Introduction

Chihuahua Stealer is a newly identified infostealer that targets Windows systems, combining routine techniques with a few more advanced ones for stealth and data theft. First detected in April 2025 and analyzed by G Data CyberDefense [1] [5], it is a .NET payload that runs in memory and is delivered through obfuscated PowerShell scripts that victims are led to execute from malicious Google Drive documents.

Description

Chihuahua Stealer is a lightweight infostealer targeting Windows systems that combines standard techniques with some more advanced features for stealth and data theft. Detected in April 2025 and analyzed by G Data CyberDefense [1] [5], the .NET assembly runs in memory and is delivered by an obfuscated PowerShell script that the victim is led to execute from a malicious Google Drive document. The infection chain begins with a small launcher that passes a Base64-encoded string to PowerShell [3], sidestepping script execution policy while injecting the runtime logic hidden in the encoded payload [3]. The second-stage script then decodes a heavily obfuscated payload [3]: it strips custom delimiters and converts hexadecimal ASCII character codes back to text, reconstructing a third-stage script built to evade static analysis and sandbox detection [3].
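The following deobfuscator walks the same three layers (Base64 launcher, delimiter-padded hex in the second stage, reconstructed third stage). It is an added analysis example, not code from the malware sample or from any of the cited write-ups. The real sample's delimiter characters and second-stage layout are not given on this page, so the sample payload is constructed here and the delimiter set is an assumption; PowerShell's -EncodedCommand convention of UTF-16LE text under Base64 is the one thing taken as given.

```python
"""Three-stage PowerShell loader deobfuscator (added example, not the sample's code).

Layer 1: Base64 over UTF-16LE text (the -EncodedCommand convention).
Layer 2: a quoted blob of hex ASCII pairs separated by custom delimiters.
Layer 3: the reconstructed script text.
"""
import base64
import re

# Assumed (hypothetical) delimiter characters inserted between hex pairs.
DELIMITERS = "@#!"

# Constructed third-stage text for the demo; it only lists marker files in Recent.
SAMPLE_THIRD_STAGE = (
    "Get-ChildItem \"$env:APPDATA\\Microsoft\\Windows\\Recent\" -Filter '*.normaldaki'"
)


def build_sample(third_stage: str) -> str:
    """Construct a launcher-style Base64 blob whose decoded second stage carries
    third_stage as delimiter-padded hex ASCII. Used only to produce test input."""
    hexed = third_stage.encode("utf-8").hex()
    pairs = [hexed[i:i + 2] for i in range(0, len(hexed), 2)]
    blob = "".join(p + DELIMITERS[i % len(DELIMITERS)] for i, p in enumerate(pairs))
    second_stage = f"$p = '{blob}'; # second stage: strip delimiters, hex -> text, iex"
    return base64.b64encode(second_stage.encode("utf-16le")).decode("ascii")


def decode_launcher(b64: str) -> str:
    """Layer 1: Base64 (UTF-16LE) -> second-stage script text."""
    return base64.b64decode(b64).decode("utf-16le")


def extract_third_stage(second_stage: str) -> str:
    """Layer 2: take the first single-quoted blob, drop every non-hex character
    (the delimiters), and decode the remaining hex pairs to text."""
    m = re.search(r"'([^']+)'", second_stage)
    if not m:
        raise ValueError("no quoted payload found in second stage")
    hex_only = re.sub(r"[^0-9a-fA-F]", "", m.group(1))
    if len(hex_only) % 2:
        raise ValueError("odd hex length after delimiter removal; wrong delimiter set?")
    return bytes.fromhex(hex_only).decode("utf-8", errors="replace")


def deobfuscate(b64: str) -> str:
    """Full chain: launcher Base64 -> second stage -> third-stage text."""
    return extract_third_stage(decode_launcher(b64))


SAMPLE_LAUNCHER = build_sample(SAMPLE_THIRD_STAGE)

if __name__ == "__main__":
    print(decode_launcher(SAMPLE_LAUNCHER)[:60] + "...")
    print(deobfuscate(SAMPLE_LAUNCHER))
```

Stripping every non-hex character rather than a fixed delimiter list is deliberate: the delimiters are the author's choice and may change between samples, while the hex alphabet does not. The odd-length check is the signal that this assumption failed (a delimiter that is itself a hex digit).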

The infection process consists of five stages [2]. It starts with the DedMaxim() function [1], which prints transliterated Russian rap lyrics [1] [2] [5] [6], believed to reflect the developer's cultural background [2]. Once deobfuscated [2] [3] [4], the script schedules a task that checks the "Recent Places" folder every minute for infection markers [3], specifically files with the .normaldaki extension [3]. If such a file is found, the script contacts a command-and-control (C2) server for further instructions [3].

Chihuahua Stealer fingerprints the host by collecting the machine name and disk serial number through Windows Management Instrumentation (WMI). These values are obfuscated and hashed into a unique identifier for the infected system [1], which then names the archive and folder that hold the exfiltrated data [1] [5]. The malware harvests sensitive browser data, including login credentials, cookies [1] [2] [5], autofill data [1] [2] [5], browsing history [1] [5], session data [1] [5] and payment information [1] [5]. It also scans user directories for cryptocurrency wallet browser extensions, extracting data from the folders associated with known wallet extension IDs [1].

After extraction [1] [5], the malware prepares the stolen data for encryption and exfiltration: it writes a plaintext file named Brutan.txt and packages the collected data into a custom ".chihuahua" archive [1] [5]. The archive is encrypted with AES-GCM via the Windows Cryptography API: Next Generation (CNG) and sent over HTTPS to the C2 server at hxxps://flowers[.]hold-me-finger[.]xyz/index2[.]php by the VseLegalno() function, which disguises the transfer as a binary file upload [5] [6].

To cover its tracks [2], Chihuahua Stealer deletes the evidence of its activity, including the scheduled task [1] [2] [5], temporary files [2] [3] [6] and console output [3], which underlines its emphasis on stealth [4]. Behaviours worth hunting for include frequently recurring scheduled PowerShell jobs with obfuscated commands [2], files with unusual extensions in directories such as Recent or Temp [4], and the uncommon use of AES-GCM to encrypt data sent out over HTTPS [2]. Monitoring for these behaviours improves the chance of detecting this threat. The reported SHA-256 hash for the PowerShell script and payload is c9bc4fdc899e4d82da9dd1f7a08b57ac62fc104f93f2597615b626725e12cae8 [6].
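The rules below turn the behaviours just listed, and the every-minute scheduled task described earlier, into detection logic run over sample endpoint events. This is an added example, not detection content from G Data or the other cited sources. The events are constructed here in the shape of Sysmon process-creation and file-creation records (field names UtcTime, Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename); the Base64 string, task name and paths are made up for the demo, and the assumption that a task-launched process has svchost.exe hosting the Schedule service as its parent is stated in the code.

```python
"""Hunting rules for Chihuahua-style PowerShell loader behaviour (added example).

Rules: obfuscated PowerShell flags, schtasks creating/deleting a PowerShell task,
odd extensions under Recent/Temp, and bursts of Task-Scheduler-launched PowerShell.
"""
import re
from datetime import datetime

ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}")
BYPASS_FLAG = re.compile(r"(?i)-(?:ep|executionpolicy)\s+bypass|-w(?:indowstyle)?\s+hidden")
MARKER_DIRS = re.compile(r"(?i)\\(?:Recent|Temp)\\")
SUSPICIOUS_EXT = {".normaldaki", ".chihuahua"}   # extensions named in the write-ups


def powershell_rule(ev):
    """Obfuscated PowerShell: encoded command, policy bypass or hidden window."""
    if "powershell" not in ev.get("Image", "").lower():
        return None
    cmd = ev.get("CommandLine", "")
    hits = [n for n, rx in (("encoded", ENCODED_FLAG), ("bypass/hidden", BYPASS_FLAG)) if rx.search(cmd)]
    return f"obfuscated PowerShell ({', '.join(hits)})" if hits else None


def schtasks_rule(ev):
    """schtasks.exe registering a PowerShell task, or deleting a task (cleanup)."""
    if not ev.get("Image", "").lower().endswith("schtasks.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    if re.search(r"(?i)/create.*powershell", cmd):
        return "scheduled task launching PowerShell"
    if "/delete" in cmd.lower():
        return "scheduled task deleted (possible cleanup)"
    return None


def file_rule(ev):
    """File with a suspicious extension created under a Recent or Temp directory."""
    path = ev.get("TargetFilename", "")
    ext = path[path.rfind("."):].lower() if "." in path else ""
    if MARKER_DIRS.search(path) and ext in SUSPICIOUS_EXT:
        return f"unusual extension {ext} under Recent/Temp"
    return None


RULES = (powershell_rule, schtasks_rule, file_rule)


def run_rules(events):
    """Apply every rule to every event; return (time, subject, reason) alerts."""
    alerts = []
    for ev in events:
        for rule in RULES:
            why = rule(ev)
            if why:
                alerts.append((ev["UtcTime"], ev.get("Image") or ev.get("TargetFilename"), why))
    return alerts


def scheduled_powershell_bursts(events, window_s=120, threshold=3):
    """Flag >= threshold PowerShell launches by the Task Scheduler inside window_s
    seconds, the footprint of a task repeating every minute. Assumption: the parent
    is svchost.exe hosting the Schedule service (its command line names it)."""
    times = sorted(
        datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        for ev in events
        if "powershell" in ev.get("Image", "").lower()
        and ev.get("ParentImage", "").lower().endswith("svchost.exe")
        and "schedule" in ev.get("ParentCommandLine", "").lower()
    )
    return [
        times[i].strftime("%Y-%m-%d %H:%M:%S")
        for i in range(len(times) - threshold + 1)
        if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s
    ]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHED_SVC = r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2025-05-14 10:00:00", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc "
                    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"UtcTime": "2025-05-14 10:00:05", "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS,
     "CommandLine": r'schtasks.exe /create /sc minute /mo 1 /tn "Updater" /tr "powershell.exe -w hidden -f C:\Users\u\AppData\Local\Temp\a.ps1"'},
    {"UtcTime": "2025-05-14 10:00:06", "Image": PS,
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Recent\marker.normaldaki"},
    {"UtcTime": "2025-05-14 10:01:00", "Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": SCHED_SVC, "CommandLine": r"powershell.exe -NoProfile -File C:\Users\u\AppData\Local\Temp\a.ps1"},
    {"UtcTime": "2025-05-14 10:02:00", "Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": SCHED_SVC, "CommandLine": r"powershell.exe -NoProfile -File C:\Users\u\AppData\Local\Temp\a.ps1"},
    {"UtcTime": "2025-05-14 10:03:00", "Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": SCHED_SVC, "CommandLine": r"powershell.exe -NoProfile -File C:\Users\u\AppData\Local\Temp\a.ps1"},
    {"UtcTime": "2025-05-14 10:03:30", "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS,
     "CommandLine": 'schtasks.exe /delete /tn "Updater" /f'},
    {"UtcTime": "2025-05-14 10:05:00", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},   # benign control
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
    print("scheduled PowerShell bursts starting at:", scheduled_powershell_bursts(SAMPLE_EVENTS))
```

Note what the per-event rules miss: the three task-driven runs carry no encoded command or bypass flag and are only caught by the burst rule, which keys on the parent being the Task Scheduler and on the cadence. The task deletion fires as its own alert because the cleanup described in the write-ups is itself a detectable action.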

Conclusion

Chihuahua Stealer is a capable threat to Windows systems, using staged obfuscation, in-memory execution and encrypted exfiltration to steal data while staying hidden [2]. Its evasion and cleanup behaviour make it hard to catch after the fact, so defenders should monitor for its runtime footprint instead: recurring scheduled PowerShell jobs, encoded or policy-bypassing PowerShell command lines, and files with unusual extensions under Recent or Temp. Later iterations of this malware are likely, so detection content and threat intelligence for it will need continuous updating.

References

[1] https://www.infosecurity-magazine.com/news/chihuahua-stealer-browser-crypto/
[2] https://securityonline.info/chihuahua-stealer-unleashed-obfuscated-powershell-and-aes-gcm-encryption-fuel-this-advanced-data-theft-campaign/
[3] https://www.anti-malware.ru/news/2025-05-14-114534/46038
[4] https://www.gdatasoftware.com/blog/2025/05/38199-chihuahua-infostealer
[5] https://ciso2ciso.com/new-chihuahua-infostealer-targets-browser-data-and-crypto-wallet-extensions-source-www-infosecurity-magazine-com/
[6] https://www.hendryadrian.com/chihuahua-stealer-uncovered-a-stealthy-net-infostealer-targeting-browsers-and-crypto-wallets/