New EDDIESTEALER Malware Bypasses Chrome's App-Bound Encryption to Steal Browser Data

Parkinsond

Level 18
Thread author
Dec 6, 2023
895
A new malware campaign is distributing a novel Rust-based information stealer dubbed EDDIESTEALER using the popular ClickFix social engineering tactic initiated via fake CAPTCHA verification pages.

"Based on a similar self-deletion technique observed in Latrodectus, EDDIESTEALER is capable of deleting itself through NTFS Alternate Data Streams renaming, to bypass file locks," Elastic noted.

Another noteworthy feature built into the stealer is its ability to bypass Chromium's app-bound encryption to gain access to unencrypted sensitive data, such as cookies. This is accomplished by including a Rust implementation of ChromeKatz, an open-source tool that can dump cookies and credentials from the memory of Chromium-based browsers.

Katz Stealer, like EDDIESTEALER, is engineered to circumvent Chrome's app-bound encryption, but in a different way by employing DLL injection to obtain the encryption key without administrator privileges and use it to decrypt encrypted cookies and passwords from Chromium-based browsers.

 

Khushal

Level 4
Verified
Well-known
Apr 4, 2024
150
The complete list of IOCs was not provided in the report. Only two script-based malware samples were mentioned, which were the first stages of each of the EXE(s) mentioned in the report. For example, the sample d905ceb30816788de5ad6fa4fe108a202182dd579075c6c95b0fb26ed5520daa mentioned in the report has its first-stage loader JS (VirusTotal) not mentioned in the report, which had six detections at the time of its initial upload.
 

Parkinsond

Level 18
Thread author
Dec 6, 2023
895
The complete list of IOCs was not provided in the report. Only two script-based malware samples were mentioned, which were the first stages of each of the EXE(s) mentioned in the report. For example, the sample d905ceb30816788de5ad6fa4fe108a202182dd579075c6c95b0fb26ed5520daa mentioned in the report has its first-stage loader JS (VirusTotal) not mentioned in the report, which had six detections at the time of its initial upload.
Good job, Symantec 👏
 

Wrecker4923

Level 2
Apr 11, 2024
86
Great insight, albeit I have analyzed a few samples from the IOC list provided. It is a stealthy stealer; nonetheless, it's still shocking to see a lot of the top-5 AVs unable to detect this threat as of now.
Even the top solutions will miss some. It's probably a mistake to assume that the greatest we are using will catch everything. A few will catch more than most.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
9,050
The complete list of IOCs was not provided in the report. Only two script-based malware samples were mentioned, which were the first stages of each of the EXE(s) mentioned in the report. For example, the sample d905ceb30816788de5ad6fa4fe108a202182dd579075c6c95b0fb26ed5520daa mentioned in the report has its first-stage loader JS (VirusTotal) not mentioned in the report, which had six detections at the time of its initial upload.

The JScript loader does nothing except download and execute an EXE file, resulting in low detection. However, all EXE samples downloaded by this script are currently well detected.

Anyway, the malware is relatively old (7 April 2025), so we do not know how efficient the detection was in the beginning (possibly not great).
 
