EDDIESTEALER Infostealer Targets Windows Systems with Fake CAPTCHA Campaigns

Threat Group: Unknown
Threat Type: Infostealer Malware
Exploited Vulnerabilities: None (Relies on social engineering and fake CAPTCHA delivery)
Malware Used: EDDIESTEALER
Threat Score: 🔴 High (7.8/10) – Due to its novel Rust implementation, evasive delivery methods, and rapid credential exfiltration techniques.
Last Threat Observation: May 30, 2025
Overview
EDDIESTEALER is a newly identified, Rust-based information-stealing malware distributed via sophisticated fake CAPTCHA campaigns. The malware uses social engineering to convince users to execute malicious PowerShell commands, initiating a multi-stage infection chain that ultimately delivers a data exfiltration payload.
The infostealer harvests credentials, browser data, crypto wallet files, password manager records, and system metadata. It exfiltrates these using encrypted HTTP POST requests to attacker-controlled C2 servers. EDDIESTEALER employs evasion features such as XOR-encrypted strings, dynamic WinAPI resolution, sandbox detection, and function inlining.
This malware does not establish persistence. Instead, it performs a "smash and grab" operation, deleting itself after data theft or if sandbox checks fail.
Key Details
Target: Windows systems; infection requires the user to run the pasted command. Home users and corporate endpoints are both in scope. Machines where ordinary users can launch PowerShell and run executables from their Downloads folder, and that lack script or application control, are the most exposed. No administrative rights are needed: every stage runs in the user's own context.
Functions:
- Credential Theft from Browsers and Password Managers (including Chrome, Edge, Firefox, Bitwarden, KeePass)
- Collection of Crypto Wallet Files (from Electrum, Coinomi, Exodus, etc.)
- Host System Profiling (CPU, GPU, OS version, RAM, username, locale)
- Application-Specific Data Harvesting (e.g., Telegram, FileZilla)
- Modular Task Execution via C2-defined task lists
- Encrypted Data Exfiltration via HTTP POST, with AES-CBC encryption
- Multi-stage infection through JavaScript and PowerShell loaders
- Optional self-deletion triggered after task completion or analysis detection
Obfuscation:
- XOR string encryption, with the key derived per sample by a custom routine rather than stored as a constant
- Function inlining, which removes the separate function bodies and call sites that signatures and analysts key on
- Custom dynamic WinAPI resolution, so the import table does not reveal which APIs the sample uses and import-based triage and heuristics come up empty
- Stripped function symbols, and NTFS alternate data streams used in the self-deletion routine so the running binary can remove itself from disk
- No reliance on known packers, so packer-based heuristics and unpacking-driven detection do not apply
EDDIESTEALER's design balances ease of deployment against sophistication of evasion. Because the C2 supplies a task list per infection, operators can collect only what they want from each victim, which keeps the on-host behavior small and variable and gives behavioral and signature engines less of a fixed pattern to match.
EDDIESTEALER's infection begins when the user visits a compromised or attacker-controlled website that presents a fake CAPTCHA. Following the on-screen instructions, the user pastes and runs a PowerShell command. That command downloads a JavaScript loader, which in turn fetches the EDDIESTEALER executable.
The infection stages:
- PowerShell Download – The pasted command fetches the JavaScript loader (gverify.js) from an attacker-controlled URL.
- JavaScript Loader Execution – gverify.js runs via cscript.exe and downloads the Rust-based EXE into the user's Downloads folder under a random name.
- Payload Execution – The binary harvests data and communicates with the C2.
Each stage is designed to evade traditional perimeter detection by using Living off the Land (LotL) techniques and social engineering.
Attack Vectors
EDDIESTEALER relies heavily on social engineering rather than software vulnerabilities. Its primary attack vector involves the use of fake CAPTCHA campaigns embedded in compromised or malicious websites. These CAPTCHAs instruct users to copy and execute a PowerShell command, a tactic which bypasses many security mechanisms reliant on automated payload detection.
Once the PowerShell command is executed, it downloads a JavaScript loader, which is then run with cscript.exe. That script downloads and launches the final EDDIESTEALER payload, typically an obfuscated Rust binary. Splitting delivery across three stages and two interpreters masks intent and makes forensic reconstruction harder.
Key aspects of the attack vector include:
- No file downloads initiated by the browser – The browser never fetches the payload; every stage is triggered by the command the user pastes, so browser download protection and attachment scanning never see it.
- Command Execution via Clipboard – The page's JavaScript calls document.execCommand('copy') to place the malicious PowerShell command in the user's clipboard.
- User Deception – Users are told to open the Run dialog (Win + R), paste, and press Enter, which turns the victim into the delivery mechanism and bypasses automated defenses.
- Living off the Land Techniques – Built-in Windows utilities (PowerShell and cscript.exe) carry the first two stages, so no first-stage executable has to be dropped.
- Staged Execution – Initial access, loader execution, and payload deployment are split across multiple tools and file formats, helping to evade detection tools that analyze a single stage in isolation.
- Network Obfuscation – C2 traffic is plain HTTP rather than HTTPS, so TLS inspection never applies, and the POST bodies are encrypted, so content-matching IDS/IPS signatures have nothing to match. The hostnames, URIs and request sizes remain visible in proxy and network logs, which is where detection should focus.
These delivery methods make EDDIESTEALER particularly effective at bypassing legacy antivirus and perimeter defenses that are not designed to detect multi-stage, user-initiated attacks. Organizations that allow unrestricted internet access or have minimal PowerShell execution restrictions are at a heightened risk.
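The chain described above (PowerShell launched from the Run dialog, cscript.exe interpreting a .js from Downloads, then a randomly named executable from the same folder) is easy to reconstruct from process-creation telemetry. The following Python is an added example, not code from Elastic or from the original advisory: it walks parent links in Sysmon Event ID 1 / Windows 4688 style records and reports the three-stage pattern. The sample events are constructed; the PIDs, the user name and the payload file name are invented, and only gverify.js, cscript.exe and the Downloads location come from the page.

```python
"""Flag the EDDIESTEALER delivery chain in process-creation telemetry.

Input is a list of ProcEvent records carrying the fields Sysmon Event ID 1 or
Windows Security 4688 provide. The detector walks parent links upward from
every executable launched out of a Downloads folder and reports those whose
parent is cscript.exe running a .js from Downloads and whose grandparent is
PowerShell, i.e. the chain powershell.exe -> cscript.exe -> <random>.exe.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, Iterator, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the new process
    cmdline: str  # its command line


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_downloads(text: str) -> bool:
    """True when a path (or a command line containing one) points under a
    Downloads folder. Forward slashes are normalised because Windows accepts
    them and attackers use them to dodge naive backslash matching."""
    parts = text.replace("/", "\\").lower().split("\\")
    return "downloads" in parts


def ancestors(pid: int, index: Dict[int, ProcEvent]) -> Iterator[ProcEvent]:
    """Yield the process and its ancestors, nearest first. The visited set
    stops loops that PID reuse can introduce into parent links."""
    seen = set()
    cur = index.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = index.get(cur.ppid)


def detect_chain(events: List[ProcEvent]) -> List[dict]:
    index = {e.pid: e for e in events}
    findings = []
    for ev in events:
        # Stage 3: an executable launched from Downloads ...
        if not (basename(ev.image).endswith(".exe") and in_downloads(ev.image)):
            continue
        chain = list(ancestors(ev.pid, index))  # [payload, parent, grandparent, ...]
        if len(chain) < 3:
            continue
        parent, grandparent = chain[1], chain[2]
        # Stage 2: ... spawned by cscript.exe interpreting a .js from Downloads ...
        js_loader = (basename(parent.image) == "cscript.exe"
                     and ".js" in parent.cmdline.lower()
                     and in_downloads(parent.cmdline))
        # Stage 1: ... which PowerShell (the pasted command) started.
        from_powershell = basename(grandparent.image) in ("powershell.exe", "pwsh.exe")
        if js_loader and from_powershell:
            findings.append({
                "payload_pid": ev.pid,
                "chain": [basename(p.image) for p in reversed(chain)],
                # explorer.exe as PowerShell's parent is what a Win+R launch looks like.
                "run_dialog_launch": any(basename(p.image) == "explorer.exe" for p in chain[3:4]),
            })
    return findings


# Constructed sample telemetry, not a real capture: PIDs, the user name and
# the payload file name are invented; gverify.js, cscript.exe and the
# Downloads location follow the chain described on this page.
SAMPLE_EVENTS = [
    ProcEvent(1204, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4412, 1204, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -c <pasted command that fetches and runs gverify.js>"),
    ProcEvent(4520, 4412, r"C:\Windows\System32\cscript.exe",
              r'cscript "C:\Users\alice\Downloads\gverify.js"'),
    ProcEvent(4688, 4520, r"C:\Users\alice\Downloads\kq8x2mvd0pzl.exe",
              r"C:\Users\alice\Downloads\kq8x2mvd0pzl.exe"),
]

# Constructed benign activity: a logon script run via cscript from a network
# share, followed by an installer started from Downloads. Must not be flagged.
BENIGN_EVENTS = [
    ProcEvent(900, 800, r"C:\Windows\System32\cmd.exe", "cmd /c logon.bat"),
    ProcEvent(912, 900, r"C:\Windows\System32\cscript.exe", r"cscript \\corp\netlogon\mapdrives.js"),
    ProcEvent(920, 912, r"C:\Users\alice\Downloads\installer.exe", "installer.exe"),
]

if __name__ == "__main__":
    for f in detect_chain(SAMPLE_EVENTS) + detect_chain(BENIGN_EVENTS):
        print(f)
```

The benign set shows why the rule requires all three stages: cscript.exe running a script is common in logon automation, and executables in Downloads are common everywhere, but the combination with PowerShell as the grandparent and the script itself living in Downloads is not. In a SIEM the same logic becomes a parent/grandparent join on process GUIDs rather than PIDs, which avoids the PID-reuse problem the visited set papers over here.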
Known Indicators of Compromise (IoCs)
MD5 Hashes
64d3d33cba202938a01ee2af728a5813
ec45ccb0b9114b304f76b8c0eb1c79bc
SHA1 Hashes
9e06155f24320783be182d70b0c61f8574605424
ec29ce94832ca4367922bcfc9c0b829dde1da584
SHA256 Hashes
0f5717b98e2b44964c4a5dfec4126fc35f5504f7f8dec386c0e0b0229e3482e7
162a8521f6156070b9a97b488ee902ac0c395714aba970a688d54305cb3e163f
1bdc2455f32d740502e001fce51dbf2494c00f4dcadd772ea551ed231c35b9a2
20eeae4222ff11e306fded294bebea7d3e5c5c2d8c5724792abf56997f30aaf9
218ec38e8d749ae7a6d53e0d4d58e3acf459687c7a34f5697908aec6a2d7274d
2bef71355b37c4d9cd976e0c6450bfed5f62d8ab2cf096a4f3b77f6c0cb77a3b
47409e09afa05fcc9c9eff2c08baca3084d923c8d82159005dbae2029e1959d0
5330cf6a8f4f297b9726f37f47cffac38070560cbac37a8e561e00c19e995f42
53f803179304e4fa957146507c9f936b38da21c2a3af4f9ea002a7f35f5bc23d
73b9259fecc2a4d0eeb0afef4f542642c26af46aa8f0ce2552241ee5507ec37f
7930d6469461af84d3c47c8e40b3d6d33f169283df42d2f58206f43d42d4c9f4
acae8a4d92d24b7e7cb20c0c13fd07c8ab6ed8c5f9969504a905287df1af179b
b8b379ba5aff7e4ef2838517930bf20d83a1cfec5f7b284f9ee783518cb989a7
d318a70d7f4158e3fe5f38f23a241787359c55d352cb4b26a4bd007fd44d5b80
d905ceb30816788de5ad6fa4fe108a202182dd579075c6c95b0fb26ed5520daa
e8942805238f1ead8304cfdcf3d6076fa0cdf57533a5fae36380074a90d642e4
f6536045ab63849c57859bbff9e6615180055c268b89c613dfed2db1f1a370f2
f8b4e2ca107c4a91e180a17a845e1d7daac388bd1bb4708c222cda0eff793e7a
IPv4 Addresses
45[.]144[.]53[.]145
84[.]200[.]154[.]47
URLs
Note: some IoC feeds derived from the Elastic report list the following two URLs. They are reference material cited in the analysis (a blog post on reversing Rust panic metadata and the Binary Ninja documentation), not attacker infrastructure, and should not be blocked or alerted on:
hxxps://cxiao[.]net/posts/2023-12-08-rust-reversing-panic-metadata/
hxxps://docs[.]binary[.]ninja/dev/uidf.html
Domains
llll[.]fit
militrex[.]wiki
plasetplastik[.]com
shiglimugli[.]xyz
xxxivi[.]com
YARA Rule for IoC Detection
import "hash"

// Hash-only IoC rule. The hash module functions take (offset, size) and hash
// the scanned file's bytes, so each test compares hash.*(0, filesize) to a
// known value; a bare hash.md5("...") would hash the literal string rather
// than the file and never match. Hashing every scanned file three ways is
// slow and catches only these exact samples, so run this alongside Elastic's
// behavioral rule Windows.Infostealer.EddieStealer rather than instead of it.
rule EddieStealer_IoCs
{
    meta:
        description = "Matches file hashes of observed EDDIESTEALER samples"
        author = "CyberSecSentinel"
        date = "2025-05-30"
        threat_name = "EddieStealer"
    condition:
        hash.md5(0, filesize) == "64d3d33cba202938a01ee2af728a5813" or
        hash.md5(0, filesize) == "ec45ccb0b9114b304f76b8c0eb1c79bc" or
        hash.sha1(0, filesize) == "9e06155f24320783be182d70b0c61f8574605424" or
        hash.sha1(0, filesize) == "ec29ce94832ca4367922bcfc9c0b829dde1da584" or
        hash.sha256(0, filesize) == "0f5717b98e2b44964c4a5dfec4126fc35f5504f7f8dec386c0e0b0229e3482e7" or
        hash.sha256(0, filesize) == "162a8521f6156070b9a97b488ee902ac0c395714aba970a688d54305cb3e163f" or
        hash.sha256(0, filesize) == "1bdc2455f32d740502e001fce51dbf2494c00f4dcadd772ea551ed231c35b9a2" or
        hash.sha256(0, filesize) == "20eeae4222ff11e306fded294bebea7d3e5c5c2d8c5724792abf56997f30aaf9" or
        hash.sha256(0, filesize) == "218ec38e8d749ae7a6d53e0d4d58e3acf459687c7a34f5697908aec6a2d7274d" or
        hash.sha256(0, filesize) == "2bef71355b37c4d9cd976e0c6450bfed5f62d8ab2cf096a4f3b77f6c0cb77a3b" or
        hash.sha256(0, filesize) == "47409e09afa05fcc9c9eff2c08baca3084d923c8d82159005dbae2029e1959d0" or
        hash.sha256(0, filesize) == "5330cf6a8f4f297b9726f37f47cffac38070560cbac37a8e561e00c19e995f42" or
        hash.sha256(0, filesize) == "53f803179304e4fa957146507c9f936b38da21c2a3af4f9ea002a7f35f5bc23d" or
        hash.sha256(0, filesize) == "73b9259fecc2a4d0eeb0afef4f542642c26af46aa8f0ce2552241ee5507ec37f" or
        hash.sha256(0, filesize) == "7930d6469461af84d3c47c8e40b3d6d33f169283df42d2f58206f43d42d4c9f4" or
        hash.sha256(0, filesize) == "acae8a4d92d24b7e7cb20c0c13fd07c8ab6ed8c5f9969504a905287df1af179b" or
        hash.sha256(0, filesize) == "b8b379ba5aff7e4ef2838517930bf20d83a1cfec5f7b284f9ee783518cb989a7" or
        hash.sha256(0, filesize) == "d318a70d7f4158e3fe5f38f23a241787359c55d352cb4b26a4bd007fd44d5b80" or
        hash.sha256(0, filesize) == "d905ceb30816788de5ad6fa4fe108a202182dd579075c6c95b0fb26ed5520daa" or
        hash.sha256(0, filesize) == "e8942805238f1ead8304cfdcf3d6076fa0cdf57533a5fae36380074a90d642e4" or
        hash.sha256(0, filesize) == "f6536045ab63849c57859bbff9e6615180055c268b89c613dfed2db1f1a370f2" or
        hash.sha256(0, filesize) == "f8b4e2ca107c4a91e180a17a845e1d7daac388bd1bb4708c222cda0eff793e7a"
}
Mitigation and Prevention
User Awareness:
- Train users to recognise fake CAPTCHA pages: a legitimate CAPTCHA never asks you to open the Run dialog or paste a command. Treat any "verification" step that involves Win + R as malicious and report it.
Web and Email Filtering:
- Block the domains and IP addresses listed above at the proxy or DNS layer, and alert on plain-HTTP downloads of .js files into user profile folders.
Antivirus and Endpoint Protection:
- Deploy Elastic's behavioral YARA rule Windows.Infostealer.EddieStealer alongside the hash-based rule above.
- Monitor for the process tree explorer.exe -> powershell.exe -> cscript.exe -> randomly named EXE in the Downloads folder, and for cscript.exe executing any .js file from Downloads.
- Restrict script execution with AppLocker or WDAC and PowerShell Constrained Language Mode so that a pasted one-liner cannot download and run arbitrary code.
Two-Factor Authentication (2FA):
- Mandatory for all applications whose credentials this malware targets; after a confirmed infection, rotate the stolen passwords and force re-authentication so that harvested browser sessions are invalidated as well.
Monitor Logs:
- Look for HTTP (not HTTPS) POST requests to uncommon or newly seen domains and to bare IP addresses, especially from hosts where a PowerShell -> cscript.exe chain was just observed.
- Flag multi-stage scripting that begins with a user-launched PowerShell process shortly after web browsing.
Regular Updates:
- Keep browsers, endpoint protection and the OS patched, and keep PowerShell script block and module logging enabled so the pasted command itself is recorded.
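Because the C2 channel is plaintext HTTP, a proxy or Zeek http.log already holds everything needed for the log monitoring suggested above. The following Python is an added example, not part of the original advisory or of Elastic's tooling: it refangs the page's defanged IoCs into a match set and hunts a log excerpt for POST requests over plain HTTP that go to known infrastructure, to a bare IP address, or to a host that only one client in the environment has contacted. The log lines and their format are constructed; the IoC domain and IP in them come from this page, while the paths, sizes and client addresses are invented.

```python
"""Hunt proxy/HTTP logs for EDDIESTEALER-style C2: POST requests over plain
HTTP to attacker infrastructure, to bare IP addresses, or to hosts that only a
single client in the environment talks to. Known IoCs come from the defanged
list on this page; the log records are constructed."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Set

# Defanged infrastructure copied from this page's IoC section.
DEFANGED_IOCS = [
    "45[.]144[.]53[.]145", "84[.]200[.]154[.]47",
    "llll[.]fit", "militrex[.]wiki", "plasetplastik[.]com",
    "shiglimugli[.]xyz", "xxxivi[.]com",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging so indicators can be compared to live logs."""
    return re.sub(r"\[\.\]", ".", ioc).replace("hxxp", "http").lower()


IOC_HOSTS: Set[str] = {refang(i) for i in DEFANGED_IOCS}

# Constructed log excerpt in a simple proxy format (not a real capture):
# ts client method scheme host path status request_bytes
# The IoC host and IP are this page's; paths, sizes and clients are invented.
LOG = """\
2025-05-30T10:02:11Z 10.0.0.15 GET http www.example.com /index.html 200 0
2025-05-30T10:02:15Z 10.0.0.15 POST https sso.example.com /login 302 512
2025-05-30T10:03:40Z 10.0.0.15 POST http 84.200.154.47 /api/tasks 200 1840
2025-05-30T10:03:52Z 10.0.0.15 POST http llll.fit /gate 200 62208
2025-05-30T10:04:01Z 10.0.0.22 POST http intranet.example.com /submit 200 900
2025-05-30T10:04:09Z 10.0.0.31 POST http intranet.example.com /submit 200 880
2025-05-30T10:05:30Z 10.0.0.15 POST http cdn-sync-zzz.net /upload 200 40960
"""

FIELDS = ("ts", "client", "method", "scheme", "host", "path", "status", "bytes")


def parse_log(text: str) -> List[Dict[str, str]]:
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS):  # skip blank or truncated lines
            records.append(dict(zip(FIELDS, parts)))
    return records


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_prevalence(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Number of distinct clients that contacted each host over the window."""
    clients = defaultdict(set)
    for r in records:
        clients[r["host"].lower()].add(r["client"])
    return {h: len(c) for h, c in clients.items()}


def hunt(records: List[Dict[str, str]], iocs: Set[str], rare_threshold: int = 1) -> List[dict]:
    prevalence = host_prevalence(records)
    hits = []
    for r in records:
        # Only plaintext POSTs: that is what this malware's exfiltration looks
        # like on the wire, and it is also the traffic TLS inspection never sees.
        if r["method"] != "POST" or r["scheme"] != "http":
            continue
        host = r["host"].lower()
        if host in iocs:
            reason, severity = "known EDDIESTEALER infrastructure", "high"
        elif is_ip_literal(host):
            reason, severity = "POST to bare IP address", "medium"
        elif prevalence[host] <= rare_threshold:
            reason, severity = f"host seen from only {prevalence[host]} client(s)", "medium"
        else:
            continue
        hits.append({"ts": r["ts"], "client": r["client"], "host": host,
                     "bytes": int(r["bytes"]), "severity": severity, "reason": reason})
    return hits


if __name__ == "__main__":
    for h in hunt(parse_log(LOG), IOC_HOSTS):
        print(h)
```

The prevalence check is what makes this useful after the listed domains rotate: a plaintext POST of tens of kilobytes to a host nobody else in the estate talks to is worth a look regardless of whether it is on any feed. Tune rare_threshold to the size of the environment, and exclude internal hosts that legitimately receive plaintext POSTs from a single client (the two-client intranet host in the sample is left alone for that reason).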
Risk Assessment
EDDIESTEALER is assessed as High Risk (7.8/10) due to its modern language implementation, deceptive social engineering, and broad data theft capabilities. Although it lacks persistence or lateral movement functionality, its speed and modularity amplify potential damage in a short time.
Organizations with unfiltered user browsing or inadequate PowerShell logging are at elevated risk.
Conclusion
EDDIESTEALER underscores a rising trend in infostealers built with Rust and distributed using fake CAPTCHA campaigns. With multi-layered evasion, encrypted C2, and modular exfiltration, this malware represents a fast-moving, highly evasive threat.
Security teams must prioritize behavioral detection and establish hardened scripting controls. The absence of persistence does not diminish impact—EDDIESTEALER is designed to get in, exfiltrate, and vanish before traditional tools can respond.
Sources:
- Elastic Security Labs – Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA campaigns
- OTX AlienVault - Indicators Of Compromise