A malicious Visual Studio (VS) Code extension posing as an AI-powered assistant was quietly installing remote access malware on developers’ systems.
The fake extension, called ClawdBot Agent, appeared legitimate on the surface but executed malware automatically as soon as VS Code launched.
“The layering here is impressive. You’ve got a fake AI assistant dropping legitimate remote access software configured to connect to attacker infrastructure, with a Rust-based backup loader that fetches the same payload from Dropbox disguised as a Zoom update, all staged in a folder named after a screenshot application,” said Aikido security researchers.
How the ClawdBot Extension Attack Worked
The attackers began by exploiting brand recognition around the popular Clawdbot AI assistant, even though the legitimate Clawdbot team has never released an official Visual Studio Code extension.
By registering the name first and presenting a polished, fully functional plugin, the attackers were able to convince users they were installing a legitimate AI coding assistant rather than a malicious imposter.
Once installed, the extension was designed to activate automatically every time VS Code started, requiring no additional user interaction.
During its startup routine, the extension immediately contacted an external command-and-control (C2) server to retrieve configuration instructions and initiate payload delivery.
Error handling was intentionally suppressed to prevent crashes or alerts, while the advertised AI features continued to function normally, integrating with providers such as OpenAI, Anthropic, and Google to reinforce the appearance of legitimacy.
Automatic Execution and Remote Access Deployment
With the initial foothold established, the extension deployed ScreenConnect, a legitimate remote IT support tool, preconfigured to communicate with attacker-controlled infrastructure at meeting.bulletmailer[.]net over port 8041.
Victims unknowingly received a fully operational ScreenConnect client that automatically established remote access sessions, granting the attackers persistent, interactive control over compromised systems.
Redundant Payload Delivery and Persistence
To ensure reliability, researchers found that the attackers implemented multiple fallback delivery mechanisms.
Alongside the primary JavaScript-based dropper, a malicious Rust-based DLL disguised as DWrite.dll served as a secondary loader.
If the primary C2 server was unavailable, the DLL independently downloaded the same ScreenConnect installer from a Dropbox link masquerading as a Zoom update.
Additional fallback scripts using hardcoded URLs and PowerShell provided yet another layer of redundancy, allowing the attack to continue even if parts of the infrastructure were disrupted.
This approach — often referred to as “Bring Your Own ScreenConnect” — abuses trusted remote management software to evade detection, as tools like ScreenConnect are commonly permitted in enterprise environments and digitally signed by legitimate vendors.
Although Microsoft removed the malicious extension shortly after it was reported, the campaign had already succeeded in infecting systems in the wild.
How Organizations Can Reduce Risk
The ClawdBot Agent incident underscores the importance of responding promptly when trusted developer tools are misused.
Because the extension relied on legitimate software and standard workflows, addressing the issue may require more than simply uninstalling it.
A layered approach that combines cleanup, prevention, and improved visibility can help organizations reduce risk.
- Uninstall the ClawdBot Agent extension immediately and remove any ScreenConnect components installed outside approved IT workflows.
- Block known malicious domains and monitor for outbound connections to port 8041 or other ScreenConnect-related infrastructure.
- Rotate all API keys or credentials entered into the extension, including keys for AI services such as OpenAI or Anthropic.
- Restrict VS Code extensions through allowlisting and limit installation to vetted publishers, especially on developer workstations.
- Monitor endpoint and network telemetry for abnormal extension behavior, including startup execution, dropped binaries, or unauthorized remote access tools.
- Apply tighter egress controls and segmentation for developer environments to reduce blast radius if a workstation is compromised.
- Test and refine incident response plans for developer tool and software supply chain compromise scenarios, including detection, containment, and recovery workflows.
Together, these measures help limit the blast radius of extension-based compromises and improve organizational resilience against similar developer tool and supply chain risks.
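One way to put the allowlisting and startup-execution checks above into practice is to audit the extension manifests on a workstation. The following is an added example, not code from the article or from the researchers it quotes. It assumes each installed extension sits in its own folder with a `package.json` manifest (VS Code's default location is `~/.vscode/extensions`); the publisher names, sample manifests and severity labels are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Activation events that load an extension at VS Code launch with no user action.
STARTUP_EVENTS = {"*", "onStartupFinished"}

def audit_extensions(ext_dir, allowed_publishers):
    """Flag extensions from unvetted publishers and those that auto-start."""
    allowed = {p.lower() for p in allowed_publishers}
    findings = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            publisher = str(meta.get("publisher", "")).lower()
        except (OSError, ValueError, AttributeError):
            findings.append({"id": manifest.parent.name, "severity": "medium",
                             "reasons": ["unreadable manifest"]})
            continue
        unvetted = publisher not in allowed
        startup = sorted(set(meta.get("activationEvents") or []) & STARTUP_EVENTS)
        if not (unvetted or startup):
            continue
        reasons = (["publisher not on allowlist"] if unvetted else []) + \
                  [f"activates at startup ({e})" for e in startup]
        # Severity labels are this example's own convention.
        severity = "high" if unvetted and startup else "medium" if unvetted else "info"
        findings.append({"id": f"{publisher}.{meta.get('name', '')}",
                         "severity": severity, "reasons": reasons})
    return findings

def write_sample_extensions(root):
    """Create constructed manifests (not real extensions) for a dry run."""
    samples = {
        "vetted-corp.linter-1.0.0": {"publisher": "vetted-corp", "name": "linter",
                                     "activationEvents": ["onLanguage:python"]},
        "vetted-corp.theme-2.1.0": {"publisher": "vetted-corp", "name": "theme",
                                    "activationEvents": ["onStartupFinished"]},
        "unknown-pub.ai-agent-0.3.0": {"publisher": "unknown-pub", "name": "ai-agent",
                                       "activationEvents": ["*"]},
    }
    for folder, meta in samples.items():
        path = Path(root) / folder
        path.mkdir(parents=True)
        (path / "package.json").write_text(json.dumps(meta), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_extensions(tmp)
        for finding in audit_extensions(tmp, {"vetted-corp"}):
            print(finding)
```

Startup activation alone is common among legitimate extensions, which is why it is reported as informational unless the publisher is also off the allowlist.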
This incident shows how developer tools can be misused when attackers take advantage of familiar branding and trusted software.
As extensions and plugins gain broader access to development environments, it becomes more important to apply consistent security controls to these tools.
Incidents involving trusted tools reinforce the value of zero-trust strategies that reduce reliance on assumed legitimacy.
