HOMETHREATSWhiteCobra
APT / THREAT GROUP

WhiteCobra

1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

WhiteCobra is a threat actor that has infiltrated the Visual Studio Code marketplace and Open VSX registry, deploying 24 malicious extensions targeting cryptocurrency development tools, particularly Solidity. The group employs social engineering tactics, manipulates download counts and reviews, and uses fake branding to establish credibility for their extensions, which deliver LummaStealer on Windows and unknown malware on macOS. WhiteCobra has been linked to a $500,000 cryptocurrency theft in July 2025 and maintains detailed playbooks with revenue targets, showcasing their organized and persistent operations. Despite ongoing efforts by security researchers to remove their malicious extensions, WhiteCobra continues to upload new threats weekly, highlighting the sophistication of their TTPs.

Threat Analysis

WhiteCobra is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

External References

Quick Facts

TypeAPT / Threat Group
Aliases1
SourceMalpedia

Also Known As

WhiteCobra

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.