{
	"id": "feedea4b-2e28-4072-a3ae-01df2670eb16",
	"created_at": "2026-04-06T00:08:52.428888Z",
	"updated_at": "2026-04-10T03:37:08.87122Z",
	"deleted_at": null,
	"sha1_hash": "8b39e1a34e304013ef4a2ac0f04d4a37658507ea",
	"title": "Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1473295,
	"plain_text": "Malicious VSCode Extension Launches Multi-Stage Attack Chain\r\nwith Anivia Loader and OctoRAT\r\nPublished: 2025-12-03 · Archived: 2026-04-05 16:42:10 UTC\r\nIn late November 2025, our threat hunting team traced a series of suspicious VBScript payloads back to a GitHub\r\nrepository using the handle biwwwwwwwwwww. What first looked like a harmless \"vscode\" repository turned\r\nout to be the backbone of a supply-chain attack abusing the Visual Studio Code extension ecosystem.\r\nThe attacker pushed a fake Prettier extension to the official marketplace, used it to deliver a multi-stage malware\r\nchain, and ultimately deployed the Anivia loader followed by a fully featured RAT called OctoRAT. This infection\r\npath targets developers directly by blending into the tools they trust every day.\r\nIn this research piece, we walk through how the attack works end-to-end and highlight the most important\r\nfindings from our investigation.\r\nKey findings\r\nA malicious Visual Studio Code extension named \"prettier‑vscode‑plus\" appeared on the official VSCode\r\nMarketplace, impersonating the legitimate Prettier formatter.\r\nThe extension served as the entry point for a multi-stage malware chain, starting with the Anivia loader,\r\nwhich decrypted and executed further payloads in memory.\r\nOctoRAT, the third-stage payload dropped by the Anivia loader, provided full remote access, including\r\nover 70 commands for surveillance, file theft, remote desktop control, persistence, privilege escalation, and\r\nharassment.\r\nBoth Anivia and OctoRAT use AES-encrypted payloads, in-memory execution, and process hollowing to\r\navoid detection.\r\nThe threat actor's GitHub repository demonstrated active payload rotation, characterized by frequent file\r\nuploads and deletions, which helped evade security products.\r\nThis attack highlights a supply-chain compromise targeting developers, abusing the trust in VSCode\r\nextensions to deliver multi-stage 
malware.\r\nLet's now break down how the operation unfolds, how each stage of the attack fits together, and what stood out\r\nduring our analysis.\r\nIntroduction\r\nAccording to research from Checkmarx Zero, the malicious extension \"prettier-vscode-plus\" appeared on the\r\nofficial Visual Studio Code Marketplace on November 21, 2025, under the publisher account\r\n\"publishingsofficial.\" The extension impersonated the legitimate Prettier code formatter, a widely used tool trusted\r\nby millions of developers. It was removed within four hours of publication, after only six downloads and three\r\ninstalls had occurred.\r\nhttps://hunt.io/blog/malicious-vscode-extension-anivia-octorat-attack-chain\r\nPage 1 of 26\n\nFigure 01: Threat actor's GitHub repository \"vscode\" containing malicious VBScript payloads\r\nThe repository associated with the threat actor's GitHub account is named \"vscode\", a deliberate naming choice\r\nintended to blend in with legitimate projects related to Microsoft's widely used code editor. By mimicking a\r\ncommon and benign repository name, the actor reduces the likelihood that its URLs will be flagged as suspicious\r\nin network logs or security alerts.\r\nAttack timeline and commit history analysis\r\nExamining the commit history of the malicious repository reveals a clear timeline of operations. The repository\r\nwas created on November 20, 2025, with an initial commit (9d63240). 
On the same day, the threat actor uploaded\r\nthe first malicious payload through commit 672525f.\r\nFigure 02: Commit history showing payload rotation activity on the malicious repository\r\nThe commit message \"Add files via upload\" indicates that files were uploaded directly through GitHub's web\r\ninterface, a common operational security practice among threat actors: a local Git client would otherwise stamp\r\neach commit with the configured author name, e-mail address and timezone offset, details that can expose their\r\nlocal environment.\r\nDate | Commit Hash | Action | Description\r\nNov 20, 2025 | 9d63240 | Initial commit | Repository created\r\nNov 20, 2025 | 672525f | Add files via upload | First malicious VBS dropper\r\nNov 24, 2025 | 200c06b | Add files via upload | Additional dropper uploaded\r\nNov 24, 2025 | 7e237f0 | Delete VBS file | Payload rotation\r\nNov 27, 2025 | 58103e2 | Delete VBS file | Payload rotation\r\nNov 27, 2025 | e63320e | Add files via upload | New payload uploaded\r\nThe pattern of uploading and deleting files is particularly noteworthy. On November 24, 2025, the threat actor\r\nuploaded new files in commit 200c06b and subsequently deleted a VBScript file named\r\nRpnBmNFeHtFeIAJpKRKNUBtKS.vbs.\r\nThis activity continued on November 27, 2025, when another file named\r\nmBDDLJmBMDgxPkaTbPhMEPoGE.vbs was removed, followed by a fresh upload. This behavior suggests\r\nactive payload rotation, a technique used to evade signature-based detection by security products that may have\r\nflagged earlier samples. Note that an ordinary delete commit only removes the file from the current tree: the earlier\r\ndroppers remain retrievable from the repository history by commit hash, which is how rotated samples can still be\r\npulled for analysis, and it also means any single file hash goes stale within days.\r\nWith the timeline mapped out, the next step is understanding what each stage of the chain actually does on disk\r\nand in memory.\r\nTechnical analysis\r\nFirst-stage dropper: VBScript loader\r\nThe initial infection vector relies on a VBScript dropper that initializes two Windows COM objects to handle file\r\noperations and command execution. 
The script constructs a temporary file path using the Windows temp folder\r\ncombined with a randomly generated filename ending in .ps1.\r\nFigure 03: First-stage VBScript dropper initializing AES decryption\r\nThe script contains an embedded PowerShell payload that includes a Base64-encoded AES encryption key and an\r\nencrypted blob containing the actual malware. The PowerShell code is designed to:\r\nExtract the initialization vector from the first 16 bytes of the encrypted data\r\nDecrypt the remaining ciphertext using AES-256 in CBC mode with PKCS7 padding\r\nExecute the decrypted script directly in memory using Invoke-Expression\r\nOnce the PowerShell content is prepared, the VBScript writes it to the temporary file and executes it with flags that\r\nbypass the execution policy and skip loading the user's profile. The execution runs in a hidden window to\r\nprevent the victim from noticing any suspicious activity.\r\nFigure 04: VBScript execution routine with PowerShell bypass and self-deletion mechanism\r\nAfter waiting five seconds to allow the PowerShell script to complete, the dropper deletes the temporary file to\r\nremove forensic evidence. The script is designed to continue silently even if the deletion fails, making this a\r\nstealthy and self-cleaning first-stage loader. Because the .ps1 rarely survives on disk, the most reliable artifact on\r\na victim is PowerShell script block logging (Event ID 4104, where enabled), which records the decrypted code handed\r\nto Invoke-Expression even after the file itself is gone.\r\nCore Anivia loader analysis\r\nUpon examining the decompiled source code, we identified the core loader component of the Anivia Stealer\r\nmalware written in C# under the namespace Anivia. 
The class AniviaCRT contains a hardcoded byte array\r\nconsisting of 228,384 elements representing the encrypted malicious payload.\r\nFigure 05: Decompiled Anivia Stealer core loader with encrypted payload byte array\r\nThe malware initializes the decryption process using the AES key:\r\nAniviaCryptKey2024!32ByteKey!!XX\r\nThe key is 32 ASCII characters, i.e. a 256-bit key used directly rather than derived from a password, and because it\r\nis hardcoded the payload can be recovered offline without ever running the loader. The 16-byte initialization vector\r\nis extracted from the payload itself; the 228,384-byte array is therefore 16 bytes of IV followed by 228,368 bytes of\r\nciphertext, a whole number of AES blocks (14,273), as CBC with PKCS7 padding requires. Once decrypted, the resulting\r\nPE (Portable Executable) binary is passed to an execution function that performs process hollowing.\r\nDecryption routine\r\nThe decryption routine within the malware handles the cryptographic operations necessary to extract the hidden\r\npayload from the encrypted byte array. The method first validates that the input data contains at least 16 bytes,\r\nthen extracts the initialization vector from the first 16 bytes of the encrypted data and separates it from the\r\nciphertext. 
Using AES-256 encryption in CBC mode with PKCS7 padding, the routine decrypts the payload\r\nentirely in memory.\r\nFigure 06: AES-256 decryption routine extracting IV from encrypted payload\r\nError handling is implemented through a try-catch block that returns an empty byte array if decryption fails,\r\nallowing the malware to fail silently without crashing or alerting the victim to its presence.\r\nProcess hollowing technique\r\nThe malware injects its payload into the legitimate Visual Basic Compiler located at:\r\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe\r\nNote the Framework (rather than Framework64) directory: this is the 32-bit build of vbc.exe, so the hollowed\r\npayload runs as a 32-bit process.\r\nThe execution routine employs process hollowing to run the decrypted payload within a trusted Windows process.\r\nThe Run method validates its inputs before passing them to a ProcessExecutor class that implements retry logic\r\nthrough ExecuteWithRetry, ensuring successful payload injection even if initial attempts encounter errors or\r\ntiming issues.\r\nBy injecting into vbc.exe, a legitimate Microsoft-signed binary commonly present on systems with the .NET\r\nFramework installed, the malware evades detection by security tools that rely on process reputation or application\r\nwhitelisting: the image launched from disk is the genuine compiler, and only its memory contents are replaced.\r\nThe strictBaseAddress parameter suggests the payload must be mapped at its preferred base address rather than\r\nrelocated; together with the retry logic, this points to process manipulation written to keep the injected image\r\nintact during execution.\r\nWith the loader in place and the payload decrypted inside vbc.exe, the final stage comes into focus: a full-featured\r\nremote access toolkit we track as OctoRAT.\r\nOctoRAT immediately begins its initialization sequence once injected into vbc.exe. 
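The decrypt-then-validate step that the first-stage PowerShell and the Anivia loader both perform (IV taken from the first 16 bytes, AES-256-CBC with PKCS7 padding, an empty result on any failure) is reproduced below as an added Python example; it is not code from this write-up or from the malware. It assumes the hardcoded key string is used as its raw bytes, needs the cryptography package, and substitutes a constructed PE-shaped buffer for the real payload so that it runs offline.

```python
# Added example, not code from the write-up or from the malware itself. It reproduces the
# layout and failure behaviour described above: blob = IV (16 bytes) || AES-256-CBC ciphertext
# with PKCS7 padding, and an empty result on any error. Requires the 'cryptography' package.
# Assumptions: the reported key string is used as its raw bytes, and the payload below is a
# constructed PE-shaped buffer standing in for the real 228,384-byte array.
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

ANIVIA_KEY = b'AniviaCryptKey2024!32ByteKey!!XX'   # 32 bytes, hence AES-256
IV_LEN = 16


def anivia_decrypt(blob: bytes, key: bytes = ANIVIA_KEY) -> bytes:
    # Mirrors the loader: a too-short input or any crypto/padding error yields b'' (fail silently).
    if len(key) != 32 or len(blob) < IV_LEN:
        return b''
    iv, ciphertext = blob[:IV_LEN], blob[IV_LEN:]
    try:
        dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        padded = dec.update(ciphertext) + dec.finalize()
        unpad = padding.PKCS7(128).unpadder()
        return unpad.update(padded) + unpad.finalize()
    except Exception:
        return b''


def looks_like_pe(data: bytes) -> bool:
    # Sanity check on the output: MZ header and a PE signature at the e_lfanew offset.
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], 'little')
    return data[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


def anivia_encrypt(plain: bytes, key: bytes = ANIVIA_KEY, iv: bytes = bytes(IV_LEN)) -> bytes:
    # Inverse operation, used only to build a blob in the loader's own layout for offline testing.
    pad = padding.PKCS7(128).padder()
    padded = pad.update(plain) + pad.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(padded) + enc.finalize()


# Constructed stand-in for the embedded payload: minimal MZ/PE headers plus a marker body.
SAMPLE_PE = (b'MZ' + bytes(0x3A) + (0x40).to_bytes(4, 'little')
             + b'PE' + bytes(2) + b'constructed sample body, not a real binary')
SAMPLE_BLOB = anivia_encrypt(SAMPLE_PE, iv=bytes(range(16)))


def unpack_report(blob: bytes) -> dict:
    # What an analyst wants from a carved blob: does it decrypt, and is the result a PE image?
    out = anivia_decrypt(blob)
    return {'blob_bytes': len(blob), 'plain_bytes': len(out), 'is_pe': looks_like_pe(out)}


if __name__ == '__main__':
    print(unpack_report(SAMPLE_BLOB))          # decrypts to the PE-shaped buffer
    print(unpack_report(SAMPLE_BLOB[:-3]))     # ciphertext no longer block-aligned: silent b''
```

Run against a blob carved from the AniviaCRT byte array, the same function either returns a decrypted image that passes the MZ/PE check or b'' for a truncated or re-keyed sample, which is exactly the loader's own behaviour. In the real chain the validated image is what ProcessExecutor then hollows into vbc.exe, and that is where OctoRAT starts.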
This fully featured remote\r\naccess toolkit activates only after the loader completes its decryption and process-hollowing stage, and identifies\r\nitself through the mutex:\r\nOctoRAT_Client_Mutex_{B4E5F6A7-8C9D-0E1F-2A3B-4C5D6E7F8A9B}\r\nThe mutex name is fixed, which makes it a cheap host indicator in its own right.\r\nOctoRAT is a .NET binary offering over 70 command modules, robust persistence mechanisms, privilege-elevation and UAC-bypass functionality, and extensive data-collection features targeting browsers, stored\r\ncredentials, and cryptocurrency wallets. Its design reflects familiarity with Windows internals and the .NET\r\nruntime. The breadth of the feature set suggests a Malware-as-a-Service (MaaS) model, where the tool is sold or\r\nrented on underground cybercrime markets.\r\nInitialization and privilege assessment\r\nUpon execution, OctoRAT initiates a carefully orchestrated initialization sequence. The malware begins by\r\nloading SQLite database libraries through a component named \"iamfine\", a weak attempt at obfuscation that\r\nexperienced analysts will immediately recognize as suspicious. This SQLite loading is strategically important:\r\nmodern web browsers store sensitive user data in SQLite databases, and by loading these libraries first, the\r\nmalware prepares itself to harvest saved passwords, browsing history, cookies, and autofill data.\r\nFollowing initialization, the malware performs a privilege assessment by querying the Windows security\r\nsubsystem to determine whether it possesses administrator rights. This check examines whether the process token\r\nholds membership in the built-in Administrators group, using standard Windows security APIs. 
The result determines the malware's subsequent\r\nbehavior, including whether to attempt privilege escalation.\r\nFodHelper UAC bypass technique\r\nWhen OctoRAT discovers it lacks administrator privileges, it attempts the FodHelper UAC bypass, a well-documented technique that exploits a design flaw in how Windows handles the FodHelper.exe utility, which is\r\nconfigured for auto-elevation.\r\nFigure 07: FodHelper UAC bypass implementation exploiting the ms-settings registry\r\nThe attack proceeds as follows:\r\nThe malware creates a registry key at HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command\r\nThe default value is set to point to the malware's executable\r\nA second value named \"DelegateExecute\" is set to an empty string, forcing Windows to use the legacy\r\ncommand execution path\r\nFodHelper.exe is launched normally, reading the manipulated registry key and spawning the malware with\r\nelevated privileges\r\nThe entire attack occurs silently, completely bypassing the UAC prompt. Two caveats apply: the bypass only works\r\nwhen the current user is already a member of Administrators running at medium integrity (a standard user has no\r\nsplit token for FodHelper to auto-elevate, and the Always notify UAC level disables auto-elevation altogether), and\r\nthe HKCU key it writes is visible to registry auditing for the few moments it exists. After the bypass attempt,\r\nregardless of success, the malware deletes the incriminating registry key at HKCU\\Software\\Classes\\ms-settings,\r\ndemonstrating the threat actor's attention to operational security.\r\nIf the FodHelper technique fails, the malware falls back to an ordinary elevation request, i.e. a standard UAC\r\nprompt that the victim has to accept, relying on social engineering for success.\r\nImmediate data theft: browser credential harvesting\r\nBefore establishing command and control communications, the malware executes comprehensive browser data\r\ntheft. 
This ordering represents a deliberate design decision that maximizes the attacker's return even\r\nin worst-case scenarios where the malware is detected quickly.\r\nFigure 08: OctoRAT reconnaissance packet construction with system information gathering\r\nA dedicated browser extraction component targets SQLite databases from all major browsers:\r\nBrowser | Data Location\r\nChrome | %APPDATA%\\Google\\Chrome\\User Data\r\nFirefox | %APPDATA%\\Mozilla\\Firefox\\Profiles\r\nEdge | %APPDATA%\\Microsoft\\Edge\\User Data\r\n(For reference, a default Chrome or Edge install keeps User Data under %LOCALAPPDATA%, while Firefox profiles do\r\nlive under %APPDATA%; file-access detections for these stores should watch both locations.)\r\nThe stolen data typically includes:\r\nSaved passwords for all websites\r\nAutofill information (names, addresses, phone numbers, credit card details)\r\nBrowsing history\r\nSession cookies (enabling session hijacking)\r\nImmediately after extraction, the malware uploads this data to the attacker's server. The destination address comes\r\nfrom configuration data embedded within the malware's resources, with fallback default values of\r\n127.0.0[.]1:8080 suggesting these defaults exist for development and testing purposes.\r\nPersistence mechanism\r\nOctoRAT employs Windows Task Scheduler for persistence. The scheduled task is named \"WindowsUpdate\",\r\ndeliberately chosen to masquerade as legitimate Windows functionality. The task configuration specifies execution\r\nevery single minute, a remarkably aggressive schedule that ensures rapid respawn capability:\r\nschtasks.exe /create /tn \"WindowsUpdate\" /tr \"\u003cmalware_path\u003e\" /sc minute /mo 1 /f\r\nBefore creating the new task, the malware attempts to delete any existing task with the same name to ensure a\r\nclean installation. A task that fires every minute also leaves a steady stream of Task Scheduler operational events\r\nand a TaskCache registry entry under that name, both of which are easy to hunt for.\r\nCommand and control architecture\r\nOnce persistence is established, the malware enters its main operational phase. 
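Before following the malware into its command-and-control phase, the host-side artifacts described so far (a script host spawning hidden PowerShell with an execution-policy bypass and a temp .ps1, vbc.exe started by PowerShell or reaching the network, the ms-settings registry key, and a scheduled task firing every minute) can be written down as detection logic. The Python below is an added example, not code from this write-up or from any product; it runs over a constructed set of simplified Sysmon-style events, and the paths, SID and file names in those events are invented.

```python
# Added example, not detection content from the write-up or from any vendor product. It turns the
# host artifacts described in this analysis into rules and runs them over constructed events in
# simplified Sysmon-style fields (process creation, registry value set). Paths, SID and file
# names are made up; the rule logic is the point.
import ntpath
from dataclasses import dataclass

BS = chr(92)   # backslash, kept out of string literals so the example stays easy to read


def w(p: str) -> str:
    # Sample-building helper: paths are written with '/' and stored with real Windows separators.
    return p.replace('/', BS)


@dataclass
class Event:
    kind: str              # 'process' (creation) or 'registry' (value set)
    image: str = ''        # full path of the created process
    parent: str = ''       # full path of its parent
    cmdline: str = ''      # command line of the created process
    target: str = ''       # registry key path, for 'registry' events
    net: bool = False      # process later opened an outbound connection (joined from network events)


def norm(path: str) -> str:
    return path.lower().replace(BS, '/')


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def after(toks, flag):
    # Token following a switch, or '' when the switch is absent or last.
    try:
        return toks[toks.index(flag) + 1]
    except (ValueError, IndexError):
        return ''


def rule_vbs_to_hidden_powershell(e: Event) -> bool:
    # Script host -> PowerShell with an execution-policy bypass plus a hidden window or a temp .ps1.
    if e.kind != 'process' or base(e.parent) not in ('wscript.exe', 'cscript.exe'):
        return False
    if base(e.image) not in ('powershell.exe', 'pwsh.exe'):
        return False
    toks = e.cmdline.lower().split()
    bypass = any(after(toks, f) == 'bypass' for f in ('-ep', '-ex', '-exec', '-executionpolicy'))
    hidden = after(toks, '-w') == 'hidden' or after(toks, '-windowstyle') == 'hidden'
    temp_ps1 = '/temp/' in norm(e.cmdline) and '.ps1' in norm(e.cmdline)
    return bypass and (hidden or temp_ps1)


def rule_vbc_exe_anomaly(e: Event) -> bool:
    # vbc.exe is a compiler: it has no reason to be spawned by a script host or PowerShell,
    # to talk to the network, or to launch shells, schtasks, netsh or fodhelper (hollowed host).
    if e.kind != 'process':
        return False
    scripting = ('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe')
    if base(e.image) == 'vbc.exe':
        return e.net or base(e.parent) in scripting
    if base(e.parent) == 'vbc.exe':
        return base(e.image) in ('cmd.exe', 'schtasks.exe', 'netsh.exe', 'fodhelper.exe') + scripting
    return False


def rule_fodhelper_ms_settings(e: Event) -> bool:
    # The FodHelper bypass needs HKCU/Software/Classes/ms-settings/Shell/Open/command to exist.
    return e.kind == 'registry' and 'classes/ms-settings/shell/open/command' in norm(e.target)


def rule_every_minute_task(e: Event) -> bool:
    # schtasks /create ... /sc minute /mo 1: the one-minute respawn schedule used for persistence.
    if e.kind != 'process' or base(e.image) != 'schtasks.exe':
        return False
    toks = e.cmdline.lower().split()
    return '/create' in toks and after(toks, '/sc') == 'minute' and after(toks, '/mo') == '1'


RULES = {
    'vbs_to_hidden_powershell': rule_vbs_to_hidden_powershell,
    'vbc_exe_anomaly': rule_vbc_exe_anomaly,
    'fodhelper_ms_settings_hijack': rule_fodhelper_ms_settings,
    'every_minute_scheduled_task': rule_every_minute_task,
}


def detect(events):
    # (rule name, event index) pairs; one event may trip several rules.
    return [(name, i) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]


PS_EXE = w('C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe')
VBC_EXE = w('C:/Windows/Microsoft.NET/Framework/v4.0.30319/vbc.exe')

# Constructed event stream: the infection chain in order, followed by two benign look-alikes.
SAMPLE_EVENTS = [
    Event('process', image=w('C:/Windows/System32/wscript.exe'), parent=w('C:/Windows/explorer.exe'),
          cmdline='wscript.exe ' + w('C:/Users/dev/Downloads/setup.vbs')),
    Event('process', image=PS_EXE, parent=w('C:/Windows/System32/wscript.exe'),
          cmdline='powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File '
                  + w('C:/Users/dev/AppData/Local/Temp/q1w2e3r4.ps1')),
    Event('process', image=VBC_EXE, parent=PS_EXE, cmdline='vbc.exe', net=True),
    Event('registry', target=w('HKU/S-1-5-21-1111-2222-3333-1001/Software/Classes/ms-settings/Shell/Open/command')),
    Event('process', image=w('C:/Windows/System32/schtasks.exe'), parent=VBC_EXE,
          cmdline='schtasks.exe /create /tn WindowsUpdate /tr ' + w('C:/Users/dev/AppData/Roaming/svc.exe')
                  + ' /sc minute /mo 1 /f'),
    Event('process', image=VBC_EXE, parent=w('C:/Windows/Microsoft.NET/Framework/v4.0.30319/MSBuild.exe'),
          cmdline='vbc.exe /noconfig /target:library app.vb'),
    Event('process', image=w('C:/Windows/System32/schtasks.exe'), parent=w('C:/Windows/System32/cmd.exe'),
          cmdline='schtasks.exe /create /tn NightlyBackup /tr C:/backup.cmd /sc daily /st 02:00'),
]

if __name__ == '__main__':
    for name, i in detect(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f'{name:30} event {i}: {e.image or e.target}')
```

The rules are keyed on relationships (parent, child, network, schedule) rather than file hashes, because the actor rotates payloads; in a real pipeline the net flag would come from joining process-creation events with network-connection events on the process GUID, and the two benign events at the end show that a developer build invoking the compiler or a normal daily task does not fire.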
The communication system\r\ndemonstrates professional network programming with robust error handling. The malware operates in a\r\ncontinuous loop, attempting to connect to the configured C2 server. When a connection attempt fails, the malware\r\nwaits five seconds before retrying.\r\nFigure 09: Browser data exfiltration module uploading stolen credentials to C2 server\r\nUpon successful connection, the malware transmits a JSON-formatted reconnaissance packet containing:\r\ncomputer hostname, current username, Windows version and build information, country (based on system locale),\r\nnumber of attached monitors, and cryptocurrency wallet detection flag.\r\nHeartbeat mechanism\r\nA heartbeat mechanism sends periodic ping packets to verify connection status, with the server responding with\r\npong packets. If no network activity occurs for ten seconds, the malware proactively sends a ping. An error\r\ncounter tracks consecutive failures; if this exceeds twenty, the malware disconnects and attempts a fresh\r\nconnection.\r\nSupported commands and capabilities\r\nThe malware implements an extensive command set providing comprehensive control over infected systems. 
We\r\nhave categorized these capabilities below.\r\nRemote desktop commands\r\nCommand | Description\r\nstart_desktop | Begin screen capture streaming\r\nstop_desktop | Stop screen capture streaming\r\nchange_quality | Adjust capture resolution\r\ntake_screenshot | Capture single screenshot\r\nrd_mouse_move | Move mouse cursor to coordinates\r\nrd_mouse_down | Simulate mouse button press\r\nrd_mouse_up | Simulate mouse button release\r\nrd_mouse_wheel | Simulate scroll wheel movement\r\nrd_key_down | Simulate keyboard key press\r\nrd_key_up | Simulate keyboard key release\r\nrd_enable_input | Enable remote input control\r\nrd_disable_input | Disable remote input control\r\nProcess management\r\nCommand | Description\r\nget_processes | List all running processes\r\nkill_process | Terminate process by PID\r\nsuspend_process | Suspend process execution\r\nFile system operations\r\nCommand | Description\r\nget_drives | List available disk drives\r\nlist_dir | List directory contents\r\ndownload_file | Exfiltrate file to attacker\r\nupload_file | Upload file to victim system\r\nupload_file_chunk | Chunked file upload for large files\r\nexecute_file | Execute file on victim system\r\nSurveillance capabilities\r\nCommand | Description\r\nstart_keylogger | Begin keystroke capture\r\nstop_keylogger | Stop keystroke capture\r\nstart_clipboard_monitor | Begin clipboard monitoring\r\nstop_clipboard_monitor | Stop clipboard monitoring\r\nData theft\r\nCommand | Description\r\nscan_wallets | Enumerate cryptocurrency wallets\r\ngrab_wallets | Steal all wallet data\r\ngrab_single_wallet | Steal specific wallet\r\nget_browser_history | Extract browsing history\r\nget_autofill_data | Extract form autofill data\r\nrecover_passwords | Extract saved passwords\r\nPersistence management\r\nCommand | Description\r\nget_startup | List startup programs\r\nadd_startup | Add program to startup\r\nremove_startup | Remove program from startup\r\ncheck_startup | Check if program in startup\r\nadd_to_startup | Add malware to startup\r\nWindows services\r\nCommand | Description\r\nget_services | List Windows services\r\nstart_service | Start a Windows service\r\nstop_service | Stop a Windows service\r\nRegistry operations\r\nCommand | Description\r\nlist_registry | Browse registry keys and values\r\nset_registry_value | Modify registry values\r\nNetwork capabilities\r\nCommand | Description\r\nget_network_info | Get network adapters and WiFi passwords\r\nstart_reverse_proxy | Start SOCKS proxy server\r\nstop_reverse_proxy | Stop SOCKS proxy server\r\nCode execution\r\nCommand | Description\r\nexecute_script | Run arbitrary script code\r\ncheck_python | Check if Python is installed\r\ninstall_python | Install Python runtime\r\nexecute_python | Execute Python code\r\nSecurity bypass\r\nCommand | Description\r\ndisable_uac | Disable User Account Control\r\ndisable_firewall | Disable Windows Firewall\r\nSelf-management\r\nCommand | Description\r\nupdate_client | Update malware binary\r\nuninstall_client | Remove malware from system\r\nHarassment functions\r\nCommand | Description\r\nfun_message | Display popup message box\r\nfun_play_sound | Play audio file\r\nfun_swap_mouse | Swap left and right mouse buttons\r\nfun_flip_screen | Rotate display upside down\r\nfun_lock_screen | Lock the Windows workstation\r\nfun_block_input | Block all keyboard and mouse input\r\nfun_open_cd_tray | Eject CD/DVD drive tray\r\nfun_hide_taskbar | Hide Windows taskbar\r\nfun_minimize_all | Minimize all open windows\r\nfun_shake_windows | Visually shake windows\r\nfun_open_notepad | Open Notepad with custom text\r\nfun_open_website | Open URL in default browser\r\nfun_change_wallpaper | Change desktop wallpaper\r\nfun_spam_disk | Open multiple Explorer windows\r\nRemote desktop: complete visual control\r\nThe remote desktop functionality is one of OctoRAT's most capable components. When activated via start_desktop, the\r\nmalware begins capturing the victim's screen at a target rate of sixty frames per second.\r\nThe streaming system implements several optimizations:\r\nTiming system: Calculates precise intervals between frame captures to maintain the target frame rate\r\nAsynchronous transmission: Prevents screen capture from blocking during network operations\r\nFlow control: A semaphore-based mechanism prevents frame queuing if the network cannot transmit fast\r\nenough\r\nMulti-monitor support: Allows attackers to select which display to view\r\nQuality adjustment: Real-time resolution and compression level changes\r\nA safety mechanism requires explicit activation of input control via rd_enable_input before accepting input\r\ncommands, allowing passive observation without accidentally alerting the victim.\r\nCryptocurrency wallet theft\r\nThe explicit targeting of cryptocurrency wallets reveals the financially motivated nature of this malware. The\r\nwallet theft functionality operates in two phases: discovery and extraction.\r\nFigure 10: Cryptocurrency wallet targeting code enumerating Bitcoin, Ethereum, and other wallets\r\nDiscovery phase: The scan_wallets command triggers a systematic search for known wallet applications:\r\nBitcoin Core\r\nElectrum\r\nExodus\r\nAtomic Wallet\r\nCoinomi\r\nExtraction phase: After scanning, the attacker receives a report listing discovered wallets. 
The grab_wallets\r\ncommand extracts data from all discovered wallets simultaneously, packaging wallet directories into compressed\r\nZIP archives for efficient transmission.\r\nWallet data typically includes encrypted private keys, transaction history, address books, and configuration files.\r\nWhile private keys are usually encrypted, weak passwords can be broken through offline brute-force attacks, or\r\npasswords might be obtained through keylogging.\r\nNetwork intelligence and WiFi credential theft\r\nThe get_network_info command collects comprehensive network configuration data:\r\nInterface name and description\r\nAdapter type (wired, wireless, virtual)\r\nConnection status\r\nIP addresses\r\nHardware MAC address\r\nLink speed\r\nDefault gateway\r\nDNS servers\r\nAdditionally, the malware extracts saved WiFi passwords for all previously connected networks. Armed with these\r\ncredentials, an attacker with physical proximity could connect directly to the victim's wireless networks.\r\nReverse proxy: turning victims into attack infrastructure\r\nThe start_reverse_proxy and stop_reverse_proxy commands transform infected systems into network relay points.\r\nWhen activated, the malware starts a SOCKS proxy server on a specified port (1024-65535), allowing the attacker\r\nto route arbitrary traffic through the victim's machine.\r\nThis capability serves multiple purposes:\r\nAnonymization: Traffic bouncing makes the attacker's location harder to trace\r\nPivoting: Enables access to internal corporate resources\r\nMonetization: Proxy infrastructure can be sold in underground marketplaces\r\nOn a developer workstation inside a corporate network, pivoting is the dangerous case: a SOCKS listener on the host\r\nputs the operator next to source repositories, CI runners and internal services, and a new high-numbered listening\r\nport on a client machine is itself worth alerting on.\r\nSecurity feature disablement\r\nTwo commands explicitly target Windows security features:\r\ndisable_uac: Modifies\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA to\r\nzero, completely disabling User Account Control. This is an HKLM write, so it only succeeds once the malware has\r\nelevated, and the change takes full effect at the next reboot.\r\ndisable_firewall: Uses netsh advfirewall set allprofiles state off to disable Windows Firewall across all network\r\nprofiles. The netsh invocation is a child process with a distinctive command line and is a high-confidence detection\r\non its own.\r\nTogether, these commands create a severely weakened security posture, making the system more vulnerable to\r\nadditional attacks.\r\nHarassment functions: revealing the target market\r\nThe extensive harassment function library warrants examination. While these functions appear trivial compared to\r\nthe more advanced capabilities elsewhere in the malware, they reveal important clues about OctoRAT's intended\r\nuser base.\r\nThe presence of features such as fun_message (popup display), fun_flip_screen (rotate display upside down),\r\nfun_block_input (block keyboard and mouse), and fun_shake_windows strongly suggests OctoRAT is designed\r\nfor sale or distribution in underground forums where less sophisticated attackers seek tools for intimidation,\r\nextortion, or entertainment at victims' expense.\r\nSelf-management and removal\r\nupdate_client: Triggers a restart sequence allowing the malware to be replaced with a newer version. The malware\r\ncreates a batch script that waits for the current process to terminate, then relaunches the executable.\r\nuninstall_client: Performs clean removal by deleting the scheduled task, then initiating self-deletion.\r\nA configuration option called meltEnabled controls whether the malware hides its executable file by setting\r\nhidden and system filesystem attributes.\r\nHunting OctoRAT control panel infrastructure\r\nTo better understand the scope of OctoRAT deployment in the wild, we conducted internet-wide scanning to\r\nidentify active command and control infrastructure. 
Our research revealed a distinctive web-based control panel\r\nthat threat actors use to manage their botnet operations.\r\nControl panel characteristics\r\nThe OctoRAT C2 infrastructure features a web-based administration panel branded as \"OctoRAT Center\" with the\r\ntagline \"Secure Remote Management\", an ironic choice given its malicious purpose. The panel presents a\r\nprofessional login interface designed to manage infected endpoints.\r\nFigure 11: OctoRAT Center login panel discovered at 51.178.245[.]127:8000\r\nHTML fingerprinting\r\nAnalysis of the control panel's HTML source code reveals distinctive patterns that enable reliable fingerprinting\r\nfor internet-wide scanning:\r\nFigure 12: HTML source code revealing distinctive OctoRAT fingerprints\r\nThe following element provides a reliable detection signature: Page title:\r\n\u003ctitle\u003eOctoRAT Center - Login\u003c/title\u003e\r\nHuntSQL Rule scanning results\r\nUsing the HTML title fingerprint html.head.title LIKE '%OctoRAT Center - Login%', we queried internet\r\nscanning databases to identify exposed control panels. 
Our search returned 7 unique OctoRAT C2 servers active\r\nsince September 30, 2025.\r\nSELECT * FROM\r\n httpv2\r\nWHERE\r\n html.head.title LIKE '%OctoRAT Center - Login%'\r\nAND timestamp gt '2025-09-30'\r\nOutput example:\r\nFigure 13: Internet scanning results revealing 7 active OctoRAT control panels\r\nThose 7 hits gave us concrete OctoRAT panels to pull into our IP intelligence dashboard and treat as starting\r\npoints for deeper infrastructure pivots.\r\nHunt.io IP intelligence on OctoRAT infrastructure\r\nSeveral of the OctoRAT panels we found were already showing up inside Hunt.io as high-risk infrastructure.\r\nOne clear example is 178.16.55[.]109, a Railnet LLC host in the 178.16.55[.]0/24 range. On the infrastructure\r\nview for Railnet LLC, port 8000 is marked as an active OctoRAT control panel, sitting next to other exposed\r\nservices like SSH on 22, TLS on 3389, and HTTP on 5985.\r\nThe Reputation \u0026 Risk card flags the provider with Active Malware: OctoRAT, which lines up nicely with what\r\nwe picked up during scanning.\r\nFigure 14: Hunt.io IP intelligence showing an active instance of OctoRAT\r\nThe interesting part comes when you start pivoting away from a single IP. 
Moving into the Associations →\r\nCertificates tab lets you group servers by shared X.509 fingerprints instead of treating each host as an isolated\r\ncase.\r\nPivoting on the TLS certificate with SHA-256 fingerprint\r\n279F7AB5979E82CAA75AC4D7923EE1F3D76FE8C3EDC6CC124D619A8F7441EB5E opens up a much\r\nbigger picture: a cluster of 93 servers reusing the same certificate across Railnet LLC's infrastructure.\r\nFigure 15: Internet-wide certificate pivoting results showing threat actor infrastructure\r\nAnd it isn't limited to one region. The same fingerprint shows up on hosts in Germany (for example, the\r\n91.92.240[.]x range) and the Netherlands (the 91.92.243[.]x range), all tied back to Railnet LLC inside Hunt.io.\r\nFor anyone building detections, this kind of pivot is useful because a single OctoRAT hit isn't just a one-off\r\nindicator. It gives you a path into dozens of related hosts and certificates that share the same fingerprint. Treat a\r\nshared certificate as a lead rather than proof, though: a certificate reused across an entire provider's ranges can be\r\na hosting template applied to unrelated tenants, so each host in the cluster should be corroborated (the panel title,\r\nthe port-8000 service, observed C2 behavior) before it goes on a block list. 
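Both pivots used above, the page-title fingerprint from the HuntSQL query and grouping hosts by certificate SHA-256, can be reproduced against any batch of saved scan results. The Python below is an added example, not Hunt.io code; the hosts, HTML bodies and certificate bytes it uses are constructed (the certificates are arbitrary bytes wrapped as PEM, since only reuse matters for the clustering), while the title string and the known fingerprint value are the ones reported in this write-up.

```python
# Added example, not Hunt.io tooling: the page-title fingerprint and certificate clustering
# described above, applied offline to a constructed batch of scan records. Hosts, HTML bodies
# and certificate bytes are made up; the title string and the known fingerprint value are the
# ones reported in this write-up.
import hashlib
import ssl
from html.parser import HTMLParser

PANEL_TITLE = 'octorat center - login'
KNOWN_CERT_SHA256 = '279F7AB5979E82CAA75AC4D7923EE1F3D76FE8C3EDC6CC124D619A8F7441EB5E'


class TitleGrabber(HTMLParser):
    # Collects the text of the first <title> element, tolerating case, attributes and line breaks.
    def __init__(self):
        super().__init__()
        self.in_title, self.done, self.parts = False, False, []

    def handle_starttag(self, tag, attrs):
        if tag == 'title' and not self.done:
            self.in_title = True

    def handle_endtag(self, tag):
        if tag == 'title' and self.in_title:
            self.in_title, self.done = False, True

    def handle_data(self, data):
        if self.in_title:
            self.parts.append(data)


def page_title(html: str) -> str:
    p = TitleGrabber()
    p.feed(html)
    p.close()
    return ' '.join(''.join(p.parts).split())   # collapse runs of whitespace


def is_octorat_panel(html: str) -> bool:
    # Same predicate as the scanning query (title LIKE '%OctoRAT Center - Login%'), case-insensitive.
    return PANEL_TITLE in page_title(html).lower()


def cert_sha256(pem: str) -> str:
    # Fingerprint over the DER bytes, upper-case hex, the form shown on the Certificates tab.
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()


def cluster_by_cert(records):
    # records of (host, port, pem) -> {fingerprint: ['host:port', ...]}
    clusters = {}
    for host, port, pem in records:
        clusters.setdefault(cert_sha256(pem), []).append(f'{host}:{port}')
    return clusters


def triage(scan):
    # Confirmed panels (title match or the known fingerprint), plus hosts that only share a
    # certificate with a confirmed panel and therefore still need corroboration.
    confirmed = set()
    for host, port, html, pem in scan:
        if is_octorat_panel(html) or cert_sha256(pem) == KNOWN_CERT_SHA256:
            confirmed.add(f'{host}:{port}')
    related = set()
    for members in cluster_by_cert([(h, p, pem) for h, p, _, pem in scan]).values():
        if confirmed & set(members):
            related |= set(members)
    return sorted(confirmed), sorted(related - confirmed)


# Constructed inputs: arbitrary bytes wrapped as PEM stand in for certificates (only reuse
# matters here), and the hosts are documentation-range addresses.
PEM_A = ssl.DER_cert_to_PEM_cert(b'constructed certificate A, not real DER')
PEM_B = ssl.DER_cert_to_PEM_cert(b'constructed certificate B, not real DER')
HTML_PANEL = '<html><head>\n  <TITLE>OctoRAT   Center -\n  Login</TITLE>\n</head><body>login form</body></html>'
HTML_OTHER = '<html><head><title>Welcome to nginx!</title></head></html>'
SCAN = [
    ('203.0.113.10', 8000, HTML_PANEL, PEM_A),   # panel by title
    ('203.0.113.11', 8000, HTML_OTHER, PEM_A),   # same certificate, different page: a lead, not a hit
    ('198.51.100.7', 443, HTML_OTHER, PEM_B),    # unrelated
]

if __name__ == '__main__':
    print(page_title(HTML_PANEL))
    print(triage(SCAN))
```

triage() keeps hosts confirmed by title or by the known fingerprint apart from hosts that merely share a certificate with one, so the certificate pivot stays a lead to corroborate rather than an automatic block-list entry.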
Even if\r\nthe actor rotates payloads or quietly replaces control panels, the certificate reuse and hosting footprint stay stable\r\nenough to turn into reliable signals for threat hunting and network filtering.\r\nOnce the broader infrastructure comes into focus, the next question is how defenders can actually catch this\r\nactivity in practice.\r\nDetection Opportunities for Defenders\r\nSeveral characteristics of this campaign offer clear detection points:\r\nVSCode extension telemetry: look for installs of prettier-vscode-plus or sudden extension additions\r\noutside normal developer workflows.\r\nSuspicious GitHub access: repeated downloads from repositories with vague names like \"vscode,\"\r\nespecially when paired with VBS or encrypted payloads.\r\nvbc.exe process hollowing: flag instances where vbc.exe launches with unusual network activity or child\r\nprocesses.\r\nPowerShell executed via VBS: VBS→PowerShell chains with Base64 and AES routines are a strong\r\nindicator.\r\nOctoRAT panel fingerprint: detect external servers returning HTML titles containing OctoRAT Center -\r\nLogin.\r\nBeyond these detection angles, we also confirmed a set of OctoRAT panels exposed on the internet.\r\nIdentified C2 infrastructure\r\nThe following table summarizes confirmed OctoRAT control panel instances discovered through our scanning\r\nefforts:\r\nConclusions\r\nThe supply-chain attack against the Visual Studio Code ecosystem shows how quickly threats aimed at developers\r\nare evolving. By slipping a malicious extension into a trusted marketplace, the actor managed to bypass the usual\r\nsecurity barriers and reach users who often have direct access to source code, production systems, and other high-value assets.\r\nAnivia and OctoRAT also reflect a level of maturity you don't always see in commodity malware. 
Strong\r\nencryption, process hollowing into signed Windows binaries, and clean operational habits point to actors who\r\nknow exactly how to avoid noise and stay ahead of basic detections.\r\nIf you want to take a closer look at how Hunt.io surfaces C2 clusters, pivots on certificates, and exposes\r\nmalicious infrastructure in real time, you can book a demo and try it out with us.\r\nMITRE ATT\u0026CK mapping\r\nFor teams aligning their detections and playbooks to MITRE ATT\u0026CK, this campaign touches a broad range of\r\ntechniques across the lifecycle.\r\nTactic | Technique | ID\r\nInitial Access | Supply Chain Compromise | T1195.002\r\nExecution | PowerShell | T1059.001\r\nExecution | Visual Basic | T1059.005\r\nExecution | Scheduled Task | T1053.005\r\nPersistence | Scheduled Task | T1053.005\r\nPrivilege Escalation | Bypass UAC | T1548.002\r\nDefense Evasion | Process Hollowing | T1055.012\r\nDefense Evasion | Disable or Modify System Firewall | T1562.004\r\nDefense Evasion | Hidden Files and Directories | T1564.001\r\nCredential Access | Credentials from Web Browsers | T1555.003\r\nCredential Access | Credentials from Password Stores | T1555\r\nDiscovery | System Information Discovery | T1082\r\nDiscovery | Process Discovery | T1057\r\nDiscovery | File and Directory Discovery | T1083\r\nCollection | Keylogging | T1056.001\r\nCollection | Clipboard Data | T1115\r\nCollection | Screen Capture | T1113\r\nCommand and Control | Application Layer Protocol | T1071\r\nExfiltration | Exfiltration Over C2 Channel | T1041\r\nAlongside the technique mapping, defenders will want concrete artifacts they can feed into their tooling.\r\nIndicators of compromise\r\nThe SHA-256 hashes below correspond to the main malware components identified in this campaign, covering the\r\nVBScript dropper, embedded PowerShell loader, the Anivia stage, and the final OctoRAT payload.\r\nStage | SHA-256\r\nVBS | f4e5b1407f8a66f7563d3fb9cf53bae2dc3b1f1b93058236e68ab2bd8b42be9d\r\nPS | 9a870ca9b0a47c5b496a6e00eaaa68aec132dd0b778e7a1830dadf1e44660feb\r\nLoader | b8bc4a9c9cd869b0186a1477cfcab4576dfafb58995308c1e979ad3cc00c60f2\r\nRAT | 360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f\r\nSource: https://hunt.io/blog/malicious-vscode-extension-anivia-octorat-attack-chain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/malicious-vscode-extension-anivia-octorat-attack-chain"
	],
	"report_names": [
		"malicious-vscode-extension-anivia-octorat-attack-chain"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434132,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b39e1a34e304013ef4a2ac0f04d4a37658507ea.pdf",
		"text": "https://archive.orkl.eu/8b39e1a34e304013ef4a2ac0f04d4a37658507ea.txt",
		"img": "https://archive.orkl.eu/8b39e1a34e304013ef4a2ac0f04d4a37658507ea.jpg"
	}
}