{"id":1962,"date":"2026-01-29T09:16:23","date_gmt":"2026-01-29T08:16:23","guid":{"rendered":"https:\/\/ilja-schlak.de\/?p=1962"},"modified":"2026-01-29T09:31:48","modified_gmt":"2026-01-29T08:31:48","slug":"vs-code-extension-malware-fake-clawdbot-agent","status":"publish","type":"post","link":"https:\/\/ilja-schlak.de\/en\/vs-code-extension-malware-fake-clawdbot-agent\/","title":{"rendered":"VS Code Extension Malware &#8211; Fake \u201eClawdBot Agent\u201c"},"content":{"rendered":"<section class=\"l-section wpb_row height_medium\"><div class=\"l-section-h i-cf\"><div class=\"g-cols vc_row via_flex valign_top type_default stacking_default\"><div class=\"vc_col-sm-12 wpb_column vc_column_container\"><div class=\"vc_column-inner\"><div class=\"wpb_wrapper\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>The <strong>VS Code Extension Malware<\/strong> \u201cClawdBot Agent\u201d disguised itself as an AI coding assistant, fetched a remote configuration when VS Code started, and installed a preconfigured <em>ConnectWise ScreenConnect<\/em> client. This allowed attackers to establish persistent remote access to Windows systems.<\/p>\n<h2>VS Code Extension Malware in the Marketplace: Fake \u201cClawdBot Agent\u201d installs ScreenConnect<\/h2>\n<p><strong>As of:<\/strong> 29 January 2026<\/p>\n<p>Researchers at <a href=\"https:\/\/www.aikido.dev\/blog\/fake-clawdbot-vscode-extension-malware\" rel=\"nofollow noopener\" target=\"_blank\">Aikido Security<\/a> analyzed a <strong>VS Code Extension Malware<\/strong> sample that appeared in the official Visual Studio Code Marketplace under the name \u201cClawdBot Agent \u2013 AI Coding Assistant.\u201d According to their analysis, the extension looked functional on the surface, but in the background it caused a ScreenConnect instance preconfigured for attacker use to be installed on Windows systems and automatically connected to attacker-controlled infrastructure.<\/p>\n<p>The listing was available under the extension ID <a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=clawdbot.clawdbot-agent\" rel=\"nofollow noopener\" target=\"_blank\">clawdbot.clawdbot-agent<\/a> and showed <strong>77 installs<\/strong> at the time of research. Aikido reports that, after notifying Microsoft, the extension was removed quickly; a public Microsoft statement on this specific incident has not been published so far.<\/p>\n<h3>Timeline of the VS Code Extension Malware: discovery, reporting, removal<\/h3>\n<p>According to Aikido, the extension was flagged by their malware detection on <strong>27 January 2026<\/strong>, then validated and reported to Microsoft (see the <a href=\"https:\/\/www.aikido.dev\/blog\/fake-clawdbot-vscode-extension-malware\" rel=\"nofollow noopener\" target=\"_blank\">Aikido analysis<\/a>). The context and additional details (including background around Moltbot\/Clawdbot) were also covered shortly thereafter by <a href=\"https:\/\/thehackernews.com\/2026\/01\/fake-moltbot-ai-coding-assistant-on-vs.html\" rel=\"nofollow noopener\" target=\"_blank\">The Hacker News<\/a>.<\/p>\n<h3>How the VS Code Extension Malware works: the infection chain<\/h3>\n<p>The <strong>VS Code Extension Malware<\/strong> was configured to activate automatically when the IDE starts (<em>onStartupFinished<\/em>). First, it downloads a file called <em>config.json<\/em> from an external domain; in Aikido\u2019s analysis this is <code><em>clawdbot.getintwopc[.]site<\/em><\/code>. It then executes a binary named <strong>Code.exe<\/strong>.<\/p>\n<p>\u201cCode.exe\u201d is not necessarily \u201cclassic\u201d custom malware, but rather a legitimate ScreenConnect client that was preconfigured to connect to attacker infrastructure (Aikido cites <code><em>meeting.bulletmailer[.]net:8041<\/em><\/code> as a relay\/C2 indicator). This is what makes detection harder: the software itself is legitimate, but the <em>target configuration<\/em> is malicious.<\/p>\n<p>Aikido also describes fallback mechanisms: among other things, a tampered DLL (<code><em>DWrite.dll<\/em><\/code>) is used for sideloading so payloads can still be fetched if the primary infrastructure is unavailable\u2014also including retrieval via a Dropbox link. This significantly increases the robustness of the attack.<\/p>\n<h3>Why VS Code Extension Malware using \u201clegitimate tools\u201d is especially dangerous<\/h3>\n<p>This case highlights a pattern that frequently complicates incident response: remote admin and RMM tools (such as ScreenConnect) can look \u201cnormal\u201d in corporate environments, but are deliberately abused by attackers to establish stealthy remote access. In Aikido\u2019s analysis, this approach is explicitly described as \u201clegitimate remote software, weaponized configuration.\u201d<\/p>\n<h3>Checks &amp; immediate actions for VS Code Extension Malware<\/h3>\n<ul>\n<li><strong>Remove the extension!<\/strong> Search for \u201cClawdBot Agent\u201d\/\u201cclawdbot\u201d in VS Code and uninstall it (details at <a href=\"https:\/\/www.aikido.dev\/blog\/fake-clawdbot-vscode-extension-malware\" rel=\"nofollow noopener\" target=\"_blank\">Aikido<\/a>).<\/li>\n<li><strong>Check for ScreenConnect artifacts!<\/strong> Aikido lists <code>C:\\Program Files (x86)\\ScreenConnect Client (083e4d30c7ea44f7)\\<\/code> as an example path and notes a corresponding Windows service.<\/li>\n<li><strong>Check temp staging!<\/strong> Aikido mentions <code>%TEMP%\\Lightshot<\/code> as a storage location\u2014review the folder and contents and remove them.<\/li>\n<li><strong>Block\/monitor network indicators!<\/strong> Including <code><em>meeting.bulletmailer[.]net<\/em><\/code> (port 8041) and additional IOCs listed in the analysis.<\/li>\n<li><strong>Rotate API keys!<\/strong> If configurations\/keys were stored in the extension (e.g., LLM providers), treat them as compromised and replace them.<\/li>\n<li><strong>Treat it as an incident!<\/strong> If ScreenConnect inbound\/outbound activity is confirmed, don\u2019t just \u201cclean up\u201d\u2014preserve evidence, check for persistence, and rule out lateral movement.<\/li>\n<\/ul>\n<h3>Prevention against VS Code Extension Malware starts with basic hygiene in the developer stack<\/h3>\n<ul>\n<li><strong>Verify the publisher and provenance &#8211; <\/strong>For popular tools, first check official project pages\/GitHub to confirm whether a real Marketplace extension exists.<\/li>\n<li><strong>Principle of minimality &#8211; <\/strong>Install extensions only when truly needed; review permissions\/settings regularly.<\/li>\n<li><strong>Monitoring &amp; allowlisting<\/strong> &#8211; Treat IDE extensions as a supply-chain risk: EDR policies, network egress controls, hash\/publisher allowlisting (where possible).<\/li>\n<li><strong>Secrets handling &#8211; <\/strong>Don\u2019t leave API keys sitting in editor settings; use a secret manager and ensure you can rotate keys.<\/li>\n<\/ul>\n<\/div><\/div><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><h3>FAQ on VS Code Extension Malware<\/h3>\n<\/div><\/div><div class=\"w-tabs style_default switch_click accordion has_scrolling\" style=\"--sections-title-size:inherit\"><div class=\"w-tabs-sections titles-align_none icon_chevron cpos_right\"><div class=\"w-tabs-section\" id=\"o24e\"><button class=\"w-tabs-section-header\" aria-controls=\"content-o24e\" aria-expanded=\"false\"><h3 class=\"w-tabs-section-title\">Is this a &#8220;RAT&#8220; in the traditional sense?<\/h3><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-o24e\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>In effect, yes (remote access). Technically, however, it is often best categorized as abuse of a legitimate remote admin\/RMM tool. In the \u201cClawdBot Agent\u201d case, ScreenConnect is central (see <a href=\"https:\/\/www.aikido.dev\/blog\/fake-clawdbot-vscode-extension-malware\" rel=\"nofollow noopener\" target=\"_blank\">Aikido<\/a>).<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"a4a4\"><button class=\"w-tabs-section-header\" aria-controls=\"content-a4a4\" aria-expanded=\"false\"><h3 class=\"w-tabs-section-title\">How many systems were affected?<\/h3><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-a4a4\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>At the time of research, the Marketplace listing showed 77 installs (<a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=clawdbot.clawdbot-agent\" rel=\"nofollow noopener\" target=\"_blank\">Marketplace page<\/a>). This should not be confused with separate campaigns in which media reported much higher install counts for other AI extensions.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"w-tabs-section\" id=\"q755\"><button class=\"w-tabs-section-header\" aria-controls=\"content-q755\" aria-expanded=\"false\"><h3 class=\"w-tabs-section-title\">Why are \u201cAI tools\u201d so often used as bait?<\/h3><div class=\"w-tabs-section-control\"><\/div><\/button><div  class=\"w-tabs-section-content\" id=\"content-q755\"><div class=\"w-tabs-section-content-h i-cf\"><div class=\"wpb_text_column\"><div class=\"wpb_wrapper\"><p>AI extensions currently meet high demand and are easy to install. The World Economic Forum also describes AI as the dominant driver of change and highlights AI-related vulnerabilities as a fast-growing risk (see <a href=\"https:\/\/www.weforum.org\/publications\/global-cybersecurity-outlook-2026\/digest\/\" rel=\"nofollow noopener\" target=\"_blank\">WEF Global Cybersecurity Outlook 2026<\/a>).<\/p>\n<\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/section>\n","protected":false},"excerpt":{"rendered":"<p>The VS Code Extension Malware \u201cClawdBot Agent\u201d disguised itself as an AI coding assistant, fetched a remote configuration when VS Code started, and installed a preconfigured ConnectWise ScreenConnect client. This allowed attackers to establish persistent remote access to Windows systems.<\/p>\n","protected":false},"author":1,"featured_media":1963,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[120],"tags":[],"class_list":["post-1962","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/posts\/1962","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/comments?post=1962"}],"version-history":[{"count":3,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/posts\/1962\/revisions"}],"predecessor-version":[{"id":1966,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/posts\/1962\/revisions\/1966"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/media\/1963"}],"wp:attachment":[{"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/media?parent=1962"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/categories?post=1962"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/tags?post=1962"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}