bigblack

BigBlack is the developer name associated with two malicious Visual Studio Code Marketplace extensions, Bitcoin Black and Codo AI. In the reported activity, these extensions masqueraded as a color theme and an AI assistant, respectively, and targeted developers with information-stealing malware. The extensions delivered a legitimate Lightshot executable alongside a malicious DLL using DLL hijacking. Reported capabilities included theft of credentials, cryptocurrency wallet data, browser cookies, session tokens, clipboard contents, Wi-Fi credentials, system information, screenshots, running processes, and installed-program listings. The malware created a directory named "Evelyn" under %APPDATA%\Local\ to store stolen data, searched infected systems for passwords and credentials, and launched Chrome and Edge in headless mode to steal cookies and hijack sessions. Targeted wallet data included Phantom, MetaMask, and Exodus. Bitcoin Black reportedly used a '*' activation event to execute on every VS Code action; older versions used PowerShell to download a password-protected payload, while newer versions used a hidden batch script to download the DLL and executable. Koi Security identified the malicious behavior. No nation-state attribution, additional aliases, or sub-groups are provided in the content beyond the publisher/developer name BigBlack.