{ "id": "55f7aeba-d574-4856-86ee-01863444e13f", "created_at": "2026-04-06T00:21:22.978048Z", "updated_at": "2026-04-10T03:37:08.84037Z", "deleted_at": null, "sha1_hash": "cf3d6517be71019c1e554a714d40672ffccae3d6", "title": "Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA campaigns", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 4445683, "plain_text": "Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA\r\ncampaigns\r\nBy Jia Yu Chan\r\nPublished: 2025-05-30 · Archived: 2026-04-05 18:22:01 UTC\r\nPreamble\r\nElastic Security Labs has uncovered a novel Rust-based infostealer distributed via Fake CAPTCHA campaigns. This\r\nmalware is hosted on multiple adversary-controlled web properties. This campaign leverages deceptive CAPTCHA\r\nverification pages that trick users into executing a malicious PowerShell script, which ultimately deploys the infostealer,\r\nharvesting sensitive data such as credentials, browser information, and cryptocurrency wallet details. We are calling this\r\nmalware EDDIESTEALER.\r\nThis adoption of Rust in malware development reflects a growing trend among threat actors seeking to leverage modern\r\nlanguage features for enhanced stealth, stability, and resilience against traditional analysis workflows and threat detection\r\nengines. A seemingly simple infostealer written in Rust often requires more dedicated analysis efforts compared to its C/C++\r\ncounterpart, owing to factors such as zero-cost abstractions, Rust’s type system, compiler optimizations, and inherent\r\ndifficulties in analyzing memory-safe binaries.\r\nEDDIESTEALER’s execution chain\r\nKey takeaways\r\nFake CAPTCHA campaign loads EDDIESTEALER\r\nEDDIESTEALER is a newly discovered Rust infostealer targeting Windows hosts\r\nEDDIESTEALER receives a task list from the C2 server identifying data to target\r\nIntial access\r\nOverview\r\nFake CAPTCHAs are malicious constructs that replicate the appearance and functionality of legitimate CAPTCHA systems,\r\nwhich are used to distinguish between human users and automated bots. Unlike their legitimate counterparts, fake\r\nCAPTCHAs serve as gateways for malware, leveraging social engineering to deceive users. They often appear as prompts\r\nlike \"Verify you are a human\" or \"I'm not a robot,\" blending seamlessly into compromised websites or phishing campaigns.\r\nWe have also encountered a similar campaign distributing GHOSTPULSE in late 2024.\r\nFrom our telemetry analysis leading up to the delivery of EDDIESTEALER, the initial vector was a compromised website\r\ndeploying an obfuscated React-based JavaScript payload that displays a fake “I'm not a robot” verification screen.\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 1 of 20\n\nFake CAPTCHA GUI\r\nMimicking Google's reCAPTCHA verification interface, the malware uses the document.execCommand(\"copy\") method to\r\ncopy a PowerShell command into the user’s clipboard, next, it instructs the user to press Windows + R (to open the\r\nWindows run dialog box), then Ctrl + V to paste the clipboard contents, and finally Enter to execute the malicious\r\nPowerShell command.\r\nThis command silently downloads a second-stage payload ( gverify.js ) from the attacker-controlled domain\r\nhxxps://llll.fit/version/ and saves it to the user’s Downloads folder.\r\nCopy PowerShell command to clipboard\r\nFinally, the malware executes gverify.js using cscript in a hidden window.\r\nPowerShell command to download and execute the second script\r\ngverify.js is another obfuscated JavaScript payload that can be deobfuscated using open-source tools. Its functionality is\r\nfairly simple: fetching an executable (EDDIESTEALER) from hxxps://llll.fit/io and saving the file under the user’s\r\nDownloads folder with a pseudorandom 12-character file name.\r\nPowerShell script to download and execute EDDIESTEALER\r\nEDDIESTEALER\r\nOverview\r\nEDDIESTEALER is a novel Rust-based commodity infostealer. The majority of strings that give away its malicious intent\r\nare encrypted. The malware lacks robust anti-sandbox/VM protections against behavioral fingerprinting. However, newer\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 2 of 20\n\nvariants suggest that the anti-sandbox/VM checks might be occurring on the server side. With relatively straightforward\r\ncapabilities, it receives a task list from the C2 server as part of its configuration to target specific data and can self-delete\r\nafter execution if specified.\r\nStripped Symbols\r\nEDDIESTEALER samples featured stripped function symbols, likely using Rust’s default compilation option, requiring\r\nsymbol restoration before static analysis. We used rustbinsign , which generates signatures for Rust standard libraries and\r\ncrates based on specific Rust/compiler/dependency versions. While rustbinsign only detected hashbrown and rustc-demangle , suggesting few external crates being used, it failed to identify crates such as tinyjson and tungstenite in\r\nnewer variants. This occurred due to the lack of clear string artifacts. It is still possible to manually identify crates by finding\r\nunique strings and searching for the repository on GitHub, then download, compile and build signatures for them using the\r\ndownload_sign mode. It is slightly cumbersome if we don’t know the exact version of the crate being used. However,\r\nrestoring the standard library and runtime symbols is sufficient to advance the static analysis process.\r\nrustbinsign “info” output\r\nString Obfuscation\r\nEDDIESTEALER encrypts most strings via a simple XOR cipher. Decryption involves two stages: first, the XOR key is\r\nderived by calling one of several key derivation functions; then, the decryption is performed inline within the function that\r\nuses the string.\r\nThe following example illustrates this, where sub_140020fd0 is the key derivation function, and data_14005ada8 is the\r\naddress of the encrypted blob.\r\nExample decryption operation\r\nEach decryption routine utilizes its own distinct key derivation function. These functions consistently accept two arguments:\r\nan address within the binary and a 4-byte constant value. Some basic operations are then performed on these arguments to\r\ncalculate the address where the XOR key resides.\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 3 of 20\n\nKey derivation functions\r\nBinary Ninja has a handy feature called User-Informed Data Flow (UIDF), which we can use to set the variables to known\r\nvalues to trigger a constant propagation analysis and simplify the expressions. Otherwise, a CPU emulator like Unicorn\r\npaired with a scriptable binary analysis tool can also be useful for batch analysis.\r\nBinary Ninja’s UIDF applied\r\nBatch processing to decrypt all strings\r\nThere is a general pattern for thread-safe, lazy initialization of shared resources, such as encrypted strings for module names,\r\nC2 domain and port, the sample’s unique identifier - that are decrypted only once but referenced many times during runtime.\r\nEach specific getter function checks a status flag for its resource; if uninitialized, it calls a shared, low-level synchronization\r\nfunction. This synchronization routine uses atomic operations and OS wait primitives\r\n( WaitOnAddress / WakeByAddressAll ) to ensure only one thread executes the actual initialization logic, which is invoked\r\nindirectly via a function pointer in the vtable of a dyn Trait object.\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 4 of 20\n\nDecryption routine abstracted through dyn Trait object and lazy init of shared resource\r\nExample Trait object vtable\r\nAPI Obfuscation\r\nEDDIESTEALER utilizes a custom WinAPI lookup mechanism for most API calls. It begins by decrypting the names of the\r\ntarget module and function. Before attempting resolution, it checks a locally maintained hashtable to see if the function\r\nname and address have already been resolved. If not found, it dynamically loads the required module using a custom\r\nLoadLibrary wrapper, into the process’s address space, and invokes a well-known implementation of GetProcAddress to\r\nretrieve the address of the exported function. The API name and address are then inserted into the hashtable, optimizing\r\nfuture lookups.\r\nCore functions handling dynamic imports and API resolutions\r\nCustom GetProcAddress implementation\r\nMutex Creation\r\nEDDIESTEALER begins by creating a mutex to ensure that only one instance of the malware runs at any given time. The\r\nmutex name is a decrypted UUID string 431e2e0e-c87b-45ac-9fdb-26b7e24f0d39 (unique per sample), which is later\r\nreferenced once more during its initial contact with the C2 server.\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 5 of 20\n\nRetrieve the UUID and create a mutex with it\r\nSandbox Detection\r\nEDDIESTEALER performs a quick check to assess whether the total amount of physical memory is above ~4.0 GB as a\r\nweak sandbox detection mechanism. If the check fails, it deletes itself from disk.\r\nMemory check\r\nSelf-Deletion\r\nBased on a similar self-deletion technique observed in LATRODECTUS, EDDIESTEALER is capable of deleting itself\r\nthrough NTFS Alternate Data Streams renaming, to bypass file locks.\r\nThe malware uses GetModuleFileName to obtain the full path of its executable and CreateFileW (wrapped in\r\njy::ds::OpenHandle ) to open a handle to its executable file with the appropriate access rights. Then, a FILE_RENAME_INFO\r\nstructure with a new stream name is passed into SetFileInformationByHandle to rename the default stream $DATA to\r\n:metadata . The file handle is closed and reopened, this time using SetFileInformationByHandle on the handle with the\r\nFILE_DISPOSITION_INFO.DeleteFile flag set to TRUE to enable a \"delete on close handle\" flag.\r\nSelf-deletion through ADS renaming\r\nAdditional Configuration Request\r\nThe initial configuration data is stored as encrypted strings within the binary. Once decrypted, this data is used to construct a\r\nrequest following the URI pattern: \u003cC2_ip_or_domain\u003e/\u003cresource_path\u003e/\u003cUUID\u003e . The resource_path is specified as\r\napi/handler . The UUID , utilized earlier to create a mutex, is used as a unique identifier for build tracking.\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 6 of 20\n\nEDDIESTEALER then communicates with its C2 server by sending an HTTP GET request with the constructed URI to\r\nretrieve a second-stage configuration containing a list of tasks for the malware to execute.\r\nDecrypt strings required to build URI for C2 comms\r\nHTTP request wrapper\r\nThe second-stage configuration data is AES CBC encrypted and Base64 encoded. The Base64-encoded IV is prepended in\r\nthe message before the colon ( : ).\r\nBase64(IV):Base64(AESEncrypt(data))\r\nEncrypted data received from C2\r\nThe AES key for decrypting the server-to-client message is stored unencrypted in UTF-8 encoding, in the .rdata section.\r\nIt is retrieved through a getter function.\r\nHardcoded AES key\r\nCore wrapper functions for config decryption\r\nThe decrypted configuration for this sample contains the following in JSON format:\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 7 of 20\n\nSession ID\r\nList of tasks (data to target)\r\nAES key for client-to-server message encryption\r\nSelf-delete flag\r\n{\r\n \"session\": \"\u003cunique_session_id\u003e\",\r\n \"tasks\": [\r\n {\r\n \"id\": \"\u003cunique_task_id\u003e\",\r\n \"prepare\": [],\r\n \"pattern\": {\r\n \"path\": \"\u003cfile_system_path\u003e\",\r\n \"recursive\": \u003ctrue/false\u003e,\r\n \"filters\": [\r\n {\r\n \"path_filter\": \u003cnull/string\u003e,\r\n \"name\": \"\u003cfile_or_directory_name_pattern\u003e\",\r\n \"entry_type\": \"\u003cFILE/DIR\u003e\"\r\n },\r\n ...\r\n ]\r\n },\r\n \"additional\": [\r\n {\r\n \"command\": \"\u003coptional_command\u003e\",\r\n \"payload\": {\r\n \"\u003ccommand_specific_config\u003e\": \u003cvalue\u003e\r\n }\r\n },\r\n ...\r\n ]\r\n },\r\n ...\r\n ],\r\n \"network\": {\r\n \"encryption_key\": \"\u003cAES_encryption_key\u003e\"\r\n },\r\n \"self_delete\": \u003ctrue/false\u003e\r\n}\r\nFor this particular sample and based on the tasks received from the server during our analysis, here are the list of filesystem-based exfiltration targets:\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 8 of 20\n\nCrypto wallets\r\nBrowsers\r\nPassword managers\r\nFTP clients\r\nMessaging applications\r\nCrypto Wallet Target Path Filter\r\nArmory %appdata%\\\\Armory\\\\*.wallet\r\nBitcoin %appdata%\\\\Bitcoin\\\\wallets\\\\*\r\nWalletWasabi %appdata%\\\\WalletWasabi\\\\Client\\\\Wallets\\\\*\r\nDaedalus Mainnet %appdata%\\\\Daedalus Mainnet\\\\wallets\\\\*\r\nCoinomi %localappdata%\\\\Coinomi\\\\Coinomi\\\\wallets\\\\*\r\nElectrum %appdata%\\\\Electrum\\\\wallets\\\\*\r\nExodus %appdata%\\\\Exodus\\\\exodus.wallet\\\\*\r\nDashCore %appdata%\\\\DashCore\\\\wallets\\\\*\r\nElectronCash %appdata%\\\\ElectronCash\\\\wallets\\\\*\r\nElectrum-DASH %appdata%\\\\Electrum-DASH\\\\wallets\\\\*\r\nGuarda %appdata%\\\\Guarda\\\\IndexedDB\r\nAtomic %appdata%\\\\atomic\\\\Local Storage\r\nBrowser Target Path Filter\r\nMicrosoft\r\nEdge\r\n%localappdata%\\\\Microsoft\\\\Edge\\\\User Data\\\\\r\n[Web Data,History,Bookmarks,Local Extension Settings\\\\...]\r\nBrave\r\n%localappdata%\\\\BraveSoftware\\\\Brave-Browser\\\\User Data\\\\\r\n[Web Data,History,Bookmarks,Local Extension Settings\\\\...]\r\nGoogle\r\nChrome\r\n%localappdata%\\\\Google\\\\Chrome\\\\User Data\\\\\r\n[Web Data,History,Bookmarks,Local Extension Settings\\\\...]\r\nMozilla\r\nFirefox\r\n%appdata%\\\\Mozilla\\\\Firefox\\\\Profiles\\\\\r\n[key4.db,places.sqlite,logins.json,cookies.sqlite,formhistory.sqlite,webappsstore.sqlite,*+++*]\r\nPassword Manager Target Path Filter\r\nBitwarden %appdata%\\\\Bitwarden\\\\data.json\r\n1Password\r\n%localappdata%\\\\1Password\\\\\r\n[1password.sqlite,1password_resources.sqlite]\r\nKeePass %userprofile%\\\\Documents\\\\*.kdbx\r\nFTP Client Target Path Filter\r\nFileZilla %appdata%\\\\FileZilla\\\\recentservers.xml\r\nFTP Manager Lite %localappdata%\\\\DeskShare Data\\\\FTP Manager Lite\\\\2.0\\\\FTPManagerLiteSettings.db\r\nFTPbox %appdata%\\\\FTPbox\\\\profiles.conf\r\nFTP Commander Deluxe %ProgramFiles(x86)%\\\\FTP Commander Deluxe\\\\FTPLIST.TXT\r\nAuto FTP Manager %localappdata%\\\\DeskShare Data\\\\Auto FTP Manager\\\\AutoFTPManagerSettings.db\r\n3D-FTP %programdata%\\\\SiteDesigner\\\\3D-FTP\\\\sites.ini\r\nFTPGetter %appdata%\\\\FTPGetter\\\\servers.xml\r\nTotal Commander %appdata%\\\\GHISLER\\\\wcx_ftp.ini\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 9 of 20\n\nMessaging App Target Path Filter\r\nTelegram Desktop %appdata%\\\\Telegram Desktop\\\\tdata\\\\*\r\nA list of targeted browser extensions can be found here.\r\nThese targets are subject to change as they are configurable by the C2 operator.\r\nEDDIESTEALER then reads the targeted files using standard kernel32.dll functions like CreateFileW ,\r\nGetFileSizeEx , ReadFile , and CloseHandle .\r\nAPIs for reading files specified in the task list\r\nSubsequent C2 Traffic\r\nAfter successfully retrieving the tasks, EDDIESTEALER performs system profiling to gather some information about the\r\ninfected system:\r\nLocation of the executable ( GetModuleFileNameW )\r\nLocale ID ( GetUserDefaultLangID )\r\nUsername ( GetUserNameW )\r\nTotal amount of physical memory ( GlobalMemoryStatusEx )\r\nOS version ( RtlGetVersion )\r\nFollowing the same data format ( Base64(IV):Base64(AESEncrypt(data)) ) for client-to-server messages, initial host\r\ninformation is AES-encrypted using the key retrieved from the additional configuration and sent via an HTTP POST request\r\nto \u003cC2_ip_or_domain\u003e/\u003cresource_path\u003e/info/\u003csession_id\u003e . Subsequently, for each completed task, the collected data is\r\nalso encrypted and transmitted in separate POST requests to \u003cC2_ip_or_domain\u003e/\u003cresource_path\u003e\r\n\u003csession_id\u003e/\u003ctask_id\u003e , right after each task is completed. This methodology generates a distinct C2 traffic pattern\r\ncharacterized by multiple, task-specific POST requests. This pattern is particularly easy to identify because this malware\r\nfamily primarily relies on HTTP instead of HTTPS for its C2 communication.\r\nC2 traffic log\r\nOur analysis uncovered encrypted strings that decrypt to panic metadata strings, disclosing internal Rust source file paths\r\nsuch as:\r\napps\\bin\\src\\services\\chromium_hound.rs\r\napps\\bin\\src\\services\\system.rs\r\napps\\bin\\src\\structs\\search_pattern.rs\r\napps\\bin\\src\\structs\\search_entry.rs\r\nWe discovered that error messages sent to the C2 server contain these strings, including the exact source file, line number,\r\nand column number where the error originated, allowing the malware developer to have built-in debugging feedback.\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 10 of 20\n\nExample error message\nChromium-specific Capabilities\nSince the introduction of Application-bound encryption, malware developers have adapted to alternative methods to bypass\nthis protection and gain access to unencrypted sensitive data, such as cookies. ChromeKatz is one of the more well-received\nopen source solutions that we have seen malware implement. EDDIESTEALER is no exception—the malware developers\nreimplemented it in Rust.\nBelow is a snippet of the browser version checking logic similar to COOKIEKATZ, after retrieving version information\nfrom %localappdata%\\\\\\User Data\\\\Last Version .\nBrowser version check\nCOOKIEKATZ signature pattern for detecting COOKIEMONSTER instances:\nhttps://www.elastic.co/security-labs/eddiestealer\nPage 11 of 20\n\nCOOKIEKATZ signature pattern\r\nCredentialKatz signature pattern for detecting CookieMonster instances:\r\nCHROMEKATZ signature pattern\r\nHere is an example of the exact copy-pasted logic of COOKIEKATZ’s FindPattern , where PatchBaseAddress is inlined.\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 12 of 20\n\nCOOKIEKATZ FindPattern logic\r\nThe developers introduced a modification to handle cases where the targeted Chromium browser is not running. If inactive,\r\nEDDIESTEALER spawns a new browser instance using the command-line arguments --window-position=-3000,-3000\r\nhttps://google.com . This effectively positions the new window far off-screen, rendering it invisible to the user. The\r\nobjective is to ensure the malware can still read the memory ( ReadProcessMemory ) of the necessary child process - the\r\nnetwork service process identified by the --utility-sub-type=network.mojom.NetworkService flag. For a more detailed\r\nexplanation of this browser process interaction, refer to our previous research on MaaS infostealers.\r\nDifferences with variants\r\nAfter analysis, more recent samples were identified with additional capabilities.\r\nInformation gathered on victim machines now include:\r\nRunning processes\r\nGPU information\r\nNumber of CPU cores\r\nCPU name\r\nCPU vendor\r\nExample system data collected\r\nThe C2 communication pattern has been altered slightly. The malware now preemptively sends host system information to\r\nthe server before requesting its decrypted configuration. In a few instances where the victim machine was able to reach out\r\nto the C2 server but received an empty task list, the adjustment suggests an evasion tactic: developers have likely introduced\r\nserver-side checks to profile the client environment and withhold the main configuration if a sandbox or analysis system is\r\ndetected.\r\nPossible sandbox/anti-analysis technique on C2 server-side\r\nThe encryption key for client-to-server communication is no longer received dynamically from the C2 server; instead, it is\r\nnow hardcoded in the binary. The key used by the client to decrypt server-to-client messages also remains hardcoded.\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 13 of 20\n\nExample Hardcoded AES keys\r\nNewer compiled samples exhibit extensive use of function inline expansion, where many functions - both user-defined and\r\nfrom standard libraries and crates - have been inlined directly into their callers more often, resulting in larger functions and\r\nmaking it difficult to isolate user code. This behavior is likely the result of using LLVM’s inliner. While some functions\r\nremain un-inlined, the widespread inlining further complicates analysis.\r\nOld vs new: control flow graph for the HTTP request function\r\nIn order to get all entries of Chrome’s Password Manager, EDDIESTEALER begins its credential theft routine by spawning\r\na new Chrome process with the --remote-debugging-port=\u003cport_num\u003e flag, enabling Chrome’s DevTools Protocol over a\r\nlocal WebSocket interface. This allows the malware to interact with the browser in a headless fashion, without requiring any\r\nvisible user interaction.\r\nSetting up Chrome process with remote debugging\r\nAfter launching Chrome, the malware queries http://localhost:\u003cport\u003e/json/version to retrieve the\r\nwebSocketDebuggerUrl , which provides the endpoint for interacting with the browser instance over WebSocket.\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 14 of 20\n\nSending request to retrieve webSocketDebuggerUrl\r\nUsing this connection, it issues a Target.createTarget command with the parameter chrome://password-manager/passwords , instructing Chrome to open its internal password manager in a new tab. Although this internal page\r\ndoes not expose its contents to the DOM or to DevTools directly, opening it causes Chrome to decrypt and load stored\r\ncredentials into memory. This behavior is exploited by EDDIESTEALER in subsequent steps through CredentialKatz\r\nlookalike code, where it scans the Chrome process memory to extract plaintext credentials after they have been loaded by\r\nthe browser.\r\nDecrypted strings referenced when accessing Chrome’s password manager\r\nBased on decrypted strings os_crypt , encrypted_key , CryptUnprotectData , local_state_pattern , and\r\nlogin_data_pattern , EDDIESTEALER variants appear to be backward compatible, supporting Chrome versions that still\r\nutilize DPAPI encryption.\r\nWe have identified 15 additional samples of EDDIESTEALER through code and infrastructure similarities on VirusTotal.\r\nThe observations table will include the discovered samples, associated C2 IP addresses/domains, and a list of infrastructure\r\nhosting EDDIESTEALER.\r\nA Few Analysis Tips\r\nTracing\r\nTo better understand the control flow and pinpoint the exact destinations of indirect jumps or calls in large code blocks, we\r\ncan leverage binary tracing techniques. Tools like TinyTracer can capture an API trace and generate a .tag file, which\r\nmaps any selected API calls to be recorded to the executing line in assembly. Rust's standard library functions call into\r\nWinAPIs under the hood, and this also captures any code that calls WinAPI functions directly, bypassing the standard\r\nlibrary's abstraction. The tag file can then be imported into decompiler tools to automatically mark up the code blocks using\r\nplugins like IFL .\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 15 of 20\n\nExample comment markup after importing .tag file\r\nPanic Metadata for Code Segmentation\r\nPanic metadata - the embedded source file paths (.rs files), line numbers, and column numbers associated with panic\r\nlocations - offers valuable clues for segmenting and understanding different parts of the binary. This, however, is only the\r\ncase if such metadata has not been stripped from the binary. Paths like apps\\bin\\src\\services\\chromium.rs ,\r\napps\\bin\\src\\structs\\additional_task.rs or any path that looks like part of a custom project typically points to the\r\napplication’s unique logic. Paths beginning with library\u003ccore/alloc/std\u003e\\src\\ indicates code from the Rust standard\r\nlibrary. Paths containing crate name and version such as hashbrown-0.15.2\\src\\raw\\mod.rs point to external libraries.\r\nIf the malware project has a somewhat organized codebase, the file paths in panic strings can directly map to logical\r\nmodules. For instance, the decrypted string apps\\bin\\src\\utils\\json.rs:48:39 is referenced in sub_140011b4c .\r\nPanic string containing “json.rs” referenced in function sub_140011b4c\r\nBy examining the call tree for incoming calls to the function, many of them trace back to sub_14002699d . This function\r\n( sub_14002699d ) is called within a known C2 communication routine ( jy::C2::RetrieveAndDecryptConfig ), right after\r\ndecrypting additional configuration data known to be JSON formatted.\r\nCall tree of function sub_140011b4c\r\nBased on the json.rs path and its calling context, an educated guess would be that sub_14002699d is responsible for\r\nparsing JSON data. We can verify it by stepping over the function call. Sure enough, by inspecting the stack struct that is\r\npassed as reference to the function call, it now points to a heap address populated with parsed configuration fields.\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 16 of 20\n\nFunction sub_14002699d successfully parsing configuration fields\r\nFor standard library and open-source third-party crates, the file path, line number, and (if available) the rustc commit hash or\r\ncrate version allow you to look up the exact source code online.\r\nStack Slot Reuse\r\nOne of the optimization features involves reusing stack slots for variables/stack structs that don’t have overlapping\r\ntimelines. Variables that aren’t “live” at the same time can share the same stack memory location, reducing the overall stack\r\nframe size. Essentially, a variable is live from the moment it is assigned a value until the last point where that value could be\r\naccessed. This makes the decompiled output confusing as the same memory offset may hold different types or values at\r\ndifferent points.\r\nTo handle this, we can define unions encompassing all possible types sharing the same memory offset within the function.\r\nStack slot reuse, resorting to UNION approach\r\nRust Error Handling and Enums\r\nRust enums are tagged unions that define types with multiple variants, each optionally holding data, ideal for modeling\r\nstates like success or failure. Variants are identified by a discriminant (tag).\r\nError-handling code can be seen throughout the binary, making up a significant portion of the decompiled code. Rust's\r\nprimary mechanism for error handling is the Result\u003cT, E\u003e generic enum. It has two variants: Ok(T) , indicating success\r\nand containing a value of type T , and Err(E) , indicating failure and containing an error value of type E .\r\nIn the example snippet below, a discriminant value of 0x8000000000000000 is used to differentiate outcomes of resolving\r\nthe CreateFileW API. If CreateFileW is successfully resolved, the reuse variable type contains the API function\r\npointer, and the else branch executes. Otherwise, the if branch executes, assigning an error information string from\r\nreuse to arg1 .\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 17 of 20\n\nError handling example\r\nFor more information on how other common Rust types might look in memory, check out this cheatsheet and this amazing\r\ntalk by Cindy Xiao!\r\nMalware and MITRE ATT\u0026CK\r\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that threats use\r\nagainst enterprise networks.\r\nTactics\r\nInitial Access\r\nExecution\r\nDefense Evasion\r\nExfiltration\r\nCredential Access\r\nDiscovery\r\nCollection\r\nTechniques\r\nTechniques represent how an adversary achieves a tactical goal by performing an action.\r\nPhishing\r\nContent Injection\r\nCommand and Scripting Interpreter\r\nCredentials from Password Stores\r\nUser Execution\r\nObfuscated Files or Information\r\nExfiltration Over C2 Channel\r\nVirtualization/Sandbox Evasion\r\nDetections\r\nYARA\r\nElastic Security has created the following YARA rules related to this research:\r\nWindows.Infostealer.EddieStealer\r\nBehavioral prevention rules\r\nSuspicious PowerShell Execution\r\nIngress Tool Transfer via PowerShell\r\nPotential Browser Information Discovery\r\nPotential Self Deletion of a Running Executable\r\nObservations\r\nThe following observables were discussed in this research.\r\nObservable Type Name\r\n47409e09afa05fcc9c9eff2c08baca3084d923c8d82159005dbae2029e1959d0\r\nSHA-256\r\nMvUlUwagHeZd.exe\r\n162a8521f6156070b9a97b488ee902ac0c395714aba970a688d54305cb3e163f\r\nSHA-256\r\n:metadata (copy)\r\nf8b4e2ca107c4a91e180a17a845e1d7daac388bd1bb4708c222cda0eff793e7a\r\nSHA-256\r\nAegZs85U6COc.exe\r\n53f803179304e4fa957146507c9f936b38da21c2a3af4f9ea002a7f35f5bc23d\r\nSHA-256\r\n:metadata (copy)\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 18 of 20\n\nObservable Type Name\r\n20eeae4222ff11e306fded294bebea7d3e5c5c2d8c5724792abf56997f30aaf9\r\nSHA-256\r\nPETt3Wz4DXEL.exe\r\n1bdc2455f32d740502e001fce51dbf2494c00f4dcadd772ea551ed231c35b9a2\r\nSHA-256\r\nTk7n1al5m9Qc.exe\r\nd905ceb30816788de5ad6fa4fe108a202182dd579075c6c95b0fb26ed5520daa\r\nSHA-256\r\nYykbZ173Ysnd.exe\r\nb8b379ba5aff7e4ef2838517930bf20d83a1cfec5f7b284f9ee783518cb989a7\r\nSHA-256\r\n2025-04-\r\n03_20745dc4d048f67e0b62aca33be80283_akira_cobalt-strike_satacom\r\nf6536045ab63849c57859bbff9e6615180055c268b89c613dfed2db1f1a370f2\r\nSHA-256\r\n2025-03-\r\n23_6cc654225172ef70a189788746cbb445_akira_cobalt-strike\r\nd318a70d7f4158e3fe5f38f23a241787359c55d352cb4b26a4bd007fd44d5b80\r\nSHA-256\r\n2025-03-\r\n22_c8c3e658881593d798da07a1b80f250c_akira_cobalt-strike\r\n73b9259fecc2a4d0eeb0afef4f542642c26af46aa8f0ce2552241ee5507ec37f\r\nSHA-256\r\n2025-03-\r\n22_4776ff459c881a5b876da396f7324c64_akira_cobalt-strike\r\n2bef71355b37c4d9cd976e0c6450bfed5f62d8ab2cf096a4f3b77f6c0cb77a3b\r\nSHA-256\r\nTWO[1].file\r\n218ec38e8d749ae7a6d53e0d4d58e3acf459687c7a34f5697908aec6a2d7274d\r\nSHA-256\r\n5330cf6a8f4f297b9726f37f47cffac38070560cbac37a8e561e00c19e995f42\r\nSHA-256\r\nverifcheck.exe\r\nacae8a4d92d24b7e7cb20c0c13fd07c8ab6ed8c5f9969504a905287df1af179b\r\nSHA-256\r\n3zeG4jGjFkOy.exe\r\n0f5717b98e2b44964c4a5dfec4126fc35f5504f7f8dec386c0e0b0229e3482e7\r\nSHA-256\r\nverification.exe\r\ne8942805238f1ead8304cfdcf3d6076fa0cdf57533a5fae36380074a90d642e4\r\nSHA-256\r\ng_verify.js\r\n7930d6469461af84d3c47c8e40b3d6d33f169283df42d2f58206f43d42d4c9f4\r\nSHA-256\r\nverif.js\r\n45.144.53[.]145\r\nipv4-\r\naddr\r\n84.200.154[.]47\r\nipv4-\r\naddr\r\nshiglimugli[.]xyz\r\ndomain-name\r\nxxxivi[.]com\r\ndomain-name\r\nllll[.]fit\r\ndomain-name\r\nplasetplastik[.]com\r\ndomain-name\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 19 of 20\n\nObservable Type Name\r\nmilitrex[.]wiki\r\ndomain-name\r\nReferences\r\nThe following were referenced throughout the above research:\r\nhttps://github.com/N0fix/rustbinsign\r\nhttps://github.com/Meckazin/ChromeKatz\r\nhttps://github.com/hasherezade/tiny_tracer\r\nhttps://docs.binary.ninja/dev/uidf.html\r\nhttps://www.unicorn-engine.org/\r\nhttps://github.com/LloydLabs/delete-self-poc/tree/main\r\nhttps://cheats.rs/#memory-layout\r\nhttps://www.youtube.com/watch?v=SGLX7g2a-gw\u0026t=749s\r\nhttps://cxiao.net/posts/2023-12-08-rust-reversing-panic-metadata/\r\nSource: https://www.elastic.co/security-labs/eddiestealer\r\nhttps://www.elastic.co/security-labs/eddiestealer\r\nPage 20 of 20", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.elastic.co/security-labs/eddiestealer" ], "report_names": [ "eddiestealer" ], "threat_actors": [ { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null }, { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "8c8fea8c-c957-4618-99ee-1e188f073a0e", "created_at": "2024-02-02T02:00:04.086766Z", "updated_at": "2026-04-10T02:00:03.563647Z", "deleted_at": null, "main_name": "Storm-1567", "aliases": [ "Akira", "PUNK SPIDER", "GOLD SAHARA" ], "source_name": "MISPGALAXY:Storm-1567", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84", "created_at": "2024-04-24T02:00:49.516358Z", "updated_at": "2026-04-10T02:00:05.309426Z", "deleted_at": null, "main_name": "Akira", "aliases": [ "Akira", "GOLD SAHARA", "PUNK SPIDER", "Howling Scorpius" ], "source_name": "MITRE:Akira", "tools": [ "Mimikatz", "PsExec", "AdFind", "Akira _v2", "Akira", "Megazord", "LaZagne", "Rclone" ], "source_id": "MITRE", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434882, "ts_updated_at": 1775792228, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/cf3d6517be71019c1e554a714d40672ffccae3d6.pdf", "text": "https://archive.orkl.eu/cf3d6517be71019c1e554a714d40672ffccae3d6.txt", "img": "https://archive.orkl.eu/cf3d6517be71019c1e554a714d40672ffccae3d6.jpg" } }