Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT
Essential information
- Published
- 04/12/2025 10:32
- Modified
- 21/12/2025 18:22
- Tags
- 2025-12-04 anivia developers extension multi-stage octorat process-hollowing remote-access-toolkit supply-chain uac bypass vscode
- Related entities
- 8 observables, 18 techniques (mitre), 2 malware
Description
A malicious Visual Studio Code extension named 'prettier-vscode-plus' was discovered on the official VSCode Marketplace, impersonating the legitimate Prettier formatter. This extension served as the entry point for a multi-stage malware chain, starting with the Anivia loader, which decrypted and executed further payloads in memory. The final stage, OctoRAT, is a comprehensive remote access toolkit providing over 70 commands for surveillance, file theft, remote desktop control, persistence, privilege escalation, and harassment. The attack chain employs sophisticated techniques like AES encryption, process hollowing, and UAC bypass. The threat actor's GitHub repository showed active payload rotation to evade detection. This supply-chain attack highlights the evolving threats targeting developers and the abuse of trusted tools in their ecosystem.