A New Breed of Infostealer
Essential information
- Published
- 13/05/2025 13:12
- Modified
- 21/05/2025 19:33
- Tags
- .net 2025-05-13 browser data chihuahua stealer crypto wallets encryption exfiltration infostealer multi-stage persistence powershell
- Related entities
- 8 observables, 4 techniques (mitre), 1 malware
Description
A newly discovered .NET-based infostealer, Chihuahua Stealer, combines common malware techniques with advanced features. The infection begins with an obfuscated PowerShell script shared via Google Drive, initiating a multi-stage payload chain. Persistence is achieved through scheduled tasks, and the main payload targets browser data and crypto wallet extensions. Stolen data is compressed, encrypted using AES-GCM via Windows CNG APIs, and exfiltrated over HTTPS. The malware employs stealth techniques, including multi-stage execution, Base64 encoding, hex-string obfuscation, and scheduled jobs. It targets browser data, crypto wallets, and uses unique identifiers for each infected machine. The stealer's sophistication is evident in its use of Windows Cryptography API for encryption and its thorough cleanup process.
External references
- https://www.gdatasoftware.com/blog/2025/05/38199-chihuahua-infostealer
- https://feeds.feedblitz.com/~/918192962/0/gdatasecurityblog-en~Sit-Fetch-Steal-Chihuahua-Stealer-A-new-Breed-of-Infostealer
- https://www.gdatasoftware.com/fileadmin/_processed_/f/b/G_DATA_Blog_ChihuahuaStealer_Title_999cabe2bc.jpg
- https://otx.alienvault.com/pulse/682345233e3c2b7479bfdf61