From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers
Essential information
- Published
- 20/01/2026 08:41
- Modified
- 20/01/2026 09:09
- Tags
- 2026-01-20 anti-analysis techniques browser injection evelyn stealer ftp exfiltration information stealer multistage attack process-hollowing software developers visual studio code
- Related entities
- 5 observables, 16 techniques (mitre), 1 malware, 4 others
Description
The Evelyn Stealer campaign targets software developers through weaponized Visual Studio Code extensions, employing a multistage delivery of information-stealing malware. The attack chain involves a downloader disguised as a legitimate Lightshot DLL, an injector that uses process hollowing to inject the final payload, and the Evelyn Stealer itself. The malware implements sophisticated anti-analysis techniques, collects sensitive information including browser credentials and cryptocurrency data, and exfiltrates the stolen data via FTP. This campaign highlights the increasing threat to developer communities and the need for enhanced security measures in development environments.