{
	"id": "fb3fb93a-73f4-46c9-980f-eae1060a14cc",
	"created_at": "2026-04-06T00:21:15.132832Z",
	"updated_at": "2026-04-10T03:32:21.769248Z",
	"deleted_at": null,
	"sha1_hash": "9b6914c795cff208dc52bbc368dfeb4d133c72d1",
	"title": "WhiteCobra's Playbook Exposed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7298283,
	"plain_text": "WhiteCobra's Playbook Exposed\r\nBy Yuval Ronen\r\nArchived: 2026-04-05 15:23:42 UTC\r\nA new wave of 24 malicious extensions targeting VSCode, Cursor and Windsurf users has infiltrated the VSCode\r\nand OpenVSX marketplaces over the past month, and now we know exactly how they did it.\r\nToday we unveil a coordinated campaign by a threat actor group nicknamed WhiteCobra, which we’ve been tracking\r\nfor over a year. This is the same group behind the $500K crypto theft revealed two months ago and a slew of\r\nmalicious extensions published on the VSCode and OpenVSX marketplaces in 2024 and 2025, and now they're\r\nback with evolved tactics.\r\nWe’ve managed to recover their playbook, so today we get an extremely rare glimpse inside the operation of a\r\nsophisticated threat actor group active for multiple years. Koi managed to recover a detailed deployment plan that\r\nreveals WhiteCobra’s infrastructure, promotional strategies, and shocking revenue projections.\r\nThis new wave of malicious extensions has already claimed a high-profile victim. Crypto influencer zak.eth had\r\nhis wallet drained by WhiteCobra’s malicious Cursor extensions, an incident that garnered over 2 million views on\r\nX.\r\nWill zak.eth be the last victim of WhiteCobra?\r\nzak.eth is not just any victim; he is a security professional with a decade of security experience, hinting at the\r\nlevel of sophistication these attacks have achieved. While we've reported this new wave and since then the extensions have\r\nbeen taken down, WhiteCobra continues to upload new malicious extensions on a weekly basis, including just this\r\nweek.
This makes zak.eth far less likely to be the last victim.\r\nhttps://www.koi.ai/blog/whitecobra-vscode-cursor-extensions-malware\r\nPage 1 of 11\n\nLet’s break down how WhiteCobra went from sloppy PowerShell miners to stealthy macOS-compatible crypto\r\nstealers, why their old trick of install inflation still makes them look legitimate, and how their multi-stage\r\npayload delivery works under the hood.\r\nThe $500K/Hour Plan: Inside WhiteCobra's Leaked Playbook\r\nWe managed to recover a markdown file titled \"DEPLOYMENT PLAN: Operation Solidity Pro\", and just like in the\r\nmovies it reads like a criminal business plan.\r\nWhile we’ll now break down their detailed plan step by step, we’ve included a censored version of this smoking\r\ngun along with this blog post, removing the technical details that would allow replication of these attacks.\r\nThe document begins with cold calculations of potential revenue:\r\nLow Estimate: $10,000/hour (targeting select high-value wallets)\r\nHigh Estimate: $500,000/hour (widespread infection hitting \"whale wallets\")\r\nRevenue estimates from WhiteCobra's playbook\r\nBut the revenue projections are just the beginning.
The playbook provides a complete blueprint for weaponizing\r\nthe VS Code extension ecosystem.\r\nTheir 5-Phase Attack Strategy\r\nPhase 1: Packaging - Instructions for creating the malicious VSIX file\r\nPhase 2: Deployment - Steps to upload to OpenVSX with \"convincing details\"\r\nPhase 3: Promotion - Social media templates and bot engagement tactics\r\nPhase 4: Inflation - Automated scripts to generate 50,000 fake downloads for \"social proof\"\r\nPhase 5: Exfiltration - Real-time monitoring of stolen seed phrases and immediate fund transfers\r\nThe document even includes the wallet address where stolen funds should be sent and specific instructions for\r\nsetting up command \u0026 control infrastructure, complete with ScreenConnect backdoors on port 8041.\r\nFake Downloads: Manufacturing Trust at Scale\r\nOne of the most damaging revelations from the playbook is their systematic approach to faking credibility: \"Let\r\nthe script run until the target of 50,000 downloads is reached. This will provide social proof for developers\r\ndiscovering the extension\" (directly quoted from their manual). In practice we see that malicious extensions often\r\nhave a much higher number than that. To really see how confusing it can be, take a good look at the following\r\nscreenshot and try to guess which is the real Solidity extension and which is the malware.\r\nWhich one would you trust, 1 or 2?\r\nIf you guessed that #1 with 108K downloads was legitimate, congratulations: you have just installed malware. The #2\r\nextension with 64K downloads is actually legitimate, but the malicious version has inflated its numbers to appear\r\neven more trustworthy.
This is exactly how zak.eth and countless other developers got compromised: the fake\r\noften looks more real than the real thing.\r\nThe playbook continues by detailing their download inflation strategy, including:\r\nProcurement of \"thousands of high-quality residential proxies\"\r\nPython scripts (download_bot.py) to automate the inflation\r\nInstructions to run the bot immediately after deployment to create instant credibility\r\nBy faking massive numbers of downloads, they continue to trick developers, and sometimes even marketplace\r\nreview systems, into thinking their extensions are safe, popular, and vetted. To a casual observer, 100K installs\r\nsignals legitimacy. That’s exactly what they’re counting on.\r\nSnippet from download_bot.py\r\nSocial Engineering at Scale: The X (Twitter) Campaign\r\nThe playbook includes pre-written social media templates and a sophisticated promotional strategy. Their posts\r\nare crafted to exploit developer psychology:\r\nWhiteCobra's Twitter posts playbook\r\nNotice the manipulation tactics:\r\nArtificial urgency (\"Don't get left behind\", \"Don't be the last to join\")\r\nFake social proof (\"50,000+ developers switched\" - the same fake downloads they generated)\r\nAggressive positioning (\"Hardhat is dead\", \"they don't want you to have\")\r\nFOMO triggers targeting developer insecurities about using \"outdated\" tools\r\nThe playbook instructs operators to:\r\nUse \"high-reputation X accounts\" styled after known developer influencers\r\nStagger posts over 2-hour periods to simulate organic discovery\r\nDeploy bots to \"like, retweet, and comment on relevant developer conversations\"\r\nThis coordinated social media manipulation explains how these malicious extensions gain traction so quickly.
By\r\nthe time real developers start discussing them, the conversation has already been seeded with fake endorsements\r\nand artificial buzz.\r\nSnippet from poster.py\r\nTechnical Deep Dive: WhiteCobra’s Payload Delivery Chain\r\nWhiteCobra’s operation isn’t just persistent - it’s technically layered, obfuscated, and intentionally evasive. Let’s\r\nwalk through the extension’s execution flow and unpack how the final malicious executable is delivered and run,\r\ncross-platform.\r\nThis isn’t your typical script kiddie setup - it’s a carefully staged, platform-aware infection chain.\r\nLet’s analyze one of the extensions (they are practically the same) the threat actor uploaded to OpenVSX:\r\n“solidity” by “juan-blanco” (the legitimate extension has the same name, by “juanblanco”).\r\nIt’s going to be multi-stage fun with the actual obfuscated and deobfuscated malicious code snippets, so buckle\r\nup!\r\nExecution chain illustration\r\nStage 1: Execution Begins from extension.js\r\nAt first glance, the extension’s main file “extension.js” looks completely harmless. In fact, it’s nearly identical to\r\nthe default “Hello World” boilerplate that comes with every VSCode extension template. There’s no suspicious\r\nlogic - just a clean, minimal setup. The only additional functionality is the call to the “ShowPrompt” function from\r\n“./utils/prompt”.\r\nextension.js\r\nThis simple call hands off execution to the prompt.js file - the true entry point of the attack chain.
By isolating\r\nmalicious behavior in a secondary script, the threat actor avoids triggering red flags during static reviews or\r\nautomated scans that only check the primary file.\r\nThe ShowPrompt() function hides additional code that is executed using eval:\r\nprompt.js\r\nThe eval is hiding in here: \"Z\u0026X\u0026Z\u0026h\u0026b\u0026A\u0026=\u0026=\u0026\" -\u003e \"ZXZhbA==\" -\u003e “eval”\r\nThe resulting script downloads the next stage from Cloudflare’s pages.dev based on the platform.\r\nResulting script\r\nStage 2: Platform-specific payload\r\nLet’s dive into the Windows payload - it uses the same trick to hide the eval call and has a base64 encoded script:\r\nWindows Second Payload\r\nThe encoded script is as follows:\r\nWindows second payload encoded script\r\nLooks complicated... Let me deobfuscate it a bit and show what it really does:\r\nWindows second payload deobfuscated\r\nOh! So it simply uses PowerShell to download Python, and then executes an encoded Python script!\r\nThe Python script downloads from pages.dev a file with a “pyd” extension (which has nothing to do with real pyd files),\r\ndecrypts it using a hardcoded substitution key, and executes the downloaded shellcode directly in memory:\r\nPython script\r\nStage 3: Shellcode executable\r\nThe shellcode executes a PE executable - LummaStealer (a commercial info-stealer) that steals crypto information\r\nand more from the machine.\r\nWe analyzed it and discovered that it looks for many different services on the machine:\r\nCryptocurrency wallets and information\r\nConnection services like AnyDesk, VPNs and VNC\r\nCloud infrastructure\r\nMessaging platforms\r\nPassword managers\r\nWallet \u0026 password management browser extensions\r\nThe malware targets file-sharing, cloud infrastructure and messaging apps\r\nPopular Chrome
extensions targeted by WhiteCobra\r\nDuring its execution, it communicates with the following C2 servers:\r\nIliafmoj[.]forum\r\nmastwin[.]in\r\nFinal Thoughts\r\nWhiteCobra's leaked playbook reveals more than just their tactics. It exposes the industrialization of extension-based attacks. With documented processes, automated tools, and revenue projections treating victims as mere\r\nnumbers, this isn't hacking; it's a business operation.\r\nSolidity-Ethereum report on Koidex\r\nWhile we've reported these 24 variants and they've been taken down, WhiteCobra continues uploading new\r\nmalicious extensions on a daily basis. The playbook shows they can deploy a new campaign in under 3 hours,\r\nfrom packaging to promotion to profit.\r\nThis growing gap between attacker sophistication and developer defenses is the real danger. Threat actors like\r\nWhiteCobra are operating with industrialized precision, while everyday developers have almost no reliable way to\r\ntell safe tools from malicious ones. Marketplace ratings, download counts, and even official reviews can all be\r\nmanipulated, leaving even seasoned professionals vulnerable. Without better mechanisms for trust and\r\nverification, the advantage remains firmly on the side of the attackers.\r\nKoi was built to solve this problem. Our platform gives practitioners and enterprises the ability to uncover,\r\nevaluate, and control what their teams bring in from ecosystems like VS Code, NPM, Chrome Web Store,\r\nHugging Face, Homebrew, and beyond.
Today, some of the world’s largest banks, Fortune 50 companies, and\r\nleading technology firms rely on Koi to automate the processes that bring visibility, establish governance, and\r\nproactively shrink this expanding attack surface.\r\nIf you want to see how it works — or if you’re ready to take action — book a demo or reach out to us.\r\nWe’ve got more to share soon, so stay tuned.\r\nIOCs\r\nExtension IDs:\r\nNetwork IOCs:\r\nFile Hashes:\r\nSource: https://www.koi.ai/blog/whitecobra-vscode-cursor-extensions-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.koi.ai/blog/whitecobra-vscode-cursor-extensions-malware"
	],
	"report_names": [
		"whitecobra-vscode-cursor-extensions-malware"
	],
	"threat_actors": [
		{
			"id": "ca4d8568-ef8e-41e7-a7d1-a8bddf2c4e4b",
			"created_at": "2026-02-11T02:00:03.949755Z",
			"updated_at": "2026-04-10T02:00:03.973815Z",
			"deleted_at": null,
			"main_name": "WhiteCobra",
			"aliases": [],
			"source_name": "MISPGALAXY:WhiteCobra",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434875,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b6914c795cff208dc52bbc368dfeb4d133c72d1.pdf",
		"text": "https://archive.orkl.eu/9b6914c795cff208dc52bbc368dfeb4d133c72d1.txt",
		"img": "https://archive.orkl.eu/9b6914c795cff208dc52bbc368dfeb4d133c72d1.jpg"
	}
}