216.73.217.139

From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers

· Published 20/01/2026 08:41 · Modified 20/01/2026 09:09

Export JSON

Essential information

Published
20/01/2026 08:41
Modified
20/01/2026 09:09
Tags
2026-01-20 anti-analysis techniques browser injection evelyn stealer ftp exfiltration information stealer multistage attack process-hollowing software developers visual studio code
Related entities
5 observables, 16 techniques (mitre), 1 malware, 4 others

Description

The campaign targets through weaponized extensions, employing a multistage delivery of information-stealing malware. The attack chain involves a downloader disguised as a legitimate Lightshot DLL, an injector that uses process hollowing to inject the final payload, and the itself. The malware implements sophisticated , collects sensitive information including browser credentials and cryptocurrency data, and exfiltrates the stolen data via FTP. This campaign highlights the increasing threat to developer communities and the need for enhanced security measures in development environments.

External references