Emerging ‘Chihuahua Stealer’ Malware Compromises Browser Data and Cryptocurrency Wallets
A new infostealer, identified as “Chihuahua Stealer,” combines traditional malware tactics with advanced functionalities, raising concerns within the cybersecurity community. The malware was initially reported by a Reddit user in April 2025 and has since undergone analysis by cybersecurity firm G Data CyberDefense, which detailed its findings in a report published on May 13.
At first glance, the Chihuahua Stealer may appear simplistic; however, it incorporates sophisticated mechanisms such as stealthy loading, scheduled task persistence, and a multi-staged payload delivery system.
Multi-Stage PowerShell Script Infection
The infection process begins when an unsuspecting user is tricked into executing an obfuscated PowerShell script from a Google Drive document. G Data CyberDefense’s investigation revealed that the PowerShell loader initiates a complex execution chain employing Base64 encoding, hex-string obfuscation, and scheduled tasks to maintain persistence.
The multi-stage execution chain proceeds as follows:
1. A lightweight launcher executes a Base64-encoded PowerShell command using iex, effectively bypassing execution policies and concealing the payload from static analysis.
2. The launcher decodes and reconstructs a heavily obfuscated hex payload, dynamically assembling the next-step script to evade detection.
3. The script establishes persistence by scheduling a task to scan for infection markers (files with the extension “*.normaldaki”). If these markers are found, it contacts primary and fallback command-and-control (C2) servers to retrieve and execute additional payloads.
4. The persistent task downloads a .NET assembly from a remote domain. The Chihuahua Stealer is subsequently loaded in-memory via reflection while cleaning up any visible traces.
Chihuahua Stealer's Execution, Encryption, and Data Exfiltration
Upon initiation, the malware employs a function called DedMaxim(), which outputs transliterated Russian rap lyrics to the console. This particular feature appears to serve as a signature, having no discernible functional purpose.
Following the display of lyrics, the malware engages its main operational logic through the PopilLina() function. It collects the machine name and disk serial number via Windows Management Instrumentation (WMI), obfuscating and hashing these identifiers to create a unique identifier for the compromised system. This unique identifier is then used to name the archive and directory for the stolen data.
Once the staging area is prepared, the malware systematically extracts information from web browsers and cryptocurrency wallet files located within user directories. It identifies installed browsers and retrieves credentials, cookies, autofill information, browsing history, sessions, and financial data.
Additionally, the malware targets cryptocurrency wallet extensions by locating and siphoning data from folders linked to known wallet extension identifiers.
After completing the data extraction, the malware assembles the stolen information. It creates a plaintext file, Brutan.txt, within the working directory, compresses the stolen data into a “.chihuahua” archive, and encrypts this archive using AES-GCM encryption.
The exfiltration of the assembled and encrypted data occurs through a retry loop in the VseLegalno() function. The malware uploads the encrypted file to an external server, specifically targeting a URL structured as hxxps://flowers[.]hold-me-finger[.]xyz/index2[.]php.
To remove evidence of its activities, the malware executes standard file and directory deletion commands.
Mitigation Recommendations
G Data CyberDefense has offered several recommendations to help mitigate the risks posed by the Chihuahua Stealer:
– Monitor for frequent scheduled PowerShell tasks with suspicious or obfuscated commands.
– Inspect for unusual file extensions or marker files within directories such as Recent or Temp.
– Identify Base64 decoding activities along with .NET reflection in PowerShell logs.
– Be vigilant for uncommon usage of AES-GCM encryption through Windows CNG APIs, particularly in association with outbound HTTPS traffic.
By understanding and implementing these recommendations, organizations can strengthen their defenses against this emerging threat.
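The following is an added detection example, not code from the G Data report or from the malware, that turns the infection chain above and the monitoring recommendations into a scan over PowerShell script-block log entries (such as the text of Event ID 4104). It looks for the loader traits named on this page (Base64 decode feeding iex, hex reassembly, .NET reflection, scheduled-task registration, the “.normaldaki” marker and the reported C2 domain); the exact PowerShell syntax matched for each trait and the sample log entries are assumptions constructed for the example.

```python
import re

# Indicator patterns derived from the Chihuahua Stealer chain described above.
# The precise syntax a loader uses varies; these regexes are assumed common forms.
INDICATORS = {
    "b64_to_iex": re.compile(r"FromBase64String|-EncodedCommand|\s-enc?\b", re.I),
    "invoke_expression": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    # Assumed form of hex-string reassembly: parsing 2-char chunks as base-16.
    "hex_reassembly": re.compile(r"\[Convert\]::To(Byte|Int32)\([^)]*,\s*16\)", re.I),
    "reflective_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\(", re.I),
    "scheduled_task": re.compile(r"Register-ScheduledTask|schtasks(\.exe)?\s+/create", re.I),
    "normaldaki_marker": re.compile(r"\.normaldaki\b", re.I),
    # C2 domain from the report; accepts both the live and the defanged spelling.
    "known_c2": re.compile(r"hold-me-finger(\.|\[\.\])xyz", re.I),
}
# Indicators specific enough to alert on by themselves.
HIGH_CONFIDENCE = {"normaldaki_marker", "known_c2", "reflective_load"}

def match_indicators(script_block: str) -> set:
    """Return the names of every indicator present in one script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(script_block)}

def is_suspicious(found: set) -> bool:
    """Alert on any high-confidence hit, or on two or more generic traits
    appearing together (e.g. a Base64 decode feeding iex)."""
    return bool(found & HIGH_CONFIDENCE) or len(found - HIGH_CONFIDENCE) >= 2

def scan_script_blocks(blocks):
    """Return (index, sorted indicator names) for each suspicious block."""
    hits = []
    for i, text in enumerate(blocks):
        found = match_indicators(text)
        if is_suspicious(found):
            hits.append((i, sorted(found)))
    return hits

# Constructed sample script-block entries (assumed, not real captured loader code).
SAMPLE_BLOCKS = [
    "Get-ChildItem C:\\Users\\alice\\Documents | Select-Object Name",
    "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)))",
    "Register-ScheduledTask -TaskName Updater -Action $a -Trigger $t",
    "if (Get-ChildItem $env:APPDATA -Filter '*.normaldaki') "
    "{ $u = 'https://flowers.hold-me-finger.xyz/index2.php' }",
    "[System.Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null, $null)",
    "Write-Host 'Invoke-Expression is a cmdlet'",
]

if __name__ == "__main__":
    for idx, names in scan_script_blocks(SAMPLE_BLOCKS):
        print(f"block {idx}: {', '.join(names)}")
```

A benign single hit such as one Register-ScheduledTask call or a lone mention of Invoke-Expression is deliberately not flagged; only the combinations and markers the report describes raise an alert.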