SleepyDuck VSX Ethereum-Based C2 Malware

A malicious VS Code/Open VSX extension named SleepyDuck uses an Ethereum smart contract to store and update its C2 server address, enabling resilient remote access trojan functionality and sandbox evasion. The campaign reached thousands of downloads and parallels other malicious extensions that delivered crypto-mining payloads under deceptive publishers.

Keypoints

  • SleepyDuck was published in Open VSX as a Solidity development tool and updated from benign to malicious between Oct 31 and Nov 1, 2025, under the publisher juan-bianco.solidity-vlang (v0.0.8).
  • The extension uses the Ethereum blockchain and a specific smart contract (0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465) to retrieve its C2 server address (sleepyduck[.]xyz), enabling dynamic updates and takedown resilience.
  • The malware connects to an Ethereum RPC provider, polls the contract, and establishes a 30-second command polling loop to receive instructions and new configurations.
  • SleepyDuck collects and exfiltrates system data (hostname, username, MAC address, timezone) and can execute emergency commands across infected endpoints.
  • Fallback mechanisms allow the extension to query multiple predefined Ethereum RPC addresses if the primary C2 or domain is taken down.
  • Researchers observed potential artificial inflation of download counts (reported ~14,000 downloads) to boost visibility and deceive developers.
  • Related malicious extensions on the VS Code Marketplace (publisher “developmentinc”) delivered a batch-script miner that disabled Defender protections and ran a Monero miner; those extensions have been removed.

MITRE Techniques

  • [T1071] Application Layer Protocol – SleepyDuck uses Ethereum RPC connections to interact with a smart contract for C2 resolution. Quote: ‘The SleepyDuck malware initiates by connecting to an Ethereum Remote Procedure Call (RPC) provider.’
  • [T1573] Encrypted Channel (via blockchain contract) – The extension retrieves dynamic C2 information from an on-chain smart contract to conceal and update server addresses. Quote: ‘interacts with a specific smart contract … to retrieve the address of its C2 server.’
  • [T1090] Proxy – Use of the Ethereum blockchain and RPC providers acts as an intermediary layer to obscure direct C2 infrastructure and provide fallback resolution. Quote: ‘fallback mechanisms to query a predefined list of Ethereum RPC addresses to obtain updated server details from the contract.’
  • [T1082] System Information Discovery – The malware collects host-level information for profiling and exfiltration. Quote: ‘exfiltrate system information, including hostname, username, MAC address, and timezone, to the C2 server.’
  • [T1059] Command and Scripting Interpreter – The malicious extensions downloaded and executed batch scripts to install and run a cryptocurrency miner, including privilege escalation and Defender exclusions. Quote: ‘observed downloading and executing a batch script miner … elevating its privileges and configuring exclusions in Microsoft Defender Antivirus.’
  • [T1114] Email Collection / Exfiltration (data exfiltration) – Collected system data is sent to the C2 server as part of the intrusion’s exfiltration capability. Quote: ‘exfiltrate system information … to the C2 server.’

Indicators of Compromise

  • [Smart Contract Address] C2 resolution mechanism – 0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465
  • [Ethereum Address] Threat actor / contract updater – 0x0eDcFE26CF600FB56ae6AaF3F1D943c811314573
  • [Domain] Primary C2 domain – sleepyduck[.]xyz
  • [Domain] Previous/placeholder server address seen in transactions – localhost:8080
  • [Publisher/Extension] Malicious package identity and metadata – juan-bianco.solidity-vlang (version 0.0.8), ~14,000 reported downloads
  • [Malicious extensions publisher] Related malicious marketplace publisher – developmentinc (extensions delivering a batch-script miner and Monero executable)
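As an added, defender-side hunting example (not code from the original article, from the researchers, or from the extension itself), the script below turns the indicators listed above into two checks: it walks a local extensions directory, matching the publisher.name identity from each package.json and searching source files for the contract address, updater address and C2 domain (Ethereum addresses are compared case-insensitively, since checksum casing is cosmetic), and it flags logged JSON-RPC eth_call request bodies whose "to" field is the known contract. The directory layout, the sample tree and the RPC log lines are constructed for the demo; the only real values are the indicators from this summary.

```python
import json
import tempfile
from pathlib import Path

# Indicators taken from the summary above. The Ethereum addresses and the C2
# domain are written without defanging brackets so they match what would
# appear inside extension source files.
IOC_PUBLISHER_EXTENSION = "juan-bianco.solidity-vlang"
IOC_CONTRACT = "0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465"
IOC_UPDATER = "0x0eDcFE26CF600FB56ae6AaF3F1D943c811314573"
IOC_DOMAIN = "sleepyduck.xyz"

IOC_STRINGS = {
    "contract_address": IOC_CONTRACT,
    "updater_address": IOC_UPDATER,
    "c2_domain": IOC_DOMAIN,
}
SCAN_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".json"}


def extension_identity(ext_dir):
    """Return 'publisher.name' (lower-cased) from package.json, or None."""
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return None
    try:
        meta = json.loads(manifest.read_text(encoding="utf-8", errors="replace"))
    except json.JSONDecodeError:
        return None
    return f"{meta.get('publisher', '')}.{meta.get('name', '')}".lower()


def scan_extension_dir(root):
    """Walk an extensions directory and return a list of finding dicts."""
    root = Path(root)
    findings = []
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        identity = extension_identity(ext_dir)
        if identity == IOC_PUBLISHER_EXTENSION:
            findings.append({"extension": ext_dir.name,
                             "indicator": "publisher_extension", "value": identity})
        for path in sorted(ext_dir.rglob("*")):
            if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
                continue
            # Ethereum addresses are hex with optional checksum casing, so
            # compare case-insensitively to catch lower-cased copies too.
            text = path.read_text(encoding="utf-8", errors="replace").lower()
            for name, ioc in IOC_STRINGS.items():
                if ioc.lower() in text:
                    findings.append({"extension": ext_dir.name, "indicator": name,
                                     "value": ioc, "file": str(path.relative_to(root))})
    return findings


def flag_eth_calls(log_lines):
    """Return ids of JSON-RPC eth_call requests whose 'to' is the known contract."""
    hits = []
    for line in log_lines:
        try:
            req = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON body; ignore
        if req.get("method") != "eth_call":
            continue
        params = req.get("params") or []
        target = params[0].get("to", "") if params and isinstance(params[0], dict) else ""
        if target.lower() == IOC_CONTRACT.lower():
            hits.append(req.get("id"))
    return hits


def build_sample_tree():
    """Create a constructed, harmless directory tree for a demo run."""
    root = Path(tempfile.mkdtemp(prefix="vsx-hunt-"))
    bad = root / "juan-bianco.solidity-vlang-0.0.8"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps(
        {"publisher": "juan-bianco", "name": "solidity-vlang", "version": "0.0.8"}))
    (bad / "extension.js").write_text(
        "// constructed placeholder, not the real extension's code\n"
        f"const CONTRACT = '{IOC_CONTRACT.lower()}';\n"
        f"const FALLBACK = 'https://{IOC_DOMAIN}/';\n")
    good = root / "vendor.helper-1.2.3"
    good.mkdir()
    (good / "package.json").write_text(json.dumps({"publisher": "vendor", "name": "helper"}))
    (good / "extension.js").write_text("module.exports = { activate() {} };\n")
    return root


# Constructed JSON-RPC request bodies as a proxy might log them (not real captures).
SAMPLE_RPC_LOG = [
    '{"jsonrpc":"2.0","id":7,"method":"eth_call","params":[{"to":"'
    + IOC_CONTRACT.lower() + '","data":"0x00"},"latest"]}',
    '{"jsonrpc":"2.0","id":8,"method":"eth_blockNumber","params":[]}',
    '{"jsonrpc":"2.0","id":9,"method":"eth_call","params":[{"to":"0x'
    + "0" * 39 + '1","data":"0x00"},"latest"]}',
]

if __name__ == "__main__":
    for finding in scan_extension_dir(build_sample_tree()):
        print("FILE", finding)
    print("RPC ", flag_eth_calls(SAMPLE_RPC_LOG))
```

On a real host, point scan_extension_dir at the editor's extensions directory (for VS Code, ~/.vscode/extensions). A match on the publisher identity alone is enough to remove the extension; a match on the contract or domain inside another extension's files would suggest a repackaged copy, which the summary notes as a pattern for this kind of campaign. The eth_call check only works where request bodies to RPC providers are logged, and it should be read alongside the 30-second polling cadence described above rather than as a stand-alone signal.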

Read more: https://cyberwarzone.com/2025/11/04/malicious-vsx-extension-sleepyduck-leverages-ethereum-for-command-and-control/