A new high-end malware known as “EDDIESTEALER” has been discovered, bypassing Google Chrome’s appSSH bound encryption and hijacks sensitive user data. The Rust-based data stealer is being distributed through dodgy CAPTCHA verification pages that dupe users into running poisonous PowerShell commands.
Security researchers have pointed out how EDDIESTEALER can bypass a security feature in Chromium, which ties the encryption of sensitive data (such as cookies) to the Chrome application. EDDIESTEALER achieves the same by making use of a Rust version of ChromeKatz, which is a tool available in open-source that can pull cookies and credentials from memory of the victims who use browsers based on chromium.
I should also mention that the Rust port of ChromeKatz implemented on EDDIESTEALER makes use of modifications in order to support scenarios when the targeted Chrome browser is not present. In these cases, malware can spawn a new hidden chrome instance for data scraping.
The attack chain generally starts with obfuscated JavaScript that is served from a compromised site. This chain of redirects also presents macOS users with a prompt to run a shell script in Terminal which downloads a stealer malware that is detected by Sophos as Atomic macOS.
For Windows, when users land on the fake CAPTCHA pages they are instructed to run a command via the Windows Run dialog, which will trigger a PowerShell script to retrieve and implement EDDIESTEALER.
Once in action, EDDIESTEALER is able to collect a multitude of data, such as system metadata, browser data (cookies, history, passwords), cryptocurrency wallets details, password manager data, FTP client data and messaging application contents. It connects to a command-and-control (C2) server, in order to fetch tasks and send the stolen data.
Security researchers say that these types are indicative of the increasingly clever ways in which information-stealing malware is developed. Bearing this out is the fact that cybercriminals continue to be able to bypass encryption techniques at a time when security defenses are already struggling to fend off malware threats.
It is recommended that users be mindful when visiting CAPTCHA verification pages, particularly those which request the use of unusual commands, and to keep their systems and security tools current.
Other families like Katz Stealer and ZeroCrumb have also been seen using other tactics to circumvent the Chrome app-bound encryption, suggesting a recent spike in attackers focusing on the technique. Katz Stealer makes a DLL injection, and ZeroCrumb impersonates a Chrome instance to decrypt the app-bound key.
EDDIESTEALER’s arrival serves as a reminder to stay on the lookout for social engineering schemes and to have strong security measures in place to safeguard sensitive personal information that is increasingly coming under threat from more complex cyber attacks.
![Online Scam Cases Continue to Rise Despite Crackdowns on Foreign Fraud Networks [Myanmar]](https://sumtrix.com/wp-content/uploads/2025/06/30-12-120x86.jpg "Online Scam Cases Continue to Rise Despite Crackdowns on Foreign Fraud Networks [Myanmar]")
