Pulse Detail — Threat Intelligence

PULSE NAME

Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor

WHITE PetrP.73 2026-03-29 Modified: 2026-03-29

IOCs

MEDIUM VOLUME

StepSecurity's analysis reveals a significant supply chain attack targeting Solidity developers through compromised Visual Studio Code (VSCode) extensions published by IoliteLabs. The affected extensions—solidity-macos, solidity-windows, and solidity-linux, were abruptly updated to version 0.1.8 on March 25, 2026, after being dormant since 2018. Each extension contains a multi-stage backdoor that silently activates on every startup of VSCode, downloading platform-specific payloads from attacker-controlled domains.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1005 T1027 T1036.005 T1041 T1056.001 T1059.003 T1059.004 T1059.007 T1071.001 T1105

Indicators of Compromise (22)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	67f51fd22786e2ac0162903e742a6770	MD5 of e7ec4e35d94d01a2e4ee5dca62b8fb08ac7411596edb54b398651f4eb563561d	2026-03-29
FileHash-SHA1	2af09bc8ab0de9f6f585e4c3d03fa6ba3291f317	SHA1 of e7ec4e35d94d01a2e4ee5dca62b8fb08ac7411596edb54b398651f4eb563561d	2026-03-29
FileHash-SHA256	37516a0a420b21ef3b68129f8d089be706974a597a821ec83e598cd180716f60	—	2026-03-29
FileHash-SHA256	38cb0e1209a721a565e71f9dc0593437723dc32c4d2fe2d23de141f4d306ccea	—	2026-03-29
FileHash-SHA256	40a6bbc8260bc17faa583dd3c3954a0e3c4b0abb923baaecd2ad7901311d5d82	—	2026-03-29
FileHash-SHA256	5886a9b659c05fb3e3077c80bb6a8be6acb1064683db542fae90e3bf9757f95f	—	2026-03-29
FileHash-SHA256	5f9c09c2c432a6b94f2200455065bcfd1237f8a01b913a7c9e37f164ff99a84c	—	2026-03-29
FileHash-SHA256	8e7213940a2f590af145226d22a96d416bcca4bc6cba3400a8a96fd3e7018080	—	2026-03-29
FileHash-SHA256	e0f206aac2c3fa733b0c466d2ebb86ba038cf1fe2edeee21e94a4d943a27f63b	—	2026-03-29
FileHash-SHA256	e7ec4e35d94d01a2e4ee5dca62b8fb08ac7411596edb54b398651f4eb563561d	—	2026-03-29
FileHash-SHA256	e903ae267bf7ed1d02b218c1dc7cf6d87257e87de9fbda411a13f9154716bfa3	—	2026-03-29
FileHash-SHA256	fcd398abc51fd16e8bc93ef8d88a23d7dec28081b6dfce4b933020322a610508	—	2026-03-29
URL	http://cdn.rraghh.com/gt/doc	—	2026-03-29
URL	http://cdn.rraghh.com/gt/doc1	—	2026-03-29
URL	http://oortt.com/gt	—	2026-03-29
URL	http://rraghh.com/gt/calc.bat	—	2026-03-29
URL	https://cdn.rraghh.com/gt/doc.sh	—	2026-03-29
URL	https://rraghh.com/gt/calc.bat	—	2026-03-29
domain	oortt.com	—	2026-03-29
domain	rraghh.com	—	2026-03-29
hostname	calc.batcdn.rraghh.com	—	2026-03-29
hostname	cdn.rraghh.com	—	2026-03-29

References (1)

↗ https://www.stepsecurity.io/blog/malicious-iolitelabs-vscode-extensions-target-solidity-developers-on-windows-macos-and-linux-with-backdoor