Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA campaigns

May 29, 2025, 7:42 p.m.

Description

A novel Rust-based infostealer called EDDIESTEALER has been discovered, distributed through fake CAPTCHA campaigns. The malware uses deceptive verification pages to trick users into executing a malicious PowerShell script, which deploys the infostealer. EDDIESTEALER targets sensitive data including credentials, browser information, and cryptocurrency wallet details. It communicates with a command and control server to receive tasks and exfiltrate data. The malware employs string obfuscation, API obfuscation, and other evasion techniques. It specifically targets various crypto wallets, browsers, password managers, FTP clients, and messaging applications. The use of Rust in its development reflects a growing trend among threat actors seeking enhanced stealth and resilience against traditional analysis methods.

Date

  • Created: May 29, 2025, 7:24 p.m.
  • Published: May 29, 2025, 7:24 p.m.
  • Modified: May 29, 2025, 7:42 p.m.

Indicators

  • https://cxiao.net/posts/2023-12-08-rust-reversing-panic-metadata/
  • https://docs.binary.ninja/dev/uidf.html

Attack Patterns