Evelyn Stealer Abuses Visual Studio Code Extensions in Multistage Attacks

A sophisticated multistage malware campaign, dubbed "Evelyn Stealer," is exploiting the Visual Studio Code (VSC) extension ecosystem to compromise software developers and infiltrate enterprise environments. The attack begins with seemingly legitimate VSC extensions, such as a "Bitcoin Black" theme or a "Codo AI" assistant, which, upon activation, execute hidden PowerShell and batch scripts to download and stage the malware. The campaign leverages DLL hijacking by delivering a trojanized `Lightshot.dll` alongside the legitimate Lightshot screenshot utility, which then spawns a hidden PowerShell command to retrieve a second-stage executable, `runtime.exe` (identified as `iknowyou.model`). This second stage acts as a process-hollowing injector, creating a suspended `grpconv.exe` instance, decrypting the Evelyn Stealer payload using AES-256-CBC, and injecting it into the legitimate process to evade detection. Once active, Evelyn Stealer performs extensive environment checks, including virtual machine and debugger detection, before establishing a working directory in AppData. It focuses on browser-centric data theft and session hijacking, launching hidden browser instances with specific flags to extract credentials, cookies, and session data via an injected `abe_decrypt.dll`. The malware collects a wide array of sensitive information, including clipboard contents, Wi-Fi credentials, system details, installed software, running processes, VPN configurations, and cryptocurrency wallet data, which is then archived into a context-rich ZIP file and exfiltrated over FTP to attacker-controlled infrastructure.
This campaign highlights the critical need for organizations to implement strict VSC extension vetting, monitor for anomalous PowerShell and headless browser activity, harden against DLL hijacking, and apply zero-trust principles to development and build systems, as compromised developer machines offer direct access to high-value assets like source code and CI/CD pipelines.

Threat Details and IOCs

Malware: Evelyn Stealer
Technologies: Google Chrome, Lightshot, Microsoft Edge, Microsoft Visual Studio, Microsoft Windows
Attacker Domains: server09.mentality.cloud, syn1112223334445556667778889990.org
Attacker Hashes: 2e649f6145f55988b920ff5a445e63aae29c80495b830e0d8bb4b3fff4b1f6f4, 369479bd9a248c9448705c222d81ff1a0143343a138fc38fc0ea00f54fcc1598, 5c507b22e9814428c5f2b1ef213c5c4a, 74e43a0175179a0a04361faaaaf05eb1e6b84adca69e4f446ef82c0a5d1923d5, 92af258d13494f208ccf76f53a36f288060543f02ed438531e0675b85da00430, aba7133f975a0788dd2728b4bbb1d7d948e50571a033a1e8f47a2691e98600c5
Victim Industries: Financial Services, Technology Hardware

Mitigation Advice

  • Scan all developer workstations for the Visual Studio Code extensions named 'Bitcoin Black' and 'Codo AI'. If found, isolate the affected machines and uninstall the extensions immediately.
  • Use your Endpoint Detection and Response (EDR) tool to hunt for the filenames 'Lightshot.dll', 'runtime.exe', 'iknowyou.model', and 'abe_decrypt.dll' across all endpoints, paying special attention to user Temp and AppData directories.
  • Configure your SIEM or EDR to create a high-priority alert for instances of the 'grpconv.exe' process being launched in a suspended state, which is a key indicator of this malware's process hollowing technique.
  • Create detection rules in your endpoint security tools to alert on browser processes (chrome.exe, msedge.exe) being launched with command-line arguments that include '--headless=new' or '--no-sandbox'.
  • Review network logs for outbound FTP traffic from workstations. Configure the perimeter firewall to block all outbound FTP connections except to pre-approved, legitimate servers.
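As an added example (not code from the original report), the following Python turns the process-level detection steps above into rules and runs them over constructed Sysmon-style process-creation events; the event shape, the sample paths and the rule names are assumptions, and because creation flags are not present in such events, the parent path of grpconv.exe stands in for the "launched suspended" indicator.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in a Sysmon Event ID 1-like shape.
# Illustrative samples only, not telemetry captured from the campaign.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Lightshot\Lightshot.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "Lightshot.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Lightshot\Lightshot.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -Command Get-Date"},
    {"image": r"C:\Windows\System32\grpconv.exe",
     "parent": r"C:\Users\dev\AppData\Local\Temp\runtime.exe",
     "cmdline": "grpconv.exe"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\System32\grpconv.exe",
     "cmdline": "chrome.exe --headless=new --no-sandbox"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
]

BROWSERS = {"chrome.exe", "msedge.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
HEADLESS_FLAGS = ("--headless=new", "--no-sandbox")
USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict) -> list:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = []
    image, parent = basename(event["image"]), basename(event["parent"])
    cmdline = event["cmdline"]
    # Rule 1: browser started headless or without its sandbox (session-hijacking stage).
    if image in BROWSERS and any(flag in cmdline for flag in HEADLESS_FLAGS):
        hits.append("browser_headless_launch")
    # Rule 2: grpconv.exe is rarely launched at all; a parent living under a
    # user-writable directory matches the runtime.exe injector staging.
    # (CREATE_SUSPENDED is not visible in this event shape, so the parent
    # path is used as the proxy for the "launched suspended" indicator.)
    if image == "grpconv.exe" and USER_WRITABLE.search(event["parent"]):
        hits.append("grpconv_from_user_writable_parent")
    # Rule 3: PowerShell spawned by the screenshot utility, or run with a hidden window.
    if image in POWERSHELL and (parent == "lightshot.exe" or HIDDEN_WINDOW.search(cmdline)):
        hits.append("powershell_from_lightshot_or_hidden")
    return hits


def scan(events: list) -> list:
    """Flatten matches into (rule, image basename) pairs ready for SIEM alerting."""
    return [(rule, basename(e["image"])) for e in events for rule in evaluate(e)]


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {image}")
```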

Compliance Best Practices

  • Establish a formal policy and process for vetting and approving third-party Visual Studio Code extensions. Maintain an allowlist of approved extensions for developer use.
  • Implement system-wide hardening configurations to mitigate DLL hijacking, such as enabling the 'CWDIllegalInDllSearch' registry setting and enforcing secure library loading in application development standards.
  • Deploy an application control solution, such as Windows Defender Application Control or a third-party tool, to prevent the execution of unauthorized applications and scripts from user-writable locations like %TEMP% and %APPDATA%.
  • Begin planning the adoption of a Zero Trust architecture for developer environments, focusing on micro-segmentation, strict identity verification, and least-privilege access for all connections to code repositories, build servers, and cloud infrastructure.
  • Enable advanced PowerShell logging capabilities, including Script Block Logging and Module Logging, across all workstations and servers, and ensure these logs are forwarded to a centralized SIEM for analysis and retention.
  • Implement a recurring security awareness training program for all software developers that specifically covers the risks associated with IDE extensions and how to scrutinize tools from third-party marketplaces.


RCE Vulnerability CVE-2025-14894 in Livewire Filemanager Endangers Servers

A critical remote code execution (RCE) vulnerability, identified as CVE-2025-14894 with a CVSS score of 7.5, has been discovered in Livewire Filemanager, a popular tool for the Laravel PHP framework. The flaw resides in `LivewireFilemanagerComponent.php`, which lacks proper file type and MIME validation, enabling an unauthenticated attacker to upload a malicious PHP file to the server. If the common Laravel command `php artisan storage:link` has been executed, making the `storage/app/public` directory publicly accessible, the uploaded malicious file can then be executed via its URL under `/storage`. This allows for arbitrary code execution on the server with the web server's privileges, potentially leading to full system compromise, data exfiltration, and the deployment of backdoors. As of now, no official patch has been released. Administrators are advised to immediately verify if Livewire Filemanager is in use with public storage and, if so, to temporarily disable web access to the upload directory or remove the Filemanager component until a fix becomes available.

Threat Details and IOCs

CVEs: CVE-2025-14894
Technologies: bee interactive Livewire Filemanager, Laravel, PHP
Attacker Domains: hackingbydoing.wixsite.com
Attacker URLs: https://hackingbydoing.wixsite.com/hackingbydoing/post/unauthenticated-rce-in-livewire-filemanager
Victim Industries: Education, Financial Services, Hospitality, Insurance, Multimedia, Pharmaceuticals, Software, Telecommunications, Travel

Mitigation Advice

  • Identify all Laravel applications within the environment and determine if they use the Livewire Filemanager component.
  • On systems identified with Livewire Filemanager, check for the existence of a symbolic link from the `public/storage` directory to the `storage/app/public` directory.
  • If a public storage symbolic link exists, immediately remove the link or reconfigure the web server (e.g., Nginx, Apache) to block all public web access to the storage directory.
  • If disabling web access is not practical, uninstall the Livewire Filemanager component entirely from all affected Laravel applications until a patched version is available.
  • Inspect web server logs for POST requests to file upload endpoints associated with Livewire Filemanager and scan the `storage/app/public` directory for any unauthorized or suspicious PHP files.

Compliance Best Practices

  • Establish a robust vulnerability management program that includes monitoring security advisories for all third-party software components and a defined process for testing and applying patches promptly.
  • Implement a secure development policy requiring that all user-uploaded files be stored outside of the web root directory. Files should only be served to users through a trusted, authorized script.
  • Deploy and configure a Web Application Firewall (WAF) with rules to block file uploads containing executable extensions for all public-facing applications.
  • Deploy a File Integrity Monitoring (FIM) solution on web servers to generate alerts upon the creation or modification of files in critical directories, particularly web-accessible ones.
  • Mandate that all file upload functionality within applications must validate files against a strict allow-list of permitted file extensions and MIME types.
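The allow-list validation and outside-the-web-root storage mandated above, as an added example in Python rather than the component's own PHP (this is not code from Livewire Filemanager or Laravel): a weak Content-Type-only check is shown beside a hardened validator that requires a single allow-listed extension, a matching declared MIME type and matching magic bytes, then stores the file under a server-chosen random name. The allow-list contents and the polyglot heuristic are assumptions chosen for illustration.

```python
import secrets
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

# Allow-list: extension -> (expected Content-Type, leading magic bytes).
ALLOWED = {
    "png": ("image/png", PNG_MAGIC),
    "jpg": ("image/jpeg", JPEG_MAGIC),
    "jpeg": ("image/jpeg", JPEG_MAGIC),
    "pdf": ("application/pdf", b"%PDF-"),
}


def weak_check(filename: str, declared_mime: str) -> bool:
    """The 'before': trusts only the client-supplied Content-Type, so
    'shell.php' sent as image/png is accepted. Shown for contrast, not for use."""
    return declared_mime.startswith("image/")


def validate_upload(filename: str, declared_mime: str, content: bytes) -> str:
    """Return the canonical extension if the upload passes every check;
    raise ValueError with the reason otherwise."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    # Exactly one extension: conservative, but it also defeats 'shell.php.jpg'
    # tricks on servers whose handlers key off any '.php' segment.
    if len(parts) != 2 or not parts[0]:
        raise ValueError("reject: missing or multiple extensions")
    ext = parts[1]
    if ext not in ALLOWED:
        raise ValueError(f"reject: extension .{ext} is not on the allow-list")
    mime, magic = ALLOWED[ext]
    if declared_mime != mime:
        raise ValueError("reject: Content-Type does not match the extension")
    if not content.startswith(magic):
        raise ValueError("reject: file content does not match the declared type")
    # Heuristic against image/PHP polyglots; the real defence is never serving
    # the directory through the web server or a PHP handler.
    if b"<?php" in content or b"<?=" in content:
        raise ValueError("reject: embedded PHP open tag")
    return ext


def store_upload(filename: str, declared_mime: str, content: bytes, private_root: Path) -> Path:
    """Write the validated file under a directory outside the web root, with a
    server-chosen random name so the client controls neither path nor extension."""
    ext = validate_upload(filename, declared_mime, content)
    private_root.mkdir(parents=True, exist_ok=True)
    dest = private_root / f"{secrets.token_hex(16)}.{ext}"
    dest.write_bytes(content)
    return dest


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(store_upload("photo.png", "image/png", PNG_MAGIC + b"\x00" * 16, Path(tmp)))
        try:
            store_upload("shell.php", "image/png", b"<?php echo 'x'; ?>", Path(tmp))
        except ValueError as err:
            print(err)
```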


New StackWarp Hardware Flaw Breaks AMD SEV-SNP Protections on Zen 1–5 CPUs

A new hardware vulnerability, codenamed StackWarp (CVE-2025-29943, CVSS v4 score: 4.6), has been identified in AMD Zen 1 through Zen 5 processors, including AMD EPYC 7003, 8004, 9004, 9005 Series Processors and their embedded variants. Discovered by academics at the CISPA Helmholtz Center for Information Security, this medium-severity improper access control bug allows an admin-privileged attacker on a host server to manipulate the stack pointer within confidential virtual machines (CVMs) protected by AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP). The flaw exploits a microarchitectural optimization called the stack engine via an undocumented control bit on the hypervisor side, enabling remote code execution and privilege escalation inside the CVM. Demonstrated impacts include the recovery of RSA-2048 private keys, bypassing OpenSSH password authentication and sudo's password prompt, and achieving kernel-mode code execution. AMD has released microcode updates in July and October 2025, with AGESA patches for EPYC Embedded 8004 and 9004 Series Processors anticipated in April 2026. Operators of SEV-SNP hosts are advised to install these updates and consider temporarily disabling hyperthreading for CVMs requiring high integrity.

Threat Details and IOCs

CVEs: CVE-2023-20592, CVE-2025-29943
Technologies: AMD Processors, AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP), Linux
Victim Industries: Banking, Cloud Infrastructure, Financial Services, Government, Healthcare, Internet & Cloud Services, Telecommunications
Victim Countries: Germany, United States

Mitigation Advice

  • Inventory all on-premises and cloud-based servers to identify systems running affected AMD EPYC 7003, 8004, 9004, and 9005 series processors.
  • On identified vulnerable AMD systems hosting confidential virtual machines (CVMs), disable hyperthreading (Simultaneous Multithreading/SMT) in the BIOS/UEFI settings.
  • Contact your cloud service providers to inquire about their patching and mitigation status for the StackWarp vulnerability (CVE-2025-29943) on their AMD-based instances.

Compliance Best Practices

  • Incorporate the AMD microcode and AGESA firmware updates for CVE-2025-29943 into your standard patch management cycle and deploy them to all affected systems as they become available from your hardware vendors.
  • Review and harden access control policies for all hypervisor management interfaces, ensuring only essential personnel have administrative privileges and that all access is logged and monitored.
  • Enhance security monitoring within high-value confidential virtual machines (CVMs) by tuning Endpoint Detection and Response (EDR) tools and log analysis to detect anomalous process execution or unexpected privilege escalation.


Malicious GhostPoster Browser Extensions Found with 840,000 Installs

Seventeen malicious browser extensions, part of the GhostPoster campaign, were discovered across Chrome, Firefox, and Edge stores, accumulating over 840,000 installations. Initially reported by Koi Security, and further detailed by browser security platform LayerX, these extensions hid malicious JavaScript code within their logo images, monitoring browser activity, hijacking affiliate links on e-commerce platforms, and injecting invisible iframes for ad and click fraud. The code fetched a heavily obfuscated payload from an external resource to execute these actions. A more advanced variant, identified in extensions like 'Instagram Downloader', moved the malicious staging logic to the extension's background script, using a bundled image file as a covert payload container. This variant extracts hidden data from the image's raw bytes using a specific delimiter (">>>>"), stores it, Base64-decodes it, and executes it as JavaScript, demonstrating enhanced dormancy, modularity, and resilience against detection. The campaign originated on Microsoft Edge, expanding to Firefox and Chrome, with some extensions active since 2020. While Mozilla, Microsoft, and Google have removed the identified extensions from their stores, users who installed them remain at risk. Specific extensions included "Google Translate in Right Click" (522,398 installs), "Translate Selected Text with Google" (159,645 installs), and "Ads Block Ultimate" (48,078 installs), among others.
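As an added example (not code from the GhostPoster reports), the following Python scans an extension's bundled image for the staging pattern described above: data after the PNG's IEND chunk, the ">>>>" delimiter, and a tail that Base64-decodes to script-like text. The sample image is constructed, and it assumes the payload follows the delimiter; the token list used to recognise JavaScript is an assumption.

```python
import base64
import re

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"   # last chunk of a well-formed PNG
DELIM = b">>>>"                            # delimiter reported for the advanced variant
# Tokens that rarely occur in image data but are typical of extension script.
JS_TOKENS = re.compile(rb"\b(function|fetch|eval|document|chrome\.runtime|XMLHttpRequest)\b")


def build_sample(hidden_js: bytes = b"") -> bytes:
    """Constructed PNG-like blob; if hidden_js is given, a Base64 payload is
    appended after the delimiter, mirroring the staging described above."""
    image = PNG_SIG + b"\x00\x00\x00\rIHDR" + b"\x00" * 17 + IEND
    if not hidden_js:
        return image
    return image + DELIM + base64.b64encode(hidden_js)


def inspect_image(blob: bytes) -> dict:
    """Report bytes after IEND, presence of the delimiter, whether the tail
    Base64-decodes, and whether the decoded text looks like JavaScript."""
    result = {"trailing_bytes": 0, "delimiter": False, "decodes": False, "js_like": False}
    end = blob.find(IEND)
    if end != -1:
        result["trailing_bytes"] = len(blob) - (end + len(IEND))
    idx = blob.find(DELIM)
    if idx == -1:
        return result
    result["delimiter"] = True
    tail = blob[idx + len(DELIM):].strip()
    try:
        decoded = base64.b64decode(tail, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return result
    result["decodes"] = True
    result["js_like"] = JS_TOKENS.search(decoded) is not None
    return result


def verdict(blob: bytes) -> str:
    """'payload' when a decodable, script-like tail follows the delimiter;
    'review' for any other trailing data; 'clean' otherwise."""
    r = inspect_image(blob)
    if r["delimiter"] and r["decodes"] and r["js_like"]:
        return "payload"
    if r["trailing_bytes"] > 0:
        return "review"
    return "clean"


if __name__ == "__main__":
    sample = build_sample(b'function run(){ return fetch("https://example.invalid/c"); }')
    print(verdict(build_sample()), verdict(sample), inspect_image(sample))
```

Run it over every image shipped in an extension package; a "review" verdict is common enough (metadata appended by editors) that only "payload" should page anyone.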

Threat Details and IOCs

Malware: Cuckoo Stealer, GhostPoster, Koi, Koi Stealer, ShadyPanda, TMStealer, Zoom Stealer
Technologies: Google Chrome, Google Meet, Google Translate, GoTo Meeting, GoTo Webinar, Meta Facebook, Meta Instagram, Microsoft Edge, Microsoft Teams, Mozilla Firefox, Opera, X, Zoom
Threat Actors: DarkSpectre, GhostPoster, ShadyPanda
Attacker Countries: China
Attacker IPs: 58.144.143.27
Attacker Emails: 1305302314@qq.com, mail@imba97.cn, nickyfeng2@edgetranslate.com
Attacker Domains: api.jt2x.com, bcaicai.com, dealctr.com, diytab.com, edgetranslate.com, gmzdaily.com, imba97.cn, infinitynewtab.com, infinitytab.com, istartnewtab.com, jt2x.com, letsearchesp.com, liveupdt.com, meetingtv.us, mitarchive.info, muo.cc, policies.extfans.com, userscss.top, webinarstvus.cloudfunctions.net, websiteshare.cn, www.dealctr.com, www.liveupdt.com, zhuayuya.com, zoocorder.firebaseio.com, zoomcorder.com
Attacker URLs: api.cleanmasters.store, api.extensionplay.com, api.jt2x.com, webinarstvus.cloudfunctions.net, zoocorder.firebaseio.com
Victim Industries: Advertising Services, E-commerce, Interactive Media & Services, Retail, Technology Hardware, Travel
Victim Countries: China, United States

Mitigation Advice

  • Audit all company workstations to identify and immediately remove the 17 malicious GhostPoster browser extensions listed in the article from all Chrome, Firefox, and Edge browsers.
  • Scan DNS, proxy, and firewall logs for connections to known GhostPoster command-and-control domains to identify potentially compromised systems.
  • Send an immediate security bulletin to all employees warning them about the threat of malicious browser extensions, instructing them to review their installed extensions, and providing a clear process for reporting anything suspicious.

Compliance Best Practices

  • Develop and enforce a browser extension allowlist policy using Group Policy (GPO) or a Mobile Device Management (MDM) solution to prevent users from installing any unapproved extensions on corporate devices.
  • Deploy or tune an Endpoint Detection and Response (EDR) solution to create detection rules for anomalous browser process behavior, such as a browser extension reading and executing code hidden within image files.
  • Establish a continuous security awareness training program that specifically educates employees on the risks of browser extensions, how to identify potentially malicious add-ons, and the importance of installing software only from trusted and vetted sources.
  • Implement a DNS filtering service that blocks access to newly registered domains and domains categorized as malicious to prevent browsers from connecting to threat actor infrastructure and downloading malicious payloads.


Researchers Breach StealC Infrastructure, Access Malware Control Panels

Criminal infrastructure, including that of the StealC infostealer, frequently exhibits vulnerabilities stemming from its rushed development, reuse of components, and inadequate security measures. Security researchers have successfully exploited these inherent weaknesses within the StealC malware's operational infrastructure, gaining access to its control panels. StealC, an infostealer and downloader, emerged in early 2023 and is distributed under a Malware-as-a-Service (MaaS) model for approximately $200 per month, making it accessible to a broad range of cybercriminals. It indiscriminately targets any Windows user, with over 100,000 unique victims identified across various industries and regions, impacting millions by stealing credentials that can lead to further intrusions, credential stuffing, and ransomware precursors. The malware is designed to exfiltrate sensitive data from over 23 browsers and extensions, 15 cryptocurrency wallets, and applications such as Discord, Telegram, and Outlook. Its distribution methods are diverse, encompassing malvertising, phishing campaigns, compromised websites, YouTube videos, and cracked software. Defenders can identify StealC through specific Indicators of Compromise (IOCs), including IP addresses like 45.93.20[.]28, domains such as stealc[.]maliciousserver[.]com, and file hashes like 9f34ab1c9d9351f59826b8d5c458a3d3; through network-based detection of HTTP POST requests to raw IPs or domains with long random paths; and through behavioral analysis of processes exhibiting initial minimal data uploads followed by aggressive harvesting or suspicious child process creation. Associated MITRE ATT&CK techniques include T1071.001, T1555, and T1140. Effective mitigation strategies involve implementing multi-factor authentication, educating users against saving passwords in browsers, enforcing the principle of least privilege, utilizing password managers, and regularly updating software, with Yara and Suricata rules also available for detection.

Threat Details and IOCs

Malware: LummaC2, Lumma Stealer, StealC
Technologies: 7-Zip, Adobe After Effects, Adobe Photoshop, Discord, Google YouTube, Microsoft Outlook, Microsoft Windows, Telegram
Threat Actors: AngryLikho, Plymouth, StickyWerewolf
Attacker Countries: Russia, Singapore, Ukraine, Vietnam
Attacker IPs: 37.221.66.166, 45.93.20.28, 88.214.48.93
Attacker Domains: arch2.megafilehost8.mom, gorcerie.com, media.maxdatahost1.lat, stealc.maliciousserver.com
Attacker URLs: hxxp://37.221.66.166/4a815a53876a4172.php, hxxps://arch2.megafilehost8.mom/e/get/0dW2euBOrmIidUcl3Q7OBgzi/application.zip, hxxps://gorcerie.com/the-impact-of-clear-excess-formats-on-business-performance-and-data-integrity/?info removed, hxxps://media.maxdatahost1.lat/share/download?AH2hSGmZbAUAWGgCAFVTFwASAAAAAADc/name of software&rar
Attacker Hashes: 9f34ab1c9d9351f59826b8d5c458a3d3, eb6c798cc9b87f2287e5eabc203b5a9d3c8af969f8fc433107a3a129b1df8596
Victim Industries: Defense Industrial Base, Financial Services, Government, Healthcare, Technology Hardware

Mitigation Advice

  • Block the following indicators in the firewall and web proxy: IP addresses `45.93.20[.]28` and `88.214.48[.]93`, and domain `stealc[.]maliciousserver[.]com`.
  • Add the following file hashes to your EDR and antivirus blocklists: `9f34ab1c9d9351f59826b8d5c458a3d3` and `eb6c798cc9b87f2287e5eabc203b5a9d3c8af969f8fc433107a3a129b1df8596`.
  • Download and apply the latest Suricata rules for StealC detection from trusted sources like SEKOIA.IO to your network intrusion detection system.
  • Deploy the latest Yara rules for StealC from sources like SEKOIA.IO to scan file systems and memory for malware artifacts.
  • Create a detection rule in your SIEM to alert on HTTP POST requests to raw IP addresses, especially those followed by small, sequential POST requests, which indicates a custom exfiltration loop.
  • Configure your EDR to alert on processes that exhibit a dormant phase after initial execution, followed by the creation of suspicious child processes for data harvesting.
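The network detection rule above (POST to a raw IP with a long random path, followed by small sequential POSTs), as an added Python example that is not from the original report or from SEKOIA.IO: it groups POSTs to raw IPs per source and host over constructed proxy log lines and grades each group. The log format, thresholds and entropy cut-off are assumptions; the raw-IP URL in the sample is the one listed in the IOCs above.

```python
import math
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines: "<epoch> <src_ip> <method> <url> <status> <bytes_out>".
# The raw-IP URL is the one from the IOCs above; everything else is made up.
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET https://www.example.com/index.html 200 512
1700000010 10.0.0.5 POST http://37.221.66.166/4a815a53876a4172.php 200 48
1700000011 10.0.0.5 POST http://37.221.66.166/4a815a53876a4172.php 200 96
1700000012 10.0.0.5 POST http://37.221.66.166/4a815a53876a4172.php 200 120
1700000013 10.0.0.5 POST http://37.221.66.166/4a815a53876a4172.php 200 88
1700000020 10.0.0.7 POST https://api.example.com/v1/login 200 300
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
RANDOM_STEM = re.compile(r"^[A-Za-z0-9]{12,}$")


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def random_path(path: str) -> bool:
    """Long alphanumeric stem with high entropy, e.g. /4a815a53876a4172.php."""
    stem = path.rsplit("/", 1)[-1].split(".", 1)[0]
    return bool(RANDOM_STEM.match(stem)) and entropy(stem) >= 2.5


def parse(line: str) -> dict:
    ts, src, method, url, status, size = line.split()
    return {"ts": int(ts), "src": src, "method": method, "url": url,
            "status": int(status), "size": int(size)}


def detect(log_text: str, window: int = 60, min_followups: int = 3, small: int = 512) -> list:
    """Group POSTs to raw IPs by (source, host) and grade each group."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        host = urlparse(ev["url"]).hostname or ""
        if ev["method"] == "POST" and IPV4.match(host):
            groups[(ev["src"], host)].append(ev)
    findings = []
    for (src, host), posts in groups.items():
        first = posts[0]
        reasons = ["post_to_raw_ip"]
        if random_path(urlparse(first["url"]).path):
            reasons.append("random_path")
        # Beacon-then-harvest pattern: small POSTs shortly after the first one.
        followups = [p for p in posts[1:]
                     if p["ts"] - first["ts"] <= window and p["size"] <= small]
        if len(followups) >= min_followups:
            reasons.append("small_sequential_posts")
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append({"src": src, "host": host, "posts": len(posts),
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```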

Compliance Best Practices

  • Develop and execute a project to enforce multi-factor authentication (MFA) on all external-facing services, VPNs, and critical internal applications.
  • Establish an ongoing security awareness training program that specifically educates users on the risks of malvertising, phishing, and downloading cracked software, and teaches them not to save passwords in web browsers.
  • Implement a corporate-approved password manager and create a policy requiring its use to discourage saving passwords in browsers and promote strong, unique passwords for all services.
  • Initiate a comprehensive review of user and service account permissions to enforce the principle of least privilege, limiting the potential impact of a compromised account.
  • Strengthen the existing patch management program to ensure all software, especially web browsers and their extensions, are updated regularly and in a timely manner.


Authors & Contributors

Brian Sayer (Author)

Threat Intelligence Analyst, F5