Malware

SleepyDuck RAT

SleepyDuck RAT is a remote access trojan reported in 2025. It was observed being deployed via booby-trapped Visual Studio Code extensions distributed through the Open VSX open-source registry, where it masqueraded as popular extensions. Reporting states that it uses the Ether blockchain as a command-and-control mechanism. SleepyDuck RAT was identified as one of the novel malware families that emerged alongside the Betruger backdoor, and the available context indicates it supported ransomware campaigns. High-confidence details in the provided content are limited to its RAT functionality, malicious VS Code/Open VSX extension delivery vector, blockchain-based C2 using Ether, and its association with ransomware activity.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1195Supply Chain CompromiseEvidence1

the widely used Solidity VSCode extension has been spoofed in the open-source Open VSX registry to distribute the new SleepyDuck remote access trojan to unsuspecting developers.

Execution

2 techniques

T1059Command and Scripting InterpreterEvidence1

SleepyDuck RAT also establishes a command execution sandbox

T1204.002Malicious FileEvidence1

Secure Annex researchers discovered that the fake Solidity extension, which has amassed over 53,000 downloads so far, had been embedded with malicious code only a day after it was uploaded on Oct. 31.

Discovery

1 technique

T1082System Information DiscoveryEvidence1

Apart from obtaining system data, including hostnames, usernames, timezones, and MAC addresses

Command and Control

1 technique

T1071Application Layer ProtocolEvidence1

SleepyDuck RAT, which leverages Ethereum contracts for command-and-control server updates ... the Ethereum blockchain harnessed by the malware to ensure continued receipt of instructions even in the event of an offline primary command server.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

sentinelone blogNews

Dec 25, 2025

The Best, the Worst and the Ugliest in Cybersecurity | 2025 Edition

Remote Access Trojan masquerading as a popular extension on the Open VSX registry.

risky biz rssNews

Nov 3, 2025

Risky Bulletin: Norway skittish of its Chinese electric buses

SleepyDuck is a remote access trojan (RAT) that uses the Ether blockchain for command and control, and is distributed via malicious VS Code extensions.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.