Cybersecurity researchers have disclosed details of a malware campaign that's targeting software developers with a new information stealer called Evelyn Stealer by weaponizing the Microsoft Visual Studio Code (VS Code) extension ecosystem.
"The malware is designed to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data. Compromised developer environments can also be abused as access points into broader organizational systems," Trend Micro said in an analysis published Monday.
The activity is designed to single out organizations with software development teams that rely on VS Code and third-party extensions, along with those with access to production systems, cloud resources, or digital assets, it added.
It's worth noting that details of the campaign were first documented by Koi Security last month, when details emerged of three VS Code extensions – BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme – that ultimately dropped a malicious downloader DLL ("Lightshot.dll") responsible for launching a hidden PowerShell command to fetch and execute a second-stage payload ("runtime.exe").
The executable, for its part, decrypts and injects the main stealer payload into a legitimate Windows process ("grpconv.exe") directly in memory, allowing it to harvest sensitive data and exfiltrate it to a remote server ("server09.mentality[.]cloud") over FTP in the form of a ZIP file. Some of the information collected by the malware includes -
- Clipboard content
- Installed apps
- Cryptocurrency wallets
- Running processes
- Desktop screenshots
- Stored Wi-Fi credentials
- System information
- Credentials and stored cookies from Google Chrome and Microsoft Edge
In addition, it implements safeguards to detect analysis and virtual environments and takes steps to terminate active browser processes to ensure a seamless data collection process and prevent any potential interference when attempting to extract cookies and credentials.
This is achieved by launching the browser via the command line by setting the following flags for detection and forensic traces -
- --headless=new, to run in headless mode
- --disable-gpu, to prevent GPU acceleration
- --no-sandbox, to disable browser security sandbox
- --disable-extensions, to prevent legitimate security extensions from interfering
- --disable-logging, to disable browser log generation
- --silent-launch, to suppress startup notifications
- --no-first-run, to bypass initial setup dialogs
- --disable-popup-blocking, to ensure malicious content can execute
- --window-position=-10000,-10000, to position the window off-screen
- --window-size=1,1, to minimize window to 1x1 pixel
"The [DLL] downloader creates a mutual exclusion (mutex) object to ensure that only one instance of the malware can run at any given time, ensuring that multiple instances of the malware cannot be executed on a compromised host," Trend Micro said. "The Evelyn Stealer campaign reflects the operationalization of attacks against developer communities, which are seen as high-value targets given their important role in the software development ecosystem."
The disclosure coincides with the emergence of two new Python-based stealer malware families referred to as MonetaStealer and SolyxImmortal, with the former also capable of targeting Apple macOS systems to enable comprehensive data theft.
"[SolyxImmortal] leverages legitimate system APIs and widely available third-party libraries to extract sensitive user data and exfiltrate it to attacker-controlled Discord webhooks," CYFIRMA said.
"Its design emphasizes stealth, reliability, and long-term access rather than rapid execution or destructive behaviour. By operating entirely in user space and relying on trusted platforms for command-and-control, the malware reduces its likelihood of immediate detection while maintaining persistent visibility into user activity.
Update
Matt Szafran, IT security principal at KBR, told The Hacker News of a ClickFix-based attack chain that delivers Evelyn Stealer by leveraging malvertising lures to trigger the execution of PowerShell code that unleashes a multi-stage infection chain comprising a series of intermediate payloads to drop GuLoader, which then retrieves the Evelyn Stealer payload from GitHub and loads it into memory using MSBuild.
 |
| ClickFix-based Evelyn Stealer attack chain (Credit: Matt Szafran) |
"The ClickFix tricked the user into running some PowerShell, which downloaded and ran a JS [JavaScript] file, which in turn spawned its own PowerShell to download a GuLoader malware hidden inside a JPG file," Szafran explained via email.
"The JS extracts the GuLoader from the JPG, loads it into memory, and invokes its entry point. As a part of the invocation it is passed the location of a TXT file, which is the Evelyn Stealer malware. The GuLoader downloads the Evelyn Stealer, using MSBuild to load it into memory and set it running."
The Evelyn Stealer malware distributed as part of the attack was built on January 14, 2026, and comes with capabilities to gather session data from WhatsApp and Telegram, as well as cryptocurrency wallets and Epic Games.
(The story was updated after publication on January 28, 2026, to include additional insights about Evelyn Stealer campaigns.)
