EDDIESTEALER Malware Bypasses Chrome’s Encryption to Steal Browser Data

Published:

spot_img

New Malware Campaign: The Rise of EDDIESTEALER

A recent cybersecurity report has unveiled a concerning trend involving a new malware campaign that disseminates a Rust-based information stealer called EDDIESTEALER. The attack utilizes well-known social engineering techniques, notably a method known as ClickFix, which revolves around deceptive CAPTCHA verification pages designed to trick unsuspecting users.

How the Attack Works

Experts from Elastic Security Labs, notably researcher Jia Yu Chan, have detailed the mechanics behind this sophisticated campaign. Initially, attackers compromise legitimate websites by embedding malicious JavaScript payloads within them. These compromised sites present fake CAPTCHA verification pages, prompting victims to confirm their identity by following an outlined process.

Victims are instructed to open the Windows Run dialog, where they paste a command that executes an obfuscated PowerShell script. This script retrieves a subsequent payload from a specified external server, marking the beginning of a chain that serves to install the EDDIESTEALER malware on the victim’s system.

The Payload Delivery Process

Once the PowerShell command is executed, a JavaScript file named gverify.js is downloaded to the victim’s Downloads folder. This script runs silently in a hidden window, fetching the EDDIESTEALER binary from the same remote server and assigning it a randomly generated 12-character filename.

EDDIESTEALER is designed to gather a wide range of system data. It can communicate with a command-and-control (C2) server, collecting sensitive information from the infected device. Targets for data exfiltration include cryptocurrency wallets, web browsers, password managers, FTP clients, and messaging applications.

Techniques Employed by the Malware

Elastic points out that EDDIESTEALER employs several advanced techniques to enhance its effectiveness and evade detection. The malware utilizes string encryption and a custom WinAPI lookup mechanism for API calls. Additionally, it creates a mutex to ensure that only one instance of the malware operates at any time.

It includes checks to determine whether it’s running in a sandboxed environment, and if it detects such conditions, it deletes itself from the disk, minimizing the risk of detection.

Handling Sensitive Data

One of the more concerning features of EDDIESTEALER is its ability to bypass Chrominium’s application-level encryption to access unencrypted sensitive data. By using a Rust version of ChromeKatz, an open-source tool, the malware can extract cookies and credentials from memory, even spawning a new Chrome instance when necessary. This new instance is positioned off-screen, remaining invisible to the user while it gathers sensitive data from the target’s browser.

Recent Developments

Recently, new iterations of EDDIESTEALER have surfaced with additional functionalities, such as the ability to harvest more detailed system information, including CPU details and GPU specifications. These enhanced features allow the malware to transmit host data to the C2 server proactively before executing specific commands.

Notably, the communication between the malware and the server is fortified by a hardcoded encryption key, mitigating risks associated with potential server-side exposure.

Broader Impact

The emergence of EDDIESTEALER coincides with a wave of new stealer malware families, including Katz Stealer and the AppleProcessHub Stealer. While EDDIESTEALER focuses on Windows systems, the AppleProcessHub Stealer is designed specifically for macOS environments, capable of harvesting a variety of user data like GitHub configurations and iCloud Keychain entries.

Recent reports highlight the attackers’ use of obfuscated JavaScript files that can trigger PowerShell scripts for malware installation. For macOS users, the campaign incorporates additional steps where the Terminal is initiated to execute shell scripts that ultimately lead to data theft.

These developments emphasize a growing sophistication in malware distribution techniques, consolidating the need for users and organizations to maintain robust cybersecurity practices to safeguard sensitive information.


As this narrative unfolds, it’s clear that staying informed about evolving threats like EDDIESTEALER is crucial for effective defense against increasingly sophisticated cyber threats. By understanding how these attacks are executed, users can better protect themselves against potential breaches.

spot_img

Related articles

Recent articles

NSU Launches Cybersecurity Center to Enhance Research and Workforce Development in Bangladesh

North South University (NSU) has inaugurated its Cybersecurity Center to advance research, develop skilled professionals, and strengthen Bangladesh's resilience against emerging cyber threats. This...

Siemens ROX II Switches Vulnerable: Update to Firmware V2.17.1 to Mitigate CVE-2025-40948, CVE-2025-40947, and CVE-2025-40949 Exploits

Siemens has issued an advisory regarding three critical zero-day vulnerabilities (CVE-2025-40948, CVE-2025-40947, and CVE-2025-40949) affecting its ROX II operational technology (OT) switches. These vulnerabilities...

UK Regulator Launches Investigation into TikTok Age Verification Amid Strengthened Child Safety Measures

UK Regulator Launches Investigation into TikTok Age Verification Amid Strengthened Child Safety Measures The UK's communications regulator, Ofcom, has initiated a formal investigation into TikTok's...

Legacy Systems, Real-World Risks: Navigating the Challenges of OT Security

Legacy Systems, Real-World Risks: Navigating the Challenges of OT Security Operational Technology (OT) security presents unique challenges that differ significantly from traditional Information Technology (IT)...