MarketAlert – Real-Time Market & Crypto News, Analysis & Alerts
New ‘SleepyDuck’ Malware in Open VSX Marketplace Allows Attackers to Control Windows Systems Remotely

Last updated: November 5, 2025 3:05 am
Published: 3 months ago

A sophisticated remote access trojan named SleepyDuck has infiltrated the Open VSX IDE extension marketplace, targeting developers using code editors like Cursor and Windsurf.

The malware disguised itself as a legitimate Solidity extension under the identifier juan-bianco.solidity-vlang, exploiting name squatting techniques to deceive unsuspecting users.

Initially published on October 31st as version 0.0.7, the extension appeared harmless until it was maliciously updated to version 0.0.8 on November 1st, gaining new capabilities after accumulating 14,000 downloads.

The extension masquerades as a development tool for Solidity programming, a language commonly used in blockchain and smart contract development.

Attackers leveraged this popular category to maximize their victim pool among cryptocurrency developers and blockchain engineers.

What makes this threat particularly dangerous is its ability to establish persistent remote access to infected Windows systems while maintaining stealth through various evasion techniques.

Secure Annex analysts identified the malware’s unique persistence mechanism that utilizes Ethereum blockchain contracts to maintain command and control infrastructure.

This innovative approach allows attackers to update their control server addresses even if the primary domain is seized or taken offline.

The malware communicates with sleepyduck[.]xyz as its default command and control server, employing a 30-second polling interval to receive instructions from threat actors.
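An added detection sketch (not code from the article or from Secure Annex) that runs over DNS or proxy log lines and flags clients looking up the reported C2 domain. It goes beyond that single indicator by also flagging any client/domain pair queried at a steady 30-second cadence, since the server address can change. The log format, host names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

C2_DOMAIN = "sleepyduck[.]xyz".replace("[.]", ".")  # IoC from the article, refanged for matching
POLL_SECONDS = 30                                   # polling interval reported in the article

def sample_log():
    """Constructed log lines: ISO timestamp, client host, queried name."""
    times = ["09:00:00", "09:00:30", "09:01:01", "09:01:31", "09:02:00", "09:02:30"]
    lines = [f"2025-11-02T{t} dev-ws-01 {C2_DOMAIN}" for t in times]
    lines += ["2025-11-02T09:00:05 dev-ws-02 updates.example.com",
              "2025-11-02T09:07:41 dev-ws-02 updates.example.com",
              "not-a-time dev-ws-02 updates.example.com",   # bad timestamp, skipped
              "truncated line"]                             # wrong field count, skipped
    return lines

def parse(lines):
    """Group query times by (client, domain); malformed lines are skipped."""
    seen = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        seen[(parts[1], parts[2].lower().rstrip("."))].append(ts)
    return seen

def find_beacons(lines, min_events=5, tolerance=3.0):
    """Flag known-C2 lookups, plus any pair polled at a steady ~30 s cadence."""
    alerts = []
    for (client, domain), times in sorted(parse(lines).items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        known = domain == C2_DOMAIN or domain.endswith("." + C2_DOMAIN)
        steady = (len(gaps) >= max(1, min_events - 1)
                  and abs(mean(gaps) - POLL_SECONDS) <= tolerance
                  and pstdev(gaps) <= tolerance)
        if known or steady:
            alerts.append({"client": client, "domain": domain.replace(".", "[.]"),
                           "known_ioc": known, "steady_poll": steady, "events": len(times)})
    return alerts

if __name__ == "__main__":
    for alert in find_beacons(sample_log()):
        print(alert)
```

The cadence check produces false positives for legitimate 30-second pollers, so treat `steady_poll` without `known_ioc` as a lead to triage rather than a verdict.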

The infection begins when the extension activates upon opening a new code editor window or selecting a .sol file.

The malware retrieves critical machine information including hostname, username, MAC address, and timezone data, which helps it evade sandbox analysis environments commonly used by security researchers.

SleepyDuck demonstrates advanced persistence through blockchain technology, representing a concerning evolution in malware infrastructure.

The threat maintains resilience by storing fallback configuration data in the Ethereum contract at address 0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465.

When connectivity to the primary command server fails, the malware queries this immutable blockchain contract to retrieve updated server addresses, polling intervals, and even emergency commands for all infected endpoints.

The malware’s activation function creates a lock file to ensure single execution, then invokes a deceptive webpack.init() function that initializes the malicious payload.

During initialization, it identifies the fastest Ethereum RPC provider from a hardcoded list, establishes a command execution sandbox through vm.createContext(sandbox), and begins its polling loop to await attacker instructions.

This architecture grants attackers complete remote control over compromised systems while maintaining operational security through decentralized infrastructure that cannot be easily dismantled.
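An added triage example (not code from the article or from Secure Annex) that inventories unpacked editor extensions and reports the extension identifier, C2 domain and fallback contract address named above. The extension folder locations and the `publisher.name-version` folder layout are assumptions about default editor installs; all indicator values come from the article.

```python
import json
from pathlib import Path

# Indicators from the article; the domain is refanged for matching only.
BAD_ID = "juan-bianco.solidity-vlang"
CONTENT_IOCS = {
    "c2-domain": "sleepyduck[.]xyz".replace("[.]", "."),
    "fallback-contract": "0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465".lower(),
}
# Assumption: default per-user extension folders for Cursor, Windsurf and VS Code.
DEFAULT_ROOTS = [Path.home() / d / "extensions" for d in (".cursor", ".windsurf", ".vscode")]

def scan_extension(ext_dir):
    """Return (kind, detail) findings for one unpacked extension directory."""
    findings = []
    try:
        meta = json.loads((ext_dir / "package.json").read_text(encoding="utf-8", errors="replace"))
    except (OSError, ValueError):
        meta = {}
    if not isinstance(meta, dict):
        meta = {}
    ext_id = f"{meta.get('publisher', '')}.{meta.get('name', '')}".lower()
    if ext_id == BAD_ID or ext_dir.name.lower().startswith(BAD_ID + "-"):
        findings.append(("extension-id", f"{BAD_ID} version {meta.get('version', 'unknown')}"))
    for js in ext_dir.rglob("*.js"):
        try:
            text = js.read_text(encoding="utf-8", errors="replace").lower()
        except OSError:
            continue
        for kind, ioc in CONTENT_IOCS.items():
            if ioc in text:
                findings.append((kind, str(js.relative_to(ext_dir))))
    return findings

def scan_roots(roots=DEFAULT_ROOTS):
    """Scan every extension under each root; return {extension path: findings}."""
    report = {}
    for root in roots:
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            hits = scan_extension(ext_dir)
            if hits:
                report[str(ext_dir)] = hits
    return report

if __name__ == "__main__":
    for path, hits in scan_roots().items():
        print(path, hits)
```

Content matches in an extension with a different identifier are worth reviewing too, since a republished copy would carry a new name but may keep the same strings.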

This news is powered by Cyber Security News.
