Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: None
Executive Summary
EDDIESTEALER is a Rust-based infostealer distributed through deceptive CAPTCHA campaigns, leveraging social engineering to steal sensitive data like credentials and cryptocurrency wallet details. Its advanced obfuscation and ChromeKatz integration highlight the growing sophistication of commodity malware.
Key Takeaways
- EDDIESTEALER uses fake CAPTCHA pages to trick users into executing a malicious PowerShell script, deploying the infostealer.
- Written in Rust, the malware employs XOR-encrypted strings and a custom WinAPI lookup to evade detection.
- It bypasses Chromium’s app-bound encryption using a Rust-based ChromeKatz implementation to extract cookies and credentials.
- The malware self-deletes via NTFS Alternate Data Streams, minimizing forensic traces.
What is EDDIESTEALER?
In May 2025, Elastic Security Labs uncovered EDDIESTEALER, a lightweight Rust-based infostealer deployed through sophisticated CAPTCHA-based campaigns. This malware exploits the ClickFix social engineering tactic, tricking users into executing malicious PowerShell scripts via fake “I’m not a robot” verification pages hosted on compromised websites. These pages, often laced with obfuscated React-based JavaScript, prompt users to paste a PowerShell command, initiating a multi-stage infection chain that harvests credentials, browser data, and cryptocurrency wallet details.
The pasted PowerShell command is the initial loader: it fetches a JavaScript payload from attacker-controlled infrastructure, and that script in turn downloads the EDDIESTEALER executable under a pseudorandom 12-character filename. Once executed, EDDIESTEALER decrypts its XOR-encrypted strings using keys produced by custom key derivation functions, resolves Windows API calls at runtime through a hashtable-based lookup so the API names never appear in its import table, and establishes HTTP-based command-and-control (C2) communication. Collected data, including system metadata and stolen assets, is AES-encrypted and exfiltrated via HTTP POST requests to the C2 endpoints.
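The hashtable-based API lookup described above is worth seeing concretely, both from the malware's side and from the analyst's. The following is an added example, not EDDIESTEALER's code: the hash function (32-bit FNV-1a over the lowercase export name), the export lists and the call-site constants are all stand-ins chosen for illustration, since the page does not state which hash or which exports the malware uses. The point it shows is that a binary built this way embeds only 32-bit constants, so neither string search nor the PE import table reveals which APIs it calls, and that the analyst's counter is to precompute the hashes of known exports and label the constants.

```python
"""
Added example, not EDDIESTEALER's code: how a hashtable-based WinAPI lookup
replaces a clear-text import table, and how an analyst reverses it.
ASSUMPTIONS: the hash function (32-bit FNV-1a over the lowercase export name)
and the export lists are stand-ins chosen for illustration; the page does not
state which hash or which exports the malware uses.
"""

FNV_OFFSET = 0x811C9DC5
FNV_PRIME = 0x01000193


def api_hash(name: str) -> int:
    """Assumed hash: FNV-1a-32 over the lowercase ASCII export name."""
    h = FNV_OFFSET
    for b in name.lower().encode("ascii"):
        h ^= b
        h = (h * FNV_PRIME) & 0xFFFFFFFF
    return h


# Constructed stand-in for the export directories a real resolver walks in
# memory (the PE export table of each loaded DLL). Real values are addresses.
FAKE_EXPORTS = {
    "kernel32.dll": ["CreateFileW", "ReadFile", "WriteFile", "VirtualAlloc",
                     "GetProcAddress", "LoadLibraryA",
                     "SetFileInformationByHandle"],
    "wininet.dll": ["InternetOpenA", "InternetConnectA", "HttpSendRequestA"],
}


def build_lookup(exports):
    """Malware side: build the hashtable once, keyed by hash of the export name.

    The binary only ever stores the 32-bit hashes, so the API names never
    appear as strings or as import-table entries.
    """
    table = {}
    for module, names in exports.items():
        for name in names:
            h = api_hash(name)
            if h in table and table[h] != (module, name):
                raise ValueError(f"hash collision on {h:#010x}")
            table[h] = (module, name)
    return table


def resolve(table, wanted_hash):
    """Malware side: a call site holds only the hash; returns (module, name) or None."""
    return table.get(wanted_hash)


def recover_names(opaque_hashes, exports):
    """Analyst side: precompute hashes of known exports (a rainbow table) to
    label the opaque constants seen at call sites in the disassembly."""
    rainbow = {api_hash(n): n for names in exports.values() for n in names}
    return {h: rainbow.get(h, "<unknown>") for h in opaque_hashes}


if __name__ == "__main__":
    table = build_lookup(FAKE_EXPORTS)
    # What the malware would embed: hashes only. Computed here for the demo;
    # 0x12345678 is a constructed constant with no matching export.
    call_sites = [api_hash("VirtualAlloc"), api_hash("HttpSendRequestA"), 0x12345678]
    for h in call_sites:
        print(f"{h:#010x} -> {resolve(table, h)}")
    print(recover_names(call_sites, FAKE_EXPORTS))
```

In practice the analyst's rainbow table is generated from the export names of the real system DLLs on a reference Windows image, and the hash routine is lifted from the sample itself; any constant that stays "<unknown>" is a candidate for a forwarded export, an undocumented API, or a hash routine that was not recovered correctly.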
EDDIESTEALER’s capabilities include targeting cryptocurrency wallets, password managers, FTP clients, and messaging apps, with tasks configurable by the C2 operator. Its integration of a Rust-based ChromeKatz tool enables it to bypass Chromium’s app-bound encryption, extracting sensitive data like cookies directly from memory. If the target browser is inactive, it spawns an off-screen instance to facilitate theft. The malware’s self-deletion mechanism uses NTFS Alternate Data Streams to bypass file locks, complicating forensic analysis.
Rust itself adds to EDDIESTEALER's stealth: the compiler's optimizations obscure the code structure and make the binary harder to follow than an equivalent C sample. Static analysis is further hindered by stripped function symbols and minimal use of external crates; tools like rustbinsign identify only hashbrown and rustc-demangle. Manual crate identification from unique strings remains viable but labor-intensive. On the network side, the malware's use of plaintext HTTP rather than HTTPS for C2 means its requests and bodies are visible on the wire, producing distinct traffic patterns and offering detection opportunities for network monitoring.
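The detection opportunity above comes from two facts the page establishes: the C2 channel is plaintext HTTP, and what it carries is AES-encrypted data sent by POST. Ciphertext has near-maximal byte entropy, and over plaintext HTTP a sensor can actually see the body. The following is an added example, not from the page or from any vendor's tooling: a check that flags plaintext HTTP POSTs with high-entropy bodies, with an extra flag for POSTs to a bare IP address. The log records are constructed for this example, and the thresholds (entropy of 7.0 bits per byte, 64-byte minimum body) are assumptions to tune per environment; nothing here is an EDDIESTEALER signature.

```python
"""
Added example, not from the page or from any vendor tooling: a network-side
check for the traffic shape described above, AES-encrypted payloads sent by
HTTP POST over plaintext HTTP. The log records below are CONSTRUCTED for this
example and the thresholds (entropy, body size) are assumptions to tune per
environment; nothing here is an EDDIESTEALER signature.
"""
import math
from dataclasses import dataclass


@dataclass
class HttpRecord:
    scheme: str   # "http" or "https"
    method: str
    host: str
    path: str
    body: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Ciphertext or compressed data approaches 8.0;
    form data and JSON usually sit between 4 and 5.5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_bare_ipv4(host: str) -> bool:
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def suspicious_reasons(rec, min_entropy=7.0, min_body=64):
    """Return why a record looks like plaintext-HTTP C2 traffic (empty list =
    nothing flagged). Only plaintext HTTP is considered: a TLS session hides
    the body, so this check is exactly the opportunity an HTTP-only C2
    channel hands the defender."""
    reasons = []
    if rec.scheme != "http" or rec.method != "POST":
        return reasons
    if len(rec.body) >= min_body and shannon_entropy(rec.body) >= min_entropy:
        reasons.append("high-entropy POST body over plaintext HTTP")
    if is_bare_ipv4(rec.host):
        reasons.append("POST to a bare IP address")
    return reasons


# Constructed records. bytes(range(256)) is a deterministic stand-in for an
# AES-encrypted blob: every byte value appears equally often, entropy 8.0.
SAMPLE_LOG = [
    HttpRecord("https", "POST", "sso.example.com", "/login",
               b"username=alice&password=hunter2&remember=1"),
    HttpRecord("http", "GET", "www.example.org", "/index.html", b""),
    HttpRecord("http", "POST", "203.0.113.25", "/api/upload",
               bytes(range(256)) * 2),
    HttpRecord("http", "POST", "cdn.example.net", "/telemetry",
               b'{"event":"page_view","ts":1717000000}'),
]


def scan(records):
    """Map (host, path) -> reasons for every flagged record."""
    out = {}
    for rec in records:
        why = suspicious_reasons(rec)
        if why:
            out[(rec.host, rec.path)] = why
    return out


if __name__ == "__main__":
    for key, why in scan(SAMPLE_LOG).items():
        print(key, "->", "; ".join(why))
```

The entropy test alone will also catch legitimate plaintext uploads of compressed or already-encrypted files, so in production it belongs in a scoring rule alongside destination reputation, request timing and the absence of a browser-like User-Agent rather than as a standalone alert; the value of the check is that the plaintext channel makes the body inspectable at all.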
This campaign underscores the evolving threat of Rust-based malware, combining modern programming with social engineering to maximize impact. EDDIESTEALER’s adaptability signals a need for proactive security measures to counter emerging infostealers. PolySwarm analysts consider EDDIESTEALER to be an emerging threat.
IOCs
PolySwarm has multiple samples of EDDIESTEALER.
162a8521f6156070b9a97b488ee902ac0c395714aba970a688d54305cb3e163f
20eeae4222ff11e306fded294bebea7d3e5c5c2d8c5724792abf56997f30aaf9
b8b379ba5aff7e4ef2838517930bf20d83a1cfec5f7b284f9ee783518cb989a7
d318a70d7f4158e3fe5f38f23a241787359c55d352cb4b26a4bd007fd44d5b80
218ec38e8d749ae7a6d53e0d4d58e3acf459687c7a34f5697908aec6a2d7274d
5330cf6a8f4f297b9726f37f47cffac38070560cbac37a8e561e00c19e995f42
e8942805238f1ead8304cfdcf3d6076fa0cdf57533a5fae36380074a90d642e4
You can use the following CLI command to search for all EDDIESTEALER samples in our portal:
$ polyswarm link list -f EDDIESTEALER
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.