A new malware campaign is distributing a novel Rust-based information stealer dubbed EDDIESTEALER using the popular ClickFix social engineering tactic initiated via fake CAPTCHA verification pages.
“This campaign leverages deceptive CAPTCHA verification pages that trick users into executing a malicious PowerShell script, which ultimately deploys the infostealer, harvesting sensitive data such as credentials, browser information, and cryptocurrency wallet details,” Elastic Security Labs researcher Jia Yu Chan said in an analysis.
The attack chains begin with threat actors compromising legitimate websites with malicious JavaScript payloads that serve bogus CAPTCHA check pages, which prompt site visitors to “prove you are not [a] robot” by following a three-step process, a prevalent tactic called ClickFix.
This involves instructing the potential victim to open the Windows Run dialog prompt, paste an already copied command into the “verification window” (i.e., the Run dialog), and press enter. This effectively causes the obfuscated PowerShell command to be executed, resulting in the retrieval of a next-stage payload from an external server (“llll[.]fit”).
The JavaScript payload (“gverify.js”) is subsequently saved to the victim’s Downloads folder and executed using cscript in a hidden window. The main goal of the intermediate script is to fetch the EDDIESTEALER binary from the same remote server and store it in the Downloads folder with a pseudorandom 12-character file name.
Written in Rust, EDDIESTEALER is a commodity stealer malware that can gather system metadata, receive tasks from a command-and-control (C2) server, and siphon data of interest from the infected host. The exfiltration targets include cryptocurrency wallets, web browsers, password managers, FTP clients, and messaging apps.
“These targets are subject to change as they are configurable by the C2 operator,” Elastic explained. “EDDIESTEALER then reads the targeted files using standard kernel32.dll functions like CreateFileW, GetFileSizeEx, ReadFile, and CloseHandle.”
The collected host information is encrypted and transmitted to the C2 server in a separate HTTP POST request after the completion of each task.
Besides incorporating string encryption, the malware employs a custom WinAPI lookup mechanism for resolving API calls and creates a mutex to ensure that only one version is running at any given time. It also incorporates checks to determine if it’s being executed in a sandboxed environment, and if so, deletes itself from disk.
“Based on a similar self-deletion technique observed in Latrodectus, EDDIESTEALER is capable of deleting itself through NTFS Alternate Data Streams renaming, to bypass file locks,” Elastic noted.
Another noteworthy feature built into the stealer is its ability to bypass Chromium’s app-bound encryption to gain access to unencrypted sensitive data, such as cookies. This is accomplished by including a Rust implementation of ChromeKatz, an open-source tool that can dump cookies and credentials from the memory of Chromium-based browsers.
The Rust version of ChromeKatz also incorporates changes to handle scenarios where the targeted Chromium browser is not running. In such cases, it spawns a new browser instance using the command-line arguments “–window-position=-3000,-3000 https://google.com,” effectively positioning the new window far off-screen and making its invisible to the user.
In opening the browser, the objective is to enable the malware to read the memory associated with the network service child process of Chrome that’s identified by the “-utility-sub-type=network.mojom.NetworkService” flag and ultimately extract the credentials.
Elastic said it also identified updated versions of the malware with features to harvest running processes, GPU information, number of CPU cores, CPU name, and CPU vendor. In addition, the new variants tweak the C2 communication pattern by preemptively sending the host information to the server before receiving the task configuration.
That’s not all. The encryption key used for client-to-server communication is hard-coded into the binary, as opposed to retrieving it dynamically from the server. Furthermore, the stealer has been found to launch a new Chrome process with the –remote-debugging-port=<port_num> flag to enable DevTools Protocol over a local WebSocket interface so as to interact with the browser in a headless manner, without requiring any user interaction.
“This adoption of Rust in malware development reflects a growing trend among threat actors seeking to leverage modern language features for enhanced stealth, stability, and resilience against traditional analysis workflows and threat detection engines,” the company said.
The disclosure comes as c/side revealed details of a ClickFix campaign that targets multiple platforms, such as Apple macOS, Android, and iOS, using techniques like browser-based redirections, fake UI prompts, and drive-by download techniques.
The attack chain starts with an obfuscated JavaScript hosted on a website, that when visited from macOS, initiates a series of redirections to a page that guides victims to launch Terminal and run a shell script, which leads to the download of a stealer malware that has been flagged on VirusTotal as the Atomic macOS Stealer (AMOS).
However, the same campaign has been configured to initiate a drive-by download scheme when visiting the web page from an Android, iOS, or Windows device, leading to the deployment of another trojan malware.
The disclosures coincide with the emergence of new stealer malware families like Katz Stealer and AppleProcessHub Stealer targeting Windows and macOS respectively, and are capable of harvesting a wide range of information from infected hosts, according to Nextron and Kandji.
Katz Stealer, like EDDIESTEALER, is engineered to circumvent Chrome’s app-bound encryption, but in a different way by employing DLL injection to obtain the encryption key without administrator privileges and use it to decrypt encrypted cookies and passwords from Chromium-based browsers.
“Attackers conceal malicious JavaScript in gzip files, which, when opened, trigger the download of a PowerShell script,” Nextron said. “This script retrieves a .NET-based loader payload, which injects the stealer into a legitimate process. Once active, it exfiltrates stolen data to the command and control server.”
AppleProcessHub Stealer, on the other hand, is designed to exfiltrate user files including bash history, zsh history, GitHub configurations, SSH information, and iCloud Keychain.
Attack sequences distributing the malware entail the use of a Mach-O binary that downloads a second-stage bash stealer script from the server “appleprocesshub[.]com” and runs it, the results of which are then exfiltrated back to the C2 server. Details of the malware were first shared by the MalwareHunterTeam on May 15, 2025, and by MacPaw’s Moonlock Lab last week.
“This is an example of a Mach-O written in Objective-C which communicates with a command and control server to execute scripts,” Kandji researcher Christopher Lopez said.
