A New Breed of Infostealer

SUMMARY :

A newly discovered .NET-based infostealer, Chihuahua Stealer, combines common malware techniques with advanced features. The infection begins with an obfuscated PowerShell script shared via Google Drive, initiating a multi-stage payload chain. Persistence is achieved through scheduled tasks, and the main payload targets browser data and crypto wallet extensions. Stolen data is compressed, encrypted using AES-GCM via Windows CNG APIs, and exfiltrated over HTTPS. The malware employs stealth techniques, including multi-stage execution, Base64 encoding, hex-string obfuscation, and scheduled jobs. It targets browser data, crypto wallets, and uses unique identifiers for each infected machine. The stealer's sophistication is evident in its use of Windows Cryptography API for encryption and its thorough cleanup process.

OPENCTI LABELS :

powershell,infostealer,multi-stage,exfiltration,encryption,persistence,.net,browser-data,chihuahua stealer,crypto-wallets


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


A New Breed of Infostealer