New EDDIESTEALER Malware Bypasses Chrome's App-Bound Encryption to Steal Browser Data

Parkinsond

Dec 6, 2023
A new malware campaign is distributing a novel Rust-based information stealer dubbed EDDIESTEALER using the popular ClickFix social engineering tactic initiated via fake CAPTCHA verification pages.

"Based on a similar self-deletion technique observed in Latrodectus, EDDIESTEALER is capable of deleting itself through NTFS Alternate Data Streams renaming, to bypass file locks," Elastic noted.

Another noteworthy feature built into the stealer is its ability to bypass Chromium's app-bound encryption to gain access to unencrypted sensitive data, such as cookies. This is accomplished by including a Rust implementation of ChromeKatz, an open-source tool that can dump cookies and credentials from the memory of Chromium-based browsers.

Katz Stealer, like EDDIESTEALER, is engineered to circumvent Chrome's app-bound encryption, but in a different way: it employs DLL injection to obtain the encryption key without administrator privileges and uses that key to decrypt the encrypted cookies and passwords of Chromium-based browsers.
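The self-deletion trick mentioned above (the running executable renames its own on-disk image into an NTFS Alternate Data Stream so the locked file can be discarded) leaves a distinctive shape in file-rename telemetry. The following is an added detection example, not code from the Elastic report or from this thread: it scans a constructed, generic rename-event record (pid, process image path, source path, destination path; not Sysmon or any vendor's schema) and flags a process that renames its own image file into a stream on that same file. All paths are hypothetical.

```python
"""Added example: heuristic detection of a process renaming its own image
into an NTFS Alternate Data Stream (the self-deletion pattern described in
the thread). Event schema and sample paths are constructed for illustration."""
from dataclasses import dataclass
import re

# A Windows path that names an ADS: drive letter, a path without further
# colons, then ':stream'. The first ':' belongs to the drive letter; the
# next one opens the stream name. (Simplified: ignores the ':$DATA' suffix.)
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^:\\]+$")


@dataclass(frozen=True)
class RenameEvent:
    pid: int
    image: str   # full path of the process's own executable
    src: str     # path being renamed
    dst: str     # new name


def is_ads_path(path: str) -> bool:
    """True when the path addresses an alternate data stream."""
    return bool(ADS_RE.match(path))


def strip_stream(path: str) -> str:
    """Base file for an ADS path: 'C:\\x\\a.exe:foo' -> 'C:\\x\\a.exe'."""
    if not is_ads_path(path):
        return path
    return path.rsplit(":", 1)[0]


def is_self_ads_rename(ev: RenameEvent) -> bool:
    """Process renames its own image file into a stream on that same file."""
    same_image = ev.src.lower() == ev.image.lower()
    into_own_stream = (is_ads_path(ev.dst)
                       and strip_stream(ev.dst).lower() == ev.src.lower())
    return same_image and into_own_stream


def find_suspicious(events):
    """Return the events matching the self-deletion rename heuristic."""
    return [ev for ev in events if is_self_ads_rename(ev)]


# Constructed sample telemetry (hypothetical paths, no real IoCs).
SAMPLE_EVENTS = [
    # Suspicious: image renamed into a stream of itself.
    RenameEvent(4120, r"C:\Users\u\AppData\Local\Temp\setup.exe",
                r"C:\Users\u\AppData\Local\Temp\setup.exe",
                r"C:\Users\u\AppData\Local\Temp\setup.exe:old"),
    # Benign: ordinary document rename by another process.
    RenameEvent(512, r"C:\Windows\explorer.exe",
                r"C:\Users\u\Documents\report.docx",
                r"C:\Users\u\Documents\report_final.docx"),
    # Benign-looking: self-rename to a plain .bak file, not an ADS.
    RenameEvent(900, r"C:\Program Files\App\app.exe",
                r"C:\Program Files\App\app.exe",
                r"C:\Program Files\App\app.exe.bak"),
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {ev.pid}: renamed its own image into ADS {ev.dst}")
```

The heuristic is deliberately narrow (source must equal the process image and the destination must be a stream on that same file) to keep false positives low; a rename to a sibling `.bak` file, as in the third sample event, is not flagged.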

 
Great insight, albeit I have analyzed a few samples from the IOC list provided. It is a stealthy stealer; nonetheless, it's still shocking to see a lot of top 3 AVs unable to detect this threat as of now.
ESET, K, and B?
 
The complete list of IOCs was not provided in the report. Only two script-based malware samples were mentioned, which were the first stages of each of the EXE(s) mentioned in the report. For example: sample d905ceb30816788de5ad6fa4fe108a202182dd579075c6c95b0fb26ed5520daa mentioned in the report has its first-stage loader JS (VirusTotal) not mentioned in the report, which had six detections at the time of its initial upload.
 
The complete list of IOCs was not provided in the report. Only two script-based malware samples were mentioned, which were the first stages of each of the EXE(s) mentioned in the report. For example: sample d905ceb30816788de5ad6fa4fe108a202182dd579075c6c95b0fb26ed5520daa mentioned in the report has its first-stage loader JS (VirusTotal) not mentioned in the report, which had six detections at the time of its initial upload.
Good job, Symantec 👏
 
Great insight, albeit I have analyzed a few samples from the IOC list provided. It is a stealthy stealer; nonetheless, it's still shocking to see a lot of top 5 AVs unable to detect this threat as of now.
Even the top solutions will miss some. It's probably a mistake to assume that the greatest we are using will catch everything. A few will catch more than most.
 
The complete list of IOCs was not provided in the report. Only two script-based malware samples were mentioned, which were the first stages of each of the EXE(s) mentioned in the report. For example: sample d905ceb30816788de5ad6fa4fe108a202182dd579075c6c95b0fb26ed5520daa mentioned in the report has its first-stage loader JS (VirusTotal) not mentioned in the report, which had six detections at the time of its initial upload.

The JScript loader does nothing except download and execute an EXE file, resulting in low detection. However, all EXE samples downloaded by this script are currently well detected.

Anyway, the malware is relatively old (7 April 2025), so we do not know how efficient the detection was in the beginning (possibly not great).