Threat Actor Targeting Developers via Trojanized MS Visual Studio

Cookie Stealer Leveraging Telegram for Data Exfiltration


Microsoft’s Visual Studio is a highly popular Integrated Development Environment (IDE) that empowers developers to create diverse applications. However, the software’s widespread usage has attracted the attention of cybercriminals, leading them to craft nefarious schemes aimed at deceiving and victimizing unsuspecting users.

In response to the continued popularity of Visual Studio among developers, cyber attackers have seized the opportunity to develop malicious software. As unsuspecting individuals search for legitimate development tools, they may inadvertently download this fraudulent installer, unwittingly exposing themselves to malicious files alongside the genuine Visual Studio software.

Cyble Research and Intelligence Labs (CRIL) recently uncovered a deceitful installer masquerading as an authentic Microsoft Visual Studio installer delivering a Cookie Stealer. This stealer is specifically designed to infiltrate and extract sensitive information stored in browser cookies, allowing attackers to compromise user accounts and invade privacy.

Information stealers target software developers because they hold valuable data and have access to sensitive resources such as passwords and secret keys. By stealing this information, attackers can gain unauthorized access to various services and databases. Developers often have high-level access, which makes it easy for malware to spread across the network.

Figure 1 – Icon of the Trojanized Visual Studio installer file


These malicious installers can be delivered through various deceptive methods such as phishing websites, third-party websites, file-sharing platforms, social engineering tactics, misleading advertisements, etc.

Technical Details


The malicious installer file bears the filename “VisualStudio.exe” and can be identified by its SHA256 hash: 7e8f18c60e35472bf921d3b67fd427933bd150f57d6e83d1472b990a786976db. The figure below shows the trojanized installer file.

Figure 2 – Installer bundled with information stealer


Accompanying the installer is an information-stealing malware named “MainProject.exe.” This is a 32-bit, GUI-based .NET executable with the SHA256 hash: e8a449e692f1b21f1bc4d49d8b27068b03dd7e8df583d429266fdfb261ddeed5.

The figure below shows the executable file.

Figure 3 – Stealer File Details


When the malicious “VisualStudio.exe” installer is executed, it not only installs the legitimate Visual Studio software but also triggers the execution of the information-stealing malware, “MainProject.exe”. In this deceptive method, unsuspecting users unwittingly install both the genuine development environment and the malicious information stealer simultaneously.

The figure below shows the process tree of the malicious Visual Studio installer.

Figure 4 – Process Tree of the Malicious Visual Studio Installer


Once executed, the information stealer proceeds to extract various system details. These details include the Machine name, username, processor bit version, operating system version, platform, and IP address.

The figure below shows the code to extract the data from the victim’s machine.

Figure 5 – Data Extracted from the System


Upon successfully extracting the data, the information stealer creates a folder named “Temp” within the working directory, where the malware was executed. Additionally, the stealer generates a subfolder within the newly created “Temp” folder, naming it as “<System name>_<machine IP>_timestamp.”

Following the folder creation, the extracted data is stored in a file called “system.txt,” which resides within the newly generated subfolder inside the “Temp” directory. The figure below shows the code to create the “Temp” folder and the “system.txt” file.

Figure 6 – Information Stealer creating a temp folder and dropping the System.txt file



After successfully extracting the system data, the information stealer proceeds to target cookies from a range of web browsers, including Google Chrome, Firefox, Opera, and Edge. Furthermore, the stealer specifically targets acquiring cookies containing information related to well-known social media websites. The figure below shows the routine to target various browsers.

Figure 7 – Information Stealer targeting various browsers


To extract cookies from Google Chrome, the stealer begins by listing the user profiles found in the Chrome path “C:\Users\<user>\AppData\Local\Google\Chrome\User Data”, because cookies and other relevant data are stored within the browser user profile directory.

The figure below illustrates the stealer in the process of listing Chrome profiles.

Figure 8 – Stealer Creating List of User Profiles


Once the stealer obtains a Chrome user profile from a targeted system, the stealer initiates the process of stealing cookies. These extracted cookies are then stored in a text file named “Chrome_<profile>_cookies.txt.” Furthermore, the stealer generates separate text files specifically for social media website cookies. All these files are subsequently placed in the temporary folder created by the stealer, as shown in the figure below.

Figure 9 – Stealer stealing Cookie Data
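As an added defensive example (not code from this post or from the malware), the following Python triages file-creation records for the drop pattern described above: a “Temp” subfolder named <System name>_<machine IP>_timestamp holding system.txt and Chrome_<profile>_cookies.txt. The “process|path” record format, the sample records and the regexes are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Assumed regexes for the artifacts described above: a Temp subfolder named
# <System name>_<machine IP>_timestamp holding system.txt or Chrome_<profile>_cookies.txt.
SUBFOLDER_RE = re.compile(
    r"\\Temp\\[^\\]+_(?:\d{1,3}\.){3}\d{1,3}_[^\\]+\\", re.IGNORECASE
)
ARTIFACT_RE = re.compile(
    r"\\(?:system\.txt|Chrome_[^\\]+_cookies\.txt)$", re.IGNORECASE
)


@dataclass
class FileEvent:
    process: str
    path: str


def parse_event(line: str) -> FileEvent:
    """Parse one constructed 'process|path' file-creation record."""
    process, path = line.split("|", 1)
    return FileEvent(process.strip(), path.strip())


def is_stealer_drop(ev: FileEvent) -> bool:
    """True when both the subfolder name and the file name match the drop pattern."""
    return bool(SUBFOLDER_RE.search(ev.path) and ARTIFACT_RE.search(ev.path))


def triage(lines):
    """Return {process: [paths]} for records matching the stealer's drop pattern."""
    hits = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_stealer_drop(ev):
            hits.setdefault(ev.process, []).append(ev.path)
    return hits


# Constructed sample records: two stealer drops, one normal browser write, one benign Temp file.
SAMPLE_LOG = """\
MainProject.exe|C:\\Users\\dev\\Downloads\\Temp\\DEV-PC_192.168.1.20_1690000000\\system.txt
MainProject.exe|C:\\Users\\dev\\Downloads\\Temp\\DEV-PC_192.168.1.20_1690000000\\Chrome_Default_cookies.txt
chrome.exe|C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies
notepad.exe|C:\\Users\\dev\\Documents\\Temp\\notes.txt
"""

if __name__ == "__main__":
    for process, paths in triage(SAMPLE_LOG.splitlines()).items():
        print(process, paths)
```

Because the folder is deleted after exfiltration (see the final stage below), this pattern is only useful against a file-creation event stream, not against a post-incident disk scan.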


After targeting Google Chrome, the stealer proceeds to target Mozilla Firefox. Firefox stores its cookie data in an SQLite database, which is located in the path “C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles”. Like in the case of Chrome, the stealer then saves the extracted cookies from Firefox in the form of text files within the Temp folder.

The figure below shows the code to steal cookies from Firefox.

Figure 10 – Stealer Code to Steal Firefox Data


The stealer now advances to the exfiltration stage by compressing the entire folder containing stolen text files into a zip file.

The figure below shows the code to compress the data into a zip file.

Figure 11 – Stealer Code to Create Zip File


For exfiltration, the information stealer utilizes Telegram to transmit the zip file to a designated Telegram bot.

The figure below shows the Telegram API call used to send the zip file to the TA.

Figure 12 – Telegram API to send the ZIP File
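An added detection example, not part of the original post: it scans proxy log records for file uploads to the Telegram Bot API (api.telegram.org/bot<token>/sendDocument) made by a process that is not a browser, which is the beacon a network-level control would need to catch. The record format, the sample records, the set of browser process names and the approximate bot-token shape are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Telegram Bot API calls look like https://api.telegram.org/bot<token>/<method>.
# The token shape (numeric bot id, colon, secret) is an approximation assumed for this example.
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{20,})/(\w+)$")
# Assumption: Bot API methods that carry a file upload; sendDocument is the one used by the stealer.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}
# Assumption: processes from which Telegram web-client traffic is expected, unlike Bot API uploads.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "opera.exe"}


def parse_proxy_line(line: str) -> dict:
    """Parse one constructed record: '<timestamp> <process> <http_method> <url> <bytes_sent>'."""
    ts, process, http_method, url, sent = line.split()
    return {"ts": ts, "process": process.lower(), "http_method": http_method,
            "url": url, "bytes_sent": int(sent)}


def classify(rec: dict):
    """Return an alert dict for a non-browser POST upload to a Telegram bot, else None."""
    parts = urlsplit(rec["url"])
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    bot_id, _secret, api_method = m.groups()   # keep the bot id for the alert, never the secret
    if rec["http_method"] != "POST" or api_method not in UPLOAD_METHODS:
        return None
    if rec["process"] in BROWSERS:
        return None
    return {"ts": rec["ts"], "process": rec["process"], "bot_id": bot_id,
            "api_method": api_method, "bytes_sent": rec["bytes_sent"]}


def detect(lines):
    """Run classify over every non-empty record and collect the alerts."""
    return [a for a in (classify(parse_proxy_line(l)) for l in lines if l.strip()) if a]


# Constructed sample records; the bot token is a placeholder, not a real one.
SAMPLE_LOG = """\
2023-07-20T10:01:05Z MainProject.exe POST https://api.telegram.org/bot123456789:AAEXAMPLE_TOKEN_PLACEHOLDER_xx/sendDocument 48211
2023-07-20T10:01:06Z chrome.exe GET https://web.telegram.org/k/ 512
2023-07-20T10:02:00Z MainProject.exe GET https://api.telegram.org/bot123456789:AAEXAMPLE_TOKEN_PLACEHOLDER_xx/getMe 120
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Where TLS inspection is not available, the same logic can be applied to DNS or SNI telemetry at the host level, matching on api.telegram.org from processes that have no business talking to it.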


After successful exfiltration, the stealer launches the legitimate Visual Studio application “vs-professional.exe”, deletes the temporary folder containing the stolen data, and then terminates itself to hide its tracks.

The figure below shows the code starting the actual application and deleting the stolen data.

Figure 13 – Final operation performed by the Stealer




The widespread popularity of certain software renders them attractive targets for cybercriminals. When these criminals steal cookies and other data from a system, they gain access to sensitive information that can be used for malicious purposes.

By acquiring such cookies, TAs can gain unauthorized entry into a user’s social media accounts, enabling them to potentially extract personal information, send harmful messages, or engage in other malicious activities.

Our Recommendations


  • Avoid downloading files from untrusted sources.
  • Clear browsing history and reset passwords at regular intervals.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees on protecting themselves from threats like phishing/untrusted URLs.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor beaconing at the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.

MITRE ATT&CK® Techniques


Tactic           Technique ID   Technique Name
Execution        T1204.002      User Execution: Malicious File
Defense Evasion  T1564.001      Hide Artifacts: Hidden Files and Directories
Discovery        T1217          Browser Information Discovery
Exfiltration     T1567          Exfiltration Over Web Service

Indicators Of Compromise


Indicators                                                          Indicator Type   Description
7e8f18c60e35472bf921d3b67fd427933bd150f57d6e83d1472b990a786976db    SHA256           Trojanized Visual Studio installer (VisualStudio.exe)
e8a449e692f1b21f1bc4d49d8b27068b03dd7e8df583d429266fdfb261ddeed5    SHA256           Cookie stealer (MainProject.exe)