Mallory

Evelyn Stealer

Evelyn Stealer is an information-stealing malware family delivered through a malicious Visual Studio Code extension campaign targeting software developers. Reported by Trend Micro and previously documented by Koi Security, the campaign abuses trust in the VS Code extension ecosystem and has been assessed as particularly risky for organizations whose development teams have access to production systems, cloud resources, source code, or digital assets.

The infection chain uses trojanized VS Code extensions, including BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme. These extensions drop a malicious downloader DLL named Lightshot.dll, which is sideloaded by the legitimate Lightshot.exe process. The downloader launches hidden PowerShell to retrieve a second-stage payload, including a file downloaded as iknowyou.model and saved and executed as runtime.exe. The runtime.exe stage decrypts the main stealer and injects it in memory into the legitimate Windows process grpconv.exe. Trend Micro also reported that the downloader creates a mutex to ensure only one instance runs on a host. The malware creates an "Evelyn" folder under AppData, and Trend Micro observed FTP requests associated with downloading abe_decrypt.dll; the malware was also reported to inject abe_decrypt.dll into Microsoft Edge and Google Chrome.

Evelyn Stealer is designed to exfiltrate developer credentials and cryptocurrency-related data. Reported collection targets include browser credentials and stored cookies from Google Chrome and Microsoft Edge, cryptocurrency wallet data, clipboard contents, installed applications, running processes, screenshots, stored Wi-Fi credentials (Wi-Fi keys), VPN profiles, messaging session data, sensitive files, and general system information. The malware terminates active browser processes to facilitate credential and cookie theft, then relaunches the browsers with flags such as --headless=new, --disable-gpu, --no-sandbox, --disable-extensions, and --disable-logging to reduce detection and forensic traces. It also implements anti-analysis and anti-virtual-machine checks.

Stolen data is compressed into a ZIP archive and exfiltrated over FTP to attacker-controlled infrastructure, including server09.mentality[.]cloud. The campaign’s targeting of developer workstations creates broader enterprise risk because a single compromised developer machine may expose source code, cloud access tokens, production credentials, and other organizational access.
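As an added hunting example (not Mallory's code, nor any vendor's), the following Python applies the chain described above to constructed Sysmon-style process-creation and network-connection records. The process names, browser flags and the mentality[.]cloud exfiltration domain come from the write-up; the field semantics, sample paths and the `stage2.ps1` argument are assumptions.

```python
import re

# Indicators and behaviours taken from the write-up above.
C2_DOMAIN = "mentality.cloud"  # server09.mentality[.]cloud on the page, refanged for matching
BROWSERS = {"chrome.exe", "msedge.exe"}
STEALTH_FLAGS = {"--headless=new", "--disable-gpu", "--no-sandbox", "--disable-extensions", "--disable-logging"}

def check_process(image, parent, cmd):
    """Findings for one process-creation event (Sysmon-style image/parent/command-line fields assumed)."""
    image, parent = (p.rsplit("\\", 1)[-1].lower() for p in (image, parent))
    findings = []
    # Stage 1: the sideloaded Lightshot.dll runs hidden PowerShell under the legitimate Lightshot.exe.
    if image == "powershell.exe" and parent == "lightshot.exe" and re.search(r"-w(indowstyle)?\s+hidden", cmd, re.I):
        findings.append("hidden PowerShell spawned by Lightshot.exe")
    # Stage 2: runtime.exe starts grpconv.exe, the reported in-memory injection host.
    if image == "grpconv.exe" and parent == "runtime.exe":
        findings.append("grpconv.exe started by runtime.exe")
    # Collection: a browser started by a non-browser parent with two or more of the reported stealth flags.
    if image in BROWSERS and parent not in BROWSERS:
        flags = STEALTH_FLAGS.intersection(cmd.split())
        if len(flags) >= 2:
            findings.append(f"{image} run headless by {parent}")
    return findings

def check_network(image, host, port):
    """Finding for one network-connection event: FTP to the reported exfiltration domain."""
    name, h = image.rsplit("\\", 1)[-1].lower(), host.lower()
    if port == 21 and (h == C2_DOMAIN or h.endswith("." + C2_DOMAIN)):
        return [f"FTP from {name} to {h}"]
    return []

def hunt(process_events, network_events):
    """Run the checks over telemetry tuples and return every finding in order."""
    out = []
    for image, parent, cmd in process_events:
        out += check_process(image, parent, cmd)
    for image, host, port in network_events:
        out += check_network(image, host, port)
    return out

# Constructed sample telemetry (not real logs); the last process event is benign and must not alert.
PROCESS_EVENTS = [  # (image, parent_image, command_line)
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Users\dev\AppData\Roaming\Lightshot.exe",
     "powershell.exe -WindowStyle Hidden -NoProfile -File stage2.ps1"),  # stage2.ps1 is a placeholder
    (r"C:\Windows\System32\grpconv.exe", r"C:\Users\dev\AppData\Roaming\runtime.exe", "grpconv.exe"),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\System32\grpconv.exe",
     "chrome.exe --headless=new --disable-gpu --no-sandbox --disable-extensions --disable-logging"),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\explorer.exe",
     "chrome.exe --profile-directory=Default"),
]
NETWORK_EVENTS = [(r"C:\Windows\System32\grpconv.exe", "server09.mentality.cloud", 21)]  # (image, dest_host, port)
```

Calling `hunt(PROCESS_EVENTS, NETWORK_EVENTS)` yields one finding per stage of the chain and nothing for the ordinary Chrome launch from explorer.exe.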


MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Initial Access (1 technique)

T1195 Supply Chain Compromise (evidence: 1)

Evidence excerpts: "Notepad++ Official Update Mechanism Hijacked to Deliver Malware..."; "eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware"; "Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems"; "Open VSX Supply Chain Attack..."; "Malicious Chrome Extensions..."

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

cloudatg insights (News), Feb 13, 2026
AI Development & Software Engineering | CloudATG

Information stealer targeting software developers via weaponized VS Code extensions; exfiltrates developer credentials and cryptocurrency-related data.

the hacker news (News), Jan 20, 2026
Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto

Information-stealing malware delivered via trojanized VS Code extensions. Uses a malicious DLL downloader to run hidden PowerShell that fetches a second-stage payload, then decrypts and injects the stealer into a legitimate Windows process (grpconv.exe) in-memory. Collects clipboard data, installed apps, crypto wallets, running processes, screenshots, Wi‑Fi credentials, system info, and browser (Chrome/Edge) cookies and credentials; exfiltrates to a remote server over FTP as a ZIP. Includes anti-analysis/anti-VM checks and manipulates browser execution (headless/disabled logging/extensions) to facilitate credential/cookie theft.

cyber security news (News), Jan 19, 2026
Threat Actors Weaponizing Visual Studio Code to Deploy a Multistage Malware

A multistage information stealer delivered via a trojanized Visual Studio Code extension and a sideloading chain involving a fake Lightshot.dll loaded by legitimate Lightshot.exe. It executes hidden PowerShell to fetch additional payloads, then steals browser credentials (passwords/cookies), crypto wallets, messaging sessions, VPN profiles, Wi‑Fi keys, screenshots, system information, and sensitive files, compressing and exfiltrating data via FTP.
