# [HIGH] Cursor IDE Malware Extension Compromise in $500k Crypto Heist **Source:** Snyk **Published:** 2025-07-21 **Article:** https://snyk.io/blog/cursor-ide-malware-extension-compromise-in-usd500k-crypto-heist/ ## Threat Profile Snyk Blog In this article Written by Liran Tal July 21, 2025 0 mins read Cursor IDE, as many are aware, is a fork of the open source and popular VS Code IDE project from Microsoft. Similarly to VS Code, Cursor has support for IDE extensions, which prompts many developers to migrate over with their favorite extensions and long-lived workflows, shortcuts, themes, and other configurations. Back in May 2021, Snyk’s Security Labs conducted research that uncovered VS Code extensions vulnerable to ins… ## Indicators of Compromise (high-fidelity only) - **IPv4 (defanged):** `144.172.112.84` - **Domain (defanged):** `angelic.su` - **Domain (defanged):** `staketree.net` - **Domain (defanged):** `lmfao.su` - **Domain (defanged):** `relay.lmfao.su` - **Domain (defanged):** `solidity.bot` - **Domain (defanged):** `myaunet.su` - **Domain (defanged):** `m-vn.ws` - **Domain (defanged):** `begalinokotobananinotrippitroppacrocofanclub.su` - **SHA256:** `2c471e265409763024cdc33579c84d88d5aaf9aea1911266b875d3b7604a0eeb` - **SHA256:** `404dd413f10ccfeea23bfb00b0e403532fa8651bfb456d84b6a16953355a800a` - **SHA256:** `70309bf3d2aed946bba51fc3eedb2daa3e8044b60151f0b5c1550831fbc6df17` - **SHA256:** `84d4a4c6d7e55e201b20327ca2068992180d9ec08a6827faa4ff3534b96c3d6f` - **SHA256:** `eb5b35057dedb235940b2c41da9e3ae0553969f1c89a16e3f66ba6f6005c6fa8` - **SHA256:** `f4721f32b8d6eb856364327c21ea3c703f1787cfb4c043f87435a8876d903b2c` - **SHA256:** `ce72b79e324371134db762fe70b8b1789af899d7217461bc3658a6bd84743eb6` - **SHA256:** `e19d5d8f941b9a98fbb3b65e1e6077fa00d97529e351e455297b0204ec07e9ed` - **SHA256:** `209fb5bb2440ffe1a631dfe3b574229105a33c5153eded023cc77d8e8f81d1de` - **SHA256:** `e0ca66c1a9a68b319b24a7c6b8fdca219dffd802dd4de2d59f602c4d90f40d6c` - **SHA256:** `c5c0228a1e0ba2bb748219325f66acf17078a26165b45728d8e98150377aa068` - **SHA256:** `a1eadd41327bd8736e275627d3953944fe7089c032d72a3e429ff18ad0958ada` - **SHA256:** `c3684164933c3f54d5b0b242a8a906a85d633de479079a820bb804c0f73c0f58` ## MITRE ATT&CK Techniques - **T1176** — Browser Extensions - **T1539** — Steal Web Session Cookie - **T1555.003** — Credentials from Web Browsers - **T1059.001** — PowerShell - **T1027** — Obfuscated Files or Information - **T1195.002** — Compromise Software Supply Chain - **T1071** — Application Layer Protocol - **T1204.002** — User Execution: Malicious File - **T1059.001** — Command and Scripting Interpreter: PowerShell - **T1195.002** — Supply Chain Compromise: Compromise Software Supply Chain - **T1071.001** — Application Layer Protocol: Web Protocols - **T1568** — Dynamic Resolution - **T1219** — Remote Access Software - **T1105** — Ingress Tool Transfer - **T1195.002** — Supply Chain Compromise ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Cursor IDE or VS Code spawning PowerShell/WScript from extensions folder (Solidity Language malware chain) `UC_842_7` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmdline values(Processes.process_hash) as hash values(Processes.user) as user from datamodel=Endpoint.Processes where (Processes.parent_process_name IN ("Cursor.exe","Code.exe") AND Processes.process_name IN ("powershell.exe","pwsh.exe","wscript.exe","cscript.exe","cmd.exe")) AND (Processes.process="*angelic.su*" OR Processes.process="*lmfao.su*" OR Processes.process="*staketree.net*" OR Processes.process="*paste.ee/d/*" OR Processes.process="*ab498.pythonanywhere.com*" OR Processes.parent_process="*\\.cursor\\extensions\\*" OR Processes.parent_process="*\\.vscode\\extensions\\*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(14d) | where InitiatingProcessFileName in~ ("Cursor.exe","Code.exe") | where FileName in~ ("powershell.exe","pwsh.exe","wscript.exe","cscript.exe","cmd.exe") | where ProcessCommandLine has_any ("angelic.su","lmfao.su","staketree.net","paste.ee/d/","ab498.pythonanywhere.com") or InitiatingProcessCommandLine has_any (@"\.cursor\extensions\", @"\.vscode\extensions\") or InitiatingProcessFolderPath has_any (@"\.cursor\", @"\.vscode\") | where AccountName !endswith "$" | project Timestamp, DeviceName, AccountName, ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine, ChildImage = FolderPath, ChildCmd = ProcessCommandLine, SHA256, InitiatingProcessSHA256 | order by Timestamp desc ``` ### Egress to Solidity Language Cursor extension C2 infrastructure (angelic.su / lmfao.su / staketree.net / ab498.pythonanywhere.com / 144.172.1 `UC_842_8` · phase: **c2** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.src) as src values(All_Traffic.dest) as dest values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.app) as app from datamodel=Network_Traffic.All_Traffic where (All_Traffic.dest IN ("angelic.su","relay.lmfao.su","lmfao.su","staketree.net","ab498.pythonanywhere.com") OR All_Traffic.dest_ip="144.172.112.84") by All_Traffic.src All_Traffic.user All_Traffic.dest All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | appendpipe [| tstats `summariesonly` count from datamodel=Network_Resolution.DNS where DNS.query IN ("angelic.su","relay.lmfao.su","lmfao.su","staketree.net","ab498.pythonanywhere.com","*.angelic.su","*.lmfao.su","*.staketree.net") by DNS.src DNS.query | `drop_dm_object_name(DNS)`] ``` **Defender KQL:** ```kql let badHosts = dynamic(["angelic.su","relay.lmfao.su","lmfao.su","staketree.net","ab498.pythonanywhere.com"]); let badIps = dynamic(["144.172.112.84"]); DeviceNetworkEvents | where Timestamp > ago(30d) | where RemoteUrl has_any (badHosts) or RemoteIP in (badIps) or RemoteUrl endswith ".angelic.su" or RemoteUrl endswith ".lmfao.su" or RemoteUrl endswith ".staketree.net" | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, Protocol | order by Timestamp desc ``` ### Solidity Language malicious Cursor/VS Code extension folder created on disk (solidityai.solidity-* and related) `UC_842_9` · phase: **delivery** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as path values(Filesystem.process_name) as proc values(Filesystem.user) as user from datamodel=Endpoint.Filesystem where (Filesystem.file_path="*\\.cursor\\extensions\\solidityai.solidity-*\\*" OR Filesystem.file_path="*\\.cursor\\extensions\\*solaibot*\\*" OR Filesystem.file_path="*\\.cursor\\extensions\\*among-eth*\\*" OR Filesystem.file_path="*\\.cursor\\extensions\\*blankebesxstnion*\\*" OR Filesystem.file_path="*\\.cursor\\extensions\\*pythonformat*\\*" OR Filesystem.file_path="*\\.vscode\\extensions\\*solaibot*\\*" OR Filesystem.file_path="*\\.vscode\\extensions\\*among-eth*\\*" OR Filesystem.file_path="*\\.vscode\\extensions\\*blankebesxstnion*\\*") by Filesystem.dest Filesystem.user Filesystem.file_path Filesystem.file_name Filesystem.process_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has @"\.cursor\extensions\" or FolderPath has @"\.vscode\extensions\") | where FolderPath has_any ("solidityai.solidity-","solaibot","among-eth","blankebesxstnion","pythonformat","cppplayground","c++ playground","httpformat","http format") or (FileName =~ "extension.js" and FolderPath has_any ("solidityai.solidity-","solaibot","among-eth","blankebesxstnion","pythonformat")) | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FolderPath, FileName, SHA256, FileSize | order by Timestamp desc ``` ### ScreenConnect MSI sideload from lmfao.su (Solidity Language post-exploit RAT install) `UC_842_10` · phase: **install** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmdline values(Processes.parent_process) as parent_cmd values(Processes.user) as user from datamodel=Endpoint.Processes where (Processes.process_name IN ("msiexec.exe","powershell.exe","pwsh.exe","curl.exe","certutil.exe","bitsadmin.exe")) AND (Processes.process="*lmfao.su/Bin/ScreenConnect*" OR Processes.process="*ScreenConnect.ClientSetup.msi*" OR Processes.process="*?e=Access&y=Guest*") by Processes.dest Processes.user Processes.process_name Processes.parent_process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(30d) | where FileName in~ ("msiexec.exe","powershell.exe","pwsh.exe","curl.exe","certutil.exe","bitsadmin.exe") | where ProcessCommandLine has "lmfao.su" or ProcessCommandLine has "ScreenConnect.ClientSetup.msi" and ProcessCommandLine has_any ("e=Access&y=Guest","lmfao") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, ParentName = InitiatingProcessFileName, ParentCmd = InitiatingProcessCommandLine, SHA256 | order by Timestamp desc ``` ### Solidity Language Cursor extension known malicious SHA-256 hash present on disk or executed `UC_842_11` · phase: **weapon** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmdline values(Processes.user) as user values(Processes.parent_process_name) as parent from datamodel=Endpoint.Processes where Processes.process_hash IN ("2c471e265409763024cdc33579c84d88d5aaf9aea1911266b875d3b7604a0eeb","404dd413f10ccfeea23bfb00b0e403532fa8651bfb456d84b6a16953355a800a","70309bf3d2aed946bba51fc3eedb2daa3e8044b60151f0b5c1550831fbc6df17","84d4a4c6d7e55e201b20327ca2068992180d9ec08a6827faa4ff3534b96c3d6f","eb5b35057dedb235940b2c41da9e3ae0553969f1c89a16e3f66ba6f6005c6fa8","f4721f32b8d6eb856364327c21ea3c703f1787cfb4c043f87435a8876d903b2c") by Processes.dest Processes.process_name Processes.process_hash | `drop_dm_object_name(Processes)` | appendpipe [| tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.file_hash IN ("2c471e265409763024cdc33579c84d88d5aaf9aea1911266b875d3b7604a0eeb","404dd413f10ccfeea23bfb00b0e403532fa8651bfb456d84b6a16953355a800a","70309bf3d2aed946bba51fc3eedb2daa3e8044b60151f0b5c1550831fbc6df17","84d4a4c6d7e55e201b20327ca2068992180d9ec08a6827faa4ff3534b96c3d6f","eb5b35057dedb235940b2c41da9e3ae0553969f1c89a16e3f66ba6f6005c6fa8","f4721f32b8d6eb856364327c21ea3c703f1787cfb4c043f87435a8876d903b2c") by Filesystem.dest Filesystem.file_path Filesystem.file_hash | `drop_dm_object_name(Filesystem)`] | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql let badHashes = dynamic(["2c471e265409763024cdc33579c84d88d5aaf9aea1911266b875d3b7604a0eeb","404dd413f10ccfeea23bfb00b0e403532fa8651bfb456d84b6a16953355a800a","70309bf3d2aed946bba51fc3eedb2daa3e8044b60151f0b5c1550831fbc6df17","84d4a4c6d7e55e201b20327ca2068992180d9ec08a6827faa4ff3534b96c3d6f","eb5b35057dedb235940b2c41da9e3ae0553969f1c89a16e3f66ba6f6005c6fa8","f4721f32b8d6eb856364327c21ea3c703f1787cfb4c043f87435a8876d903b2c"]); union isfuzzy=true (DeviceProcessEvents | where Timestamp > ago(90d) | where SHA256 in (badHashes) or InitiatingProcessSHA256 in (badHashes) | project Timestamp, Source="Process", DeviceName, AccountName, FileName, FolderPath, SHA256, ProcessCommandLine), (DeviceFileEvents | where Timestamp > ago(90d) | where SHA256 in (badHashes) | project Timestamp, Source="FileWrite", DeviceName, AccountName=InitiatingProcessAccountName, FileName, FolderPath, SHA256, ProcessCommandLine=InitiatingProcessCommandLine), (DeviceImageLoadEvents | where Timestamp > ago(90d) | where SHA256 in (badHashes) | project Timestamp, Source="ImageLoad", DeviceName, AccountName=InitiatingProcessAccountName, FileName, FolderPath, SHA256, ProcessCommandLine=InitiatingProcessCommandLine) | order by Timestamp desc ``` ### Suspicious browser extension installation `UC_BROWSER_EXT` · phase: **install** · confidence: **Medium** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path="*\Software\Google\Chrome\Extensions\*" OR Registry.registry_path="*\Software\Microsoft\Edge\Extensions\*" OR Registry.registry_path="*\Software\Mozilla\Firefox\Extensions\*") by Registry.dest, Registry.registry_path, Registry.registry_value_data, Registry.registry_value_name, Registry.user | `drop_dm_object_name(Registry)` ``` **Defender KQL:** ```kql DeviceRegistryEvents | where Timestamp > ago(7d) | where InitiatingProcessAccountName !endswith "$" | where RegistryKey has_any ("\Software\Google\Chrome\Extensions\","\Software\Microsoft\Edge\Extensions\","\Software\Mozilla\Firefox\Extensions\") | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName ``` ### Infostealer — non-browser process accessing browser cookie/login DBs `UC_BROWSER_STEALER` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_path="*\Google\Chrome\User Data\*\Login Data*" OR Filesystem.file_path="*\Google\Chrome\User Data\*\Cookies*" OR Filesystem.file_path="*\Microsoft\Edge\User Data\*\Login Data*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\logins.json*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\cookies.sqlite*") AND NOT Filesystem.process_name IN ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") by Filesystem.dest, Filesystem.process_name, Filesystem.file_path, Filesystem.user | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(7d) | where InitiatingProcessAccountName !endswith "$" | where FolderPath has_any (@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\") | where FileName in~ ("Login Data","Cookies","logins.json","cookies.sqlite") | where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FolderPath, FileName, ActionType ``` ### PowerShell encoded / obfuscated command `UC_PS_OBFUSCATED` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("powershell.exe","pwsh.exe") AND (Processes.process="*-enc *" OR Processes.process="*EncodedCommand*" OR Processes.process="*FromBase64String*" OR Processes.process="*-nop*" OR Processes.process="*-w hidden*" OR Processes.process="*Invoke-Expression*" OR Processes.process="*IEX(*" OR Processes.process="*DownloadString*" OR Processes.process="*Net.WebClient*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("powershell.exe","pwsh.exe") | where ProcessCommandLine matches regex @"(?i)(-enc|encodedcommand|frombase64string|-nop|-w\s+hidden|invoke-expression|iex\s*\(|downloadstring|net\.webclient)" | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine ``` ### Trusted vendor binary / installer launching unusual children `UC_SUPPLY_CHAIN` · phase: **exploit** · confidence: **Medium** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("setup.exe","installer.exe","update.exe") AND Processes.process_name IN ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe") by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.process | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where InitiatingProcessFileName in~ ("setup.exe","installer.exe","update.exe") | where FileName in~ ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe") | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine ``` ### Article-specific behavioural hunt — Cursor IDE Malware Extension Compromise in $500k Crypto Heist `UC_842_6` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — Cursor IDE Malware Extension Compromise in $500k Crypto Heist ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("extension.js")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_name IN ("extension.js")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — Cursor IDE Malware Extension Compromise in $500k Crypto Heist // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("extension.js")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FileName in~ ("extension.js")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High** - IP / domain IOC(s): `144.172.112.84`, `angelic.su`, `staketree.net`, `lmfao.su`, `relay.lmfao.su`, `solidity.bot`, `myaunet.su`, `m-vn.ws` _(+1 more)_ - **File hash IOCs — endpoint file/process match** ([template](../_TEMPLATES.md#hash-ioc)) — phase: **install**, confidence: **High** - file hash IOC(s): `2c471e265409763024cdc33579c84d88d5aaf9aea1911266b875d3b7604a0eeb`, `404dd413f10ccfeea23bfb00b0e403532fa8651bfb456d84b6a16953355a800a`, `70309bf3d2aed946bba51fc3eedb2daa3e8044b60151f0b5c1550831fbc6df17`, `84d4a4c6d7e55e201b20327ca2068992180d9ec08a6827faa4ff3534b96c3d6f`, `eb5b35057dedb235940b2c41da9e3ae0553969f1c89a16e3f66ba6f6005c6fa8`, `f4721f32b8d6eb856364327c21ea3c703f1787cfb4c043f87435a8876d903b2c`, `ce72b79e324371134db762fe70b8b1789af899d7217461bc3658a6bd84743eb6`, `e19d5d8f941b9a98fbb3b65e1e6077fa00d97529e351e455297b0204ec07e9ed` _(+5 more)_ ## Why this matters Severity classified as **HIGH** based on: IOCs present, 12 use case(s) fired, 15 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.