Cyware Daily Threat Intelligence, May 30, 2025

Daily Threat Briefing • May 30, 2025
Fake CAPTCHA prompts are now doing more than testing if you're human—they're installing malware. EDDIESTEALER, a new Rust-based infostealer, spreads through deceptive CAPTCHA pages that trigger malicious PowerShell scripts. The malware downloads obfuscated JavaScript and executable payloads designed to harvest credentials, browser data, and cryptocurrency wallets.
A quiet but relentless campaign has been unfolding across multiple industries. The Chinese group Earth Lamia is targeting finance, government, logistics, and more by exploiting known web app vulnerabilities, including flaws in Apache Struts, GitLab, and WordPress. After gaining access, they deploy webshells, create admin accounts, and move laterally using a plethora of tools.
Even Google's trusted ecosystem isn’t off-limits anymore. Attackers are misusing Google Apps Script to host phishing pages that convincingly imitate real login portals. The method allows them to slip through email filters by operating under Google's domain, tricking victims into handing over credentials before redirecting them to legitimate sites to avoid suspicion.
New EDDIESTEALER malware exploits fake CAPTCHAs
A new Rust-based infostealer called EDDIESTEALER has been identified, spreading through fake CAPTCHA verification pages to deceive users into executing malicious PowerShell scripts. The malware uses advanced Rust features, such as memory safety and compiler optimizations, to evade detection and enhance stealth. EDDIESTEALER’s attack chain involves downloading malicious JavaScript and executable files via fake CAPTCHA prompts, targeting sensitive data like credentials, browser information, and cryptocurrency wallets. The malware employs sophisticated obfuscation techniques, including XOR-encrypted strings, custom WinAPI resolution, and self-deletion mechanisms to avoid analysis and detection.
Spear-phishing campaign drops NetBird
Trellix discovered a highly targeted spear-phishing operation aimed at CFOs and finance executives in banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia. The attackers abused NetBird, an open-source remote-access tool, without exploiting any flaws in the software itself. The phishing emails impersonated Rothschild & Co recruiters, offering fake financial leadership opportunities to lure victims. The phishing link redirects victims to a Firebase-hosted webpage with a custom CAPTCHA, which decrypts a secondary link upon solving the puzzle. The second-stage VBS script installs NetBird and OpenSSH silently, sets up persistence, and removes visible traces of compromise.
PureHVNC RAT: Job offer malware campaign
The PureHVNC RAT is being distributed through a complex multi-layer infection chain that uses fake high-level job offers from fashion and beauty brands as lures. The attack begins with a malicious LNK file disguised as a PDF, executing PowerShell commands to deliver the malware. Techniques such as obfuscation, base64 encoding, and Process Hollowing are employed to evade detection. The final payload, a .NET-based PureHVNC RAT, provides attackers with full system access. Multiple C2 addresses and campaign IDs are utilized to manage infections, indicating a sophisticated and targeted approach.
Supply chain attack on PyPI packages
Socket discovered a supply chain attack on PyPI involving the malicious package "semantic-types" and five related packages (e.g., solana-keypair, solana-publickey). The malware uses transitive dependencies to execute hidden payloads, even if "semantic-types" is not directly imported. The attack monkey-patches Solana key-generation methods, capturing private keys and encrypting them with a hardcoded RSA-2048 public key. Exfiltrated keys are sent via Solana Devnet memo transactions, bypassing traditional detection mechanisms. The malicious packages were downloaded over 25,900 times, exposing thousands of developer environments to wallet theft.
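The monkey-patching step described above is the kind of tampering a runtime integrity check can surface. The following is an added example, not code from the briefing or from Socket's report: it builds a constructed `wallet` module standing in for a real key-generation API, simulates a patch installed from a second constructed module (the "tamper" only wraps the call, it captures nothing), and flags functions whose code object was compiled outside the module that exposes them.

```python
import sys
import types

WALLET_FILE = "/site-packages/wallet/__init__.py"        # constructed path
DEP_FILE = "/site-packages/constructed_dep/__init__.py"  # constructed path


def build_wallet_module() -> types.ModuleType:
    """Constructed stand-in for a legitimate key-generation module."""
    src = "import os\n\ndef generate_keypair():\n    return os.urandom(32)\n"
    mod = types.ModuleType("wallet")
    mod.__file__ = WALLET_FILE
    exec(compile(src, WALLET_FILE, "exec"), mod.__dict__)
    sys.modules["wallet"] = mod
    return mod


def simulate_tamper(mod: types.ModuleType) -> None:
    """Simulate only the shape of the attack: code from a different package
    replaces wallet.generate_keypair with a wrapper. functools.wraps copies
    __module__ and __name__, so those attributes still look legitimate."""
    src = (
        "import functools\n"
        "def install(target):\n"
        "    orig = target.generate_keypair\n"
        "    @functools.wraps(orig)\n"
        "    def wrapper():\n"
        "        return orig()\n"
        "    target.generate_keypair = wrapper\n"
    )
    dep = types.ModuleType("constructed_dep")
    dep.__file__ = DEP_FILE
    exec(compile(src, DEP_FILE, "exec"), dep.__dict__)
    dep.install(mod)


def find_patched_functions(mod: types.ModuleType) -> list[str]:
    """Names of functions reachable through mod whose code was compiled from a
    file other than the module's own. __module__ can be forged with
    functools.wraps; __code__.co_filename cannot, because it belongs to the
    wrapper's own code object. Legitimate re-exports (from x import y) are
    flagged too and need an allowlist in real use."""
    flagged = []
    for name, obj in vars(mod).items():
        code = getattr(obj, "__code__", None)
        if code is not None and code.co_filename != mod.__file__:
            flagged.append(name)
    return flagged


def run_demo() -> tuple[list[str], list[str], str]:
    """Check the clean module, apply the simulated patch, check again."""
    mod = build_wallet_module()
    before = find_patched_functions(mod)
    simulate_tamper(mod)
    return before, find_patched_functions(mod), mod.generate_keypair.__module__
```

The third value returned by `run_demo` is still `"wallet"` after tampering, which is why the check keys on `co_filename` rather than `__module__`.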
Mozilla releases Firefox update
Mozilla released Firefox 139.0.1 to fix graphical artifacts caused by the DirectComposition implementation in version 139. The issue affected PCs with NVIDIA GPUs, particularly in multi-monitor setups with mixed refresh rates. The problem arose from a removed blocklist that previously prevented clashes with NVIDIA drivers. Mozilla's update restored the blocklist, fixing the corruption and flickering issues.
Earth Lamia abuses multiple bugs
The Chinese hacking group Earth Lamia has been active since at least 2023, targeting sectors such as finance, government, IT, logistics, retail, and education. They exploit known vulnerabilities in web applications, primarily SQL injection flaws, including CVE-2017-9805 (Apache Struts), CVE-2021-22205 (GitLab), CVE-2024-9047 (WordPress), CVE-2024-27198/27199 (TeamCity), CVE-2024-51378/51567 (CyberPanel), CVE-2024-56145 (Craft CMS), and CVE-2025-31324 (SAP NetWeaver). Post-compromise actions include deploying webshells, escalating privileges, creating admin accounts, and stealing data. The group uses tools like BypassBoss, open-source utilities, and a modular .NET backdoor called Pulsepack to execute attacks.
Phishing attacks abuse Google Apps Script
Threat actors are exploiting Google Apps Script to host phishing pages that mimic legitimate login screens, thereby stealing user credentials. These attacks involve emails disguised as invoices, linking to malicious pages within Google's trusted environment, which bypasses many security filters. Once victims enter their credentials, they are redirected to the actual service to reduce suspicion. The ability to publish scripts as public web apps under a Google domain allows attackers to easily share links without triggering warnings, making the method efficient and adaptable.