Date: 01/20/2026
Severity: High
Summary
Evelyn Stealer is a multistage information-stealing campaign that abuses the Visual Studio Code extension ecosystem to compromise software developers. By weaponizing malicious extensions, the malware exfiltrates developer credentials, browser data, clipboard and Wi-Fi information, screenshots, and cryptocurrency wallets, while using anti-analysis techniques and DLL injection to evade detection. Compromised development environments can be leveraged as entry points into broader organizational networks, cloud resources, and production systems, making this campaign a high-risk supply-chain threat to software-driven organizations.
Indicators of Compromise (IOC) List
Hash (SHA-256):
369479bd9a248c9448705c222d81ff1a0143343a138fc38fc0ea00f54fcc1598
92af258d13494f208ccf76f53a36f288060543f02ed438531e0675b85da00430
aba7133f975a0788dd2728b4bbb1d7d948e50571a033a1e8f47a2691e98600c5
74e43a0175179a0a04361faaaaf05eb1e6b84adca69e4f446ef82c0a5d1923d5
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
sha256hash IN ("74e43a0175179a0a04361faaaaf05eb1e6b84adca69e4f446ef82c0a5d1923d5","92af258d13494f208ccf76f53a36f288060543f02ed438531e0675b85da00430","369479bd9a248c9448705c222d81ff1a0143343a138fc38fc0ea00f54fcc1598","aba7133f975a0788dd2728b4bbb1d7d948e50571a033a1e8f47a2691e98600c5")
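The query above matches the four SHA-256 hashes against a field named sha256hash in the TDIR platform. For environments without that platform, the following added example (written for this page, not Gurucul's or Trend Micro's code) applies the same hash-set check in two places a responder typically has access to: a directory of files on disk (the example assumes a VS Code extensions folder path, but any root works) and raw endpoint telemetry lines. The log lines embedded in the block are constructed samples, not real events, and the benign test file it writes is created in a temporary directory.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List, Set

# The four SHA-256 indicators listed in the advisory above.
EVELYN_STEALER_SHA256: Set[str] = {
    "369479bd9a248c9448705c222d81ff1a0143343a138fc38fc0ea00f54fcc1598",
    "92af258d13494f208ccf76f53a36f288060543f02ed438531e0675b85da00430",
    "aba7133f975a0788dd2728b4bbb1d7d948e50571a033a1e8f47a2691e98600c5",
    "74e43a0175179a0a04361faaaaf05eb1e6b84adca69e4f446ef82c0a5d1923d5",
}

# Any 64-hex-digit token; case-insensitive because EDR products differ in casing.
_SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: str, iocs: Set[str] = EVELYN_STEALER_SHA256) -> List[Dict[str, str]]:
    """Hash every regular file under root and report those whose SHA-256 is in the IOC set."""
    hits: List[Dict[str, str]] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(full)
            except OSError:
                # Unreadable or vanished file: skip rather than abort the sweep.
                continue
            if digest in iocs:
                hits.append({"path": full, "sha256": digest})
    return hits


def match_log_lines(lines: Iterable[str], iocs: Set[str] = EVELYN_STEALER_SHA256) -> List[Dict[str, object]]:
    """Find telemetry lines that carry an IOC hash anywhere in their text."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for token in _SHA256_RE.findall(line):
            if token.lower() in iocs:
                hits.append({"line": lineno, "sha256": token.lower(), "event": line.strip()})
    return hits


# Constructed sample telemetry (not real events). The first record carries an IOC
# hash in upper case; the second is a benign placeholder hash.
SAMPLE_EVENTS = [
    "2026-01-20T10:01:02Z process_create image=C:\\Users\\dev\\.vscode\\extensions\\helper.exe "
    "sha256=369479BD9A248C9448705C222D81FF1A0143343A138FC38FC0EA00F54FCC1598",
    "2026-01-20T10:01:05Z process_create image=C:\\Program Files\\Microsoft VS Code\\Code.exe "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

# Assumed default location of VS Code extensions on the analyst's machine.
DEFAULT_EXTENSIONS_DIR = os.path.join(os.path.expanduser("~"), ".vscode", "extensions")


def demo_scan_benign_dir() -> Dict[str, object]:
    """Build a throwaway directory with one benign file and sweep it; returns digest and hits."""
    tmp = tempfile.mkdtemp(prefix="ioc_scan_")
    benign = os.path.join(tmp, "benign.txt")
    with open(benign, "wb") as fh:
        fh.write(b"hello")
    return {"digest": sha256_of_file(benign), "hits": scan_directory(tmp)}


if __name__ == "__main__":
    for hit in match_log_lines(SAMPLE_EVENTS):
        print("IOC match in telemetry:", hit)
    if os.path.isdir(DEFAULT_EXTENSIONS_DIR):
        for hit in scan_directory(DEFAULT_EXTENSIONS_DIR):
            print("IOC match on disk:", hit)
```

The log matcher deliberately searches the whole line rather than a single field, so it works on unstructured EDR exports as well as key=value records; the cost is that a hash quoted in, say, an analyst's comment line would also match, which is acceptable for a high-severity indicator sweep.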
Reference:
https://www.trendmicro.com/en_us/research/26/a/analysis-of-the-evelyn-stealer-campaign.html