. Rather than using true steganography, the attacker embedded the data plainly within the image:
“The attacker’s intention… was once again to run myau.exe on the victim system.”
Another path involved executing obfuscated VBScript and PowerShell combinations that masked their activities using strings like ȧⳛ ܖᖳ᎑ ឺ┰ഴ♛ፙឳʿᰤම to defeat static detection.
The executable myau.exe took extreme measures to evade detection:
- Disabled Windows Defender and telemetry
- Added firewall rules to block Microsoft security infrastructure
- Sinkholed domains of major antivirus vendors via the hosts file
- Triggered a system crash if forcefully terminated
“It disables Windows Defender scanning… and invokes RtlSetProcessIsCritical(true), causing the system to crash if the malware process is terminated.”
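A defender's check for the hosts-file sinkholing described above, added here as an illustration and not taken from the Datadog report: it parses a hosts file and flags entries that map a security-vendor domain to a null or loopback address. The vendor watchlist and the sample hosts contents are constructed assumptions, not the actual domains or entries the malware wrote.

```python
"""Flag hosts-file entries that sinkhole security-vendor domains.

Illustrative example; the vendor watchlist and sample hosts file below are
constructed assumptions, not values from the Datadog report.
"""
import ipaddress

# Assumed watchlist of security-vendor domains (illustrative, not the report's list).
VENDOR_DOMAINS = {
    "microsoft.com", "windowsupdate.com", "kaspersky.com", "avast.com",
    "bitdefender.com", "eset.com", "malwarebytes.com", "sophos.com",
}


def _is_watched(hostname: str) -> bool:
    """True if hostname equals, or is a subdomain of, a watched vendor domain."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def find_sinkholed(hosts_text: str) -> list[dict]:
    """Return entries mapping a watched vendor domain to a null/loopback address."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a host mapping
        # A vendor host pointed at 0.0.0.0, ::, or loopback never reaches the vendor.
        sinkhole = addr.is_unspecified or addr.is_loopback
        for name in parts[1:]:
            if sinkhole and _is_watched(name):
                findings.append({"line": lineno, "address": str(addr), "host": name})
    return findings


# Constructed sample hosts file (not from the report); the last two lines are benign.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0   www.microsoft.com
0.0.0.0   update.microsoft.com   # blocks Defender signature updates
127.0.0.1 downloads.kaspersky.com
192.168.1.10 internal.example.test
"""

if __name__ == "__main__":
    for f in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['address']}")
```

On a live Windows host, read `C:\Windows\System32\drivers\etc\hosts` and pass its contents to `find_sinkholed`; any hit on a vendor domain is worth treating as a tamper indicator.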
The final payload, myaunet.exe, served as a powerful infostealer, targeting Discord, Chrome, Brave, Edge, crypto wallets, and Electron-based apps. It uploaded data to https://m-vn[.]ws/bird.php using JSON payloads for profiling.
Based on overlapping infrastructure and tactics, Datadog attributes the attack to MUT-9332, a threat actor also linked to a Monero cryptomining campaign via backdoored extensions.
“We are moderately confident that MUT-9332 is also the threat actor behind the Monero campaign.”
Despite limited installs (<50 before removal), the campaign highlights how supply chain threats in development environments can lead to widespread and deeply embedded compromises. Microsoft has since removed all three extensions from the VS Code Marketplace.