
Evelyn Stealer

Evelyn is a sophisticated information-stealing malware built to quietly gather sensitive data while actively avoiding security analysis and detection. Its primary function is to harvest valuable information from infected systems and exfiltrate it to a threat actor's command-and-control (C2) infrastructure over FTP.

The stealer is capable of collecting a broad range of data, including saved browser credentials, clipboard contents, Wi-Fi passwords, cryptocurrency wallet information, and detailed system intelligence. Once aggregation is complete, all stolen material is compressed into a ZIP archive and transmitted to the attacker's FTP server.

Silent Setup and Abuse of Windows Capabilities

When executed, Evelyn dynamically loads the Windows components it needs to operate, including functionality for process injection, file and registry access, network communication, and clipboard monitoring. These capabilities allow the malware to integrate deeply into the system and support its data-theft objectives.

To remain covert, Evelyn is engineered to evade both manual and automated analysis. Before fully activating, it evaluates its environment to determine whether it is being examined.

Built-In Analysis and Sandbox Evasion

Evelyn employs multiple anti-analysis techniques to detect virtual machines, debuggers, and security or research tools. Only after confirming the system appears to be a genuine user environment does it proceed.

At that stage, the malware creates its own directories within the user's AppData folder, which it uses to store harvested information and supporting files.

Aggressive Browser Targeting and Process Manipulation

The malware begins by collecting any browser data already present on the system and then forcibly closes running browsers. This both prevents data conflicts and prepares the environment for the next phase: injection.

Evelyn requires a specific auxiliary file to steal browser login data. It first checks whether this file already exists in the system's TEMP directory. If not, it attempts to download the file from its FTP server. As a final fallback, it searches the directory from which the malware itself is running.

Once the file is obtained, Evelyn launches the targeted browser in a highly controlled manner and covertly injects the malicious component into it. This allows the stealer to bypass built-in browser protections. To avoid alerting the user or security software, the browser is started with numerous concealed parameters that suppress windows, disable security features and extensions, prevent log creation, and hide any visible signs that the browser was opened. These measures enable silent extraction of browser data.

Expanding the Data Harvest

Beyond browsers, Evelyn captures screenshots of the desktop and compiles extensive system details, including the current username, computer name, operating system version, installed applications, running processes, and VPN configurations. The malware also actively targets cryptocurrency wallets, monitors the clipboard, and retrieves saved Wi-Fi credentials.

All collected information is consolidated, compressed into a ZIP archive, and exfiltrated to the attacker's C2 server via FTP.

Infection Vector: A Trojanized Developer Extension

Evelyn is distributed through a malicious Visual Studio Code extension posing as a legitimate add-on. When installed, the extension drops a rogue file disguised as a normal Lightshot dynamic-link library (DLL). The genuine Lightshot application then loads this fake DLL in place of the real one (a DLL side-loading technique), unknowingly executing the attacker's code.

Once active, the malicious DLL launches a hidden PowerShell command to download an additional payload. This secondary component is responsible for injecting and activating the Evelyn information stealer.
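The infection chain and collection behaviour described above map onto a handful of host telemetry signals a defender can look for. The following detection sketch is an added example, not code from the original page or from any vendor product. It walks a list of Sysmon-style event records (constructed inline; the field names, file paths, process names, the placeholder DLL and parent binary, and the port are all assumptions) and flags the four behaviours the write-up names: a program installed under Program Files loading a DLL from a user-writable directory, that host spawning a hidden PowerShell, a browser launched by an unexpected parent with an unusually long switch list, and an outbound FTP connection from something that is not a known FTP client. The browser rule keys on the parent and the number of switches rather than on specific flag names, so the flags in the sample are only illustrative.

```python
"""Host-based detection sketch for the Evelyn infection chain (added example).

Field names, paths, process names, the PLACEHOLDER values and the port are
assumptions used to construct sample telemetry; nothing here is taken from a
real incident.
"""
import re
from dataclasses import dataclass

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
INTERACTIVE_SHELLS = {"explorer.exe", "cmd.exe", "powershell.exe"}
NORMAL_BROWSER_PARENTS = INTERACTIVE_SHELLS | BROWSERS   # assumption: ordinary launchers
KNOWN_FTP_CLIENTS = {"filezilla.exe", "winscp.exe", "ftp.exe"}
# -WindowStyle Hidden, including PowerShell's accepted prefix forms (-w h, -win hidden).
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w[a-z]*\s+h[a-z]*(?:\s|$)", re.I)


@dataclass
class Finding:
    rule: str
    event: dict


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_sideload(ev: dict):
    """A Program Files binary (Lightshot in the write-up) loading a DLL from a user-writable folder."""
    if ev.get("type") == "ImageLoad" and "\\program files" in ev["image"].lower() \
            and any(m in ev["loaded"].lower() for m in USER_WRITABLE):
        return Finding("dll_loaded_from_user_writable_path", ev)
    return None


def rule_hidden_powershell(ev: dict):
    """Hidden-window PowerShell whose parent is not an interactive shell."""
    if ev.get("type") == "ProcessCreate" and basename(ev["image"]) == "powershell.exe" \
            and HIDDEN_WINDOW.search(ev["cmdline"]) \
            and basename(ev["parent"]) not in INTERACTIVE_SHELLS:
        return Finding("hidden_powershell_from_non_shell_parent", ev)
    return None


def rule_browser_launch(ev: dict):
    """Browser started by an unexpected parent with many command-line switches."""
    if ev.get("type") != "ProcessCreate" or basename(ev["image"]) not in BROWSERS:
        return None
    switches = len(re.findall(r"(?:^|\s)--\S+", ev["cmdline"]))
    if basename(ev["parent"]) not in NORMAL_BROWSER_PARENTS and switches >= 3:
        return Finding("browser_launched_by_unexpected_parent", ev)
    return None


def rule_ftp_egress(ev: dict):
    """Outbound FTP control connection from a process that is not a known FTP client."""
    if ev.get("type") == "NetworkConnect" and ev["dst_port"] == 21 \
            and basename(ev["image"]) not in KNOWN_FTP_CLIENTS:
        return Finding("ftp_egress_from_non_ftp_client", ev)
    return None


RULES = (rule_sideload, rule_hidden_powershell, rule_browser_launch, rule_ftp_egress)


def detect(events):
    """Run every rule over every event; return findings in event order."""
    return [f for ev in events for f in (rule(ev) for rule in RULES) if f]


# Constructed sample telemetry; paths and PLACEHOLDER names are assumptions.
SAMPLE_EVENTS = [
    {"type": "ImageLoad", "image": r"C:\Program Files\Lightshot\Lightshot.exe",
     "loaded": r"C:\Program Files\Lightshot\some_legit.dll"},                  # benign
    {"type": "ImageLoad", "image": r"C:\Program Files\Lightshot\Lightshot.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\PLACEHOLDER_sideloaded.dll"},  # suspicious
    {"type": "ProcessCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Lightshot\Lightshot.exe",
     "cmdline": 'powershell.exe -WindowStyle Hidden -Command "<downloader placeholder>"'},
    {"type": "ProcessCreate", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": '"chrome.exe"'},         # benign
    {"type": "ProcessCreate", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\PLACEHOLDER\stealer.exe",
     "cmdline": "chrome.exe --headless --disable-extensions --disable-logging --no-first-run"},
    {"type": "NetworkConnect", "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "dst_port": 21},                                                           # benign
    {"type": "NetworkConnect", "image": r"C:\Users\alice\AppData\Roaming\PLACEHOLDER\stealer.exe",
     "dst_port": 21},                                                           # suspicious
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.rule, "->", f.event.get("image"))
```

Run stand-alone, the script reports four findings, one per suspicious event, and stays silent on the three benign records. In a real deployment the same four rules would be expressed in the SIEM's query language and joined on process GUIDs so that the side-load, the hidden PowerShell, the browser launch and the FTP egress are correlated into a single incident rather than four alerts.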

Security Impact and Risk Assessment

Evelyn represents a high-risk threat due to its stealth, broad data-collection scope, and strong evasion techniques. Its focus on browser data, system intelligence, and cryptocurrency assets makes infections particularly dangerous. Compromise by this stealer can result in financial losses, account takeovers, and identity theft, underscoring the importance of strong endpoint protection, cautious extension installation practices, and continuous monitoring for anomalous system behavior.
