Analysis of the Rust implants found in the malicious VS Code extension

by Mohamed Ashraf and Marius Benthin, Nov 29, 2025

Yesterday we published a short write-up about the malicious VS Code extension posing as “Material Icon Theme”. That post covered the discovery, the extension’s release timeline, and the fact that version 5.29.1 shipped with two Rust implants. This follow-up focuses on what these implants actually do. The analysis below is based on Marius’ initial deep dive into the Windows and macOS binaries. 

The Rust implants [1,2] are executed as soon as the VS Code extension is activated. The loader is the extension.js file [3] located next to the implants in dist/extension/desktop/.

The attackers placed the implants and the loader in that directory on purpose, because the legitimate “Material Icon Theme” extension uses a similar structure (dist/extension/desktop/extension.js). The malicious version mimics that layout to make the added files look inconspicuous.

Both implants are shipped as Node.js native addons (.node files), which extension.js pulls in with a plain require() call. On Windows the loader requires os.node, a Rust DLL with a .node extension; on macOS it requires darwin.node, the corresponding dylib.

Both implants fetch their C2 instructions from the Solana blockchain by looking up a hard-coded wallet address [4]. This is the same technique used in the GlassWorm samples already described by Koi Security [A].

Once the implant has retrieved the instruction data from the Solana chain, it base64-decodes the content, which yields the C2 URL [5], and downloads the next-stage payload from there.

Similar to GlassWorm, the C2 responds with a large base64 blob that decodes to an AES-256-CBC-encrypted JavaScript file [6].

The implant can fetch the next stage from the same C2 [7] or, as a fallback, from a Google Calendar event [8].

In this campaign the attackers hid the fallback C2 address [9] in the title of that Google Calendar event using invisible Unicode characters, so the event title appears empty or benign when viewed while still carrying the URL the implant decodes.
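The page does not state which invisible characters or which byte-to-character mapping the calendar title uses. The example below is added here and is not code from the implants or from Nextron; it assumes the Unicode variation-selector scheme that Koi Security documented for GlassWorm [A] (U+FE00..U+FE0F for byte values 0..15, U+E0100..U+E01EF for 16..255), and the event title and URL it embeds are constructed for the example. It shows how such a title hides a URL, how an analyst recovers it, and a simple heuristic for flagging smuggled strings without tripping on the single U+FE0F that follows ordinary emoji.

```python
# Added example, not the implants' code. Assumed mapping: the GlassWorm-style
# variation-selector encoding described by Koi Security. Whether this campaign
# used exactly this mapping is not stated on the page and is an assumption here.
from typing import Optional, Tuple

VS_LOW = 0xFE00     # U+FE00..U+FE0F  -> byte values 0..15
VS_HIGH = 0xE0100   # U+E0100..U+E01EF -> byte values 16..255


def byte_to_vs(b: int) -> str:
    """Map one byte to the invisible variation selector that encodes it."""
    return chr(VS_LOW + b) if b < 16 else chr(VS_HIGH + (b - 16))


def vs_to_byte(ch: str) -> Optional[int]:
    """Inverse mapping; None for any character that is not a variation selector."""
    cp = ord(ch)
    if VS_LOW <= cp <= VS_LOW + 15:
        return cp - VS_LOW
    if VS_HIGH <= cp <= VS_HIGH + 239:
        return cp - VS_HIGH + 16
    return None


def hide(visible: str, payload: bytes) -> str:
    """Build a title that displays as `visible` but carries `payload` invisibly."""
    return visible + "".join(byte_to_vs(b) for b in payload)


def extract_hidden(text: str) -> Tuple[str, bytes]:
    """Split a string into what a viewer sees and the bytes smuggled inside it."""
    visible, hidden = [], bytearray()
    for ch in text:
        b = vs_to_byte(ch)
        if b is None:
            visible.append(ch)
        else:
            hidden.append(b)
    return "".join(visible), bytes(hidden)


def looks_smuggled(text: str, min_run: int = 8) -> bool:
    """Flag strings with a long unbroken run of variation selectors.

    Legitimate text uses a single selector after an emoji (e.g. U+FE0F), so a
    run threshold avoids false positives on ordinary calendar titles.
    """
    run = best = 0
    for ch in text:
        if vs_to_byte(ch) is None:
            run = 0
        else:
            run += 1
            best = max(best, run)
    return best >= min_run


# Constructed sample: a benign-looking title with a TEST-NET (RFC 5737) URL hidden in it.
FALLBACK_URL = b"http://203.0.113.10/get_fallback_payload/"
SAMPLE_TITLE = hide("Team sync", FALLBACK_URL)
BENIGN_TITLE = "Coffee \u2615\ufe0f with Alex"  # one U+FE0F after an emoji is normal

if __name__ == "__main__":
    shown, smuggled = extract_hidden(SAMPLE_TITLE)
    print(f"displayed title : {shown!r}")
    print(f"hidden bytes    : {smuggled!r}")
    print(f"flagged         : {looks_smuggled(SAMPLE_TITLE)} / benign: {looks_smuggled(BENIGN_TITLE)}")
```

Running the script prints the title as a calendar UI would show it, the recovered URL, and the verdict of the run-length heuristic. The same `extract_hidden` pass can be applied to any string pulled from a fetched page or API response before it is handed to an URL parser, which is the point at which an implant would consume it.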

We will share more information about the next-stage payloads next week.

References

[1] 6ebeb188f3cc3b647c4460c0b8e41b75d057747c662f4cd7912d77deaccfd2f2 os.node (Windows DLL)
[2] fb07743d139f72fca4616b01308f1f705f02fda72988027bc68e9316655eadda darwin.node (macOS dylib)
[3] 9212a99a7730b9ee306e804af358955c3104e5afce23f7d5a207374482ab2f8f extension.js
[4] BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC Solana wallet address
[5] hxxp://217[.]69.11.60/uVK7ZJefmiIoJkIP6lxWXw==
[6] c32379e4567a926aa0d35d8123718e2ebeb15544a83a5b1da0269db5829d5ece decrypted JavaScript file from C2
[7] hxxp://217[.]69.11.60/get_arhive_npm/karMkkT87qcssRoaHL1zYQ==
[8] https://calendar.google.com/calendar/share?slt=1AXs0gW2ChIx550BJk0lEThoZf3_QvWIH_3UnB8o6GmkFhmRz2tKPa6Vqjn9sGOVi4_9apgcG27TRSQ
[9] hxxp://217[.]69.11.60/get_zombi_payload/uVK7ZJefmiIoJkIP6lxWXw%3D%3D

[A] https://www.koi.ai/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace

Authors

Mohamed Ashraf
Marius Benthin

About the author:

Nextron Threat Research Team

The Nextron Threat Research Team builds the detection logic behind THOR, Aurora, Thunderstorm and the rest of the Nextron toolchain. The group analyses intrusions, reverse-engineers malware, tracks supply-chain incidents, and turns all of that into signatures, heuristics and rules used across our products. The team maintains YARA and Sigma content at scale, develops internal tooling and pipelines, and ships thousands of high-quality detections every year that help customers spot real attacker activity instead of noise.