May 30, 2025Ravie LakshmananBrowser Security / Malware A new malware campaign is distributing a novel Rust-based information stealer dubbed EDDIESTEALER using the popular ClickFix social engineering tactic initiated via fake CAPTCHA verification pages. "This campaign leverages deceptive CAPTCHA verification pages that trick users into executing a malicious PowerShell script, which ultimately deploys the infostealer, harvesting sensitive data such as credentials, browser information, and cryptocurrency wallet details," Elastic Security Labs researcher Jia Yu Chan said in an analysis. The attack chains begin with threat actors compromising legitimate websites with malicious JavaScript payloads that serve bogus CAPTCHA check pages, which prompt site visitors to "prove you are not [a] robot" by following a three-step process, a prevalent tactic called ClickFix. This involves instructing the potential victim to open the Windows Run dialog prompt, paste an already copied command into the "verification window" (i.e., the Run dialog), and press enter. This effectively causes the obfuscated PowerShell command to be executed, resulting in the retrieval of a next-stage payload from an external server ("llll[.]fit"). The JavaScript payload ("gverify.js") is subsequently saved to the victim's Downloads folder and executed using cscript in a hidden window. The main goal of the intermediate script is to fetch the EDDIESTEALER binary from the same remote server and store it in the Downloads folder with a pseudorandom 12-character file name. Written in Rust, EDDIESTEALER is a commodity stealer malware that can gather system metadata, receive tasks from a command-and-control (C2) server, and siphon data of interest from the infected host. The exfiltration targets include cryptocurrency wallets, web browsers, password managers, FTP clients, and messaging apps. "These targets are subject to change as they are configurable by the C2 operator," Elastic explained. "EDDIESTEALER then reads the targeted files using standard kernel32.dll functions like CreateFileW, GetFileSizeEx, ReadFile, and CloseHandle." The collected host information is encrypted and transmitted to the C2 server in a separate HTTP POST request after the completion of each task. Besides incorporating string encryption, the malware employs a custom WinAPI lookup mechanism for resolving API calls and creates a mutex to ensure that only one version is running at any given time. It also incorporates checks to determine if it's being executed in a sandboxed environment, and if so, deletes itself from disk. "Based on a similar self-deletion technique observed in Latrodectus, EDDIESTEALER is capable of deleting itself through NTFS Alternate Data Streams renaming, to bypass file locks," Elastic noted. Another noteworthy feature built into the stealer is its ability to bypass Chromium's app-bound encryption to gain access to unencrypted sensitive data, such as cookies. This is accomplished by including a Rust implementation of ChromeKatz, an open-source tool that can dump cookies and credentials from the memory of Chromium-based browsers. The Rust version of ChromeKatz also incorporates changes to handle scenarios where the targeted Chromium browser is not running. In such cases, it spawns a new browser instance using the command-line arguments "--window-position=-3000,-3000 https://google.com," effectively positioning the new window far off-screen and making its invisible to the user. In opening the browser, the objective is to enable the malware to read the memory associated with the network service child process of Chrome that's identified by the "-utility-sub-type=network.mojom.NetworkService" flag and ultimately extract the credentials. Elastic said it also identified updated versions of the malware with features to harvest running processes, GPU information, number of CPU cores, CPU name, and CPU vendor. In addition, the new variants tweak the C2 communication pattern by preemptively sending the host information to the server before receiving the task configuration. That's not all. The encryption key used for client-to-server communication is hard-coded into the binary, as opposed to retrieving it dynamically from the server. Furthermore, the stealer has been found to launch a new Chrome process with the --remote-debugging-port=<port_num> flag to enable DevTools Protocol over a local WebSocket interface so as to interact with the browser in a headless manner, without requiring any user interaction. "This adoption of Rust in malware development reflects a growing trend among threat actors seeking to leverage modern language features for enhanced stealth, stability, and resilience against traditional analysis workflows and threat detection engines," the company said. The disclosure comes as c/side revealed details of a ClickFix campaign that targets multiple platforms, such as Apple macOS, Android, and iOS, using techniques like browser-based redirections, fake UI prompts, and drive-by download techniques. The attack chain starts with an obfuscated JavaScript hosted on a website, that when visited from macOS, initiates a series of redirections to a page that guides victims to launch Terminal and run a shell script, which leads to the download of a stealer malware that has been flagged on VirusTotal as the Atomic macOS Stealer (AMOS). However, the same campaign has been configured to initiate a drive-by download scheme when visiting the web page from an Android, iOS, or Windows device, leading to the deployment of another trojan malware. The disclosures coincide with the emergence of new stealer malware families like Katz Stealer and AppleProcessHub Stealer targeting Windows and macOS respectively, and are capable of harvesting a wide range of information from infected hosts, according to Nextron and Kandji. Katz Stealer, like EDDIESTEALER, is engineered to circumvent Chrome's app-bound encryption, but in a different way by employing DLL injection to obtain the encryption key without administrator privileges and use it to decrypt encrypted cookies and passwords from Chromium-based browsers. "Attackers conceal malicious JavaScript in gzip files, which, when opened, trigger the download of a PowerShell script," Nextron said. "This script retrieves a .NET-based loader payload, which injects the stealer into a legitimate process. Once active, it exfiltrates stolen data to the command and control server." AppleProcessHub Stealer, on the other hand, is designed to exfiltrate user files including bash history, zsh history, GitHub configurations, SSH information, and iCloud Keychain. Attack sequences distributing the malware entail the use of a Mach-O binary that downloads a second-stage bash stealer script from the server "appleprocesshub[.]com" and runs it, the results of which are then exfiltrated back to the C2 server. Details of the malware were first shared by the MalwareHunterTeam on May 15, 2025, and by MacPaw's Moonlock Lab last week. "This is an example of a Mach-O written in Objective-C which communicates with a command and control server to execute scripts," Kandji researcher Christopher Lopez said. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Earlier this month, the father of a wealthy cryptocurrency entrepreneur was abducted in Paris while walking his dog. The attackers, wearing balaclavas, forced him into a van, later severing one of his fingers and sending a video of the mutilation to his son alongside a demand for millions of euros in ransom. The incident joined a growing list of violent crimes in France linked to crypto wealth. Victims have included a prominent entrepreneur and his wife who were held hostage, a man doused in petrol, and a child targeted in an attempted abduction. As fear spreads within France’s crypto community, some industry figures are accusing the EU’s landmark digital asset regulations of exposing holders to greater risk. Their concerns centre on the transparency requirements, which could make it easier to track down crypto owners. However, other insiders argue that the EU rules make a convenient scapegoat. Stanislas Barthélemi, president of the French crypto lobbying group ADAN, told the New York Times this week that the rules may inadvertently have put holders in danger. By creating a traceable digital footprint, he said, criminals could potentially monitor blockchain activity to identify wealthy targets. Register Now Alexandre Stachchenko, director of strategy at French crypto exchange Paymium, echoed the concern. He said the industry “wants to be discrete and anonymous,” but EU law “tells us it’s criminal.” Yet others in the industry dispute the claim that the EU’s regulations have played a role in the surge in attacks. ‘Strategic deflection’ Marit Rødevand, CEO & co-founder of Norwegian anti-money laundering firm Strise, said there was “little evidence” of a connection between the union’s rules and crypto kidnappings.  “While it is easy for champions of crypto to postulate that the increased physical attacks on those operating in the space are a product of regulations, this is both reductive and a strategic deflection away from legitimate security concerns,” she said. According to Rødevand, it is just as likely that information about potential targets was accessed through hacks, social media exposure, or publicity. Many crypto entrepreneurs are also prominent influencers.  Christopher Whitehouse, a crypto expert and solicitor at London-based law firm RPC, also made no connection. Instead, he said those holding high amounts of cryptocurrency were “obvious targets.” “The recent surge in crypto-motivated kidnappings in France is alarming but not surprising,” Whitehouse told TNW.  He noted that cryptocurrencies have several features that make them attractive for ransom. They can be transferred instantly, are difficult to trace if moved by sophisticated criminals, and lack the safeguards of traditional bank accounts. Traditional currency, in contrast, can be tracked via serial numbers.  Exploiting human vulnerability The recent violence in France, while brutal, is also not anything new. According to data compiled by crypto security advocate Jameson Lopp, over 200 physical attacks against Bitcoin and cryptocurrency holders have been reported since 2014. Some have been fatal.   Matt Green, head of blockchain technology disputes at London law firm Lawrence Stephens, contends that the violence boils down to criminals exploiting the weakest link in the crypto chain: people.    “The only thing stopping criminals [from] gaining access is human error or force, so kidnapping aims to break down the integrity of that human-led security,” he told TNW. To protect themselves, some high-wealth crypto holders have beefed up their personal security, including hiring bodyguards.  Green suggests another layer of protection: multisignature wallets, a type of crypto wallet that requires multiple users to perform certain tasks, such as making transfers.  Just as some shops display signs saying no cash is kept on premises, crypto holders would do well to make it clear that a single individual cannot access funds, Green said. Story by Siôn Geschwindt Siôn is a freelance science and technology reporter, specialising in climate and energy. From nuclear fusion breakthroughs to electric vehic (show all) Siôn is a freelance science and technology reporter, specialising in climate and energy. From nuclear fusion breakthroughs to electric vehicles, he's happiest sourcing a scoop, investigating the impact of emerging technologies, and even putting them to the test. He has five years of journalism experience and holds a dual degree in media and environmental science from the University of Cape Town, South Africa. When he's not writing, you can probably find Siôn out hiking, surfing, playing the drums or catering to his moderate caffeine addiction. You can contact him at: sion.geschwindt [at] protonmail [dot] com Get the TNW newsletter Get the most important tech news in your inbox each week.