FlagThis - #clickfix

A new Rust-based infostealer, EDDIESTEALER, is being spread using the ClickFix social engineering technique, according to a report by Elastic Security Labs on May 30, 2025. This method leverages fake CAPTCHA prompts on compromised websites. Users are tricked into copying and pasting a PowerShell command into their Windows terminal, believing they are verifying they aren't a robot. This command then downloads and executes a malicious JavaScript file, gverify.js, which in turn retrieves the final EDDIESTEALER payload.

The EDDIESTEALER malware is designed to steal sensitive information from infected hosts. Written in Rust, it avoids static analysis through various obfuscation techniques, including XOR string encryption and stripping of function symbols. The malware dynamically retrieves a task list from the attacker's command-and-control (C2) server, enabling it to adapt its behavior over time. Elastic Security Labs has observed it targeting a range of cryptocurrency wallets, web browsers, password managers, FTP clients, and the Telegram messaging app.

EDDIESTEALER also employs several evasion techniques, including a basic anti-sandbox check, a self-deletion mechanism, and a custom Windows API lookup method to avoid static analysis of its API interactions. The dynamic C2 tasking method allows attackers to update the list of targeted apps as needed, providing greater flexibility and adaptability. Security experts emphasize the continued popularity of the ClickFix social engineering method and the increasing use of the Rust programming language among malware developers in campaigns like this.


References :

• Anonymous ???????? :af:: “Prove you're not a robot” — turns into full system breach! Hackers are using fake CAPTCHA checks to deploy a stealthy new Rust malware, EDDIESTEALER, via ClickFix—a social engineering trick abusing PowerShell on Windows , ,
• securityonline.info: EDDIESTEALER: New Rust Infostealer Uses Fake CAPTCHAs to Hijack Crypto Wallets & Data
• The Hacker News: New EDDIESTEALER Malware Bypasses Chrome's App-Bound Encryption to Steal Browser Data
• www.scworld.com: ClickFix used to spread novel Rust-based infostealer

Classification:

• HashTags: #EDDIESTEALER #RustMalware #ClickFix
• Company: Elastic
• Target: Windows Users, Crypto Wallets
• Attacker: elastic.co
• Product: Windows
• Feature: ClickFix Social Engineering
• Malware: EDDIESTEALER
• Type: Malware
• Severity: HighRisk

A Vietnam-based cybercriminal group, identified as UNC6032, is exploiting the public's fascination with AI to distribute malware. The group has been actively using malicious advertisements on platforms like Facebook and LinkedIn since mid-2024, luring users with promises of access to popular prompt-to-video AI generation tools such as Luma AI, Canva Dream Lab, and Kling AI. These ads direct victims to fake websites mimicking legitimate dashboards, where they are tricked into downloading ZIP files containing infostealers and backdoors.

The multi-stage attack involves sophisticated social engineering techniques. The initial ZIP file contains an executable disguised as a harmless video file using Braille characters to hide the ".exe" extension. Once executed, this binary, named STARKVEIL and written in Rust, unpacks legitimate binaries and malicious DLLs to the "C:\winsystem\" folder. It then prompts the user to re-launch the program after displaying a fake error message. On the second run, STARKVEIL deploys a Python loader called COILHATCH, which decrypts and side-loads further malicious payloads.

This campaign has impacted a wide range of industries and geographic areas, with the United States being the most frequently targeted. The malware steals sensitive data, including login credentials, cookies, credit card information, and Facebook data, and establishes persistent access to compromised systems. UNC6032 constantly refreshes domains to evade detection, and while Meta has removed many of these malicious ads, users are urged to exercise caution and verify the legitimacy of AI tools before using them.


References :

• Threats | CyberScoop: Mandiant flags fake AI video generators laced with malware
• The Register - Security: GO The Register reports that miscreants are using text-to-AI-video tools and Facebook ads to distribute malware and steal credentials.
• PCMag UK security: Warning AI-Generated TikTok Videos Want to Trick You Into Installing Malware
• Threats | CyberScoop: Mandiant flags fake AI video generators laced with malware
• cloud.google.com: Google's Threat Intelligence Unit, Mandiant, reported that social media platforms are being used to distribute malware-laden ads impersonating legitimate AI video generator tools.
• Malwarebytes: Fake AI video generator tools lure in Facebook and LinkedIn users to deliver malware
• hackread.com: Fake AI Video Tool Ads on Facebook, LinkedIn Spread Infostealers
• www.techradar.com: Millions of users could fall for fake Facebook ad for a text-to-AI-video tool that is just malware
• CyberInsider: CyberInsider: Cybercriminals Use Fake AI Video Tools to Deliver Infostealers
• Metacurity: Metacurity for a concise rundown of the most critical developments you should know, including UNC6032 uses prompt-to-video AI tools to lure malware victims
• PCMag UK security: Cybercriminals have been posting Facebook ads for fake AI video generators to distribute malware, Google’s threat intelligence unit Mandiant .
• Virus Bulletin: Google Mandiant Threat Defense investigates a UNC6032 campaign that exploits interest in AI tools. UNC6032 utilizes fake “AI video generator†websites to deliver malware leading to the deployment of Python-based infostealers and several backdoors.
• hackread.com: Fake ChatGPT and InVideo AI Downloads Deliver Ransomware
• PCMag Middle East ai: Be Careful With Facebook Ads for AI Video Generators: They Could Be Malware
• Threat Intelligence: Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites
• ciso2ciso.com: Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools
• aboutdfir.com: Google warns of Vietnam-based hackers using bogus AI video generators to spread malware
• BleepingComputer: Cybercriminals exploit AI hype to spread ransomware, malware
• www.pcrisk.com: Novel infostealer with Vietnamese attribution
• ciso2ciso.com: Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools – Source:thehackernews.com
• securityonline.info: Warning: Fake AI Tools Spread CyberLock Ransomware and Numero Destructive Malware
• Vulnerable U: Fake AI Video Generators Deliver Rust-Based Malware via Malicious Ads Analysis of UNC6032’s Facebook and LinkedIn ad blitz shows social-engineered ZIPs leading to multi-stage Python and DLL side-loading toolkits
• oodaloop.com: Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools
• OODAloop: Artificial intelligence tools are being used by cybercriminals to target users and propagate threats. The CyberLock and Lucky_Gh0$t ransomware families are some of the threats involved in the operations. The cybercriminals are using fake installers for popular AI tools like OpenAI’s ChatGPT and InVideoAI to lure in their victims.
• bsky.app: LinkedIn is littered with links to lurking infostealers, disguised as AI video tools Deceptive ads for AI video tools posted on LinkedIn and Facebook are directing unsuspecting users to fraudulent websites, mimicking legitimate AI tools such as Luma AI, Canva Dream Lab, and Kling AI.
• bgr.com: AI products that sound too good to be true might be malware in disguise
• Security Risk Advisors: Cisco Talos Uncovers Multiple Malware Families Disguised as Legitimate AI Tool Installers
• blog.talosintelligence.com: Cisco Talos discovers malware campaign exploiting #AI tool installers. #CyberLock #ransomware #Lucky_Gh0$t & new "Numero" malware disguised as legitimate AI installers.
• cyberpress.org: ClickFix Technique Used by Threat Actors to Spread EddieStealer Malware
• phishingtackle.com: Hackers Exploit TikTok Trends to Spread Malware Via ClickFix
• gbhackers.com: Threat Actors Leverage ClickFix Technique to Deploy EddieStealer Malware

Classification:

• HashTags: #AI #Malware #SocialEngineering
• Company: Mandiant
• Target: AI Users
• Attacker: UNC6032
• Feature: Malvertising
• Malware: EDDIESTEALER
• Type: Malware
• Severity: Major

Elastic Security Labs has identified a new information stealer called EDDIESTEALER, a Rust-based malware distributed through fake CAPTCHA campaigns. These campaigns trick users into executing malicious PowerShell scripts, which then deploy the infostealer onto their systems. EDDIESTEALER is hosted on multiple adversary-controlled web properties and employs the ClickFix social engineering tactic, luring unsuspecting individuals with the promise of CAPTCHA verification. The malware aims to harvest sensitive data, including credentials, browser information, and cryptocurrency wallet details.

This attack chain begins with threat actors compromising legitimate websites, injecting malicious JavaScript payloads that present bogus CAPTCHA check pages. Users are instructed to copy and paste a PowerShell command into their Windows terminal as verification, which retrieves and executes a JavaScript file called gverify.js. This script, in turn, fetches the EDDIESTEALER binary from a remote server, saving it in the downloads folder with a pseudorandom filename. The malware dynamically retrieves configuration data from a command-and-control server, allowing it to adapt its behavior and target specific programs.

EDDIESTEALER is designed to gather system metadata and siphon data of interest from infected hosts, including cryptocurrency wallets, web browsers, password managers, FTP clients, and messaging apps like Telegram. The malware incorporates string encryption, a custom WinAPI lookup mechanism, and a mutex to prevent multiple instances from running. It also includes anti-sandbox checks and a self-deletion technique using NTFS Alternate Data Streams to evade detection. The dynamic C2 tasking gives attackers flexibility, highlighting the ongoing threat of ClickFix campaigns and the increasing use of Rust in malware development.


References :

• Virus Bulletin: Elastic Security Labs has uncovered a novel Rust-based infostealer distributed via Fake CAPTCHA campaigns that trick users into executing a malicious PowerShell script. EDDIESTEALER is hosted on multiple adversary-controlled web properties.
• The Hacker News: New EDDIESTEALER Malware Bypasses Chrome's App-Bound Encryption to Steal Browser Data
• www.scworld.com: ClickFix used to spread novel Rust-based infostealer
• Anonymous ???????? :af:: “Prove you're not a robot†— turns into full system breach! Hackers are using fake CAPTCHA checks to deploy a stealthy new Rust malware, EDDIESTEALER, via ClickFix—a social engineering trick abusing PowerShell on Windows , ,
• securityonline.info: EDDIESTEALER: New Rust Infostealer Uses Fake CAPTCHAs to Hijack Crypto Wallets & Data
• malware.news: Cybersecurity researchers have identified a sophisticated malware campaign utilizing deceptive CAPTCHA interfaces to distribute EddieStealer, a Rust-based information stealing malware that targets sensitive user data across multiple platforms.
• cyberpress.org: ClickFix Technique Used by Threat Actors to Spread EddieStealer Malware
• gbhackers.com: Threat Actors Leverage ClickFix Technique to Deploy EddieStealer Malware

Classification:

• HashTags: #EDDIESTEALER #InfoStealer #FakeCAPTCHA
• Company: Elastic
• Target: Users
• Product: Elastic Security Labs
• Feature: data theft
• Malware: EDDIESTEALER
• Type: Malware
• Severity: Medium