SleepyDuck Malware Redefines C2 Resilience with Ethereum Blockchain

A dangerous new remote access trojan (RAT), dubbed SleepyDuck, is leveraging an Ethereum blockchain contract to maintain an incredibly resilient command and control (C2) infrastructure. This isn’t just another piece of malware; it’s a sophisticated threat that can update its C2 server address on the fly, making it notoriously difficult to shut down. This innovative, troubling discovery comes from the sharp eyes of Secure Annex researchers.

The core of the problem lies in juan-bianco.solidity-vlang, an extension on the Open VSX IDE marketplace. What started as an innocent tool for Solidity developers turned malicious. After racking up around 14,000 downloads, the extension got a nasty update. Version 0.0.7 was published on October 31, 2025, but the real trouble started with version 0.0.8 on November 1, 2025, when the malware’s capabilities were injected.

How SleepyDuck Spreads its Wings and Grabs Your Data

SleepyDuck doesn’t waste time. Initially, it was set to activate on specific IDE events, such as startup finishing or a Solidity language command being invoked. But the attackers quickly refined their approach: Secure Annex observed an update to version 0.1.3 that broadened the manifest’s activation events to ["*"], which makes the IDE load the extension on every launch, whether or not a Solidity file is ever opened. Talk about persistent.

Once installed, it creates a lock file to ensure only one instance runs at a time. Its first order of business is to find the fastest Ethereum RPC provider, initialize its sleepyduck module, tweak its settings, and start a polling loop. The default C2 server is sleepyduck[.]xyz, polled every 30 seconds. That’s right: every half-minute, it checks in.
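A fixed 30-second check-in is exactly the kind of pattern a proxy or DNS log will expose. The following is an added example, not code from the article or from Secure Annex: it groups connections by source and destination, measures the spread of the gaps between them, and flags pairs whose gaps are nearly constant. The log format (epoch seconds, client IP, destination host), the sample lines and the thresholds are constructed assumptions; the destination host in the sample is the C2 domain the article reports.

```javascript
// Added example (not from the article or Secure Annex): flag hosts that contact
// a destination at a near-constant interval, the pattern produced by a RAT that
// polls its C2 every 30 seconds. Log lines below are constructed for illustration.

// Constructed proxy log lines: "<epoch seconds> <client ip> <destination host>".
const SAMPLE_PROXY_LOG = `
1762000000 10.0.0.5 sleepyduck.xyz
1762000030 10.0.0.5 sleepyduck.xyz
1762000060 10.0.0.5 sleepyduck.xyz
1762000090 10.0.0.5 sleepyduck.xyz
1762000120 10.0.0.5 sleepyduck.xyz
1762000003 10.0.0.5 example.com
1762000047 10.0.0.5 example.com
1762000190 10.0.0.5 example.com
1762000201 10.0.0.5 example.com
1762000260 10.0.0.5 example.com
1762000011 10.0.0.9 sleepyduck.xyz
`;

function parseProxyLog(text) {
  const events = [];
  for (const line of text.split('\n')) {
    const parts = line.trim().split(/\s+/);
    if (parts.length !== 3) continue; // skip blank or malformed lines
    const [ts, src, dst] = parts;
    events.push({ ts: Number(ts), src, dst });
  }
  return events;
}

// Group by (src, dst), sort timestamps, and score the regularity of the gaps.
// A beacon shows many connections with a tiny spread around one interval;
// ordinary browsing produces irregular gaps.
function findBeacons(events, { minConnections = 4, maxJitterRatio = 0.1 } = {}) {
  const groups = new Map();
  for (const e of events) {
    const key = `${e.src}\t${e.dst}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e.ts);
  }
  const findings = [];
  for (const [key, times] of groups) {
    if (times.length < minConnections) continue;
    times.sort((a, b) => a - b);
    const gaps = [];
    for (let i = 1; i < times.length; i++) gaps.push(times[i] - times[i - 1]);
    const mean = gaps.reduce((s, g) => s + g, 0) / gaps.length;
    const variance = gaps.reduce((s, g) => s + (g - mean) ** 2, 0) / gaps.length;
    const jitter = Math.sqrt(variance) / mean; // coefficient of variation of the gaps
    if (jitter <= maxJitterRatio) {
      const [src, dst] = key.split('\t');
      findings.push({ src, dst, intervalSeconds: mean, connections: times.length });
    }
  }
  return findings;
}

function detectBeacons(text) {
  return findBeacons(parseProxyLog(text));
}
```

On the constructed sample only the 10.0.0.5 to sleepyduck.xyz pair is reported, with a 30-second interval; the example.com traffic has five connections but irregular gaps, and the single connection from 10.0.0.9 is below the minimum count. In practice the thresholds need tuning per environment, and a hit is a lead for triage rather than a verdict.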

During each cycle, SleepyDuck collects machine details: hostname, username, MAC address, and timezone. The MAC address isn’t collected at random; it is a known technique for detecting and evading sandboxed analysis environments, something often seen in more advanced threats. It also sets up a command execution sandbox with Node’s vm.createContext(sandbox) to manage and run the commands it receives from its C2 server. This isn’t just data theft; it’s about establishing deep control.

The Game-Changer: Blockchain-Based C2 Resilience

Here’s where SleepyDuck truly stands apart. Its C2 resilience isn’t just good; it’s revolutionary, powered by the Ethereum blockchain. If its primary C2 server goes dark, the malware doesn’t give up. Instead, it pulls new configuration details directly from an Ethereum contract. Secure Annex pinpointed the contract address: 0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465.

This contract is a digital dead drop, holding backup C2 server addresses, updated polling intervals, and even emergency commands. Imagine a traditional malware operation losing its server – it’s often game over. But by leveraging a decentralized blockchain, SleepyDuck guarantees it stays alive, even if its conventional infrastructure gets nuked. This is a terrifying evolution in malware design, making traditional takedown attempts a nightmare.

For context, the sleepyduck[.]xyz domain went live on November 1, 2025, but the associated Ethereum contract was created a day earlier, on October 31, 2025. Etherscan records confirm this contract’s role, showing five transactions, primarily shifting the C2 address from localhost to sleepyduck[.]xyz. This isn’t just theoretical; it’s actively being used.
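The same property that makes the contract hard to take down, that anyone can read it, also lets defenders watch it. The following is an added example, not code from the article or from Secure Annex, of a monitor that reads a string-valued getter from a contract through the standard JSON-RPC eth_call method and raises a flag when the returned C2 address differs from the last known value. The contract address is the one the article reports; the getter and its four-byte selector are hypothetical placeholders because the page does not give the contract’s ABI, and the eth_call response is constructed in place of a live node reply. The ABI decoding itself follows the standard encoding of a dynamic string return value (offset word, length word, then the bytes padded to 32).

```javascript
// Added example (not from the article or Secure Annex): watch a contract getter
// for changes to the C2 address it publishes. Selector, endpoint and response
// are assumptions or constructed data; only the contract address is from the article.

const CONTRACT = '0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465'; // reported by Secure Annex

// Hypothetical getter selector (first 4 bytes of keccak256 of the getter's
// signature). The real contract's ABI is not on the page, so this is a placeholder.
const GETTER_SELECTOR = '0x00000000';

// Build the JSON-RPC request body an Ethereum node expects for a read-only call.
function buildEthCall(contract, selector, id = 1) {
  return {
    jsonrpc: '2.0',
    id,
    method: 'eth_call',
    params: [{ to: contract, data: selector }, 'latest'],
  };
}

// Decode a single ABI-encoded `string` return value:
//   word 0: byte offset of the dynamic data (normally 0x20)
//   word 1 (at that offset): byte length of the string
//   then the UTF-8 bytes, right-padded to a 32-byte boundary
function decodeAbiString(hex) {
  const buf = Buffer.from(hex.replace(/^0x/, ''), 'hex');
  if (buf.length < 64) throw new Error('response too short for an ABI string');
  const offset = Number(buf.readBigUInt64BE(24)); // low 8 bytes of word 0
  if (offset + 32 > buf.length) throw new Error('offset points past payload');
  const length = Number(buf.readBigUInt64BE(offset + 24));
  const start = offset + 32;
  if (start + length > buf.length) throw new Error('declared length exceeds payload');
  return buf.subarray(start, start + length).toString('utf8');
}

// Inverse of decodeAbiString, used here only to construct the sample response.
function encodeAbiString(s) {
  const data = Buffer.from(s, 'utf8');
  const padded = Math.ceil(data.length / 32) * 32;
  const out = Buffer.alloc(64 + padded);
  out.writeBigUInt64BE(32n, 24);                 // offset = 0x20
  out.writeBigUInt64BE(BigInt(data.length), 56); // length
  data.copy(out, 64);
  return '0x' + out.toString('hex');
}

// Constructed eth_call result standing in for what a live node would return.
const SAMPLE_RESPONSE = { jsonrpc: '2.0', id: 1, result: encodeAbiString('sleepyduck.xyz') };

// Compare the published value with the last one we recorded; a change is the
// signal that the operators have moved infrastructure.
function checkC2(response, lastKnown) {
  const current = decodeAbiString(response.result);
  return { current, changed: current !== lastKnown };
}

const REQUEST = buildEthCall(CONTRACT, GETTER_SELECTOR);
```

To run this against a live node, post REQUEST as JSON to an RPC endpoint of your choice and pass the parsed reply to checkC2 with the value from the previous poll. On the constructed sample, a last-known value of localhost is reported as changed to sleepyduck.xyz, which mirrors the transition the article says Etherscan shows; polling on a schedule and alerting on changed gives blocklists a chance to catch up with the malware’s own failover.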

A Broader Threat Landscape for Developers

SleepyDuck isn’t an isolated incident. Secure Annex points out that it’s part of a disturbing trend of malicious “solidity” extensions popping up across Open VSX and VS Code marketplaces since July 2025. The author behind juan-bianco.solidity-vlang reportedly had two other Solidity-related extensions scrubbed before SleepyDuck emerged.

This malware poses a severe threat to developers, especially those using IDEs like Cursor and Windsurf that rely on the Open VSX marketplace for extensions. The immediate danger is clear: a remote access trojan on your machine. This means data collection, potential arbitrary command execution, and a direct path to system compromise. For developers, this could easily lead to data theft, and even worse, supply chain attacks if compromised environments are used to build or publish software.

The blockchain-based C2 isn’t just a technical curiosity; it dramatically escalates the challenge. Traditional efforts to dismantle C2 infrastructure become far less effective, prolonging attacks and making mitigation a continuous, uphill battle. This isn’t just an evolving threat landscape; it’s a stark demonstration of how attackers are weaponizing decentralized technologies, pushing the boundaries of operational security and making detection an even greater challenge.