Tue. Dec 9th, 2025

Malware campaign uses VS Code extensions for A/B testing


A new malware campaign is A/B testing delivery effectiveness on software developers using malicious VS Code extensions.

In a campaign tracked by Koi, a threat actor published two malicious VS Code extensions – ‘Bitcoin Black’ and ‘Codo AI’ – to see which lure worked best. One targeted crypto enthusiasts; the other, productivity-focused engineers. Both delivered a capability that turned the developer’s own workstation into a surveillance post.

The attackers combined social engineering with DLL hijacking to slip past standard controls, using a legitimate signed binary to load their payload. It is a case study in how the software supply chain is being probed for weak points, specifically the tools developers often trust blindly.

A/B testing malware on software developers

The VS Code malware campaign’s publisher, ‘BigBlack’, tailored the social engineering to specific psychological profiles. Bitcoin Black pitched itself as a “premium dark theme inspired by Bitcoin,” aiming for users likely to manage crypto wallets.

Codo AI marketed itself as an “AI-powered coding assistant with ChatGPT and DeepSeek integration.” Unlike instantly suspicious extensions that fail to deliver promised features, Codo AI actually worked: users could chat with the AI models as advertised, and that working front end masked the activity running in the background.

Under the hood, however, the activation logic differed. A legitimate colour theme is passive: it contributes JSON files and ships no code, so it needs no activation events at all. Bitcoin Black broke this rule by declaring a “*” activation event, which tells VS Code to load and run the extension’s code as soon as the editor starts, regardless of what the user does. Codo AI was more subtle, burying its malicious trigger deep in the source code, “right before the legitimate AI chat implementation.”
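One way to catch the noisier of the two patterns is to audit an extension’s package.json before installing it. The check below is an added example written for this article, not code from Koi or from either extension; the three manifests it runs on are constructed to mirror the behaviour described above (a passive theme, a theme that also declares a startup entry point, and an ordinary command-driven extension).

```python
"""Audit a VS Code extension manifest (package.json) for activation
behaviour that does not match what the extension claims to be.
Added example for this article; not code from Koi or from the
extensions it describes. The sample manifests are constructed."""
import json

# A colour/icon theme is data only: it contributes JSON files and ships
# no runtime code, so it has no reason to declare an entry point or any
# activation event.
THEME_ONLY_CONTRIBUTIONS = {"themes", "iconThemes", "productIconThemes"}


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings for one parsed package.json."""
    findings = []
    contributes = manifest.get("contributes") or {}
    activation = manifest.get("activationEvents") or []
    entry = manifest.get("main") or manifest.get("browser")
    theme_only = bool(contributes) and set(contributes) <= THEME_ONLY_CONTRIBUTIONS

    if "*" in activation:
        # "*" means: activate as soon as VS Code starts, whatever the user does.
        findings.append("activates unconditionally at startup ('*' activation event)")
    if theme_only and entry:
        findings.append(f"theme-only contributions but declares entry point {entry!r}")
    if theme_only and activation:
        findings.append(f"theme-only contributions but declares activationEvents {activation!r}")
    return findings


def audit_manifest_text(text: str) -> list:
    """Convenience wrapper for a raw package.json string."""
    return audit_manifest(json.loads(text))


# Constructed manifests (not the real extensions' files).
PASSIVE_THEME = {
    "name": "calm-dark",
    "contributes": {"themes": [{"label": "Calm Dark", "uiTheme": "vs-dark",
                                "path": "./themes/calm-dark.json"}]},
}
THEME_WITH_CODE = {
    "name": "dark-theme-with-extra",
    "main": "./out/extension.js",
    "activationEvents": ["*"],
    "contributes": {"themes": [{"label": "Dark", "uiTheme": "vs-dark",
                                "path": "./themes/dark.json"}]},
}
COMMAND_EXTENSION = {
    "name": "chat-helper",
    "main": "./out/extension.js",
    "activationEvents": ["onCommand:chatHelper.open"],
    "contributes": {"commands": [{"command": "chatHelper.open", "title": "Open chat"}]},
}

if __name__ == "__main__":
    for m in (PASSIVE_THEME, THEME_WITH_CODE, COMMAND_EXTENSION):
        print(m["name"], audit_manifest(m) or ["no findings"])
```

A manifest audit only catches the Bitcoin Black pattern. Codo AI’s trigger sat inside otherwise legitimate JavaScript behind an ordinary-looking manifest, so that case needs source review or monitoring of what the extension host process spawns at runtime.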

Cleaning up the malware in the malicious VS Code extensions

The malware did not arrive fully formed. Koi researchers analysed multiple versions and found a clear trail of iteration as the attackers refined their delivery.

Early variants (version 2.5.0) were messy. The attackers used a PowerShell script with four different fallback methods to extract a password-protected ZIP file, relying on libraries like DotNetZip and even the built-in PowerShell Expand-Archive cmdlet. This approach was fragile and noisy. Worse, the attackers forgot to hide the execution window: the Node.js child-process option was left at windowsHide: false, so the infection process likely flashed a visible terminal on the victim’s screen.

By version 3.3.0, they had learned from these mistakes. The bloated PowerShell logic was gone, replaced by a streamlined batch script. The new script used the curl.exe that ships with Windows to pull the executable and DLL directly, with no unzipping step. They also corrected the visibility error: the script now runs with windowsHide: true, so the victim never sees a console window. A marker file, .done, was added to prevent the malware from re-infecting the same machine.

The delivery mechanism drops a payload that relies on DLL hijacking. The script downloads the legitimate executable for Lightshot, a well-known screenshot tool. Alongside it, it places a malicious file named Lightshot.dll.

When the signed Lightshot.exe runs, it automatically loads the attacker’s DLL: Windows searches the directory the executable was launched from before the system directories (for anything not on the protected KnownDLLs list), so a DLL dropped beside the EXE is the one that gets loaded. This technique allows the malware to inherit the trust of the signed binary. Security tools that allowlist known-good executables might overlook the process, and to a user inspecting Task Manager, everything looks normal.

Once loaded, the DLL acts as an infostealer. It collects clipboard history, WiFi passwords, and system information, staging them in what the analysis calls the “staging directory at %APPDATA%\Local”.

A/B testing by the attackers optimises delivery, but the malware’s most aggressive feature is browser session hijacking. The DLL launches Google Chrome and Edge in headless mode with flags such as --headless=new, --disable-gpu, and --no-sandbox. It sets the window size to a tiny 1×1 pixel and positions it off-screen at coordinate -10000,-10000. This allows the attackers to piggyback on the developer’s authenticated sessions, stealing cookies and bypassing login prompts without the user noticing.
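Both behaviours above leave telemetry that a detection rule can key on: a signed executable running from a user-writable directory and loading an unsigned DLL from that same directory, and a browser started headless with an off-screen or 1×1 window. The scanner below is an added example for this article, not code from Koi; the event records it runs on are constructed for illustration and only loosely modelled on Sysmon’s ProcessCreate and ImageLoad fields (the file paths, parent process and signing status are assumptions, not observations from the campaign).

```python
"""Detection logic for two behaviours described in the article:
  1. DLL sideloading: an executable in a user-writable directory loads an
     unsigned DLL from its own directory.
  2. A hidden headless browser: chrome.exe/msedge.exe started with
     --headless plus an off-screen --window-position or a 1x1 --window-size.
Added example; event records below are constructed (loosely Sysmon-shaped)."""
import ntpath
import re
from typing import Optional

# Locations a normal user can write to.  A signed tool running from here
# instead of Program Files is the "unexpected location" red flag.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
BROWSERS = {"chrome.exe", "msedge.exe"}
WIN_POS = re.compile(r"--window-position=(-?\d+),(-?\d+)")
WIN_SIZE = re.compile(r"--window-size=(\d+),(\d+)")


def in_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return not p.startswith(TRUSTED_ROOTS) and any(m in p for m in USER_WRITABLE_MARKERS)


def check_sideload(ev: dict) -> Optional[str]:
    """image_load event: unsigned DLL loaded from the loading EXE's own
    directory while that EXE itself runs from a user-writable path."""
    exe, dll = ev["Image"], ev["ImageLoaded"]
    same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    unsigned = ev.get("Signed", "false").lower() == "false"  # missing field = treat as unsigned
    if same_dir and unsigned and in_user_writable_dir(exe):
        return (f"possible DLL sideload: {ntpath.basename(exe)} loaded unsigned "
                f"{ntpath.basename(dll)} from {ntpath.dirname(exe)}")
    return None


def check_hidden_headless(ev: dict) -> Optional[str]:
    """process_create event: Chrome/Edge started headless and kept out of
    sight via an off-screen position or a 1x1 window."""
    if ntpath.basename(ev["Image"]).lower() not in BROWSERS:
        return None
    cl = ev["CommandLine"]
    if "--headless" not in cl:
        return None
    pos, size = WIN_POS.search(cl), WIN_SIZE.search(cl)
    offscreen = pos is not None and (int(pos.group(1)) < 0 or int(pos.group(2)) < 0)
    tiny = size is not None and int(size.group(1)) <= 1 and int(size.group(2)) <= 1
    if offscreen or tiny:
        how = "off-screen window" if offscreen else "1x1 window"
        return (f"hidden headless browser: {ntpath.basename(ev['Image'])} spawned by "
                f"{ntpath.basename(ev['ParentImage'])} ({how})")
    return None


def scan(events: list) -> list:
    """Run both checks over a list of event dicts; return findings in order."""
    findings = []
    for ev in events:
        hit = None
        if ev["type"] == "image_load":
            hit = check_sideload(ev)
        elif ev["type"] == "process_create":
            hit = check_hidden_headless(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (paths and parents are assumptions).
DROP_DIR = r"C:\Users\dev\AppData\Local\Temp"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "Image": DROP_DIR + r"\Lightshot.exe",
     "CommandLine": DROP_DIR + r"\Lightshot.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"type": "image_load", "Image": DROP_DIR + r"\Lightshot.exe",
     "ImageLoaded": DROP_DIR + r"\Lightshot.dll", "Signed": "false"},
    {"type": "image_load", "Image": DROP_DIR + r"\Lightshot.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"type": "process_create", "Image": CHROME,
     "CommandLine": f'"{CHROME}" --headless=new --disable-gpu --no-sandbox '
                    "--window-size=1,1 --window-position=-10000,-10000",
     "ParentImage": DROP_DIR + r"\Lightshot.exe"},
    # Benign: a developer's test harness driving headless Chrome at normal size.
    {"type": "process_create", "Image": CHROME,
     "CommandLine": f'"{CHROME}" --headless=new --window-size=1280,800 --remote-debugging-port=9222',
     "ParentImage": r"C:\Program Files\nodejs\node.exe"},
    # Benign: an installed application loading its own signed helper DLL.
    {"type": "image_load", "Image": r"C:\Program Files\Example Tool\tool.exe",
     "ImageLoaded": r"C:\Program Files\Example Tool\helper.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The sideload rule deliberately requires all three conditions (same directory, unsigned module, user-writable path): legitimate applications load their own DLLs from their install directory all the time, so the location is what carries the signal. The headless rule keeps ordinary automation quiet by ignoring headless browsers with a normal window size and no off-screen placement.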

Human fingerprints left in the malware campaign

Despite the clean execution in later versions, the attackers left traces of their identity. The code contains comments such as “IMPORTANT: KEEP POWERSHELL/BAT METHOD,” suggesting a team environment where one developer was warning others not to break the build.

The choice of mutex – a system object used to prevent multiple instances of the malware from running – also reveals a personality behind the keyboard. They named it COOL_SCREENSHOT_MUTEX_YARRR. The pirate reference suggests a sense of humour but also serves as a high-fidelity Indicator of Compromise (IoC).

The infrastructure itself is less polished. The Command and Control (C2) domain, syn1112223334445556667778889990.org, looks like a “keyboard mash,” standing in contrast to the careful social engineering of the extensions themselves.

This latest malware campaign once again highlights a blind spot in how development environments are secured, this time VS Code and its extensions. The attackers used A/B testing to optimise delivery, and it paid off because developers who rigorously vet production dependencies often install IDE extensions with little thought. ‘Bitcoin Black’ and ‘Codo AI’ exploited this habit, proving that a useful tool can also be an effective weapon.

For security teams, a signed binary launching from an unexpected location such as a temp or AppData directory should be a red flag. The malware’s reliance on DLL hijacking works because the parent process is trusted. Identifying this activity requires looking at module loads, not just process names: in Sysmon terms that means collecting image-load events (Event ID 7) for the process in question, which are off by default because of their volume, rather than relying on process-creation events alone.

As the analysis concludes, “sophistication is uneven, but the techniques that matter are solid.”
