Russian Unit 26165 Targets Western Logistics and Technology Companies

May 28, 2025, 1:16 p.m.

Description

Chihuahua Infostealer is a .NET-based information stealer discovered in April 2025 that targets browser credentials and cryptocurrency wallet data. Delivery is multi-stage: obfuscated PowerShell scripts stage the payload, and the initial lure is often hosted on trusted platforms such as Google Drive so that the download passes reputation checks. Once running, the malware establishes persistence through scheduled tasks, fingerprints the host hardware, and harvests data from a range of browsers and crypto wallet browser extensions. Collected data is encrypted before exfiltration, and cleanup routines remove staging artifacts to hinder detection and forensic recovery. Attribution is unclear; the only hint of a Russian connection is transliterated rap lyrics embedded in the code. Its evasion techniques and its focus on credential and wallet theft make it a significant threat to personal and financial information.

Date

  • Created: May 27, 2025, 11:59 p.m.
  • Published: May 27, 2025, 11:59 p.m.
  • Modified: May 28, 2025, 1:16 p.m.

Indicators

  • c9bc4fdc899e4d82da9dd1f7a08b57ac62fc104f93f2597615b626725e12cae8
  • afa819c9427731d716d4516f2943555f24ef13207f75134986ae0b67a0471b84
  • https://onedrive.office-note.com/res?a=cb-&c=8f2669e5-01c0-4539-8d87-110513256828&s=eyJhbG...
  • https://flowers.hold-me-finger.xyz/index2.php
  • https://flowers.hold-me-finger.xyz/api/arhbr49b
  • https://cat-watches-site.xyz/api/
  • http://flowers.hold-me-finger.xyz/api/arhbr49b
  • flowers.hold-me-finger.xyz
  • cdn.findfakesnake.xyz
  • cat-watches-site.xyz
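The indicators above mix SHA-256 hashes, full URLs and bare domains, and a hunt should treat them differently: hashes match file inventories exactly, while URL and domain indicators should match on the host (including any subdomain) rather than on the exact string, because the path and query components change between campaigns. The following script is an added example, not code from the report or from the malware; it classifies the indicator list exactly as printed on this page (the truncated OneDrive-lookalike URL is used only for its hostname), and runs it against a constructed proxy log and a constructed hash list. The log format (timestamp, client, method, URL, status) and both sample inputs are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators copied verbatim from the Indicators section above; the
# truncated OneDrive-lookalike URL is used only for its hostname.
INDICATORS = [
    "c9bc4fdc899e4d82da9dd1f7a08b57ac62fc104f93f2597615b626725e12cae8",
    "afa819c9427731d716d4516f2943555f24ef13207f75134986ae0b67a0471b84",
    "https://onedrive.office-note.com/res?a=cb-&c=8f2669e5-01c0-4539-8d87-110513256828&s=eyJhbG...",
    "https://flowers.hold-me-finger.xyz/index2.php",
    "https://flowers.hold-me-finger.xyz/api/arhbr49b",
    "https://cat-watches-site.xyz/api/",
    "http://flowers.hold-me-finger.xyz/api/arhbr49b",
    "flowers.hold-me-finger.xyz",
    "cdn.findfakesnake.xyz",
    "cat-watches-site.xyz",
]

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def classify(ioc):
    """Return (kind, value) where kind is 'sha256', 'url' or 'domain'."""
    ioc = ioc.strip()
    if SHA256_RE.match(ioc):
        return "sha256", ioc.lower()
    if "://" in ioc:
        return "url", ioc
    return "domain", ioc.lower().rstrip(".")


def build_index(indicators):
    """Split indicators into a hash set and a host set; URL indicators contribute their host."""
    hashes, hosts = set(), set()
    for ioc in indicators:
        kind, value = classify(ioc)
        if kind == "sha256":
            hashes.add(value)
        elif kind == "domain":
            hosts.add(value)
        else:
            host = urlsplit(value).hostname  # already lower-cased by urlsplit
            if host:
                hosts.add(host)
    return hashes, hosts


def host_matches(host, hosts):
    """True if host equals a listed host or is a subdomain of one (label-aligned, so
    'notcat-watches-site.xyz' does not match 'cat-watches-site.xyz')."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in hosts)


# Constructed proxy log (assumed format): timestamp client method url status.
SAMPLE_PROXY_LOG = """\
2025-05-20T10:01:02Z 10.0.0.5 GET https://www.example.com/ 200
2025-05-20T10:01:09Z 10.0.0.5 GET https://flowers.hold-me-finger.xyz/index2.php 200
2025-05-20T10:01:11Z 10.0.0.5 POST http://flowers.hold-me-finger.xyz/api/arhbr49b 200
2025-05-20T10:02:40Z 10.0.0.9 GET https://static.cdn.findfakesnake.xyz/a.js 200
2025-05-20T10:03:15Z 10.0.0.9 GET https://CAT-WATCHES-SITE.XYZ/api/ 404
2025-05-20T10:04:00Z 10.0.0.12 GET https://notcat-watches-site.xyz/ 200
""".splitlines()


def scan_proxy_log(lines, hosts):
    """Return (client, host, url) for each request to a listed host or a subdomain of one."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash the hunt
        client, url = fields[1], fields[3]
        host = urlsplit(url).hostname
        if host and host_matches(host, hosts):
            hits.append((client, host, url))
    return hits


def scan_hashes(observed, hashes):
    """Return the observed SHA-256 values (any case) that appear in the indicator set."""
    return sorted({h.lower() for h in observed if h.lower() in hashes})


# Constructed hash list, as an EDR export of recently written executables might provide.
SAMPLE_HASHES = [
    "C9BC4FDC899E4D82DA9DD1F7A08B57AC62FC104F93F2597615B626725E12CAE8",
    "0" * 64,
]

if __name__ == "__main__":
    hashes, hosts = build_index(INDICATORS)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, hosts):
        print("network hit:", hit)
    for h in scan_hashes(SAMPLE_HASHES, hashes):
        print("hash hit:", h)
```

Two design points matter in practice: the host comparison is label-aligned (a dot is required before the listed name), so look-alike registrations are not swept in accidentally, and hash comparison is case-insensitive because EDR and sandbox exports disagree on hex case. The URL indicators are deliberately reduced to hosts; if you also need exact-path matches (for example to distinguish the `/index2.php` landing page from the `/api/arhbr49b` endpoint), compare `urlsplit(url).path` separately rather than the raw string, since scheme and query differences would otherwise hide hits.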

Attack Patterns

Additional Information

  • Technology
  • Finance