The Ultimate Guide To Cybersecurity In The Real World. - Register Here
The Ultimate Guide To Cybersecurity In The Real World. - Register Here
Schedule a Consultation
Hoplon InfoSec Logo
  • Products
  • Services

Hoplon Infosec · Threat Intelligence

EDDIESTEALER: The Rise of a Rust-Based Infostealer in CAPTCHA Campaigns

ByHoplon Infosec
Published01 Jun, 2025
EDDIESTEALER: The Rise of a Rust-Based Infostealer in CAPTCHA Campaigns
Hoplon Infosec01 Jun, 2025

In the ever-evolving landscape of cybersecurity threats, a new player has emerged, leveraging modern programming languages and sophisticated social engineering tactics. Dubbed EDDIESTEALER, this Rust-based infostealer has been identified by Elastic Security Labs as a significant threat, primarily distributed through deceptive CAPTCHA verification pages. This comprehensive analysis delves into the intricacies of EDDIESTEALER, its deployment mechanisms, technical architecture, and the broader implications for cybersecurity.

EDDIESTEALER represents a novel approach in the realm of infostealers, utilizing the Rust programming language to enhance stealth, stability, and resistance against traditional analysis workflows. Its primary objective is to harvest sensitive data, including credentials, browser information, and cryptocurrency wallet details, from Windows hosts.

Distribution via Deceptive CAPTCHA Campaigns

The initial vector for EDDIESTEALER involves compromised websites deploying obfuscated React-based JavaScript payloads that mimic legitimate CAPTCHA systems, such as Google’s reCAPTCHA. These fake CAPTCHAs serve as gateways for malware, leveraging social engineering to deceive users.

Attack Chain Overview:

  1. Fake CAPTCHA Presentation: Users encounter a prompt like “Verify you are a human,” blending seamlessly into compromised websites.

  • Clipboard Manipulation: The malicious JavaScript uses document.execCommand(“copy”) to copy a PowerShell command into the user’s clipboard.

  • User Execution: Users are instructed to press Windows + R, paste the clipboard contents, and press Enter, executing the malicious PowerShell command.

  • Payload Retrieval: The command downloads a second-stage payload (gverify.js) from an attacker-controlled domain (e.g., hxxps://llll.fit/version/) and saves it to the user’s Downloads folder.

  • Compromised Websites: Threat actors compromise legitimate websites, injecting obfuscated React-based JavaScript payloads.

  • Execution of gverify.js: The script is executed using cscript in a hidden window, which then fetches the EDDIESTEALER executable from hxxps://llll.fit/io, saving it under a pseudorandom 12-character filename.

This method exploits user trust and browser familiarity, facilitating the stealthy delivery of the infostealer.

Technical Architecture EDDIESTEALERand Obfuscation Techniques

EDDIESTEALER’s architecture is meticulously designed to evade detection and complicate analysis. Key features include:

  • String Obfuscation: To hinder static analysis, EDDIESTEALER encrypts most strings using a simple XOR cipher. Decryption occurs at runtime, with each routine utilizing distinct key derivation functions. Additionally, the malware employs a custom WinAPI lookup mechanism, dynamically resolving API calls and caching them for efficiency.

  • API Obfuscation: The malware utilizes a custom WinAPI lookup mechanism, decrypting module and function names at runtime, and dynamically loading required modules using a custom LoadLibrary wrapper.

  • Mutex Creation: To prevent multiple instances, EDDIESTEALER creates a mutex using a decrypted UUID string, ensuring only one instance runs at a time.

  • Sandbox Detection: A basic check assesses whether the total physical memory exceeds ~4.0 GB. If not, the malware deletes itself, avoiding execution in sandbox environments.

  • Self-Deletion: The malware can delete itself through NTFS Alternate Data Streams renaming, bypassing file locks. This technique involves renaming the default stream $DATA to :metadata, then setting a “delete on close handle” flag to remove the file upon closing. These techniques collectively enhance the malware’s stealth and persistence.

Command and Control (C2) Communication

Upon execution, EDDIESTEALER communicates with its C2 server to receive configuration data and exfiltrate collected information. The process involves:

  • Configuration Retrieval: An HTTP GET request is sent to the C2 server, retrieving AES CBC encrypted and Base64 encoded configuration data. The AES key for decryption is stored unencrypted within the binary.

  • Task Execution: The decrypted configuration contains a list of tasks targeting specific data, such as crypto wallets, browsers, password managers, FTP clients, and messaging applications.

  • Data Exfiltration: Collected data is encrypted and transmitted to the C2 server via HTTP POST requests, following a distinct pattern characterized by multiple, task-specific POST requests.

Data Exfiltrate

This communication strategy allows for dynamic task assignment and efficient data exfiltration.

Targeted Applications and Data

EDDIESTEALER is configured to target a wide array of applications and data types, including:

  • Cryptocurrency Wallets: Files associated with wallets like Armory, Bitcoin, WalletWasabi, Daedalus Mainnet, Coinomi, Electrum, Exodus, DashCore, ElectronCash, Electrum-DASH, Guarda, and Atomic.

  • Web Browsers: User data from browsers such as Microsoft Edge, Brave, Google Chrome, and Mozilla Firefox, including history, bookmarks, cookies, and login data.

  • Password Managers: Data from applications like Bitwarden, 1Password, and KeePass.

  • FTP Clients: Configuration files from clients like FileZilla, FTP Manager Lite, FTPbox, FTP Commander Deluxe, Auto FTP Manager, 3D-FTP, FTPGetter, and Total Commander.

  • Messaging Applications: Data from Telegram Desktop.

EDDIESTEALER reads the targeted files using standard Windows API functions, encrypts the data using AES encryption, and transmits it to the C2 server in separate HTTP POST requests for each completed task

Advanced Capabilities and Variants

Recent variants of EDDIESTEALER exhibit additional capabilities:

  • System Profiling: Collecting information such as running processes, GPU details, number of CPU cores, CPU name, and vendor.

  • Modified C2 Communication: In some instances, the malware sends host system information to the C2 server before requesting its configuration, allowing the server to withhold tasks if a sandbox environment is detected.

  • Hardcoded AES Keys: Later versions have hardcoded AES keys for both client-to-server and server-to-client communication, eliminating the need to retrieve them dynamically.

  • Function Inlining: Extensive use of function inline expansion, resulting in larger functions and complicating code analysis.

  • Chrome DevTools Protocol Exploitation: To extract credentials from Chrome’s Password Manager, EDDIESTEALER spawns a new Chrome process with the remote-debugging-port flag, enabling DevTools Protocol over a local WebSocket interface. It then opens the internal password manager page, causing Chrome to decrypt and load stored credentials into memory, which the malware subsequently extracts.

Hacker with browser

These enhancements indicate active development and adaptation by threat actors to improve the malware’s effectiveness and stealth.

Detection and Mitigation Strategies

Elastic Security Labs has developed YARA rules and behavioral prevention rules to detect EDDIESTEALER:

  • YARA Rule: Windows.Infostealer.EddieStealer

  • Behavioral Prevention Rules:

    • Suspicious PowerShell Execution

    • Ingress Tool Transfer via PowerShell

    • Potential Browser Information Discovery

    • Potential Self Deletion of a Running Executable

Implementing these rules within security solutions can aid in early detection and prevention of EDDIESTEALER infections.

Broader Implications and Trends

EDDIESTEALER’s emergence underscores several broader trends in cybersecurity:

  • Adoption of Modern Programming Languages: The use of Rust reflects a shift towards languages that offer enhanced memory safety and performance, complicating traditional analysis techniques.

  • Sophisticated Social Engineering: Leveraging familiar interfaces like CAPTCHA challenges increases the likelihood of user interaction and malware execution.

  • Dynamic Malware Capabilities: The ability to receive task lists and adapt targets indicates a move towards more flexible and customizable malware frameworks.

These trends highlight the need for continuous evolution in defensive strategies and user education to counteract increasingly sophisticated threats.

Conclusion

EDDIESTEALER represents a significant advancement in infostealer malware, combining modern programming techniques with effective social engineering to compromise systems and exfiltrate sensitive data. Its modular architecture, obfuscation strategies, and dynamic capabilities pose substantial challenges to detection and analysis. As threat actors continue to innovate, it is imperative for cybersecurity professionals to stay informed and adapt their defenses accordingly.

Did you find this article helpful? Follow us on Twitter and LinkedIn for more Cyber Security news and updates. Stay connected on Facebook and Instagram as well. At Hoplon Infosec, we’re committed to securing your digital world.

About the author

Hoplon Infosec

Hoplon Infosec

Was this useful?

React, leave a note, or share it forward.

Leave a note

Share this article

Share this :

Free · Weekly · No noise

Get the threats that matter, before they reach you.

One short email a week with the breaches, zero-days, and fixes worth your attention — written in plain English, no fear-mongering.

Hoplon InfoSec Logo
Address : 1415 West 22nd Street, Tower Floor, Oak Brook, IL 60523

Phone : +1 (773) 904-3136

Email : info@hoploninfosec.com

Services

  • Penetration Testing
  • Cyber Security Assessment
  • AI Development
  • Incident Readiness & Response Recovery

Products

  • IBM Flash Storage Solutions
  • Mobile Security
  • Endpoint Security
  • Deep and Dark Web Monitoring

Sign Up For Newsletter

Get the latest updates on new products and upcoming news

Copyright © Hoplon InfoSec, LLC and its group of companies.
About usContact usTerms & ConditionsCookie PolicyPrivacy Policy
03Latest posts

Keep reading.

SonicWall SMA1000 Zero-Day Vulnerabilities: Patch Now
15 Jul, 2026

SonicWall SMA1000 Zero-Day Vulnerabilities: Patch Now

SonicWall SMA1000 zero-day vulnerabilities are under active attack. See affected versions, CVE details, IOC checks and the patch you need right now.

Read More
Windows 11 KB5101650 Dell Issue: Causes and Full Fix Guide
15 Jul, 2026

Windows 11 KB5101650 Dell Issue: Causes and Full Fix Guide

Windows 11 KB5101650 is blocked on some Dell PCs after an Intel driver conflict triggered shutdowns and overheating. Here is what happened and what to do.

Read More
OFAC Sanctions First VPN Service Over Ransomware
14 Jul, 2026

OFAC Sanctions First VPN Service Over Ransomware

Learn why OFAC sanctioned First VPN Service and a malware cryptor seller, how 1VPNS helped ransomware groups, and how to defend against FSB router attacks.

Read More
CVE-2026-57807: Critical WordPress SSO Flaw Explained
13 Jul, 2026

CVE-2026-57807: Critical WordPress SSO Flaw Explained

CVE-2026-57807 affects miniOrange OAuth SSO through 38.5.8. Learn who is exposed, how the flaw works, plus safe mitigation and incident response steps.

Read More
Mobile App Security Guide: Risks, Fixes and Best Practices
13 Jul, 2026

Mobile App Security Guide: Risks, Fixes and Best Practices

Mobile app security explained simply, covering real risks, OWASP threats, encryption and practical steps to protect any app from hackers.

Read More
Apple OpenAI Lawsuit: Inside the Trade Secret Theft Claims
13 Jul, 2026

Apple OpenAI Lawsuit: Inside the Trade Secret Theft Claims

Apple OpenAI lawsuit explained. See what Apple accuses Tang Tan, Chang Liu and OpenAI of stealing, and what it means for hardware security.

Read More