Copilot Readiness and Enterprise AI Security | Knostic Blog

New VS Code extensions attack campaign: SaassyCode - ManageRBLX & TrelloBlox

Written by Gadi Evron | Jun 1, 2026 1:43:37 PM

Background

An active VS Code extension attack campaign, which we dub SaassyCode, is currently targeting users of Trello and Roblox (who download these extensions from the VS Code marketplace on their own; neither vendor is involved), with two malicious extensions discovered so far.

Discovery was done automatically by Knostic's AgentMesh (https://agentmesh.knostic.ai/).

Both currently known campaign extensions have now been removed from the VS Code marketplace.

The dropper architecture is identical between the two, with the same staged filename, the same execution chain and a different payload domain. Follow-on analysis of both final-payload chains confirms the same builder/operator toolkit (shared crypter family, IntelDriver persistence, ::/@ dual-blob carving, base64+XOR → iEx loader); the two extensions are two distinct campaign instances.


ManageRBLX v4.9.5

VS Code Marketplace | Rating 4.25 | Publisher: GeorgeXBT (unverified)

AgentMesh Link: https://agentmesh.knostic.ai/extensions/126428

Marketplace ID: GeorgeXBT.managerblx

Published: May 27, 2026

File analysed: extension/src/extension.js

SHA-256: cfdf72c510670341dce392ab250a5f5ff2a398d993d1106fb8026ec6397cb393


Behavior: ManageRBLX is not a Roblox development tool. It is a runtime loader that downloads a JavaScript payload from giantapplebees[.]shop and executes it via Windows Script Host on every VS Code startup. The extension declares activationEvents: ["*"], so the dropper runs automatically whenever VS Code loads, without the user ever opening the Roblox board UI.
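The activation pattern just described (activationEvents ["*"] plus a Windows Script Host launch of a script staged under %TEMP%) can be checked for locally. The audit below is an added example, not Knostic's AgentMesh code and not either extension's code: it walks an extensions folder, reads each package.json, and scans the shipped JavaScript for the loader traits listed in the IoCs. The ~/.vscode/extensions layout is an assumption about the default install; the two fixture extensions it writes are constructed, with a placeholder host and no working download code.

```python
"""Audit VS Code extension folders for the SaassyCode loader pattern.

Added example, not Knostic's AgentMesh code and not the extensions' code.
An extension is flagged when package.json declares activationEvents ["*"] AND
its JavaScript references a WSH launch of a temp-staged script, or shows two
other loader traits (spawn API, temp staging, remote .js URL).
"""
import json
import re
import tempfile
from pathlib import Path

# Indicators drawn from the IoCs above (cscript //nologo //e:jscript, %TEMP% staging)
# plus the Node APIs a runtime loader needs to fetch and spawn. Keys are report labels.
SUSPECT_PATTERNS = {
    "wsh_launch": re.compile(r"\b[cw]script(\.exe)?\s+//nologo\s+//e:jscript", re.I),
    "temp_staging": re.compile(r"os\.tmpdir\(\)|%TEMP%", re.I),
    "spawn": re.compile(r"\b(exec|spawn|execSync|spawnSync)\s*\("),
    "remote_js": re.compile(r"https?://[^\s'\"]+\.js\b", re.I),
}


def audit_extension(ext_dir: Path) -> dict:
    """Inspect one extension folder and return what was found."""
    report = {"name": ext_dir.name, "activates_on_star": False, "hits": []}
    manifest_path = ext_dir / "package.json"
    if not manifest_path.is_file():
        return report
    manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
    report["activates_on_star"] = "*" in manifest.get("activationEvents", [])
    # Scan the declared entry point plus every other .js the package ships.
    entry = ext_dir / manifest.get("main", "extension.js")
    for src in {entry} | set(ext_dir.rglob("*.js")):
        if not src.is_file():
            continue
        text = src.read_text(encoding="utf-8", errors="replace")
        for label, pattern in SUSPECT_PATTERNS.items():
            if label not in report["hits"] and pattern.search(text):
                report["hits"].append(label)
    report["hits"].sort()
    return report


def is_suspicious(report: dict) -> bool:
    """Loader verdict: always-on activation plus a WSH launch, or plus two other traits."""
    if not report["activates_on_star"]:
        return False
    hits = set(report["hits"])
    return "wsh_launch" in hits or len(hits) >= 2


def scan_extensions_root(root: Path) -> list:
    """Audit every extension folder under root (e.g. ~/.vscode/extensions, assumed layout)."""
    return [audit_extension(d) for d in sorted(root.iterdir()) if d.is_dir()]


# Constructed fixtures for a dry run: placeholder host, no working download code.
LOADER_MAIN = r"""
const { exec } = require('child_process');
const os = require('os');
const staged = os.tmpdir() + '\\nice.js';
const src = 'https://payload-host.example.invalid/newly.js'; // placeholder, not the campaign domain
exec('cscript.exe //nologo //e:jscript ' + staged);
"""
BENIGN_MAIN = r"""
const vscode = require('vscode');
function activate(ctx) {
  ctx.subscriptions.push(vscode.commands.registerCommand('demo.hello', () => {}));
}
module.exports = { activate };
"""


def make_fixture_root() -> Path:
    """Write the two constructed extensions into a temp dir shaped like an extensions folder."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    fixtures = {
        "constructed.loader-0.0.1": (["*"], LOADER_MAIN),
        "constructed.benign-0.0.1": (["onCommand:demo.hello"], BENIGN_MAIN),
    }
    for name, (events, source) in fixtures.items():
        ext = root / name
        (ext / "src").mkdir(parents=True)
        (ext / "package.json").write_text(json.dumps(
            {"name": name, "activationEvents": events, "main": "./src/extension.js"}))
        (ext / "src" / "extension.js").write_text(source)
    return root


if __name__ == "__main__":
    for report in scan_extensions_root(make_fixture_root()):
        verdict = "SUSPICIOUS" if is_suspicious(report) else "ok"
        print(f"{verdict:10} {report['name']}  star={report['activates_on_star']} hits={report['hits']}")
```

Point it at a real extensions folder with `scan_extensions_root(Path.home() / ".vscode" / "extensions")`. The verdict deliberately requires the always-on activation in addition to code traits, since many legitimate extensions spawn processes or fetch files once a command is invoked; an extension that does so on every startup with no command is the behaviour this campaign relies on.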


Indicators of Compromise (IoCs):

  • Payload URL: hxxps://giantapplebees[.]shop/newly.js

  • Staged file: %TEMP%\nice.js

  • Process spawned: cscript.exe //nologo //e:jscript %TEMP%\nice.js

  • Process relationship: code.exe → cscript.exe

  • Cluster IoC: %TEMP%\nice.js, shared with TrelloBlox (second analysis below)


Final payload automated analysis (giantapplebees[.]shop chain; captured and statically analyzed):

  • Kill chain (4 stages):

Stage 1: newly.js (WSH JScript, 1,254 B)

Stage 2: gay.vbs (VBS launcher, 345 B, saved as %TEMP%\svchost.vbs)

Stage 3: sellmysoul.bat (batch crypter, 969 KB, runs as %TEMP%\gay1.bat)

Stage 4: in-memory PowerShell injector (22,554 B, decrypted from carved blob)

  • Stage 3 carves icon.png (decoy, 558 KB) from '::' lines and logo.jpg (real payload) from '@' line

  • logo.jpg decode: base64 → XOR (key 'qc', 0x71 0x63) → iEx

  • Persistence: C:\ProgramData\IntelDriver\ (hidden+system) + *.cmd self-copy

  • Masquerade / LOLBin: %USERPROFILE%\Downloads\svchost.exe (renamed powershell.exe)

  • Stage 4 actions: schtasks /create /tn <random> /xml … /f; process injection (VirtualAlloc + WriteProcessMemory + CreateRemoteThread); ETW patching; no hard-coded C2 in observed final-stage code

  • Anti-analysis: exit if Admin + %TEMP%\VBE\mapping.csv present; anti-VM exit if TotalPhysicalMemory < 3 GB

  • Crypter family: BatCloak / Somalifuscator-style polymorphic batch

  • Stage URLs:

hxxps://giantapplebees[.]shop/gay.vbs

hxxps://giantapplebees[.]shop/sellmysoul.bat

  • SHA-256 (payload artifacts, not the VSIX):

newly.js 4bb573dc1b0044bd45f4d06eec6930d16ba14ec13a078e666a0f8f6af845879b

gay.vbs a87340cfc16a7ea2fa8337f4b37c0a3c6faca056fecf37b505b56f0dd2f595ac

sellmysoul.bat 25cabbfa2526fdd9f8cc535bd468f176fc958754f6ff9a837f51bf4168b97855

decoy icon.png (decoded) 380d5c8d2e56298bf66b55240c29ce70984276aa71e0f2c3cb30525dd3bfb9eb

final_payload.ps1 (decrypted stage 4) d9aef6529ace1b8d1bac85a55b232bfd7a362015ecb1e160ad0006c23b862214


TrelloBlox – Task Manager v5.7.0

VS Code Marketplace | Rating 4.00 (6 reviews) | Publisher: TrelloBlox (unverified)

AgentMesh Link: https://agentmesh.knostic.ai/extensions/136509

Marketplace ID: TrelloBlox.TrelloBlox

Published: May 30, 2026 | Manual validation: May 31, 2026

File analysed: extension/src/extension.js

SHA-256: 8852c7fc9c924b0664b0d6466081100011ee3cfe541549c02ef8f921b5d4c9ec


Behavior: TrelloBlox is not a Trello client. It is a runtime loader that downloads a JavaScript payload from rogiant[.]com and executes it via Windows Script Host every time VS Code starts. The VSIX itself does not contain the final payload; it is fetched at runtime, so the attacker can change what runs without publishing a new extension version.


Indicators of Compromise (IoCs):

  • Payload URL: hxxps://www.rogiant[.]com/javas.js

  • Staged file: %TEMP%\nice.js

  • Process spawned: cscript.exe //nologo //e:jscript %TEMP%\nice.js

  • Process relationship: code.exe → cscript.exe



Final payload automated analysis (rogiant[.]com chain; captured and statically analyzed):

  • Kill chain:

Stage 1: javas.js (WSH JScript) on rogiant[.]com

Stage 2: 555.vbs (VBS launcher, 365 B; downloads stage 3 via Cloudflare Workers; drops it to %TEMP%\u640541.bat then self-deletes via timeout 2 & del /f /q)

Stage 3: mami.bat (batch crypter, 1,188,933 B; persisted on disk as C:\ProgramData\IntelDriver\wow.cmd)

Stage 4: in-memory PowerShell loader (22,158 B, decrypted from carved blob)

  • Stage-3 delivery host (Cloudflare Workers):

hxxps://red-shape-34d7.aledreamer1234.workers[.]dev/mami.bat

  • Post-loader / next-stage host (different subdomain, same Workers account):

crimson-shadow-5337.aledreamer1234.workers[.]dev

  • Persistence: self-copy "%~f0" → C:\ProgramData\IntelDriver\wow.cmd

  • Hidden relaunch via PowerShell: Start-Process -ArgumentList 'silent' -WindowStyle Hidden

  • Stage 3 carves icon.png (decoy, 719,829 B) from '::' lines and logo.jpg (real loader) from '@' line

  • logo.jpg decode: FromBase64String → XOR (key 'tx') → iEx

  • Masquerade / LOLBin: %USERPROFILE%\Downloads\svchost.exe (renamed powershell.exe; deletes pre-existing copy first)

  • Payload is Windows-only (WSH / ActiveX / cmd / PowerShell)

  • SHA-256 (payload artifacts, not the VSIX):

555.vbs be1b3c7ad7965512027915b738e63ebf4ece64e7831029c3abf408f8a19e23fd

mami.bat 7b6cfebbe4def48437c1a1237e8d0036fbe42b817d562e37cb7283df4696a989

decoy icon.png (decoded) afec87c0098b0a3c64216cc53c17e684a4d33614b777c695b1ab5278a4c9997d

logo.jpg decrypted (stage 4 loader) 7b137a477a51785931cfb2611087af6e0d54a09c309ff377768e831450d82263

  • Origin ETags (durable content IoCs):

555.vbs: 5c330a084cf96b4158a867950da6c661

mami.bat: 01e8f1858345998085a79a4c484de58e
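The stage-3 carving and decode steps listed for both chains (icon.png from the '::' lines, logo.jpg from the '@' line, then base64 → XOR → iEx) are what an analyst has to reverse to get at stage 4 without running the batch. The carver below is an added example, not the campaign's code and not Knostic's tooling. Its layout assumptions are taken from the bullets above but not verified against the real samples: the '::'-prefixed lines concatenate to the base64 of the decoy, and the one long '@' line holds base64 of the loader text XOR'd with a short repeating key ('qc' for the giantapplebees chain, 'tx' for rogiant). The decoy bytes, loader text and sample batch file it builds are constructed.

```python
"""Carve the '::' / '@' dual blobs out of a stage-3 batch crypter and decode the loader.

Added analyst example; layout assumptions as stated in the lead-in, sample data constructed.
"""
import base64
import hashlib
import re
from itertools import cycle

# A bare base64 run: what distinguishes the carrier lines from ordinary batch syntax.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def carve_blobs(batch_text: str) -> tuple:
    """Return (decoy_bytes, loader_b64): the decoded '::' blob and the raw '@' base64."""
    decoy_parts, loader_b64 = [], None
    for line in batch_text.splitlines():
        line = line.strip()
        if line.startswith("::") and B64_LINE.match(line[2:]):
            decoy_parts.append(line[2:])
        elif line.startswith("@") and len(line) > 16 and B64_LINE.match(line[1:]):
            # '@echo off' fails the base64 test; only a long bare base64 run qualifies.
            loader_b64 = line[1:]
    decoy = base64.b64decode("".join(decoy_parts)) if decoy_parts else b""
    return decoy, loader_b64


def decode_loader(loader_b64: str, key: bytes) -> str:
    """base64 -> XOR -> text: the order in which the crypter hands the blob to iEx."""
    return xor_with_key(base64.b64decode(loader_b64), key).decode("utf-8", errors="replace")


def sha256_hex(data: bytes) -> str:
    """Hash carved artifacts so they can be matched against the SHA-256 lists above."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins; the real decoy is a 558 KB / 719,829 B image, the real key 'qc' / 'tx'.
CONSTRUCTED_DECOY = b"\x89PNG\r\n\x1a\n" + b"constructed decoy image bytes " * 4
CONSTRUCTED_LOADER = "Write-Host 'constructed stand-in for the stage-4 loader; not the real payload'\r\n"
CONSTRUCTED_KEY = b"qc"  # key reported for the giantapplebees chain (0x71 0x63)


def make_constructed_sample() -> str:
    """Build a batch file with the assumed layout so the carver has something to run on."""
    decoy_b64 = base64.b64encode(CONSTRUCTED_DECOY).decode()
    decoy_lines = ["::" + decoy_b64[i:i + 40] for i in range(0, len(decoy_b64), 40)]
    loader_b64 = base64.b64encode(xor_with_key(CONSTRUCTED_LOADER.encode(), CONSTRUCTED_KEY)).decode()
    return "\n".join(["@echo off", "rem constructed stand-in, no crypter logic",
                      *decoy_lines, "@" + loader_b64, "exit /b 0"])


if __name__ == "__main__":
    decoy, loader_b64 = carve_blobs(make_constructed_sample())
    print(f"decoy: {len(decoy)} B  sha256={sha256_hex(decoy)}")
    print("loader:", decode_loader(loader_b64, CONSTRUCTED_KEY).strip())
```

Run it on a captured sample with `carve_blobs(open(path, encoding="latin-1").read())` and try the two reported keys; a wrong key yields non-printable output, which is the quickest check that the carving assumptions hold for that sample. Hash the carved decoy with `sha256_hex` to compare against the "decoy icon.png (decoded)" values above.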


Campaign linkage

Same builder/operator toolkit, two distinct campaign instances.

Strongest anchor: 555.vbs (rogiant) is the same builder output as gay.vbs (giantapplebees), byte-for-byte apart from the URL and temp-file name, with an identical Dim voqjzy665 / voqjzy665.Run "powershell -NoP -WindowStyle Hidden …DownloadFile(…)…cmd /c … & timeout /t 2 >nul & del /f /q …" structure.

Both chains share family-level anchors:

C:\ProgramData\IntelDriver\ persistence path, %USERPROFILE%\Downloads\svchost.exe rename of powershell.exe, ::/@ dual-blob carving inside the stage 3 batch crypter, and base64 + XOR → iEx loader. Per-campaign IoCs differ: domains (giantapplebees[.]shop vs rogiant[.]com), stage 1 filenames (newly.js vs javas.js), stage 2 filenames (gay.vbs vs 555.vbs), stage 3 filenames (sellmysoul.bat vs mami.bat), stage-3 delivery (direct on giantapplebees[.]shop vs Cloudflare Workers red-shape-34d7.aledreamer1234.workers[.]dev), XOR keys (qc vs tx), decoy blob sizes (558 KB vs 719,829 B), final-loader sizes (22,554 B vs 22,158 B); the rogiant chain adds Cloudflare Workers infrastructure for both stage-3 delivery and post-loader next-stage.

Family-level detection anchors (apply to both):

  • powershell.exe copied/renamed and run from %USERPROFILE%\Downloads

  • svchost.exe executing outside System32 / SysWOW64

  • Batch files carving '::' / '@' lines into icon.png / logo.jpg

  • C:\ProgramData\IntelDriver\ with hidden+system attributes
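The anchors above, together with the process relationship from the IoC sections, translate directly into endpoint detection logic. The rules below are an added example, not a Knostic detection and not a published Sigma rule; they run over events shaped like Sysmon ProcessCreate and FileCreate records (Image, ParentImage, CommandLine, OriginalFileName, TargetFilename). The user name, paths and command lines in the sample events are constructed; the anchors themselves (code.exe → cscript.exe with %TEMP%\nice.js, svchost.exe outside System32/SysWOW64, powershell.exe run from Downloads, C:\ProgramData\IntelDriver\) are the ones this page reports. The first rule is written a little more generally than the cluster IoC: any VS Code child WSH process running a temp-staged script fires, and the nice.js filename adds a second, campaign-specific alert.

```python
"""Family-level detection anchors run over constructed endpoint telemetry.

Added example, not a Knostic rule; events are Sysmon-shaped dicts, values constructed.
"""
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _name(path: str) -> str:
    return PureWindowsPath(path or "").name.lower()


def _in_system_dir(path: str) -> bool:
    return (path or "").lower().startswith(SYSTEM_DIRS)


def evaluate(event: dict) -> list:
    """Return the name of every anchor the event trips (empty list means no alert)."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmd = event.get("CommandLine", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    target = event.get("TargetFilename", "").lower()
    alerts = []
    # VS Code spawning Windows Script Host on a script staged in a temp directory.
    if _name(parent) == "code.exe" and _name(image) in ("cscript.exe", "wscript.exe") and "\\temp\\" in cmd:
        alerts.append("vscode_spawns_wsh_from_temp")
        if cmd.rstrip().endswith("\\nice.js"):  # the staged filename shared by both extensions
            alerts.append("saassycode_staged_file")
    # A binary whose PE identity is PowerShell running out of Downloads, whatever it was renamed to.
    if orig == "powershell.exe" and "\\downloads\\" in image.lower():
        alerts.append("powershell_run_from_downloads")
    # Anything named svchost.exe outside the two legitimate system directories.
    if _name(image) == "svchost.exe" and not _in_system_dir(image):
        alerts.append("svchost_outside_system_dirs")
    # File or process activity touching the shared persistence directory.
    if "c:\\programdata\\inteldriver\\" in " ".join((target, image.lower(), cmd)):
        alerts.append("inteldriver_persistence_path")
    return alerts


def run_detections(events: list) -> dict:
    """Map event index -> alerts, listing only the events that tripped something."""
    return {i: a for i, a in ((i, evaluate(e)) for i, e in enumerate(events)) if a}


SAMPLE_EVENTS = [  # constructed telemetry: three true positives, two benign events
    {"EventType": "ProcessCreate",
     "ParentImage": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo //e:jscript C:\Users\alice\AppData\Local\Temp\nice.js",
     "OriginalFileName": "cscript.exe"},
    {"EventType": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\alice\Downloads\svchost.exe",
     "CommandLine": r"svchost.exe -NoP -WindowStyle Hidden",
     "OriginalFileName": "PowerShell.EXE"},
    {"EventType": "FileCreate",
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\ProgramData\IntelDriver\wow.cmd"},
    {"EventType": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "OriginalFileName": "svchost.exe"},
    {"EventType": "ProcessCreate",
     "ParentImage": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r"Code.exe --type=utility",
     "OriginalFileName": "electron.exe"},
]


if __name__ == "__main__":
    for idx, alerts in run_detections(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(alerts)}")
```

The OriginalFileName check is what makes the Downloads rule robust to the rename: the campaign copies powershell.exe to svchost.exe, but the PE version resource still identifies it, and Sysmon records that field on process creation. The svchost rule and the IntelDriver rule stand on their own and would catch a variant that changes the staged filename or the XOR key.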



Scope note

We’ve done limited analysis on the final stage.

Both final-payload chains have been captured and statically analyzed automatically, with SHA-256 hashes available for both. Stage 4 (PowerShell loader) is decoded for both. Giantapplebees stage 4 has no hard-coded C2 in observed code; rogiant stage 4 reaches the Cloudflare Workers next-stage subdomain crimson-shadow-5337.aledreamer1234.workers[.]dev.

Both Workers subdomains involved in the rogiant chain belong to the same account (aledreamer1234.workers[.]dev).