A new malware campaign is on the loose, and this time it brings with it EddieStealer, a fairly advanced information stealer written in Rust. What’s alarming is that it’s taking advantage of an old social engineering tactic making a strong comeback: ClickFix, now disguised within fake CAPTCHA verification pages.
According to Jia Yu Chan, a researcher at Elastic Security Labs, the attack begins when the user lands on a seemingly legitimate page that asks them to complete a CAPTCHA. But instead of protecting you, that page tricks you into executing a malicious PowerShell command. The result? Your personal information (passwords, browser data, and even details from your cryptocurrency wallets) ends up in the wrong hands.
How do they do it? First, attackers compromise legitimate websites and inject them with malicious JavaScript. That code loads a fake CAPTCHA page asking you to “prove you’re not a robot” by following three simple steps. This is where ClickFix comes into play: you're prompted to open the Windows Run dialog, paste a command (which is already automatically copied), and press Enter.
That command launches a hidden PowerShell script that downloads a second payload from a remote server (such as “llll[.]fit”). This file, named gverify.js, is saved to your Downloads folder and executed in the background using cscript.
The purpose of that script is to download and execute the true star of the attack: EddieStealer. The file is saved with a random name and is also executed silently.
So what exactly does EddieStealer do? Quite a lot. This malware is capable of collecting system metadata, communicating with a command-and-control (C2) server, and stealing valuable information: browser data, cryptocurrency wallets, password managers, FTP clients, and messaging apps. The worst part is that these targets can easily change based on commands received from the attacker’s server.
Elastic explained that EddieStealer accesses its target files using standard Windows operating system functions such as CreateFileW, GetFileSizeEx, ReadFile, and CloseHandle, all through the kernel32.dll library. It does so in such a discreet manner that it can easily go unnoticed.
Read more: Ransomware Gangs Increasingly Use Skitnet Malware
How Does EddieStealer Work? Advanced Techniques to Steal Without Being Seen
Once EddieStealer gathers information from your system, it encrypts the data and sends it to the attacker’s server (the infamous C2) using an HTTP POST request for each completed task. Everything is neatly organized, leaving behind no easy-to-trace evidence.
But that’s just the beginning. This malware comes loaded with tricks. For starters, it uses its own mechanism to locate and execute Windows functions (WinAPI) instead of relying on standard methods. Why? To make detection much harder. It also creates a "mutex"—essentially a digital lock—that prevents multiple copies of the malware from running simultaneously on the same system.
If it detects that it’s running in a testing or sandboxed environment (like an analysis virtual machine), it simply deletes itself from the disk and vanishes without a trace. Not bad for a piece of malicious software, right?
This behavior is notably similar to another piece of malware called Latrodectus, as EddieStealer can also self-delete in clever ways. How? By renaming certain components of the Windows file system—specifically NTFS alternate data streams—which allows it to bypass file locks and erase itself cleanly.
One of the Most Dangerous Features
One of EddieStealer’s most dangerous capabilities is its ability to bypass the encryption protections of Chromium-based browsers like Chrome and Edge. This allows it to access sensitive data—such as cookies and login credentials—without needing to decrypt them. It achieves this using a tool called ChromeKatz, rewritten in Rust, which extracts that information directly from the browser’s memory.
And as if that weren’t enough, if EddieStealer detects that the browser isn't currently open, it launches a new Chrome window itself using a command-line trick. The window opens at the position --window-position=-3000,-3000, which means it appears off-screen, so the user has no idea the browser has even been opened.
New Versions of EddieStealer: Smarter, Stealthier, and Cross-Platform
When EddieStealer launches the browser, it has a specific goal: to read directly from Chrome's network process memory. How does it do this? It identifies a process running with the parameter -utility-sub-type=network.mojom.NetworkService, which is part of Chrome’s network subsystem. From there, it attempts to extract sensitive credentials directly from memory—without the victim noticing a thing.
And that’s just the beginning. The latest versions of this malware are equipped with even more advanced capabilities. It can now collect highly detailed system information, such as running processes, GPU details, processor core count, and even the CPU’s name and manufacturer.
Evolving Behavior
Previously, the malware would lie in wait for instructions from its remote server. Today, it immediately sends device information upon installation, without needing any commands. This allows attackers to be instantly notified of new infected machines.
Another key point: the encryption key used for communication with the C2 server is hardcoded into the malware itself. This gives it an edge by enabling secure communication from the outset, without requiring additional handshakes or external configuration.
DevTools Exploitation via Remote Debugging
As if that weren’t enough, EddieStealer can now launch a new Chrome instance with remote debugging enabled via the --remote-debugging-port=<number> flag. Why? Because it allows the malware to use the DevTools protocol to interact with the browser as if it were a real user—covertly. All of this happens in the background via a local WebSocket interface, entirely autonomously.
These kinds of techniques highlight how malware developers are increasingly adopting modern, powerful programming languages like Rust. These languages offer greater stability, fewer bugs, and make it much harder for traditional detection systems to catch malicious activity. In short, they’re raising the bar.
Expanding to Other Platforms
Meanwhile, other threat actors are using similar tactics across multiple platforms. For example, a recent ClickFix campaign targets not only Windows but also macOS, Android, and iOS. The trick remains the same: visual deception, browser redirections, and automatic downloads designed to trap users.
On macOS, the attack starts when the victim visits a compromised website. They are redirected to a page displaying detailed instructions to open the Terminal and execute a script. The result? The infamous AMOS (Atomic macOS Stealer) malware is downloaded.
If the same page is visited from an Android phone, iPhone, or a Windows PC, the behavior changes: another trojan malware is downloaded automatically—no user interaction required. The process is so automated that just opening the site puts your device at risk.
Read more: AVcheck dismantled: Site Used by Hacker to Scan Malware
New Malware Variants: Katz Stealer and AppleProcessHub Enter the Scene
These revelations come just as new families of “stealer”-type malware are emerging—namely, Katz Stealer and AppleProcessHub Stealer—targeting Windows and macOS systems respectively. According to recent reports, both are capable of collecting a wide range of sensitive information from infected devices.
In the case of Katz Stealer, it operates similarly to EddieStealer in that it also attempts to bypass Chrome’s data encryption. However, it employs a different method: instead of accessing browser memory, it injects a DLL (Dynamic Link Library) to steal the encryption key—without requiring administrator privileges. Once it has that key, it can decrypt cookies, passwords, and other data stored in Chromium-based browsers, all without the user noticing a thing.
A New Wave of Attacks: JavaScript in Gzip Files and Cross-Platform Threats
In this new wave of cyberattacks, cybercriminals are hiding malicious JavaScript inside gzip-compressed files. When someone opens one of these files, a PowerShell script is automatically triggered, according to Nextron. This script then downloads a payload developed in .NET, which injects the malware directly into a legitimate system process. Once the stealer is active, it begins sending stolen data to the attackers’ server—without the user noticing a thing.
AppleProcessHub Stealer: Targeting macOS Users
On the macOS front, AppleProcessHub Stealer has emerged as a platform-specific threat designed to steal user files. It targets various sensitive data, including bash and zsh command histories, GitHub configuration files, SSH data, and even access to the iCloud keychain, where passwords and other critical credentials are stored.
Here’s how the attack unfolds: a Mach-O binary (the standard executable format for macOS) connects to a server named appleprocesshub[.]com to download and execute a second script. All collected information is then sent to the attacker's command-and-control server. This malware was discovered and reported by MalwareHunterTeam on May 15, 2025.
Together, these new threats illustrate the growing sophistication and cross-platform scope of modern malware, reinforcing the need for constant vigilance and updated defense strategies.
