bigblack_publisher_threat_actor

BigBlack is the publisher associated with malicious Visual Studio Code extensions removed from the VS Code Marketplace by Microsoft in December 2025. Known associated extensions include BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme. The activity described is a software supply chain campaign targeting developers through trojanized VS Code extensions disguised as a dark theme and an AI coding assistant. The extensions were reported by Koi Security and were designed to infect developer machines and exfiltrate sensitive data. BigBlack.bitcoin-black was configured to activate on every VS Code action, while BigBlack.codo-ai embedded malicious code within a functioning tool to reduce suspicion. Earlier versions used PowerShell to download a password-protected ZIP archive from syn1112223334445556667778889990[.]org, with extraction performed via Windows Expand-Archive, .NET System.IO.Compression, DotNetZip, or 7-Zip. Later versions shifted to a batch-script-and-curl download chain to retrieve an executable and DLL while hiding the PowerShell window. The malware used the legitimate Lightshot binary together with a rogue Lightshot.dll for DLL hijacking. The payload collected clipboard contents, installed applications, running processes, screenshots, WiFi credentials, and system information. It also launched Google Chrome and Microsoft Edge in headless mode to steal cookies and hijack browser sessions, then exfiltrated the stolen data to attacker-controlled infrastructure. The content does not attribute BigBlack to a nation state, and no additional aliases or sub-groups are directly supported beyond the BigBlack publisher name and the associated extension names.