
Fake *Claudebot* (Renamed *Moltbot*) VS Code Extension Distributes *ScreenConnect RAT* Malware
A fake extension named Claudebot (later renamed Moltbot) for Visual Studio Code (VS Code) has been identified as distributing the ScreenConnect RAT, a remote access tool hijacked by malicious actors. The unofficial malicious extension was available on the Visual Studio Marketplace and mimicked an AI assistant for developers. The extension's code (versions 1.0 and 3.0) contained references to a config.json file hosted on claudebot.getintopc.site, which triggered the download of executable files (code.exe, dwight.dll) via HTTP requests. Analysis revealed that code.exe was actually a ScreenConnect MSI installer, while dwight.dll (compiled in Rust) used DLL hijacking techniques to load malicious code through exports like DwightCreateFactory. The included run.bat script attempted to download files from darkgpt.private.com, linked to an info stealer named Evelyn. Versions 1.0 and 3.0 of the extension did not function properly, failing to trigger the infection. The analysis was conducted using tools like IDA Pro and Process Monitor in a virtualized environment.
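A defender-side check for the indicators named above, as an added example that is not part of the original report: it scans unpacked VS Code extension folders for the two domains, the DLL file name and its export name. The sample extension tree, its folder names and the URL in it are constructed test data; on a workstation the root to scan would normally be ~/.vscode/extensions.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators taken from the report above. code.exe is left out on purpose:
# it collides with the name of the legitimate VS Code binary.
INDICATORS = ["claudebot.getintopc.site", "darkgpt.private.com",
              "dwight.dll", "DwightCreateFactory"]
PATTERN = re.compile("|".join(re.escape(i) for i in INDICATORS), re.IGNORECASE)
TEXT_SUFFIXES = {".js", ".ts", ".json", ".bat", ".cmd", ".ps1"}

def scan_extension(ext_dir):
    """Return (name, version, sorted hits) for one unpacked extension folder."""
    ext_dir = Path(ext_dir)
    try:
        manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        manifest = {}  # missing or malformed manifest: still scan the files
    hits = set()
    for path in (p for p in ext_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(ext_dir).as_posix()
        haystack = path.name  # file name catches a dropped payload such as the DLL
        if path.suffix.lower() in TEXT_SUFFIXES:  # content catches scripts and configs
            haystack += "\n" + path.read_text(encoding="utf-8", errors="replace")
        hits.update((rel, m.group(0).lower()) for m in PATTERN.finditer(haystack))
    return manifest.get("name"), manifest.get("version"), sorted(hits)

def scan_all(extensions_root):
    """Scan every folder under the root and keep only extensions with hits."""
    results = (scan_extension(d) for d in sorted(Path(extensions_root).iterdir()) if d.is_dir())
    return [r for r in results if r[2]]

def build_sample(root):
    """Constructed test data: one flagged extension and one clean one."""
    bad, good = Path(root) / "fake.assistant-1.0.0", Path(root) / "clean.theme-2.1.0"
    for d in (bad, good):
        d.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({"name": "assistant", "version": "1.0.0"}))
    (bad / "extension.js").write_text("const CFG = 'http://claudebot.getintopc.site/config.json';\n")
    (bad / "dwight.dll").write_bytes(b"MZ")
    (good / "package.json").write_text(json.dumps({"name": "theme", "version": "2.1.0"}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_all(tmp))
```

A hit is a lead for triage, not a verdict: the report itself notes that versions 1.0 and 3.0 failed to trigger the infection, so a flagged folder still needs its process and network activity reviewed.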