A new infostealer strain that combines standard malware techniques with unusually advanced functionality has been detected.
First flagged by a Reddit user in April 2025, the malware, known as Chihuahua Stealer, was analyzed by G DATA CyberDefense, which shared its findings in a report on 13 May.
While it looks unremarkable on the surface, this .NET infostealer uses advanced methods, including a stealthy loader, scheduled-task persistence and a multi-stage payload.
Multi-stage PowerShell script infection
On April 9, a user of the r/antivirus subreddit shared how they had been tricked into running an obfuscated PowerShell script from a Google Drive document.
Upon investigation, G DATA CyberDefense found that the PowerShell-based loader triggers a complex, multi-stage execution chain that uses Base64 encoding, hex-string obfuscation and scheduled tasks to maintain persistence.
The loader is designed to be modular and stealthy, and to fetch additional payloads from fallback command-and-control (C2) domains if necessary.
The multi-stage chain consists of the following steps:
- A lightweight launcher executes a Base64-encoded PowerShell string via IEX, bypassing the execution policy and hiding the payload from static analysis and signature-based detection
- The launcher decodes and reconstructs a heavily obfuscated hex payload by removing delimiters and converting hex to ASCII, dynamically assembling the next-stage script to evade static and sandbox analysis
- The script establishes persistence by scheduling a task that scans for infection markers (“.normaldaki” files) and, if they are present, contacts a primary (and fallback) C2 server to fetch additional payloads and executes them according to the commands received
- The scheduled task retrieves a .NET assembly from an external domain, loads a Base64-obfuscated payload (the Chihuahua stealer) from OneDrive and executes it in memory via reflection, after which visible traces (console and clipboard) are cleared
Chihuahua Stealer’s execution, encryption and data exfiltration
The stealer begins execution with the Dedmaxim() function, which prints Russian rap lyrics to the console with short pauses between lines. The G DATA researchers believe this is a signature, since it serves no functional purpose.
After displaying the lyrics, the stealer runs its main logic in the Popillina() function, where it collects the machine name and the disk serial number via Windows Management Instrumentation (WMI), then combines and hashes them to generate a unique identifier for the infected system. This identifier is used to name the archive and the folder that stores the extracted data.
After generating the unique victim ID and creating a staging folder, the malware starts extracting data by searching user folders for browser and crypto wallet files.
It uses one function to scan dynamic paths (with %userprofile% placeholders) for installed browsers, and another to extract credentials, cookies, autofill data, browsing history, sessions and payment information from each browser detected.
It also targets crypto wallet extensions by identifying and copying data from folders linked to well-known wallet extension IDs.
After extracting the browser data and crypto wallet extension files, the malware prepares the stolen information for encryption and exfiltration. It creates a plain text file named Brutan.txt in the working folder and then compresses all stolen data into a “.chihuahua” archive. Immediately afterwards, the archive is encrypted using AES-GCM.
Once the stolen data has been compressed and encrypted into a “.vz” file, the malware attempts to exfiltrate it to an external server using a retry loop.
The actual exfiltration takes place in Vselegalno(). The function creates a WebClient instance and sets headers to mimic a binary file upload, then uploads the encrypted “.vz” file to hxxps://flowers[.]hold-me-finger[.]XYZ/Index2[.]php.
Finally, the stealer wipes all evidence of its activity from the disk using standard file and directory removal commands.
G DATA’s mitigation recommendations
G DATA CyberDefense provided a list of recommendations to mitigate the threat posed by Chihuahua Stealer:
- Alert on frequently scheduled PowerShell jobs with suspicious or obfuscated commands
- Hunt for unusual file extensions or markers in folders such as Recent or Temp
- Detect Base64 decoding combined with .NET reflection (e.g. [Assembly]::Load()) in PowerShell logs
- Flag unusual AES-GCM use via Windows CNG APIs, especially when tied to outgoing HTTPS traffic
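As an added example (not code from the G DATA report or from this article), the following Python script applies the log-based recommendations above to constructed PowerShell script-block log lines: it flags Base64 decoding fed to IEX, hex-string reassembly, scheduled-task registration, Assembly::Load reflection and the “.normaldaki” marker, and it decodes any embedded Base64 blob so the same rules are also run against the hidden stage. The rule patterns, the log line format and the sample lines are assumptions made for this example, not G DATA's signatures; the CNG/AES-GCM recommendation needs API-level telemetry rather than script logs and is not covered here.

```python
import base64
import binascii
import re

# Detection rules (patterns assumed for this example, not G DATA's own signatures).
# Each rule targets one stage of the chain described in the article.
RULES = {
    "base64_iex": re.compile(
        r"\b(iex|invoke-expression)\b.*frombase64string|frombase64string.*\b(iex|invoke-expression)\b",
        re.I),
    "hex_reassembly": re.compile(r"\[char\]\s*\[convert\]::toint32\([^,]+,\s*16\)", re.I),
    "scheduled_task": re.compile(r"register-scheduledtask|schtasks(\.exe)?\s+/create", re.I),
    "reflective_load": re.compile(
        r"\[(system\.)?reflection\.assembly\]::load\(|\[assembly\]::load\(", re.I),
    "infection_marker": re.compile(r"\.normaldaki\b", re.I),
}

# Candidate Base64 blobs: long runs of the Base64 alphabet with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_embedded_base64(text):
    """Return printable strings recovered from Base64 blobs embedded in text.

    PowerShell -EncodedCommand blobs are UTF-16LE while inline FromBase64String
    blobs are usually UTF-8, so both decodings are tried.
    """
    stages = []
    for token in B64_TOKEN.findall(text):
        if len(token) % 4:
            continue  # not a complete Base64 quantum; skip rather than guess padding
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        for encoding in ("utf-8", "utf-16-le"):
            try:
                decoded = raw.decode(encoding)
            except UnicodeDecodeError:
                continue
            if decoded and all(c.isprintable() or c in "\r\n\t" for c in decoded):
                stages.append(decoded)
                break
    return stages


def analyze_lines(lines):
    """Scan script-block log lines; return one finding per line that matches.

    Rules run against the raw line and again against every Base64 stage it
    carries, so a bland-looking launcher whose decoded stage registers a
    scheduled task is still flagged (those hits are prefixed 'decoded:').
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        rules = {name for name, rx in RULES.items() if rx.search(line)}
        decoded_stages = decode_embedded_base64(line)
        for stage in decoded_stages:
            rules.update(f"decoded:{name}" for name, rx in RULES.items() if rx.search(stage))
        if rules:
            findings.append({"line": number, "rules": sorted(rules), "decoded": decoded_stages})
    return findings


# Constructed sample log lines resembling PowerShell script-block logging. The first
# line embeds a constructed inner stage so the nested decode has something to find.
INNER_STAGE = base64.b64encode(b"Register-ScheduledTask -TaskName Updater").decode()
SAMPLE_LOG_LINES = [
    f"ScriptBlock: IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{INNER_STAGE}')))",
    "ScriptBlock: $h='48|65|6c|6c|6f'; $s=-join (($h -split '\\|') | ForEach-Object {[char][Convert]::ToInt32($_,16)})",
    "ScriptBlock: Register-ScheduledTask -TaskName 'Updater' -Trigger (New-ScheduledTaskTrigger -Once -At 9am)",
    "ScriptBlock: [System.Reflection.Assembly]::Load([Convert]::FromBase64String($payload)).EntryPoint.Invoke($null,$null)",
    "ScriptBlock: Get-ChildItem -Path $env:USERPROFILE\\Recent -Filter '*.normaldaki'",
    "ScriptBlock: Get-Process | Where-Object CPU -gt 100",
]

if __name__ == "__main__":
    for finding in analyze_lines(SAMPLE_LOG_LINES):
        print(finding["line"], ", ".join(finding["rules"]))
```

Run against real telemetry, feed it the ScriptBlockText field of Event ID 4104 (PowerShell script-block logging) rather than the command line alone, since the chain's later stages only exist in memory and appear there; the nested decode is what turns the first recommendation (obfuscated scheduled jobs) into something a rule can actually see, because the persistence command is hidden inside the Base64 blob of an otherwise ordinary-looking IEX launcher.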