EDDIESTEALER Unmasked: A Rust Infostealer Hidden in Fake CAPTCHA Screens

Executive Summary

Elastic Security Labs recently published a blog post that described a newly identified piece of malware. This malware, named EDDIESTEALER, is an infostealer developed using the Rust programming language and specifically targets Windows operating systems. The distribution of EDDIESTEALER is occurring through misleading "Fake CAPTCHA" campaigns that are designed to look like genuine reCAPTCHA pages. These campaigns deceive users into copying and executing a malicious PowerShell script. This script operates covertly to download and run a second-stage JavaScript payload. Subsequently, this JavaScript script retrieves and installs the primary malware, EDDIESTEALER. The primary function of EDDIESTEALER is to steal various types of sensitive information, including user credentials, browser-related data, and cryptocurrency wallet details.

This campaign highlights a growing trend of malware authors adopting Rust for its stealth, performance, and difficulty in reverse engineering. The initial infection is typically triggered through compromised websites running obfuscated JavaScript that manipulates the user's clipboard and instructs them to run malicious commands manually. Elastic’s telemetry links this campaign to earlier activity involving GHOSTPULSE in late 2024, indicating continued evolution in socially engineered malware delivery techniques.

Figure 1 - EDDIESTEALER’s execution chain (source: Elastic)

Technical Analysis

Initial Access: Social Engineering via Fake CAPTCHA
Attackers leverage fake CAPTCHA screens mimicking Google’s reCAPTCHA to lure users into executing a malicious PowerShell command. This tactic relies on social engineering, convincing users to perform actions manually that execute malware.

▪ The attack starts from compromised websites showing a fake “I’m not a robot” prompt.
▪ The page uses document.execCommand("copy") to copy a PowerShell command to the clipboard.
▪ Users are instructed to press Win + R, then Ctrl + V, and Enter—executing the malicious command.
▪ This command downloads and saves a JavaScript file (gverify.js) from hxxps://llll.fit/version/ into the user’s Downloads folder.

Figure 2 - Fake CAPTCHA GUI (source: elastic)

Stage Two: JavaScript Loader (gverify.js)

The second-stage payload (gverify.js) acts as a dropper, fetching the main malware payload, EDDIESTEALER.

▪ It is obfuscated JavaScript that downloads the main infostealer from “hxxps://llll.fit/io”.

▪ The downloaded executable is saved with a pseudorandom 12-character filename.

▪ The script executes it using “cscript.exe” in a hidden window.

Main Payload: EDDIESTEALER Overview

EDDIESTEALER is a Rust-based commodity infostealer focusing on exfiltrating sensitive data from infected systems, primarily targeting Chromium browsers.

▪ Written in Rust, with obfuscated and encrypted strings using XOR.

▪ Includes basic anti-sandbox detection (e.g., memory check).

▪ Employs a self-delete mechanism to avoid detection after execution.

▪ Receives configuration tasks from the C2 server and performs file-based exfiltration.

Stealth & Obfuscation Techniques

EDDIESTEALER uses multiple mechanisms to stay hidden and avoid analysis.

▪ String encryption: XOR with dynamically derived keys.

▪ API obfuscation: Custom loader and resolver using decrypted names.

▪ Mutex creation: Prevents multiple instances (mutex is a unique UUID per sample).

▪ VM detection: Checks if physical memory is below ~4 GB.

▪ Self-deletion: Uses NTFS Alternate Data Streams to rename and delete itself silently.

Figure 3 - Memory check (source: Elastic)

Configuration & Command and Control (C2)

The malware communicates with its C2 server in multiple stages using a custom encrypted protocol over HTTP.

▪ Sends a GET request to /api/handler/ to fetch task configuration.

▪ The configuration is AES-CBC encrypted and Base64-encoded.

▪ The key is stored in the binary and used for both encryption and decryption.

▪ C2 communications follow the format:

o System profiling → POST /info/

o Task results → POST

Figure 4 - C2 traffic log (source: Elastic)

Data Collection Capabilities

EDDIESTEALER gathers a broad range of system and browser data, with an emphasis on Chromium-based browsers.

▪ System Profiling:

o Executable path

o Username and locale

o OS version and physical memory

▪ Browser Exfiltration:

o Uses Chrome’s remote debugging port to extract credentials

o Opens Chrome with an invisible window to trigger credential load

o Reads memory directly to steal passwords using techniques similar to ChromeKatz

▪ Targets also include browser extensions, cookies, and login data

Figure 5 - Setting up Chrome process with remote debugging (source: Elastic)

Cryptocurrency Wallet Theft

EDDIESTEALER also targets cryptocurrency wallets, a common behavior among modern infostealers. The malware searches for known wallet directories and browser extensions associated with crypto wallets like MetaMask, Exodus, and Atomic. It exfiltrates wallet-related files, including unencrypted JSON keystores or configuration files that may contain sensitive data.

Key behaviors:

• Scans directories such as %APPDATA%, %LOCALAPPDATA%, and browser-specific extension folders.

• Identifies popular Chrome-based wallet extensions using hardcoded paths and names.

• Steals recovery phrases, wallet.dat files, and other artifacts when available.

• Exfiltrates these via task-specific POST requests to the command-and-control (C2) server.

Advanced Features in Recent Variants

More advanced versions of EDDIESTEALER show enhanced evasion and collection techniques.

▪ Pre-C2 system profiling before requesting tasks.

▪ Hardcoded encryption keys instead of retrieving them from the server.

▪ Collects more hardware data: CPU/GPU info, process list.

▪ More aggressive use of LLVM inlining and stack slot reuse, making analysis harder.

▪ Maintains panic metadata in error logs sent to C2, aiding malware debugging by exposing source file paths and line numbers.

Conclusion

This attack campaign leverages fake CAPTCHA screens to deceive users into executing malicious PowerShell commands, leading to the stealthy deployment of the Rust-based infostealer EDDIESTEALER. With advanced evasion, browser memory scraping, and modular C2 tasking, it poses a significant risk to data confidentiality. The malware evolves quickly, showing signs of sandbox detection and code obfuscation to avoid analysis and detection.

Recommendations

• Educate users to never execute clipboard commands blindly or trust CAPTCHA prompts outside known login flows. Phishing simulations and regular awareness campaigns help reduce social engineering risks.

• Deploy advanced endpoint protection and EDR solutions that monitor clipboard use, PowerShell execution, and suspicious JavaScript behavior. Configure detection rules for uncommon cscript usage and hidden process execution.

• Monitor outbound HTTP traffic, especially to uncommon domains or IPs, and inspect for patterns like Base64-encoded encrypted payloads or repeated task-based POST requests. Proactively block known malicious infrastructure domains.

• Monitor outbound HTTP traffic for unusual behavior, including requests containing nonstandard headers like X-API-KEY: jieruidashabi, which could indicate communication with a C&C server.

• Restrict unnecessary browser debugging features like --remote-debugging-port, and monitor for unusual browser launch parameters. Implement controls to prevent memory scraping through off-screen browser manipulation.
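As an added illustration (not code from Elastic's report or from this post), the following Python detector applies several of these recommendations to constructed sample telemetry: a hidden-window PowerShell launched under explorer.exe (the Win+R path), a script host running a .js file out of Downloads, a Chromium browser started with --remote-debugging-port, and an HTTP request carrying the X-API-KEY header or the C2 task paths. The event field names, rule names and sample values are assumptions.

```python
import re
# Constructed sample telemetry (not from the Elastic report), shaped like the chain
# above: Win+R -> hidden PowerShell -> cscript running gverify.js from Downloads ->
# Chrome started with a remote debugging port -> request to the C2 task endpoint.
PROCESS_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <pasted clipboard command>"},
    {"parent": "powershell.exe", "image": "cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Users\u\Downloads\gverify.js"},
    {"parent": "aBcDeFgHiJkL.exe", "image": "chrome.exe",  # 12-char dropper name
     "cmdline": "chrome.exe --remote-debugging-port=9222 --window-position=-32000,-32000"},
    {"parent": "explorer.exe", "image": "chrome.exe",  # benign launch, must not alert
     "cmdline": "chrome.exe --profile-directory=Default"},
]
HTTP_EVENTS = [
    {"method": "GET", "host": "llll.fit", "path": "/api/handler/",
     "headers": {"X-API-KEY": "jieruidashabi"}},
    {"method": "GET", "host": "example.org", "path": "/", "headers": {}},
]
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
CHROMIUM = {"chrome.exe", "msedge.exe", "brave.exe"}

def check_process(ev):
    """Return the names of the detection rules a process-creation event matches."""
    hits, cmd = [], ev["cmdline"].lower()
    # Rule 1: Win+R launches run under explorer.exe; a hidden-window PowerShell there fits the lure.
    if (ev["parent"] == "explorer.exe" and ev["image"] == "powershell.exe"
            and re.search(r"-w(indowstyle)?\s+hidden", cmd)):
        hits.append("hidden_powershell_from_explorer")
    # Rule 2: a script host executing a .js file out of the Downloads folder.
    if ev["image"] in SCRIPT_HOSTS and re.search(r"\\downloads\\[^\s\"]+\.js\b", cmd):
        hits.append("script_host_js_from_downloads")
    # Rule 3: a Chromium browser started with a remote debugging port.
    if ev["image"] in CHROMIUM and "--remote-debugging-port" in cmd:
        hits.append("browser_remote_debugging")
    return hits

def check_http(ev):
    """Return the names of the detection rules an outbound HTTP event matches."""
    hits, headers = [], {k.lower(): v for k, v in ev["headers"].items()}
    if headers.get("x-api-key") == "jieruidashabi":
        hits.append("c2_api_key_header")
    if ev["path"] in ("/api/handler/", "/info/"):
        hits.append("c2_task_path")
    return hits

def scan(process_events=PROCESS_EVENTS, http_events=HTTP_EVENTS):
    """Run every rule over the telemetry and return [(rule_name, event), ...]."""
    alerts = [(r, ev) for ev in process_events for r in check_process(ev)]
    return alerts + [(r, ev) for ev in http_events for r in check_http(ev)]
```

In production the same rules would run over EDR process-creation events and proxy logs rather than the inline lists, with the remote-debugging rule tuned to exclude known developer workstations.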


Written by

FPT Metrodata Indonesia

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.