New 'Chihuahua Stealer' Targets Browser Data and Crypto Wallets

May 21, 2025, 7:56 p.m.

Description

A novel infostealer named Chihuahua Stealer has been detected, blending standard malware techniques with advanced features. This .NET-based malware is delivered through a multi-stage PowerShell infection process that uses Base64 encoding, hex-string obfuscation, and scheduled tasks for persistence. It targets browser data and cryptocurrency wallet extensions, extracting credentials, cookies, autofill data, browsing history, and payment information. The stolen data is compressed, encrypted using AES-GCM, and exfiltrated to an external server. The execution chain combines stealthy loading with a multi-stage payload, which makes the malware challenging to detect and analyze.

Date

  • Created: May 14, 2025, 1:56 p.m.
  • Published: May 14, 2025, 1:56 p.m.
  • Modified: May 21, 2025, 7:56 p.m.

Indicators

  • https://flowers.hold-me-finger.xyz/index2.php.
  • flowers.hold-me-finger.xyz

Attack Patterns