This blog entry provides an in-depth analysis of the multistage delivery of the Evelyn information stealer, which was used in a campaign targeting software developers.

Trend Micro Blog offers insights, analysis, and updates on cybersecurity threats, trends, and best practices. Covering topics such as malware analysis, threat intelligence, and cybersecurity risk management, Trend Micro Blog provides resources for IT security professionals, helping them stay ahead of emerging threats and protect their organizations from cyber attacks.

Trend Micro

The Evelyn Stealer campaign weaponizes Visual Studio Code extensions to deploy multistage information-stealing malware targeting software developers. The attack chain uses DLL sideloading, process hollowing with AES-256-CBC encryption, and advanced anti-analysis techniques including VM detection and debugger evasion. The malware harvests browser credentials through DLL injection, captures screenshots, steals cryptocurrency wallets, and exfiltrates data via FTP. It employs sophisticated browser manipulation with headless execution and disabled security features. The campaign demonstrates operational maturity with detailed filename tracking and comprehensive system reconnaissance, positioning developers as high-value targets due to their privileged access to organizational systems and digital assets.

From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers

TrendAI Vision One™ Intelligence Reports (IOC Sweeping)