EDDIESTEALER Malware Bypasses Chrome’s Encryption to Steal Browser Data


New Malware Campaign: The Rise of EDDIESTEALER

A recent cybersecurity report has unveiled a concerning trend involving a new malware campaign that disseminates a Rust-based information stealer called EDDIESTEALER. The attack utilizes well-known social engineering techniques, notably a method known as ClickFix, which revolves around deceptive CAPTCHA verification pages designed to trick unsuspecting users.

How the Attack Works

Experts from Elastic Security Labs, notably researcher Jia Yu Chan, have detailed the mechanics behind this sophisticated campaign. Initially, attackers compromise legitimate websites by embedding malicious JavaScript payloads within them. These compromised sites present fake CAPTCHA verification pages, prompting victims to confirm their identity by following an outlined process.

Victims are instructed to open the Windows Run dialog, where they paste a command that executes an obfuscated PowerShell script. This script retrieves a subsequent payload from a specified external server, marking the beginning of a chain that serves to install the EDDIESTEALER malware on the victim’s system.

The Payload Delivery Process

Once the PowerShell command is executed, a JavaScript file named gverify.js is downloaded to the victim’s Downloads folder. This script runs silently in a hidden window, fetching the EDDIESTEALER binary from the same remote server and assigning it a randomly generated 12-character filename.
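The delivery chain above (PowerShell launched from the Run dialog, gverify.js run from Downloads by a script host, then a randomly named binary) is a pattern a defender can look for in process-creation telemetry. The following is an added example, not code from Elastic or this article; the events are constructed Sysmon-style records, and the encoded-command value is a placeholder, not a real payload.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style) for illustration only.
# The "-enc" argument is a meaningless placeholder, not a real encoded command.
EVENTS = [
    {"pid": 1, "image": r"C:\Windows\explorer.exe", "parent": "", "cmd": "explorer.exe"},
    {"pid": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -enc UExBQ0VIT0xERVI="},
    {"pid": 3, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\gverify.js"'},
    {"pid": 4, "image": r"C:\Users\alice\Downloads\k3ZpQ9xL2mVb.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r"C:\Users\alice\Downloads\k3ZpQ9xL2mVb.exe"},
    {"pid": 5, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "notepad.exe readme.txt"},
]

# Flags commonly seen on pasted ClickFix commands: encoded command, hidden window, bypassed policy.
PS_SUSPICIOUS = re.compile(r"(?i)(-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|-ep\s+bypass)")
# The dropped loader named in the article, executed out of the user's Downloads folder.
DOWNLOADS_JS = re.compile(r"(?i)\\Downloads\\gverify\.js")
# The stealer binary: a 12-character random alphanumeric name, also under Downloads.
RANDOM_12 = re.compile(r"(?i)\\Downloads\\[a-z0-9]{12}\.exe$")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_clickfix_chain(events):
    """Return (pid, stage) tuples for events matching one stage of the delivery chain."""
    findings = []
    for e in events:
        img, parent = basename(e["image"]), basename(e["parent"])
        # Stage 1: Run dialog launches are children of explorer.exe.
        if img == "powershell.exe" and parent == "explorer.exe" and PS_SUSPICIOUS.search(e["cmd"]):
            findings.append((e["pid"], "powershell from Explorer with hidden/encoded flags"))
        # Stage 2: a script host executing gverify.js from Downloads.
        if img in ("wscript.exe", "cscript.exe") and DOWNLOADS_JS.search(e["cmd"]):
            findings.append((e["pid"], "script host running gverify.js from Downloads"))
        # Stage 3: the script host spawning a randomly named executable from Downloads.
        if parent in ("wscript.exe", "cscript.exe") and RANDOM_12.search(e["image"]):
            findings.append((e["pid"], "12-char random executable spawned by script host"))
    return findings

def chain_stages_seen(events):
    """Count distinct stages matched; two or more is a strong indicator of the full chain."""
    return len({stage for _, stage in detect_clickfix_chain(events)})
```

Any interactively launched PowerShell also has explorer.exe as its parent, so stage 1 alone is noisy; alert on the stage count rather than on a single match.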

EDDIESTEALER is designed to gather a wide range of system data. It can communicate with a command-and-control (C2) server, collecting sensitive information from the infected device. Targets for data exfiltration include cryptocurrency wallets, web browsers, password managers, FTP clients, and messaging applications.

Techniques Employed by the Malware

Elastic points out that EDDIESTEALER employs several advanced techniques to enhance its effectiveness and evade detection. The malware utilizes string encryption and a custom WinAPI lookup mechanism for API calls. Additionally, it creates a mutex to ensure that only one instance of the malware operates at any time.

It includes checks to determine whether it’s running in a sandboxed environment, and if it detects such conditions, it deletes itself from the disk, minimizing the risk of detection.

Handling Sensitive Data

One of the more concerning features of EDDIESTEALER is its ability to bypass Chromium’s application-level encryption to access unencrypted sensitive data. By using a Rust version of ChromeKatz, an open-source tool, the malware can extract cookies and credentials from memory, even spawning a new Chrome instance when necessary. This new instance is positioned off-screen, remaining invisible to the user while it gathers sensitive data from the target’s browser.

Recent Developments

Recently, new iterations of EDDIESTEALER have surfaced with additional functionalities, such as the ability to harvest more detailed system information, including CPU details and GPU specifications. These enhanced features allow the malware to transmit host data to the C2 server proactively before executing specific commands.

Notably, the communication between the malware and the server is fortified by a hardcoded encryption key, mitigating risks associated with potential server-side exposure.

Broader Impact

The emergence of EDDIESTEALER coincides with a wave of new stealer malware families, including Katz Stealer and the AppleProcessHub Stealer. While EDDIESTEALER focuses on Windows systems, the AppleProcessHub Stealer is designed specifically for macOS environments, capable of harvesting a variety of user data like GitHub configurations and iCloud Keychain entries.

Recent reports highlight the attackers’ use of obfuscated JavaScript files that can trigger PowerShell scripts for malware installation. For macOS users, the campaign incorporates additional steps where the Terminal is initiated to execute shell scripts that ultimately lead to data theft.

These developments emphasize a growing sophistication in malware distribution techniques, underscoring the need for users and organizations to maintain robust cybersecurity practices to safeguard sensitive information.


As this narrative unfolds, it’s clear that staying informed about evolving threats like EDDIESTEALER is crucial for effective defense against increasingly sophisticated cyber threats. By understanding how these attacks are executed, users can better protect themselves against potential breaches.
