A malicious Visual Studio Code extension named “ClawdBot Agent - AI Coding Assistant” was discovered on the official VS Code Extension Marketplace, posing as a free AI coding assistant while silently deploying remote access malware on Windows machines. The attack used quadruple impersonation tactics and weaponized legitimate IT support software.
Discovery
| Attribute | Details |
|---|---|
| Detection date | January 27, 2026 |
| Discovered by | Aikido Security |
| Extension name | ClawdBot Agent - AI Coding Assistant |
| Publisher | clawdbot (clawdbot.clawdbot-agent) |
| Installs before removal | 77 |
| Status | Removed by Microsoft |
Critical note: The real Clawdbot team never published an official VS Code extension. The attackers simply claimed the name first.
Attack chain
Stage 1: Extension installation
The malicious extension appears as a legitimate AI coding assistant:
- Professional marketplace listing
- Functional AI features (surface-level)
- No obvious malicious indicators
Stage 2: Automatic activation
Every time VS Code launches, the extension:
- Activates automatically (no user interaction required)
- Contacts the C2 server at clawdbot.getintwopc[.]site
- Retrieves config.json with instructions
- Suppresses error handling to prevent alerts
Stage 3: Payload delivery
The extension downloads and executes:
- Code.exe: a malicious binary disguised as the VS Code executable
- Supporting DLLs for ScreenConnect deployment
Stage 4: ScreenConnect installation
ConnectWise ScreenConnect (legitimate remote desktop software) is installed and configured to connect to attacker infrastructure at meeting.bulletmailer[.]net:8041.
Stage 5: Persistent access
The attacker gains:
- Full remote control of the system
- Persistence across reboots
- Access appearing as legitimate IT support traffic
Quadruple impersonation
The campaign employed sophisticated layered disguises:
| Layer | Impersonation | Purpose |
|---|---|---|
| 1 | Clawdbot AI assistant | Gain initial trust/installation |
| 2 | Code.exe (VS Code binary) | Blend with legitimate IDE files |
| 3 | %TEMP%\Lightshot folder | Appear as screenshot tool |
| 4 | Zoom update (Dropbox) | Backup delivery disguise |
Each layer provides a plausible explanation if any single component is discovered.
Backup delivery mechanism
A Rust-based backup loader (DWrite.dll) provides redundancy:
| Component | Function |
|---|---|
| DWrite.dll | DLL sideloading attack vector |
| Dropbox payload | Same ScreenConnect installer |
| Zoom disguise | Payload named as Zoom update |
If the primary C2 fails, the backup fetches the same payload from Dropbox, ensuring delivery success.
“Bring Your Own ScreenConnect”
This attack uses a technique known as “Bring Your Own ScreenConnect” (or “RMM abuse”):
| Characteristic | Advantage for Attackers |
|---|---|
| Legitimate software | Trusted by security tools |
| Signed binaries | Passes code signing checks |
| IT support tool | Expected network behavior |
| Encrypted traffic | Blends with normal admin activity |
IT support tools like ScreenConnect, AnyDesk, and TeamViewer are increasingly weaponized because security tools often allowlist them.
Infrastructure
| Component | Value |
|---|---|
| C2 domain | clawdbot.getintwopc[.]site |
| Relay server | meeting.bulletmailer[.]net:8041 |
| IP address | 178.16.54[.]253 |
| Hosting | Omegatech LTD (Seychelles) |
| SSL cert issued | January 10, 2026 |
| Extension published | January 27, 2026 |
The infrastructure was established just 17 days before the extension appeared—indicating rapid operational tempo.
Impact assessment
Potential data exposure
If the extension was installed, attackers could access:
| Data Type | Risk |
|---|---|
| Source code | Full repository access via VS Code |
| API keys/secrets | Entered into extension or visible in code |
| Credentials | Password managers, SSH keys |
| Development environment | CI/CD access, cloud credentials |
| Corporate network | Lateral movement from developer machine |
Developer targeting rationale
Developers are high-value targets:
- Access to source code and intellectual property
- Credentials for production systems
- CI/CD pipeline access
- Often have elevated privileges
- Trust development tools implicitly
Remediation
If you installed ClawdBot Agent
| Step | Action |
|---|---|
| 1 | Remove extension from VS Code |
| 2 | Check for ScreenConnect at C:\Program Files (x86)\ScreenConnect Client (083e4d30c7ea44f7)\ |
| 3 | Uninstall ScreenConnect client service |
| 4 | Delete %TEMP%\Lightshot directory |
| 5 | Block C2 domains and IPs at firewall |
| 6 | Rotate all credentials entered into extension |
| 7 | Rotate API keys visible in open projects |
| 8 | Scan for additional persistence mechanisms |
| 9 | Report to security team for IR assessment |
Indicators of compromise
Domains:
clawdbot.getintwopc[.]site
meeting.bulletmailer[.]net
IP addresses:
178.16.54[.]253
File paths:
C:\Program Files (x86)\ScreenConnect Client (083e4d30c7ea44f7)\
%TEMP%\Lightshot\
Processes:
ScreenConnect client service
Code.exe (in unexpected locations)
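As an added example (not code from the advisory, from Aikido Security or from Microsoft), the following Python triage helper covers remediation steps 2, 4 and 5 and the indicator list above: it checks a host tree for the ScreenConnect client directory, the %TEMP%\Lightshot staging folder, the unpacked extension and stray copies of Code.exe, and scans constructed proxy/DNS log lines for the network indicators. The indicator values are the page's own, written without the defanging brackets so they match real logs. The on-disk extension folder name (`<publisher>.<name>-<version>` under the user's extensions directory), the `Microsoft VS Code` install-path marker, the log line format and the sample timestamps are assumptions.

```python
"""Triage helpers for the ClawdBot Agent indicators of compromise.

Added example, not code from the advisory or from any vendor named in it.
Indicator values are the page's own; directory layouts and the log line
format are assumptions noted inline.
"""
import re
from pathlib import Path

# Network indicators from the advisory, refanged so they match real log lines.
IOC_DOMAINS = {"clawdbot.getintwopc.site", "meeting.bulletmailer.net"}
IOC_IPS = {"178.16.54.253"}

# Host indicators from the advisory.
EXTENSION_ID = "clawdbot.clawdbot-agent"
SCREENCONNECT_DIR = "ScreenConnect Client (083e4d30c7ea44f7)"
STAGING_DIR = "Lightshot"
LEGIT_VSCODE_MARKER = "Microsoft VS Code"  # assumed substring of a genuine install path


def scan_host(program_files_x86, temp_dir, vscode_ext_dir):
    """Return a list of findings for the file-system indicators.

    The three roots are parameters so the check can run against a mounted
    image or a test tree; on a live Windows host they would be
    %ProgramFiles(x86)%, %TEMP% and %USERPROFILE%\\.vscode\\extensions (the
    last is an assumption about where VS Code keeps user extensions).
    """
    program_files_x86, temp_dir, vscode_ext_dir = (
        Path(program_files_x86), Path(temp_dir), Path(vscode_ext_dir))
    findings = []
    sc = program_files_x86 / SCREENCONNECT_DIR
    if sc.is_dir():
        findings.append(f"ScreenConnect client directory present: {sc}")
    staging = temp_dir / STAGING_DIR
    if staging.is_dir():
        findings.append(f"staging directory present: {staging}")
    # VS Code unpacks extensions as "<publisher>.<name>-<version>" (assumption).
    for entry in vscode_ext_dir.glob(f"{EXTENSION_ID}-*"):
        findings.append(f"malicious extension unpacked at: {entry}")
    # Code.exe belongs only inside a VS Code install; a copy under %TEMP% or
    # the extensions directory is the disguised payload described above.
    for root in (temp_dir, vscode_ext_dir):
        for hit in root.rglob("Code.exe"):
            if LEGIT_VSCODE_MARKER not in str(hit):
                findings.append(f"Code.exe in unexpected location: {hit}")
    return findings


# Assumed log shape: free text that contains destination hostnames or IPs,
# optionally followed by ":port". Anything not in the indicator sets is ignored.
HOST_RE = re.compile(
    r"\b(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})"
    r"(?::(?P<port>\d+))?\b",
    re.I,
)


def scan_log_lines(lines):
    """Return (line_number, indicator, port_or_None) for every indicator hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            host = m.group("host").lower()
            if host in IOC_DOMAINS or host in IOC_IPS:
                port = int(m.group("port")) if m.group("port") else None
                hits.append((lineno, host, port))
    return hits


# Constructed sample log lines (timestamps and host name are made up); the
# third line is the ScreenConnect relay connection on port 8041 from the page.
SAMPLE_LOG = [
    "2026-01-28T09:14:02Z ws-dev-17 DNS query clawdbot.getintwopc.site A",
    "2026-01-28T09:14:05Z ws-dev-17 TCP connect 178.16.54.253:443 bytes=9120",
    "2026-01-28T09:16:40Z ws-dev-17 TCP connect meeting.bulletmailer.net:8041 bytes=38401",
    "2026-01-28T09:17:00Z ws-dev-17 DNS query marketplace.visualstudio.com A",
]

if __name__ == "__main__":
    for lineno, host, port in scan_log_lines(SAMPLE_LOG):
        print(f"line {lineno}: {host}" + (f":{port}" if port else ""))
```

On a real host, point `scan_host` at the three environment-derived roots and feed `scan_log_lines` the relevant DNS or proxy export; any hit on the relay host, in particular, should be treated as an active remote-access session rather than a failed download attempt.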
VS Code Marketplace security
This incident continues a troubling pattern:
| Timeframe | Incidents |
|---|---|
| Late 2025 | 19 malicious extensions discovered |
| January 2026 | ClawdBot Agent |
| Ongoing | Additional campaigns likely |
Marketplace limitations
| Challenge | Impact |
|---|---|
| Open publishing | Anyone can upload extensions |
| Limited vetting | Automated scans miss sophisticated malware |
| Name squatting | Attackers claim legitimate product names |
| Trust by default | Users assume marketplace curation |
Recommendations
For developers
| Practice | Benefit |
|---|---|
| Verify publishers | Check official sources before installing |
| Review permissions | Understand what extensions can access |
| Check install counts | Low counts may indicate new/suspicious extensions |
| Read reviews | Look for warnings from other users |
| Use organizational allowlists | Only approved extensions |
For organizations
| Control | Implementation |
|---|---|
| Extension allowlisting | Centrally managed approved list |
| EDR on developer machines | Detect ScreenConnect-style abuse |
| Network monitoring | Alert on unexpected remote access tool traffic |
| Secret scanning | Detect exposed credentials in repositories |
| Regular audits | Review installed extensions periodically |
For extension verification
Before installing any VS Code extension:
- Check the publisher’s official website for extension links
- Verify the publisher ID matches official sources
- Review the extension’s source code if available
- Check when the extension was first published
- Look for verified publisher badges
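The publisher-ID check above and the allowlisting and periodic-audit controls recommended for organizations can be scripted. As an added example, not code from the advisory or from VS Code itself, the Python below parses the output of `code --list-extensions --show-versions` (a real VS Code CLI option) against an allowlist of exact `publisher.name` IDs, and separately flags extensions whose name matches an approved one under a different publisher, which is the name-squatting pattern this campaign relied on. The allowlist, the installed list and the version numbers are constructed for the example.

```python
"""Audit installed VS Code extensions against an organizational allowlist.

Added example, not from the advisory. Input is one "publisher.name@version"
line per extension, as printed by `code --list-extensions --show-versions`.
The allowlist format is this example's own.
"""
import re

# "<publisher>.<name>@<version>", e.g. "ms-python.python@2024.22.2"
LINE_RE = re.compile(
    r"^(?P<publisher>[a-z0-9][a-z0-9-]*)\.(?P<name>[a-z0-9][a-z0-9-]*)@(?P<version>\S+)$",
    re.I,
)

# Constructed allowlist of exact extension IDs (publisher.name). Display names
# such as "ClawdBot Agent - AI Coding Assistant" are free text and never used.
ALLOWLIST = {
    "ms-python.python",
    "ms-vscode.cpptools",
    "rust-lang.rust-analyzer",
}

# Constructed `code --list-extensions --show-versions` output; the versions are
# not real releases. The last entry reuses an approved name under a
# different publisher, the squatting pattern the advisory describes.
SAMPLE_INSTALLED = """\
ms-python.python@2024.22.2
rust-lang.rust-analyzer@0.3.2257
clawdbot.clawdbot-agent@1.0.3
ms-vscode-cpp.cpptools@1.22.11
"""


def parse_installed(text):
    """Parse CLI output into (publisher, name, version) tuples, lower-cased IDs."""
    extensions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised extension line: {line!r}")
        extensions.append((m.group("publisher").lower(),
                           m.group("name").lower(),
                           m.group("version")))
    return extensions


def audit(text, allowlist):
    """Classify each installed extension.

    allowed    - exact publisher.name is on the allowlist
    lookalike  - name matches an allowed extension but the publisher differs
    unapproved - anything else
    """
    allowed = {ext_id.lower() for ext_id in allowlist}
    publishers_by_name = {}
    for ext_id in allowed:
        publisher, name = ext_id.split(".", 1)
        publishers_by_name.setdefault(name, set()).add(publisher)

    report = {"allowed": [], "lookalike": [], "unapproved": []}
    for publisher, name, _version in parse_installed(text):
        ext_id = f"{publisher}.{name}"
        if ext_id in allowed:
            report["allowed"].append(ext_id)
        elif name in publishers_by_name:
            report["lookalike"].append((ext_id, sorted(publishers_by_name[name])))
        else:
            report["unapproved"].append(ext_id)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_INSTALLED, ALLOWLIST)
    for ext_id, expected in result["lookalike"]:
        print(f"LOOKALIKE  {ext_id} (approved publisher(s): {', '.join(expected)})")
    for ext_id in result["unapproved"]:
        print(f"UNAPPROVED {ext_id}")
```

Run it against each developer machine's `code --list-extensions --show-versions` output on a schedule and treat both the lookalike and unapproved buckets as findings; the lookalike bucket is the one that catches a squatted name that a casual glance at the marketplace listing would pass. Recent VS Code versions also expose an `extensions.allowed` setting that can enforce such a list centrally, which complements an audit like this rather than replacing it, since it does not retroactively report what was already installed.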
Context
The ClawdBot attack demonstrates the maturation of developer tool supply chain attacks. By combining:
- Name squatting of legitimate AI tools
- Functional trojan behavior
- Weaponized IT support software
- Multiple fallback delivery mechanisms
…attackers create sophisticated campaigns that bypass traditional security controls.
The use of ScreenConnect is particularly clever—it’s legitimate software that security teams often allowlist, providing attackers with trusted, encrypted remote access that blends with normal IT operations.
Organizations should treat extension marketplace security with the same rigor applied to other software supply chain risks. Developer machines are high-value targets, and the tools developers trust implicitly are increasingly weaponized against them.