Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
Malware

susvsex

susvsex is a malicious Visual Studio Code extension that was discovered in the official Visual Studio Marketplace in November 2025. It was identified by Secure Annex founder and researcher John Tuckner and was described as having basic ransomware and data-stealing capabilities. The extension was uploaded on November 5, 2025, by the publisher account "suspublisher18" and was removed from the marketplace by November 6, 2025.

Based on the reported behavior, susvsex is designed to auto-activate on essentially any event, including installation or VS Code launch. It invokes a function named "zipUploadAndEncrypt," which creates a ZIP archive of a target directory, exfiltrates that archive to a remote server, and then replaces the original files with encrypted versions. Reported target paths include C:\Users\Public\testing on Windows and /tmp/testing on macOS. The extension was also reported to use a private GitHub repository as its command-and-control channel, polling index.html for commands and writing results to requirements.txt. Reporting further stated that the package included decryption tools, C2 server code, and GitHub access keys, and that one associated GitHub account, "aykhanmv," claimed to be from Baku, Azerbaijan.

High-confidence capabilities directly described in the source material include automatic execution, file collection and ZIP archiving, exfiltration, file encryption for potential extortion, and GitHub-based C2. The available content does not attribute susvsex to a known threat actor beyond the uploader and associated GitHub account identifiers.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
securitysenses blogNews
Nov 17, 2025
November 17, 2025 Cyber Threat Intelligence Briefing

susvsex is a malicious Visual Studio Code extension with ransomware and data-stealing capabilities, distributed via the official Visual Studio Marketplace.

Read more
the hacker newsNews
Nov 7, 2025
Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities

Malicious Visual Studio Code extension with basic ransomware capabilities. It zips, exfiltrates, and encrypts files from a target directory, using GitHub as command-and-control. The extension can be updated to target other directories and included decryption tools and C2 server code by accident.

Read more
secure annex blogNews
Nov 5, 2025
Ransomvibing appears in VS Code extensions

A Visual Studio Code extension that acts as ransomware, encrypting files in a target directory, exfiltrating the encrypted data to an attacker-controlled server, and using GitHub as a command and control channel. It includes hardcoded decryption keys and tools, and is a proof-of-concept or early-stage ransomware targeting developer environments.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.