Malicious VSX Extension "SleepyDuck" Uses Ethereum to Keep Its Command Server Alive
04.11.2025

Researchers uncover SleepyDuck RAT hidden in VSX extension, using Ethereum contracts to control infected hosts.
SleepyDuck RAT: The VSX Extension That Lives on Ethereum
Researchers just dropped the tea on SleepyDuck — a nasty RAT (Remote Access Trojan) hiding in VSX extensions that's using Ethereum smart contracts to keep its command servers alive. This isn't your grandma's malware — it's leveraging blockchain for persistence like a crypto-native cybercriminal.
The malicious extension was discovered lurking in the Open VSX marketplace, targeting developers using Visual Studio Code. Once installed, SleepyDuck establishes a backdoor connection and uses Ethereum contracts as its command-and-control infrastructure — making it harder to take down than traditional servers.
Here's the kicker: The malware uses blockchain transactions to communicate with infected hosts, meaning the attackers can maintain control as long as they keep funding the Ethereum contract. It's like having a bulletproof C2 server that lives on the blockchain.

Security researchers are calling this a significant evolution in malware infrastructure — blending traditional RAT capabilities with decentralized blockchain technology. The SleepyDuck campaign represents a new frontier in software supply chain attacks, where even developer tools aren't safe from compromise.
- VSX marketplace compromise — malicious extension distributed to developers
- Ethereum smart contracts used for C2 infrastructure
- Blockchain transactions enable persistent communication
- Traditional takedown methods ineffective against decentralized infrastructure
- Targets Visual Studio Code users through Open VSX
The discovery highlights the growing sophistication of supply chain attacks and the emerging threat of blockchain-abusing malware. As defenders get better at shutting down traditional C2 servers, attackers are moving to decentralized alternatives that are much harder to disrupt.
#supply chain attacks #blockchain #backdoors #malware #smart contracts
Got a topic? Write to ATLA WIRE on Telegram: t.me/atla_community

