A New Breed of Infostealer
A newly discovered .NET-based infostealer, Chihuahua Stealer, combines common malware techniques with advanced features. The infection begins with an obfuscated PowerShell script shared via Google Drive, which initiates a multi-stage payload chain. Persistence is achieved through scheduled tasks, and the main payload targets browser data and crypto wallet extensions. Stolen data is compressed, encrypted with AES-GCM via the Windows CNG APIs, and exfiltrated over HTTPS. The malware relies on stealth techniques including multi-stage execution, Base64 encoding, hex-string obfuscation, and scheduled jobs, and it assigns a unique identifier to each infected machine. Its sophistication is evident in its use of the Windows Cryptography API for encryption and in its thorough cleanup process.
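The summary names three tradecraft layers a defender would want to peel back in process-creation telemetry: Base64-encoded PowerShell, hex-string obfuscation, and scheduled-task persistence. The following triage helper is an added example written for this page; it is not code from the pulse or from any analysis of the stealer, and the command lines it runs on are constructed to imitate those techniques rather than copied from a real sample. The indicator names (`base64_encoded_command`, `hex_string_obfuscation`, and so on) are this example's own labels.

```python
import base64
import re

# --- Patterns for the techniques named in the pulse summary -----------------
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
ENCODED_CMD_RE = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|encodedcom|"
    r"encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
# Byte arrays written as 0x.. literals, and long hex strings inside quotes.
HEX_ARRAY_RE = re.compile(r"(?:0x[0-9a-fA-F]{2}\s*,\s*){3,}0x[0-9a-fA-F]{2}")
HEX_QUOTED_RE = re.compile(r"[\"']((?:[0-9a-fA-F]{2}){8,})[\"']")
SCHED_TASK_RE = re.compile(
    r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask|New-ScheduledTask", re.IGNORECASE
)
HIDDEN_WINDOW_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
GDRIVE_RE = re.compile(r"drive\.google\.com", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext behind a -EncodedCommand argument, or None."""
    m = ENCODED_CMD_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16le", errors="replace")


def _mostly_printable(data):
    return bool(data) and sum(32 <= b < 127 for b in data) / len(data) >= 0.9


def decode_hex_strings(text):
    """Decode 0x.. byte arrays and quoted hex strings that turn into printable text."""
    out = []
    for m in HEX_ARRAY_RE.finditer(text):
        data = bytes(int(tok, 16) for tok in re.findall(r"0x([0-9a-fA-F]{2})", m.group(0)))
        if _mostly_printable(data):
            out.append(data.decode("ascii", errors="replace"))
    for m in HEX_QUOTED_RE.finditer(text):
        data = bytes.fromhex(m.group(1))
        if _mostly_printable(data):
            out.append(data.decode("ascii", errors="replace"))
    return out


def triage(cmdline):
    """Peel encoding layers off one command line and list the techniques observed."""
    result = {"encoded_command": None, "hex_strings": [], "indicators": []}

    def flag(name):
        if name not in result["indicators"]:
            result["indicators"].append(name)

    views = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        result["encoded_command"] = decoded
        flag("base64_encoded_command")
        views.append(decoded)  # inspect the decoded layer as well as the raw one

    for text in views:
        hexes = decode_hex_strings(text)
        if hexes:
            result["hex_strings"].extend(hexes)
            flag("hex_string_obfuscation")
        if SCHED_TASK_RE.search(text):
            flag("scheduled_task_persistence")
        if HIDDEN_WINDOW_RE.search(text):
            flag("hidden_window")
        if GDRIVE_RE.search(text):
            flag("google_drive_download")
    return result


def _encode_for_powershell(script):
    """Mimic how PowerShell expects -EncodedCommand input (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample command lines; none of these come from the pulse.
SAMPLE_COMMAND_LINES = [
    # Encoded launcher that builds a string from 0x.. bytes and registers a scheduled task
    "powershell.exe -nop -w hidden -enc " + _encode_for_powershell(
        "$b = (0x68,0x74,0x74,0x70,0x73); "
        "$s = [Text.Encoding]::ASCII.GetString([byte[]]$b); "
        'schtasks /create /tn Updater /tr "powershell -w hidden -f %TEMP%\\s1.ps1" /sc minute /mo 5'
    ),
    # Ordinary administrative use, should produce no indicators
    'powershell.exe -Command "Get-Service -Name Spooler"',
    # Unencoded script that hides a URL as a hex string
    "powershell.exe -nop -c \"$h = '68747470733a2f2f6578616d706c652e696e76616c6964'; "
    "$u = -join ($h -split '(..)' | ? { $_ } | % { [char][convert]::ToInt16($_, 16) })\"",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        r = triage(line)
        print(f"{len(r['indicators'])} indicator(s): {r['indicators']}")
        for s in r["hex_strings"]:
            print("  hex-decoded:", s)
```

The decoded layer is scanned with the same rules as the raw command line, so a scheduled-task registration hidden inside an encoded command is still flagged; the hex decoder only reports output that is mostly printable, which keeps hashes and GUIDs from showing up as false positives.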
Pulse ID: 682345233e3c2b7479bfdf61
Pulse Link: https://otx.alienvault.com/pulse/682345233e3c2b7479bfdf61
Pulse Author: AlienVault
Created: 2025-05-13 13:12:03
Be advised, this data is unverified and should be considered preliminary. Always do further verification.