Bitdefender found a malicious Windsurf IDE extension masquerading as an R language support package that delivers a multi-stage NodeJS stealer by pulling encrypted payloads from the Solana blockchain. The campaign targets developers for Chromium credential theft and persistence via a hidden PowerShell scheduled task, while avoiding Russian systems. #Windsurf #Solana #NodeJS #REditorSupporter #Chromium
Keypoints
- A fake R extension inside Windsurf IDE triggered the infection after being installed by a developer.
- The malicious package hid its behavior with encrypted JavaScript that decrypted only after installation.
- Instead of a traditional C2 server, the attackers used the Solana blockchain to retrieve payload fragments.
- The malware performed system profiling and stopped execution if it detected Russian language, timezone, or offset indicators.
- Native .node add-ons were dropped to extract saved passwords, cookies, session tokens, and Chromium secrets.
- Persistence was established with a hidden PowerShell-created scheduled task named UpdateApp and a startup launch of node.exe.
- The campaign focused on developers, likely to harvest privileged access, API keys, and other valuable credentials.
MITRE Techniques
- [T1204.002] Malicious File - The victim installed a fake Windsurf extension that launched the infection inside the IDE ecosystem ("a fake R language development extension installed inside Windsurf IDE triggers a malware infection").
- [T1027] Obfuscated Files or Information - The loader used encrypted and base64-encoded JavaScript to conceal the real payload ("decrypting an embedded payload", "Base64 JavaScript layered with AES-encrypted payload components").
- [T1497.001] Virtualization/Sandbox Evasion: System Checks - The payload profiled the host and quit on Russian indicators, so it never executed on Russian systems ("it looked for language markers", "compared the system timezone", "execution stopped immediately").
- [T1105] Ingress Tool Transfer - The malware retrieved JavaScript payload fragments remotely from Solana transaction data ("it queried blockchain transactions and retrieved encoded data embedded within transaction metadata").
- [T1059.007] Command and Scripting Interpreter: JavaScript - The malicious logic ran as JavaScript within the NodeJS runtime ("executed it using NodeJS runtime primitives", "a second-stage JavaScript component").
- [T1106] Native API - The PowerShell loader used Win32 API calls via Add-Type, and NodeJS loaded native .node modules for browser data theft ("leveraged Win32 API calls through Add-Type", "loaded by NodeJS as .node files").
- [T1053.005] Scheduled Task/Job: Scheduled Task - Persistence was created through a hidden scheduled task named UpdateApp that ran at startup ("created a scheduled task named: UpdateApp", "run at startup with the highest privileges").
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - The script interacted with HKCU Run persistence and removed evidence of it ("interacted with the following registry entry", "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run").
- [T1059.001] Command and Scripting Interpreter: PowerShell - PowerShell was used to hide the console, create persistence, and launch node.exe ("invoked PowerShell to achieve persistence", "hid its console window").
Indicators of Compromise
- [Domains/URLs] blockchain retrieval and RPC access - api.mainnet-beta.solana[.]com
- [File names] malicious extension/package and dropped modules - reditorsupporter.r-vscode-2.8.8-universal, w.node, c_x64.node, and 2 more items
- [File names] dropped browser-stealing component - DllExtractChromiumSecrets.dll
- [File paths] temp location for dropped native modules - AppData\Local\Temp, C:\Users\<user>\AppData\Roaming\node_x86\node\node.exe
- [File paths] persistence-related script location - C:\Users\<user>\AppData\Roaming\zplnUtG\index.js
- [Registry keys] persistence and cleanup target - HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
- [Scheduled task names] startup persistence task - UpdateApp
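As an added hunting example (this is not Bitdefender's code and not part of the original post), the PowerShell script below checks a Windows host for the persistence and staging artifacts listed in this summary: the UpdateApp scheduled task, HKCU Run values that point at node.exe or a script under AppData\Roaming, the dropped node runtime and index.js under each user profile, the .node add-ons and DllExtractChromiumSecrets.dll in the per-user Temp folder, and any node.exe process running from a profile directory. The directory layout of the reconstructed paths, the per-profile expansion of the `<user>` placeholder and the regex match patterns are assumptions; the task name, file names and registry key come from the IoC list.

```powershell
# Added example (not Bitdefender's code): hunt for the artifacts from this report.
# Assumptions: the IoC paths expand per user profile under C:\Users, and the
# match patterns below are ours, not from the original analysis.
$findings = @()

# 1. Scheduled task named UpdateApp (T1053.005)
$task = Get-ScheduledTask -TaskName 'UpdateApp' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task 'UpdateApp' present (author: $($task.Author); actions: $actions)"
}

# 2. HKCU Run values that launch node.exe or a .js file from AppData\Roaming (T1547.001)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        if ("$($p.Value)" -match 'node\.exe|AppData\\Roaming\\.*\.js') {
            $findings += "Run key value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 3. Dropped node runtime, loader script and staged native modules per user profile
$stagedNames = @('w.node', 'c_x64.node', 'DllExtractChromiumSecrets.dll')
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $roaming = Join-Path $userDir.FullName 'AppData\Roaming'
    foreach ($rel in 'node_x86\node\node.exe', 'zplnUtG\index.js') {
        $candidate = Join-Path $roaming $rel
        if (Test-Path $candidate) { $findings += "File present: $candidate" }
    }
    $temp = Join-Path $userDir.FullName 'AppData\Local\Temp'
    if (Test-Path $temp) {
        Get-ChildItem $temp -File -ErrorAction SilentlyContinue |
            Where-Object { $stagedNames -contains $_.Name } |
            ForEach-Object { $findings += "Staged module: $($_.FullName)" }
    }
}

# 4. node.exe running from a user profile rather than a system-wide install
Get-Process -Name node -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path -and $_.Path -like '*\AppData\*') {
        $findings += "node.exe running from profile path: $($_.Path) (PID $($_.Id))"
    }
}

if ($findings.Count -eq 0) {
    'No indicators from this report found on this host.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it from an elevated prompt so that Get-ScheduledTask can read tasks created with highest privileges and Get-Process can resolve the image path of processes owned by other users; a hit on any of the checks warrants pulling the full task XML and the Run key value for triage rather than deleting them immediately, since the report notes the script also cleans up its own Run key evidence.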
Read more: https://www.bitdefender.com/en-us/blog/labs/windsurf-extension-malware-solana