Evelyn Stealer Malware Abuses VS Code Extensions to Harvest Developer Credentials and Crypto

Security researchers have detailed an intrusion campaign aimed at software engineering environments, using a new information-stealing malware dubbed Evelyn Stealer that abuses the Microsoft Visual Studio Code (VS Code) extension ecosystem as the initial access vector.

“The malware is designed to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data. Compromised developer environments can also be abused as access points into broader organizational systems,” Trend Micro said in an analysis published Monday.

The operators are clearly orienting the activity toward organizations with software development teams that depend on VS Code and community extensions, particularly developers with access to production environments, cloud infrastructure, or high-value digital assets, it added.

It’s worth noting that the campaign was first documented by Koi Security last month, when three VS Code extensions – BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme – were found to ultimately drop a malicious downloader DLL (“Lightshot.dll”) that launches a hidden PowerShell command to fetch and execute a second-stage payload (“runtime.exe”).

The executable, for its part, decrypts and injects the main stealer payload into a legitimate Windows process (“grpconv.exe”) directly in memory, allowing it to systematically collect sensitive data and exfiltrate it to a remote server (“server09.mentality[.]cloud”) via FTP as a ZIP archive. Among the data categories targeted by the stealer are –

  • Clipboard content
  • Installed apps
  • Cryptocurrency wallets
  • Running processes
  • Desktop screenshots
  • Stored Wi-Fi credentials
  • System information
  • Credentials and stored cookies from Google Chrome and Microsoft Edge

It also incorporates anti-analysis and anti-VM checks, and forcibly terminates active browser processes to avoid interference during collection and to improve reliability when extracting browser cookies and saved credentials.

This behavior is implemented by starting the browser from the command line with a set of flags tuned to limit user visibility and forensic traces –

  • --headless=new, to run in headless mode
  • --disable-gpu, to prevent GPU acceleration
  • --no-sandbox, to disable the browser security sandbox
  • --disable-extensions, to prevent legitimate security extensions from interfering
  • --disable-logging, to disable browser log generation
  • --silent-launch, to suppress startup notifications
  • --no-first-run, to bypass initial setup dialogs
  • --disable-popup-blocking, to ensure malicious content can execute
  • --window-position=-10000,-10000, to position the window off-screen
  • --window-size=1,1, to shrink the window to a 1×1 pixel
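A defender can turn the flag list above into a detection over process-creation telemetry. The following is an added example written for this article, not code from Trend Micro or from the malware analysis; the record format, the flag weights, the alert threshold and the sample events (including the grpconv.exe parent, which the article names as the injected host process) are constructed assumptions for illustration.

```python
# Flags the article lists for the stealer's hidden browser launch. The weights
# are this example's assumption: flags that hide the window score highest, since
# they rarely appear in legitimate automation.
SUSPICIOUS_FLAGS = {
    "--headless=new": 1, "--disable-gpu": 1, "--no-sandbox": 2,
    "--disable-extensions": 1, "--disable-logging": 2, "--silent-launch": 2,
    "--no-first-run": 1, "--disable-popup-blocking": 1,
    "--window-position=-10000,-10000": 3, "--window-size=1,1": 3,
}
BROWSERS = {"chrome.exe", "msedge.exe"}
ALERT_THRESHOLD = 6  # assumed; tune against your own telemetry baseline

# Constructed process-creation records: "timestamp|parent image|image|command line"
SAMPLE_EVENTS = [
    "2024-06-03T10:01:02Z|explorer.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"
    '"chrome.exe" --profile-directory=Default',
    "2024-06-03T10:07:44Z|grpconv.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"
    '"chrome.exe" --headless=new --disable-gpu --no-sandbox --disable-extensions '
    "--disable-logging --silent-launch --no-first-run --disable-popup-blocking "
    "--window-position=-10000,-10000 --window-size=1,1",
    "2024-06-03T10:09:10Z|python.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"
    '"chrome.exe" --headless=new --disable-gpu --no-sandbox',  # CI/test automation
]

def parse_event(line):
    """Split one record into its fields; the image path is reduced to its basename."""
    ts, parent, image, cmdline = line.split("|", 3)
    return {"ts": ts, "parent": parent.lower(),
            "image": image.lower().rsplit("\\", 1)[-1], "cmdline": cmdline}

def score_launch(event):
    """Return (score, matched flags) for a browser launch; non-browsers score 0."""
    if event["image"] not in BROWSERS:
        return 0, []
    # None of the flags contain spaces, so whitespace splitting is enough here.
    tokens = [t.lower() for t in event["cmdline"].split()]
    matched = [t for t in tokens if t in SUSPICIOUS_FLAGS]
    return sum(SUSPICIOUS_FLAGS[t] for t in matched), matched

def detect(lines):
    """Return alert dicts for launches whose flag score reaches the threshold."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        score, flags = score_launch(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"ts": ev["ts"], "parent": ev["parent"],
                           "score": score, "flags": flags})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['ts']} parent={a['parent']} score={a['score']} flags={len(a['flags'])}")
```

The third sample stays below the threshold on purpose: a plain headless launch is common in CI and test tooling, while the off-screen 1×1 window combined with logging and extension suppression is what distinguishes the stealer's launch.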

“The [DLL] downloader creates a mutual exclusion (mutex) object to ensure that only one instance of the malware can run at any given time, ensuring that multiple instances of the malware cannot be executed on a compromised host,” Trend Micro said. “The Evelyn Stealer campaign reflects the operationalization of attacks against developer communities, which are seen as high-value targets given their important role in the software development ecosystem.”

The disclosure coincides with the emergence of two new Python-based stealer malware families referred to as MonetaStealer and SolyxImmortal, with the former also capable of targeting Apple macOS systems to enable broad, cross-platform data theft.

“[SolyxImmortal] leverages legitimate system APIs and widely available third-party libraries to extract sensitive user data and exfiltrate it to attacker-controlled Discord webhooks,” CYFIRMA said.

“Its design emphasizes stealth, reliability, and long-term access rather than rapid execution or destructive behaviour. By operating entirely in user space and relying on trusted platforms for command-and-control, the malware reduces its likelihood of immediate detection while maintaining persistent visibility into user activity.”

Teams tracking similar activity should monitor these families and their related infrastructure over time through their usual threat-intelligence channels.


All Right Reserved by Jutsu Inc. | 2024