Fake VS Code Extension ‘ClawdBot Agent’ Found Installing Remote Access Trojan on Developer Machines

Aegiron 12 mins0

Executive Summary

In late January, a malicious Visual Studio Code extension named ClawdBot Agent was identified actively compromising developer workstations. The extension posed as a legitimate developer or AI productivity tool but secretly installed a remote access capability using ConnectWise ScreenConnect.

Once installed, attackers obtained persistent, interactive access to developer machines without user awareness. Because the affected systems belonged to developers, the incident carried a high risk of source code theft, credential compromise, cloud account abuse, CI/CD pipeline tampering, and downstream supply-chain impact.

This incident did not involve exploitation of a software vulnerability in Visual Studio Code itself. Instead, it relied on social engineering, abuse of trusted tooling, and use of legitimate remote administration software for malicious purposes.

What Happened

Developers installed what appeared to be a normal VS Code extension. The extension claimed to provide automation or agent-style functionality and did not initially display obvious malicious behavior.

During installation and activation, the extension executed background scripts that downloaded and installed a remote access client without the user’s knowledge. From that point forward, the attacker had live remote access to the developer’s system.

Because the tooling used was legitimate and signed, there were no obvious alerts, pop-ups, or antivirus warnings in many cases.

How the Attack Worked

1. Initial Access – Malicious Extension Installation

The initial access vector was a user-installed Visual Studio Code extension named ClawdBot Agent.

Key characteristics:

  • Not published by a trusted or well-known publisher
  • Marketed as a developer productivity or AI-related tool
  • Installed manually by developers
  • No exploit or privilege escalation required

The success of this stage depended entirely on trust and curiosity, not on technical weakness.

2. Execution – Abuse of Extension Capabilities

VS Code extensions are allowed to:

  • Execute JavaScript
  • Run activation scripts
  • Spawn child processes
  • Make outbound network requests

The ClawdBot extension abused these features to execute operating system commands during installation and activation. This behavior is permitted by design and therefore did not trigger built-in security controls.

Observed behaviors included:

  • Spawning shell processes from VS Code
  • Downloading external installers
  • Writing files outside the extension directory

3. Payload Delivery – Remote Access Tool Installation

Rather than deploying custom malware, the extension installed ScreenConnect, a legitimate remote desktop and support tool.

This choice was intentional:

  • ScreenConnect is trusted and widely used
  • Binaries are signed and recognized by security software
  • Network traffic appears legitimate and encrypted
  • It provides full interactive access out of the box

The extension silently:

  1. Downloaded the ScreenConnect client
  2. Installed it without user prompts
  3. Registered it as a background service or daemon
  4. Configured it to connect to an attacker-controlled server

4. Persistence

Persistence was achieved through native operating system mechanisms:

  • Windows
    • Services
    • Registry run keys
    • Scheduled tasks
  • macOS
    • LaunchAgents
    • LaunchDaemons
  • Linux
    • systemd services
    • Cron jobs

This ensured the attacker retained access after reboots and user logouts.

5. Command and Control

Once installed, the ScreenConnect client established outbound encrypted connections to an attacker-controlled instance.

Characteristics of command-and-control traffic:

  • Long-lived sessions
  • Encrypted
  • Outbound only (no inbound firewall rules required)
  • Reconnection after network interruption or reboot

From this channel, attackers could interact with the system in real time.

Vulnerability Analysis

No vulnerability was exploited in:

  • Visual Studio Code
  • The operating system
  • ScreenConnect itself

This was a trust abuse and living-off-the-land attack. All actions used legitimate, documented functionality.

Impact Assessment

Direct Impact

Any compromised system should be assumed to have exposed:

  • Source code
  • Local repositories
  • Configuration files
  • Environment variables
  • SSH keys
  • API tokens
  • Browser session data
  • Password managers (if unlocked)

Potential Secondary Impact

Because developer systems often have privileged access, secondary risk included:

  • Unauthorized Git commits or pushes
  • CI/CD pipeline manipulation
  • Cloud resource abuse
  • Introduction of backdoors into production code
  • Supply-chain compromise affecting customers or downstream users

Indicators of Compromise (IOC’s)

VS Code Extension Artifacts

Suspicious extension characteristics:

  • Obfuscated JavaScript (base64 blobs, eval usage)
  • Activation scripts executing shell commands
  • Hardcoded URLs or IP addresses
  • Use of child_process.exec or spawn

Common extension paths:

  • Windows C:\Users\<user>\.vscode\extensions\
  • macOS / Linux ~/.vscode/extensions/

ScreenConnect Installation Artifacts

Windows

  • Unexpected directories: C:\Program Files (x86)\ScreenConnect Client\ C:\ProgramData\ScreenConnect\
  • Unknown services referencing ScreenConnect binaries
  • Registry persistence: HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\Run

macOS

  • Launch agents or daemons referencing ScreenConnect: ~/Library/LaunchAgents/ /Library/LaunchDaemons/
  • Unsigned or hidden binaries in: /Applications/ /usr/local/bin/

Linux

  • systemd service files in: /etc/systemd/system/
  • Cron jobs created without administrative approval
  • Executables in /tmp, /opt, or user home directories

Process and Behavioral Indicators

  • VS Code spawning:
    • powershell.exe
    • cmd.exe
    • bash, sh, zsh
    • curl or wget
  • ScreenConnect running on developer machines without IT approval
  • Remote desktop sessions active while the user is idle
  • System activity during off-hours

Network Indicators

  • Persistent outbound connections to non-corporate ScreenConnect servers
  • Encrypted remote desktop traffic from developer endpoints
  • Long-lived sessions that reconnect after reboot

Detection Rules and Threat Hunting Queries

Detect VS Code Spawning System Commands

process.name == "Code.exe" OR process.name == "code"
AND
child_process.name IN ("powershell.exe","cmd.exe","bash","sh","zsh","curl","wget")

This behavior is rare in legitimate development workflows and should be treated as high risk.

Detect Silent ScreenConnect Installation

Windows

process.name IN ("msiexec.exe","powershell.exe")
AND
command_line CONTAINS "ScreenConnect"
AND
parent_process.name IN ("Code.exe","code")

macOS

process.name == "installer"
AND
parent_process.name == "code"

Detect Unauthorized Remote Access Tools

process.name CONTAINS "screenconnect"
AND
host.role == "developer_workstation"
AND
user NOT IN approved_IT_admins

Any match here warrants immediate investigation.

Persistence Detection

Windows Registry

registry.path CONTAINS "Run"
AND
registry.value CONTAINS "ScreenConnect"

macOS Launch Agents

file.path CONTAINS "LaunchAgents"
AND
file.content CONTAINS "screenconnect"

Network Detection Logic

destination.application == "remote_desktop"
AND
destination.domain NOT IN corporate_allowlist
AND
source.host.role == "developer_workstation"

Increase severity if:

  • Session duration exceeds one hour
  • Activity occurs outside business hours
  • Reconnection happens after reboot

Credential and Supply-Chain Hunting

Review activity after the extension install date for:

  • Git commits from unfamiliar IPs
  • Force-pushes or rewritten history
  • Cloud API calls from new locations
  • CI/CD configuration changes without change tickets
  • Token usage without interactive login events

How ScreenConnect Was Abused

  1. Extension executes shell command
  2. ScreenConnect client is downloaded and installed
  3. Client registers persistence
  4. Client connects to attacker-controlled server
  5. Attacker gains:
    • Full desktop view
    • Command execution
    • File transfer
    • Continuous access

Because the tool is legitimate, the activity blends into normal system behavior.

How to Spot Malicious VS Code Extensions

Warning signs before installation:

  • Unknown or newly created publishers
  • Vague descriptions promising “AI agents” or automation
  • No clear explanation of functionality

Warning signs after installation:

  • Network traffic originating from VS Code
  • New background services appearing
  • Extension executing OS commands
  • Extension installing other software

Any extension that installs binaries or requires system-level access should be treated as high risk.

Secure Extension Policy Recommendations

Preventive Controls

  • Allow extensions only from approved sources
  • Enforce an extension allowlist
  • Disable CLI-based extension installation
  • Restrict IDEs from spawning shell processes

Detective Controls

  • Monitor extension install events
  • Alert on remote access tools on developer machines
  • Log IDE child process execution

Response Guidance

  • Treat infected developer machines as credential breaches
  • Rotate all secrets used on the system
  • Audit all code and deployment activity after compromise

Final Takeaway

This incident highlights a growing shift in attacker strategy. Instead of exploiting software flaws, attackers are exploiting developer trust.

The malware itself was not sophisticated. The placement was.

When a developer workstation is compromised, the blast radius extends far beyond a single machine. That is what makes attacks like ClawdBot particularly dangerous.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.