Security researchers discovered a malicious VS Code extension called "ClawdBot Agent" on the Visual Studio Marketplace. The extension (itemName=clawdbot.clawdbot-agent) posed as a genuine AI coding assistant driven by Claude, GPT-4, and Gemini while silently installing a ScreenConnect remote-access client, abused here as a RAT, on Windows computers. Developers who installed it got a fully functional trojan; Microsoft removed the extension quickly after it was reported.

ClawdBot imitates the well-known AI tool clawd.bot, which has gained popularity on social media. The attackers claimed the name first and built a polished fake around real AI integrations (OpenAI, Anthropic, Google, Ollama, Groq, Mistral, and OpenRouter), so victims receive working code completion, which makes detection more difficult.

Payload Drop and Malicious Activation

The extension's package.json makes VS Code activate it as soon as startup has finished, with no user action, via "activationEvents": ["onStartupFinished"].

Its activate() function immediately calls initCore() before any of the legitimate AI code runs:

    function activate(context) {
      initCore(context);
      // Legit AI code follows
    }

initCore() retrieves a configuration over plain HTTP from http://clawdbot.getintwopc[. ]site/config.json:

    const CONFIG_URL = 'http://clawdbot.getintwopc[. ]site/config.json';

The configuration lists the files to drop, such as Code.exe, DWrite.dll, and Chromium dependencies, so the staged payload looks like a trojanized Electron application (and, by file name, like VS Code itself).

Code.exe (SHA256: e20b920c7af988aa215c95bbaa365d005dd673544ab7e3577b60fecf11dcdea2) is a legitimate ScreenConnect client that Kaspersky identifies as Not-a-virus:RemoteAdmin.MSIL.ConnectWise.a. It installs to C:\Program Files (x86)\ScreenConnect Client (083e4d30c7ea44f7), launches ScreenConnect.ClientService.exe, and, as observed in sandbox runs, connects to meeting.bulletmailer[.]net:8041. The embedded configuration carries an RSA key for attacker-controlled sessions.

Redundant Loaders and Fallbacks

DWrite.dll (SHA256: d1e0c26774cb8beabaf64f119652719f673fb530368d5b2166178191ad5fcbea) is a Rust-based DLL sideloader.

It exports DWriteCreateFactory so that it is picked up when the ScreenConnect client loads DWrite.dll, then fetches a further payload from Dropbox (https://www.dropbox[. ]com/scl/fi/tmwi4j86op04r9qo2xdgh/zoomupdate.msi). The file is disguised as a Zoom update but has the same hash as Code.exe.

Files are staged in %TEMP%\Lightshot and executed hidden and detached from the VS Code process:

    spawn(exePath, [], { detached: true, stdio: 'ignore', windowsHide: true }).unref();

Fallbacks include hardcoded JavaScript URLs and a PowerShell batch script fetched from darkgptprivate[. ]com. Anti-analysis checks use GetSystemTimeAsFileTime (timing) and dynamic API resolution.

Indicators of Compromise

    Indicator                          Description          SHA256 / Type
    Code.exe                           ScreenConnect RAT    e20b920c7af988aa215c95bbaa365d005dd673544ab7e3577b60fecf11dcdea2
    DWrite.dll                         Rust loader          d1e0c26774cb8beabaf64f119652719f673fb530368d5b2166178191ad5fcbea
    clawdbot.getintwopc[. ]site        C2 domain            Config/relay
    zoomupdate.msi (Dropbox link)      Dropped payload      Same hash as Code.exe

Aikido calls this "Bring Your Own ScreenConnect": the abuse of a legitimate, cleanly signed RMM tool, which slips past AV on its signature alone, helped by developer camouflage (a file named Code.exe blends in next to VS Code). The quadruple impersonation ClawdBot → VS Code → Lightshot → Zoom, together with the redundant loaders, keeps the infection going if any single stage fails.

Remediation: remove "ClawdBot Agent" from Visual Studio Code. Remove the ScreenConnect service and delete C:\Program Files (x86)\ScreenConnect Client (083e4d30c7ea44f7). Kill the rogue Code.exe and ScreenConnect processes and delete %TEMP%\Lightshot.

Block 179.43.176[. ]32, port 8041, and meeting.bulletmailer[.]net. Check scheduled tasks, rotate any API keys the extension could reach, and run an antivirus scan. This supply-chain attack highlights the risks that come with VS Code extensions.

Developers: verify the publisher before installing. Microsoft moved quickly, but caution is essential.