EDDIESTEALER Infostealer Targets Windows Systems with Fake CAPTCHA Campaigns

Threat Group: Unknown
Threat Type: Infostealer Malware
Exploited Vulnerabilities: None (Relies on social engineering and fake CAPTCHA delivery)
Malware Used: EDDIESTEALER
Threat Score: 🔴 High (7.8/10) – Due to its novel Rust implementation, evasive delivery methods, and rapid credential exfiltration techniques.
Last Threat Observation: May 30, 2025


Overview

EDDIESTEALER is a newly identified, Rust-based information-stealing malware distributed via sophisticated fake CAPTCHA campaigns. The malware uses social engineering to convince users to execute malicious PowerShell commands, initiating a multi-stage infection chain that ultimately delivers a data exfiltration payload.

The infostealer harvests credentials, browser data, crypto wallet files, password manager records, and system metadata. It exfiltrates these using encrypted HTTP POST requests to attacker-controlled C2 servers. EDDIESTEALER employs evasion features such as XOR-encrypted strings, dynamic WinAPI resolution, sandbox detection, and function inlining.

This malware does not establish persistence. Instead, it performs a "smash and grab" operation, deleting itself after data theft or if sandbox checks fail.


Key Details

Target: Windows systems (via user-initiated execution). Focus is placed on home users, corporate endpoints, and devices where users can run PowerShell without restriction. Machines without strong endpoint controls or script-execution restrictions are especially vulnerable.

Functions:

  • Credential Theft from Browsers and Password Managers (including Chrome, Edge, Firefox, Bitwarden, KeePass)
  • Collection of Crypto Wallet Files (from Electrum, Coinomi, Exodus, etc.)
  • Host System Profiling (CPU, GPU, OS version, RAM, username, locale)
  • Application-Specific Data Harvesting (e.g., Telegram, FileZilla)
  • Modular Task Execution via C2-defined task lists
  • Encrypted Data Exfiltration via HTTP POST, with AES-CBC encryption
  • Multi-stage infection through JavaScript and PowerShell loaders
  • Optional self-deletion triggered after task completion or analysis detection

Obfuscation:

  • XOR string encryption with sample-specific key derivation functions
  • Function inlining to avoid isolated code block detection
  • Custom dynamic WinAPI resolution to evade static import tables and EDR
  • Use of stripped function symbols and alternate data streams for stealth
  • No reliance on known packers, making detection through heuristic signatures more difficult

EDDIESTEALER’s design reflects a balance between simplicity for deployment and sophistication for evasion. The modular execution flow allows operators to define specific data collection routines per infection, minimizing redundancy and potentially avoiding detection by signature-based anomaly engines.

EDDIESTEALER’s infection begins with the user visiting a compromised website that mimics a CAPTCHA page. When the user follows the on-screen instructions, a PowerShell command is pasted and executed. This command downloads a JavaScript loader that fetches the EDDIESTEALER executable.

The infection stages:

  1. PowerShell Download – Fetches JavaScript (gverify.js) from a malicious URL.
  2. JavaScript Loader Execution – Runs via cscript.exe, downloading the Rust-based EXE.
  3. Payload Execution – The binary harvests data and communicates with the C2.

Each stage is designed to evade traditional perimeter detection by using Living off the Land (LotL) techniques and social engineering.


Attack Vectors

EDDIESTEALER relies heavily on social engineering rather than software vulnerabilities. Its primary attack vector involves the use of fake CAPTCHA campaigns embedded in compromised or malicious websites. These CAPTCHAs instruct users to copy and execute a PowerShell command, a tactic which bypasses many security mechanisms reliant on automated payload detection.

Once the PowerShell command is executed, it downloads a JavaScript loader which is subsequently executed using cscript.exe. This script then downloads and launches the final EDDIESTEALER payload—typically a Rust-based binary with obfuscated content. This multi-stage infection method masks intent and makes forensic tracing more difficult.

Key aspects of the attack vector include:

  • No file downloads initiated by the browser directly – All execution stems from user input.
  • Command Execution via Clipboard – JavaScript’s document.execCommand('copy') automatically places the malicious PowerShell command into the user’s clipboard.
  • User Deception – Users are directed to paste and run the command manually using Win + R, bypassing automated defenses.
  • Living off the Land Techniques – Use of built-in Windows utilities such as PowerShell and cscript.exe to minimize new process fingerprints.
  • Staged Execution – Initial access, loader execution, and payload deployment are all split across multiple tools and file formats, helping to evade detection tools relying on single-stage analysis.
  • Network Obfuscation – Use of plain HTTP (not HTTPS) carrying application-layer encrypted payloads: there is no TLS session for inspection proxies to decrypt, while the encrypted body defeats content-based IDS/IPS signatures.

These delivery methods make EDDIESTEALER particularly effective at bypassing legacy antivirus and perimeter defenses that are not designed to detect multi-stage, user-initiated attacks. Organizations that allow unrestricted internet access or have minimal PowerShell execution restrictions are at a heightened risk.


Known Indicators of Compromise (IoCs)

MD5 Hashes

  • 64d3d33cba202938a01ee2af728a5813
  • ec45ccb0b9114b304f76b8c0eb1c79bc

SHA1 Hashes

  • 9e06155f24320783be182d70b0c61f8574605424
  • ec29ce94832ca4367922bcfc9c0b829dde1da584

SHA256 Hashes

  • Listed in the YARA rule below.

IPv4 Addresses

  • 45[.]144[.]53[.]145
  • 84[.]200[.]154[.]47

URLs

  • hxxps://cxiao[.]net/posts/2023-12-08-rust-reversing-panic-metadata/
  • hxxps://docs[.]binary[.]ninja/dev/uidf.html

Domains

  • llll[.]fit
  • militrex[.]wiki
  • plasetplastik[.]com
  • shiglimugli[.]xyz
  • xxxivi[.]com

YARA Rule for IoC Detection

import "hash"

// The hash module computes a digest over a byte range of the scanned file and
// returns it as a lowercase hex string, so each IoC is matched with
// hash.<alg>(0, filesize) == "<digest>". Calling hash.md5("<digest>") would
// instead hash the literal string and yield a non-boolean condition.
rule EddieStealer_IoCs
{
    meta:
        description = "Detects known EDDIESTEALER sample hashes"
        author = "CyberSecSentinel"
        date = "2025-05-30"
        threat_name = "EddieStealer"

    condition:
        hash.md5(0, filesize) == "64d3d33cba202938a01ee2af728a5813" or
        hash.md5(0, filesize) == "ec45ccb0b9114b304f76b8c0eb1c79bc" or

        hash.sha1(0, filesize) == "9e06155f24320783be182d70b0c61f8574605424" or
        hash.sha1(0, filesize) == "ec29ce94832ca4367922bcfc9c0b829dde1da584" or

        hash.sha256(0, filesize) == "0f5717b98e2b44964c4a5dfec4126fc35f5504f7f8dec386c0e0b0229e3482e7" or
        hash.sha256(0, filesize) == "162a8521f6156070b9a97b488ee902ac0c395714aba970a688d54305cb3e163f" or
        hash.sha256(0, filesize) == "1bdc2455f32d740502e001fce51dbf2494c00f4dcadd772ea551ed231c35b9a2" or
        hash.sha256(0, filesize) == "20eeae4222ff11e306fded294bebea7d3e5c5c2d8c5724792abf56997f30aaf9" or
        hash.sha256(0, filesize) == "218ec38e8d749ae7a6d53e0d4d58e3acf459687c7a34f5697908aec6a2d7274d" or
        hash.sha256(0, filesize) == "2bef71355b37c4d9cd976e0c6450bfed5f62d8ab2cf096a4f3b77f6c0cb77a3b" or
        hash.sha256(0, filesize) == "47409e09afa05fcc9c9eff2c08baca3084d923c8d82159005dbae2029e1959d0" or
        hash.sha256(0, filesize) == "5330cf6a8f4f297b9726f37f47cffac38070560cbac37a8e561e00c19e995f42" or
        hash.sha256(0, filesize) == "53f803179304e4fa957146507c9f936b38da21c2a3af4f9ea002a7f35f5bc23d" or
        hash.sha256(0, filesize) == "73b9259fecc2a4d0eeb0afef4f542642c26af46aa8f0ce2552241ee5507ec37f" or
        hash.sha256(0, filesize) == "7930d6469461af84d3c47c8e40b3d6d33f169283df42d2f58206f43d42d4c9f4" or
        hash.sha256(0, filesize) == "acae8a4d92d24b7e7cb20c0c13fd07c8ab6ed8c5f9969504a905287df1af179b" or
        hash.sha256(0, filesize) == "b8b379ba5aff7e4ef2838517930bf20d83a1cfec5f7b284f9ee783518cb989a7" or
        hash.sha256(0, filesize) == "d318a70d7f4158e3fe5f38f23a241787359c55d352cb4b26a4bd007fd44d5b80" or
        hash.sha256(0, filesize) == "d905ceb30816788de5ad6fa4fe108a202182dd579075c6c95b0fb26ed5520daa" or
        hash.sha256(0, filesize) == "e8942805238f1ead8304cfdcf3d6076fa0cdf57533a5fae36380074a90d642e4" or
        hash.sha256(0, filesize) == "f6536045ab63849c57859bbff9e6615180055c268b89c613dfed2db1f1a370f2" or
        hash.sha256(0, filesize) == "f8b4e2ca107c4a91e180a17a845e1d7daac388bd1bb4708c222cda0eff793e7a"
}

Mitigation and Prevention

User Awareness:

  • Train users to recognise fake CAPTCHA attacks and avoid executing unsolicited clipboard content.

Email Filtering:

  • Block known malicious infrastructure and detect clipboard-based obfuscation attempts.

Antivirus Protection:

  • Deploy YARA: Windows.Infostealer.EddieStealer
  • Monitor for process trees involving PowerShell -> cscript.exe -> Random EXE in Downloads
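The process-tree check above, written out as an added detection example (not from the advisory or any vendor product): it walks constructed Sysmon-style process-creation records and flags any executable launched from a Downloads folder by a script host that PowerShell itself started. Matching wscript.exe and pwsh.exe alongside the cscript.exe and powershell.exe named in the advisory is an assumption that broadens the chain; the payload file name is a placeholder.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    # One process-creation record (Sysmon Event ID 1 style), constructed for this example.
    pid: int
    ppid: int
    image: str  # full path of the created process image


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_downloads(path: str) -> bool:
    # Normalise separators and look for a "Downloads" directory anywhere in the path.
    parts = path.replace("/", "\\").lower().split("\\")
    return "downloads" in parts


def find_stager_chains(events):
    """Return (powershell_pid, script_host_pid, payload_pid) for every EXE launched
    from a Downloads folder by a script host whose own parent is PowerShell."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        if not (child.image.lower().endswith(".exe") and _in_downloads(child.image)):
            continue
        parent = by_pid.get(child.ppid)
        # cscript.exe is the host named in the advisory; wscript.exe is an assumed sibling.
        if parent is None or _basename(parent.image) not in ("cscript.exe", "wscript.exe"):
            continue
        grand = by_pid.get(parent.ppid)
        # powershell.exe is named in the advisory; pwsh.exe is an assumed variant.
        if grand is None or _basename(grand.image) not in ("powershell.exe", "pwsh.exe"):
            continue
        hits.append((grand.pid, parent.pid, child.pid))
    return hits


# Constructed sample telemetry: one benign script-host launch and one suspicious chain.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(150, 100, r"C:\Windows\System32\cscript.exe"),  # logon script, parent is explorer
    ProcEvent(160, 150, r"C:\Users\alice\Downloads\setup.exe"),  # no PowerShell ancestor: ignored
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),  # Win+R paste
    ProcEvent(300, 200, r"C:\Windows\System32\cscript.exe"),  # runs the JS loader
    ProcEvent(400, 300, r"C:\Users\alice\Downloads\EXAMPLE_PAYLOAD.exe"),  # placeholder name
]

for ps_pid, host_pid, exe_pid in find_stager_chains(SAMPLE_EVENTS):
    print(f"suspicious chain: powershell {ps_pid} -> script host {host_pid} -> payload {exe_pid}")
```

Feed it real records by mapping your EDR or Sysmon export onto ProcEvent(pid, ppid, image); the benign cscript.exe launch shows why the PowerShell grandparent, not the script host alone, is the discriminating condition.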

Two-Factor Authentication (2FA):

  • Mandatory for all applications and logins targeted by credential theft

Monitor Logs:

  • Look for unencrypted HTTP POSTs to uncommon domains
  • Flag multi-stage scripting behavior from browser-induced sessions

Regular Updates:

  • Keep browser, AV, PowerShell policies, and OS fully patched

Risk Assessment

EDDIESTEALER is assessed as High Risk (7.8/10) due to its modern language implementation, deceptive social engineering, and broad data theft capabilities. Although it lacks persistence or lateral movement functionality, its speed and modularity amplify potential damage in a short time.

Organizations with unfiltered user browsing or inadequate PowerShell logging are at elevated risk.


Conclusion

EDDIESTEALER underscores a rising trend in infostealers built with Rust and distributed using fake CAPTCHA campaigns. With multi-layered evasion, encrypted C2, and modular exfiltration, this malware represents a fast-moving, highly evasive threat.

Security teams must prioritize behavioral detection and establish hardened scripting controls. The absence of persistence does not diminish impact—EDDIESTEALER is designed to get in, exfiltrate, and vanish before traditional tools can respond.


Sources: