TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Trend Micro Research

From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers

Ahmed Mohamed Ibrahim · 2026-01-19

ATT&CK techniques detected

10 predictions

T1055.012 Process Hollowing · 97%
“DLL immediately executes its payload. The malware implements legitimate-looking Lightshot function exports to maintain its cover and implements a singleton pattern to ensure that it only executes once. It then launches a hidden PowerShell command to download and execute a sec…”

T1176.002 IDE Extensions · 89%
“From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers. Malware. From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers. This blog entry provides an in-depth analy…”

T1555.003 Credentials from Web Browsers · 89%
“-related processes (e.g., vmtoolsd.exe, vboxservice.exe). Registry analysis: checks hardware registry keys for VM identifiers, a relatively sophisticated evasion technique to avoid analysis environments. After successful initialization and environment validation, the malwa…”

T1055.012 Process Hollowing · 87%
“the final payload, which is a copy of Evelyn Stealer. Upon execution, the malware dynamically imports Windows APIs and creates a new instance of “grpconv.exe” using “CreateProcessA” with the CREATE_SUSPENDED flag. It then decrypts the final embedded payload (Evelyn Steale…”

T1204.002 Malicious File · 85%
“{country_code}-{ip_address}-{username}-{os_version}-{crypto_found}-{paypal_found}-{crypto_websites}-{ram_info}-{gpu_info}-{metamask}-{phantom}-{trustwallet}-{other_wallets}-{timestamp}.zip. Conclusion. The Evel…”

T1176 Software Extensions · 65%
“From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers. Malware. From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers. This blog entry provides an in-depth analy…”

T1195.001 Compromise Software Dependencies and Development Tools · 57%
“From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers. Malware. From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers. This blog entry provides an in-depth analy…”

T1056.001 Keylogging · 54%
“-launch”: suppresses startup notifications. “--no-first-run”: bypasses initial setup dialogs. “--disable-popup-blocking”: ensures malicious content can execute. “--window-position=-10000,-10000”: positions window off-screen. “--window-s…”

T1497.001 System Checks · 39%
“.exe” and resumes the execution of the suspended process. Table 3: Details of Evelyn Stealer. Upon execution of Evelyn Stealer, the malware dynamically resolves all Windows APIs needed for malware operations, including process injection, file operations, registry access, networ…”

T1055.001 Dynamic-link Library Injection · 32%
“tailored threat hunting queries, threat insights, and intelligence reports. On December 8, 2025, koi.ai published their findings about a campaign specifically targeting software developers through weaponized Visual Studio Code extensions. Here, we’ll provide a more in-depth …”

Summary

This blog entry provides an in-depth analysis of the multistage delivery of the Evelyn information stealer, which was used in a campaign targeting software developers.