Evelyn Stealer: Developer-Focused Supply Chain Malware Leveraging Weaponized VS Code Extensions
Evelyn Stealer is a multi-stage information-stealing malware campaign targeting software developers through the abuse of the Visual Studio Code extension ecosystem. First publicly documented in late 2025 and expanded upon in January 2026, the campaign leverages trojanized VS Code extensions to deliver a malicious DLL loader masquerading as a legitimate Lightshot component. Once installed, the malware chain executes covertly via PowerShell, deploying a second-stage injector that decrypts and injects the final stealer payload directly into a trusted Windows process. The campaign specifically targets developer environments with access to source code, cloud resources, and digital assets, positioning compromised workstations as potential footholds for broader organizational intrusion.
From a technical perspective, Evelyn Stealer demonstrates mature tradecraft focused on stealth, in-memory execution, and operational reliability. The final payload employs process hollowing, extensive anti-analysis checks, and browser process termination to ensure uninterrupted credential theft. It launches browsers in headless mode with multiple security-disabling flags to bypass sandboxing, suppress logging, and evade forensic visibility while extracting credentials, cookies, clipboard data, screenshots, Wi-Fi credentials, and cryptocurrency wallet artifacts from Chrome and Edge. Exfiltration occurs over FTP to attacker-controlled infrastructure using structured ZIP archives for victim tracking and data management.
Defenders should treat developer tooling as a high-risk attack surface, enforce strict extension allow-listing, monitor for anomalous DLL loading and browser launch behavior, and segment development environments to prevent compromised endpoints from becoming gateways into production and cloud systems.
PDFSIDER: Stealthy Backdoor Deployment via DLL Side-Loading and Encrypted In-Memory C2
PDFSIDER is a newly identified malware strain leveraging DLL side-loading to covertly deploy a persistent backdoor while bypassing modern AV and EDR defenses. The campaign abuses a legitimate, digitally signed PDF24 application to load a malicious replacement cryptbase[.]dll, enabling execution under the guise of trusted software. Once loaded, the malware operates almost entirely in memory, establishing encrypted command-and-control communications using AES-256-GCM via an embedded Botan cryptographic library. PDFSIDER provides attackers with an interactive, hidden command shell that can execute arbitrary commands and exfiltrate output without leaving disk artifacts. Its design emphasizes stealth and reliability over mass distribution, aligning more closely with espionage-oriented tradecraft than opportunistic crimeware. The use of legitimate binaries, memory-only execution, and strong cryptography significantly complicates detection and forensic analysis.
From a defensive perspective, PDFSIDER demonstrates the continued effectiveness of DLL side-loading as a favored initial execution technique for advanced actors. The malware incorporates layered anti-analysis measures, including RAM-based sandbox detection, debugger checks, and environment validation routines to avoid execution in research or virtualized environments. Encrypted C2 traffic, reportedly tunneled over atypical channels such as DNS-associated ports, further obscures network-level detection. Campaign artifacts and decoy documents suggest targeted spear-phishing, including lures impersonating government or military intelligence sources, reinforcing the assessment of focused victim selection.
Organizations should mitigate this threat by enforcing application allowlisting, monitoring for anomalous DLL load behavior in trusted executables, validating code-signing trust chains at runtime, and restricting execution of unsigned or unexpected DLLs in user-writable directories.
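Both the Evelyn Stealer and PDFSIDER entries above recommend watching for anomalous DLL loads: a Windows system DLL name such as cryptbase.dll served from an application's own folder, or a script host such as PowerShell pulling an unsigned DLL out of a user profile. The detector below is an added example written for this digest, not code from either report; it assumes Sysmon-style ImageLoad fields (Image, ImageLoaded, Signed) rendered as "Key=Value;" text, and the sample events, file names and paths are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Windows DLLs that should only ever load from the system directories; a copy of
# one of these names sitting beside a signed application is the side-loading pattern.
SYSTEM_DLLS = {"cryptbase.dll", "version.dll", "dbghelp.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SCRIPT_HOSTS = {"powershell.exe", "rundll32.exe", "regsvr32.exe"}

def parse_event(line):
    """Parse a constructed Sysmon-style 'Key=Value; Key=Value' line into a dict."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify_image_load(fields):
    """Return an alert dict for a suspicious DLL load, or None if it looks normal."""
    loader = PureWindowsPath(fields.get("Image", "")).name.lower()
    loaded = fields.get("ImageLoaded", "")
    dll = PureWindowsPath(loaded).name.lower()
    path = loaded.lower()
    signed = fields.get("Signed", "false").lower() == "true"
    if dll in SYSTEM_DLLS and not path.startswith(SYSTEM_DIRS):
        # PDFSIDER pattern: a system DLL name loaded from outside the system directories.
        sev = "high" if path.startswith(USER_WRITABLE) else "medium"
        return {"rule": "system-dll-outside-system-dir", "severity": sev,
                "loader": loader, "dll": loaded}
    if loader in SCRIPT_HOSTS and not signed and path.startswith(USER_WRITABLE):
        # Evelyn Stealer pattern: a script host loading an unsigned DLL from a user profile.
        return {"rule": "script-host-unsigned-user-dll", "severity": "medium",
                "loader": loader, "dll": loaded}
    return None

def detect_sideloads(lines):
    alerts = [classify_image_load(parse_event(line)) for line in lines]
    return [alert for alert in alerts if alert]

# Constructed sample events (not real telemetry); executable and DLL names are illustrative.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\PDF24\pdf24-app.exe; ImageLoaded=C:\Windows\System32\cryptbase.dll; Signed=true",
    r"Image=C:\Users\alice\Downloads\PDF24\pdf24-app.exe; ImageLoaded=C:\Users\alice\Downloads\PDF24\cryptbase.dll; Signed=false",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; ImageLoaded=C:\Users\alice\.vscode\extensions\demo-ext\Lightshot.dll; Signed=false",
    r"Image=C:\Windows\System32\svchost.exe; ImageLoaded=C:\Windows\System32\version.dll; Signed=true",
]

if __name__ == "__main__":
    for alert in detect_sideloads(SAMPLE_EVENTS):
        print(alert)
```

Only the second and third events fire; the first is the legitimate load the side-loaded copy imitates, which is why the check keys on the load path rather than the DLL name alone.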
RedLineCyber: Discord-Based Clipboard Hijacking Targeting Cryptocurrency Streamers and Gamers
CloudSEK HUMINT operations uncovered an active cryptocurrency theft campaign operated by a threat actor tracked as RedLineCyber, which leverages trust within Discord gaming, gambling, and streaming communities to distribute a malicious clipboard hijacker named Pro[.]exe. The malware is delivered through direct social engineering, often framed as a “security” or “streaming utility,” and specifically targets users who frequently handle cryptocurrency transactions during live activity. Rather than broad data theft, the malware continuously monitors the clipboard and silently replaces copied wallet addresses with attacker-controlled ones at paste time, enabling near-instant asset diversion. The operation targets high-value demographics, including crypto streamers and influencers, exploiting the speed and distraction inherent to live broadcasts. Blockchain analysis confirms successful theft across multiple cryptocurrencies, including Bitcoin, Ethereum, Solana, and Tron. The actor falsely impersonates “RedLine Solutions” to benefit from the notoriety of the RedLine Stealer brand while operating a technically distinct toolset. Technically, Pro[.]exe is a PyInstaller-packaged Python malware with moderate complexity but high operational effectiveness due to its narrow focus and lack of network communications. It establishes persistence via Windows Registry Run keys, polls the clipboard every 300 milliseconds, and applies base64-encoded regular expressions to detect cryptocurrency wallet formats in real time. Upon detection, the malware overwrites the clipboard with attacker wallets and logs activity locally, enabling theft without a command-and-control infrastructure or outbound traffic. This offline design significantly reduces the opportunities for network-based defenses to detect it, and delays victim awareness until funds are irreversibly transferred.
The campaign highlights a growing trend toward low-noise, precision malware optimized for financial theft rather than persistence or lateral movement. Defenders should prioritize behavioral monitoring of clipboard API abuse, restrict the execution of unsolicited “utility” tools, and educate high-risk users to verify wallet addresses before submitting transactions.
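Because Pro[.]exe never touches the network, the behavioral signal is on the endpoint: a wallet-shaped clipboard value that turns into a different address of the same chain within the hijacker's 300 ms polling window, with no user copy in between. The following host-side detector is an added example for this digest, not the vendor's code; the wallet-shape patterns are heuristic, the one-second swap window is an assumption, and the clipboard timeline and addresses are synthetic values constructed to match the patterns.

```python
import re

# Heuristic address shapes for the four chains named in the report; order matters because
# the base58 chains overlap, so the more specific shapes are tested first.
WALLET_PATTERNS = [
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("TRX", re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$")),
    ("BTC", re.compile(r"^(bc1[a-z0-9]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$")),
    ("SOL", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]
# Assumed threshold: the hijacker rewrites within its 300 ms loop, while a person
# re-copying a different address of the same chain normally takes longer than a second.
SWAP_WINDOW_MS = 1000

def classify_wallet(text):
    """Return the chain whose address shape the text matches, or None."""
    text = text.strip()
    for chain, pattern in WALLET_PATTERNS:
        if pattern.match(text):
            return chain
    return None

def detect_clipboard_swaps(samples):
    """samples: ordered list of (timestamp_ms, clipboard_text). Returns suspected swaps."""
    alerts = []
    for (t_prev, prev), (t_now, now) in zip(samples, samples[1:]):
        chain_prev, chain_now = classify_wallet(prev), classify_wallet(now)
        same_chain_changed = chain_prev and chain_prev == chain_now and prev != now
        if same_chain_changed and t_now - t_prev <= SWAP_WINDOW_MS:
            alerts.append({"chain": chain_now, "original": prev.strip(),
                           "replacement": now.strip(), "at_ms": t_now})
    return alerts

# Constructed clipboard timeline; these are synthetic strings, not real wallet addresses.
USER_ETH = "0x" + "deadbeef" * 5
SWAPPED_ETH = "0x" + "c0ffee42" * 5
SAMPLE_CLIPBOARD = [
    (0, "deploy notes for friday"),
    (1000, USER_ETH),          # user copies an ETH address
    (1300, SWAPPED_ETH),       # same chain, different address, 300 ms later: swap
    (9000, "1" + "A" * 33),    # user copies a BTC-shaped address
    (70000, "1" + "B" * 33),   # another BTC address a minute later: plausible human action
    (80000, "9" * 40),         # SOL-shaped address; different chain from the previous entry
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_CLIPBOARD):
        print(alert)
```

A production version would feed the function from a clipboard-change hook (for example a WM_CLIPBOARDUPDATE listener on Windows) and correlate with user copy events to cut false positives further.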
TamperedChef (EvilAI): Malvertising-Driven Infostealer Campaign Abusing Google Ads and Signed Installers
Sophos X-Ops identified TamperedChef, an infostealer campaign assessed to be part of the broader EvilAI activity cluster, which abuses Google Ads and SEO poisoning to distribute trojanized PDF utilities masquerading as legitimate software. The operation relies on convincing fake download sites advertising “AppSuite PDF Editor,” which installs a dormant payload that later activates credential-stealing functionality. Victims span multiple industries that rely heavily on specialized technical equipment, with notable concentrations of targeting in Germany, the UK, and France, reflecting the campaign’s broad reach rather than targeted regional intent. The malware harvests browser credentials, cookies, and autofill data via DPAPI, terminates browser processes, and establishes persistence through registry autoruns and scheduled tasks. A deliberate 56-day dormancy period aligned with paid advertising cycles allowed the operators to maximize infections before activating theft capabilities. Sophos MDR confirmed hundreds of impacted hosts across more than 100 customer environments prior to detection. Technically, TamperedChef demonstrates a mature, multi-stage delivery chain combining malvertising redirects, MSI-based installers, obfuscated JavaScript components, and secondary backdoor payloads such as ManualFinderApp[.]exe, which communicates with attacker-controlled C2 infrastructure. The campaign heavily abuses legitimate and fraudulently obtained code-signing certificates to bypass SmartScreen and increase user trust, a trend increasingly observed in financially motivated malware operations. Post-installation behavior includes security product enumeration, staged command execution via custom flags, and follow-on payload delivery using mshta.exe and scheduled tasks disguised as system maintenance jobs. Although some infrastructure and certificates have since been revoked, reporting indicates the operators remain active and adaptable. 
Defenders should treat ad-sourced software downloads as high risk, enforce strict application allowlisting, disable browser-based credential storage, and prioritize user awareness training focused on malvertising and deceptive installers to reduce exposure to similar campaigns.
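The post-installation stage described above leaves two process-level traces: a schtasks.exe /create whose action runs mshta.exe (or another script host) from a user-writable path, and, later, mshta.exe being spawned by the Task Scheduler service host. The detector below is an added example for this digest, not Sophos code; it assumes Sysmon-style process-creation fields (Image, CommandLine, ParentImage, ParentCommandLine) already parsed into dicts, assumes the scheduler host appears as svchost.exe with "-s Schedule" on its command line, and uses constructed task names and paths.

```python
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def task_launched(ev):
    """True when the parent is the Task Scheduler service host (svchost.exe ... -s Schedule)."""
    parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
    return parent == "svchost.exe" and "-s schedule" in ev.get("ParentCommandLine", "").lower()

def classify_process(ev):
    """Return an alert dict for a suspicious process-creation event, or None."""
    image = PureWindowsPath(ev.get("Image", "")).name.lower()
    cmd = ev.get("CommandLine", "").lower()
    if image in SCRIPT_HOSTS and task_launched(ev):
        # A scheduled task firing a script host: the follow-on payload stage.
        return {"rule": "scheduled-task-script-host", "image": image, "cmdline": ev.get("CommandLine")}
    runs_script_host = any(host in cmd for host in SCRIPT_HOSTS)
    from_user_dir = any(folder in cmd for folder in USER_WRITABLE)
    if image == "schtasks.exe" and "/create" in cmd and runs_script_host and from_user_dir:
        # Persistence being registered: a task whose action is a script host in a user-writable path.
        return {"rule": "schtasks-create-script-host", "image": image, "cmdline": ev.get("CommandLine")}
    return None

def detect_task_abuse(events):
    return [alert for alert in (classify_process(ev) for ev in events) if alert]

# Constructed events; task names, paths and file names are illustrative, not campaign IoCs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "System Health Check" /tr "mshta.exe C:\Users\alice\AppData\Roaming\update.hta" /sc hourly',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\installer.exe", "ParentCommandLine": "installer.exe /quiet"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Roaming\update.hta",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"Image": r"C:\Windows\System32\mshta.exe", "CommandLine": r"mshta.exe C:\Users\alice\Desktop\tool.hta",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Vendor Update" /tr "C:\Program Files\Vendor\updater.exe" /sc daily',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe", "ParentCommandLine": "setup.exe"},
]

if __name__ == "__main__":
    for alert in detect_task_abuse(SAMPLE_EVENTS):
        print(alert)
```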