
EDDIESTEALER Malware Campaign Exploits ClickFix Tactics to Steal Sensitive Data


A newly identified malware campaign is distributing a Rust-based information stealer named EDDIESTEALER, using the ClickFix social engineering technique. This method lures victims through deceptive CAPTCHA prompts, ultimately leading to data theft from browsers, cryptocurrency wallets, and system files.

Researchers at Elastic Security Labs have published an in-depth analysis of the malware, highlighting its stealth capabilities, persistence mechanisms, and its use of Rust, which is becoming increasingly common among threat actors for developing robust and evasive malware.

Infection Chain: From Fake CAPTCHA to Malware Execution

The campaign begins with compromised legitimate websites that serve malicious JavaScript. When a visitor accesses the site, they are presented with a bogus CAPTCHA verification page that mimics common “prove you are not a robot” challenges.

Victims are instructed to:

  1. Open the Windows Run dialog.

  2. Paste a pre-copied command.

  3. Press Enter.

This executes an obfuscated PowerShell script that downloads a JavaScript payload (gverify.js) from a remote domain (llll[.]fit). The script, saved to the Downloads folder, uses cscript to fetch and run the main payload: EDDIESTEALER.
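One way to catch the chain just described in endpoint telemetry, as an added example that is not the article's or Elastic's code: the Run dialog is hosted by explorer.exe, so the tell-tale lineage is explorer.exe starting powershell.exe with evasion switches, which in turn starts cscript.exe on a .js file under the user's Downloads folder. The event shape, pids, paths and command lines below are constructed for the demonstration; only the gverify.js name comes from the article.

```python
"""Detection of the ClickFix chain above, run over constructed process-creation
events. Added example, not the article's or Elastic's code; event fields, pids
and paths are assumptions.

Chain to catch: explorer.exe (host of the Run dialog) starts powershell.exe with
obfuscation/evasion switches, which starts cscript.exe on a .js file in Downloads.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # process name only, e.g. "powershell.exe"
    cmdline: str


# Constructed sample telemetry: one ClickFix chain (pids 1000-2100) and one
# benign scheduled-task script run (pids 3000-3200) that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(2000, 1000, "powershell.exe",
              "powershell.exe -w hidden -nop -ep bypass -enc QQBCAEMA"),
    ProcEvent(2100, 2000, "cscript.exe",
              "cscript.exe C:\\Users\\alice\\Downloads\\gverify.js"),
    ProcEvent(3000, 4, "svchost.exe", "svchost.exe -k netsvcs -s Schedule"),
    ProcEvent(3100, 3000, "powershell.exe",
              "powershell.exe -File C:\\Scripts\\backup.ps1"),
    ProcEvent(3200, 3100, "cscript.exe", "cscript.exe C:\\Scripts\\cleanup.vbs"),
]

# PowerShell switches that usually accompany pasted one-liners: hidden window,
# no profile, bypassed execution policy, encoded command.
OBFUSCATION_FLAGS = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand|w\s+hidden|nop|ep\s+bypass)\b")
# A .js file anywhere under a Downloads folder, captured as a full drive path.
DOWNLOADS_JS = re.compile(r'(?i)\b[a-z]:\\(?:[^\s"\\]+\\)*downloads\\[^\s"\\]+\.js\b')


def find_clickfix_chains(events):
    """Return one finding per cscript.exe launch that fits the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if ev.image.lower() != "cscript.exe":
            continue
        script = DOWNLOADS_JS.search(ev.cmdline)
        if not script:
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or parent.image.lower() != "powershell.exe":
            continue
        grandparent = by_pid.get(parent.ppid)
        from_run_dialog = (grandparent is not None
                           and grandparent.image.lower() == "explorer.exe")
        obfuscated = bool(OBFUSCATION_FLAGS.search(parent.cmdline))
        if not (from_run_dialog or obfuscated):
            continue
        findings.append({
            "cscript_pid": ev.pid,
            "script": script.group(0),
            "powershell_pid": parent.pid,
            "from_run_dialog": from_run_dialog,
            "obfuscated_powershell": obfuscated,
            # Both signals together are a strong match; either alone is worth a look.
            "severity": "high" if (from_run_dialog and obfuscated) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_clickfix_chains(SAMPLE_EVENTS):
        print(finding)
```

The rule keys on lineage plus script location rather than on the gverify.js name or the llll[.]fit domain, so it survives the file and domain rotation that ClickFix campaigns routinely perform; the hard-coded flag list is the part to tune for your environment.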

Malware Capabilities

EDDIESTEALER, developed in Rust, is a modular information stealer designed to:

  • Collect system metadata

  • Receive task instructions from a command-and-control (C2) server

  • Exfiltrate files and credentials from:

    • Web browsers

    • Cryptocurrency wallets

    • Password managers

    • Messaging apps

    • FTP clients

Advanced Techniques

  • File access is performed using native Windows API calls such as CreateFileW, ReadFile, and CloseHandle.

  • String encryption and a custom WinAPI lookup method help evade detection.

  • Sandbox evasion: if a sandbox is detected, the malware deletes itself by renaming its file through an NTFS alternate data stream.

  • Concurrency control via a mutex ensures only one instance is running.

Chromium Data Extraction and ChromeKatz Integration

One of EDDIESTEALER’s most notable features is its ability to bypass Chromium browser encryption using a Rust version of ChromeKatz, an open-source credential dumper. If the browser is not running, the malware starts it using off-screen coordinates, effectively hiding it from the user.

It then reads the memory of the browser's network service process, the process that holds the decrypted cookie store, and extracts unencrypted cookies and login credentials from it.

Enhanced Variants and Communication Shifts

Recent versions of EDDIESTEALER include:

  • Preemptive host information transmission to the C2 server.

  • A hard-coded encryption key for secure data transmission.

  • Use of the --remote-debugging-port=<port_num> flag to launch a Chrome DevTools session, enabling headless browser interaction via WebSockets.
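The two browser-targeting behaviours above, the ChromeKatz-style read of the network service process's memory and the hidden browser launch with a DevTools debugging port, both leave process telemetry that a defender can match on. The following is an added example, not the article's or Elastic's code: it runs two rules over constructed process-start and process-access events. The event shapes, pids, paths, and the use of --window-position for off-screen placement are assumptions; the --utility-sub-type=network.mojom.NetworkService switch is how Chromium labels its network service child, and --remote-debugging-port is the flag named in the article.

```python
"""Detection of the browser-targeting behaviours above, run over constructed
process-start and process-access events. Added example, not the article's or
Elastic's code; event shapes, pids, paths and the --window-position flag used
for off-screen placement are assumptions.

Rule 1: a Chromium browser started by a non-browser parent with
        --remote-debugging-port=<n> and/or negative (off-screen) window coordinates.
Rule 2: a non-browser process opening the browser's network service child
        (--utility-sub-type=network.mojom.NetworkService) with memory-read rights.
"""
import re
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
PROCESS_VM_READ = 0x0010   # Win32 process access right


@dataclass
class ProcStart:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class ProcAccess:
    source_pid: int
    target_pid: int
    granted_access: int   # access mask granted on OpenProcess


CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"

# Constructed sample: pid 4000 (unknown binary in Temp) launches Chrome with
# remote debugging enabled and the window pushed off-screen, then reads the
# network service process. pid 5000 is a developer's editor starting Chrome
# with DevTools on screen, which should score lower.
STARTS = [
    ProcStart(4000, 900, "updater.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"),
    ProcStart(4100, 4000, "chrome.exe",
              f'"{CHROME}" --remote-debugging-port=9222 --window-position=-10000,-10000'),
    ProcStart(4200, 4100, "chrome.exe",
              f'"{CHROME}" --type=utility --utility-sub-type=network.mojom.NetworkService'),
    ProcStart(5000, 900, "code.exe", "C:\\Program Files\\Microsoft VS Code\\code.exe"),
    ProcStart(5100, 5000, "chrome.exe",
              f'"{CHROME}" --remote-debugging-port=9229 --window-position=100,100'),
]
ACCESSES = [
    # 0x1410 = PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    ProcAccess(4000, 4200, 0x1410),
    ProcAccess(4100, 4200, 0x1410),   # the browser touching its own child: normal
]

REMOTE_DEBUG = re.compile(r"--remote-debugging-port=(\d+)")
WINDOW_POS = re.compile(r"--window-position=(-?\d+),(-?\d+)")
NETWORK_SERVICE = re.compile(r"--utility-sub-type=network\.mojom\.NetworkService")


def suspicious_browser_launches(starts):
    """Rule 1: a non-browser parent starts a browser for remote control or hidden."""
    by_pid = {s.pid: s for s in starts}
    findings = []
    for s in starts:
        if s.image.lower() not in BROWSERS:
            continue
        parent = by_pid.get(s.ppid)
        if parent is None or parent.image.lower() in BROWSERS:
            continue   # the browser spawning its own helper processes is normal
        dbg = REMOTE_DEBUG.search(s.cmdline)
        pos = WINDOW_POS.search(s.cmdline)
        offscreen = bool(pos) and (int(pos.group(1)) < 0 or int(pos.group(2)) < 0)
        if not (dbg or offscreen):
            continue
        findings.append({
            "pid": s.pid,
            "parent_image": parent.image,
            "debug_port": int(dbg.group(1)) if dbg else None,
            "offscreen": offscreen,
            "severity": "high" if (dbg and offscreen) else "medium",
        })
    return findings


def network_service_memory_reads(starts, accesses):
    """Rule 2: a process outside the browser reads the network service's memory."""
    by_pid = {s.pid: s for s in starts}
    targets = {s.pid for s in starts
               if s.image.lower() in BROWSERS and NETWORK_SERVICE.search(s.cmdline)}
    findings = []
    for a in accesses:
        if a.target_pid not in targets or not (a.granted_access & PROCESS_VM_READ):
            continue
        src = by_pid.get(a.source_pid)
        if src is None or src.image.lower() in BROWSERS:
            continue
        findings.append({
            "source_pid": a.source_pid,
            "source_image": src.image,
            "target_pid": a.target_pid,
            "granted_access": hex(a.granted_access),
        })
    return findings


if __name__ == "__main__":
    for finding in suspicious_browser_launches(STARTS) + network_service_memory_reads(STARTS, ACCESSES):
        print(finding)
```

Rule 2 is the higher-confidence signal: legitimate software has little reason to open the browser's network service with PROCESS_VM_READ, whereas --remote-debugging-port alone is common on developer machines, which is why rule 1 only scores "high" when the debugging port is combined with an off-screen window.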

Expansion to Multi-Platform Attacks

The same ClickFix strategy is also being observed on macOS, Android, and iOS:

  • On macOS, victims are redirected to run shell commands via Terminal, downloading malware such as AMOS (Atomic macOS Stealer).

  • On Windows, Android, and iOS, a drive-by download is triggered, leading to the deployment of various trojans.

Emergence of Other Infostealers

The report coincides with the discovery of new malware families:

Katz Stealer

  • Targets Windows systems

  • Bypasses Chromium encryption using DLL injection

  • Uses gzip-packed JavaScript to initiate PowerShell-based payload delivery

AppleProcessHub Stealer

  • Targets macOS

  • Steals:

    • .bash_history, .zsh_history

    • GitHub and SSH credentials

    • iCloud Keychain data

  • Delivered via a Mach-O binary, which downloads a bash script from appleprocesshub[.]com

Conclusion

The use of Rust in EDDIESTEALER demonstrates a strategic shift in malware development, as attackers seek more efficient, stealthy, and platform-flexible tools. Combined with the increasingly common ClickFix technique, this malware family poses a significant risk to users across multiple platforms.

Organizations and individuals should remain vigilant against CAPTCHA-based lures and ensure that JavaScript execution, PowerShell commands, and file downloads are strictly monitored and controlled.

“The growing sophistication and platform reach of these campaigns underline the need for cross-platform security awareness and advanced detection strategies,” concluded Elastic.