The package downloads and executes a hidden executable from a suspicious URL, indicating malicious behavior. High-entropy images add to the suspicion.
No verification record available.
The package contains a batch script (extension/scripts/run.bat) that downloads an executable and a DLL from a suspicious URL (http://syn1112223334445556667778889990.org/Lightshot.exe and http://syn1112223334445556667778889990.org/Lightshot.dll). The script then executes the downloaded executable silently in the background and uses a '.done' file to ensure the actions are only performed once. The images icon.png and f.png have very high entropy. These factors combined strongly suggest malicious intent.