{
	"id": "e0e091b7-cce8-443a-92b2-0011095d7ef2",
	"created_at": "2026-04-06T00:10:46.330872Z",
	"updated_at": "2026-04-10T03:21:45.04569Z",
	"deleted_at": null,
	"sha1_hash": "b44406a3b590eb4a86abecb605318f282a1e0813",
	"title": "Chihuahua Stealer: A new Breed of Infostealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 222302,
	"plain_text": "Chihuahua Stealer: A new Breed of Infostealer\r\nBy G DATA Security Center\r\nPublished: 2025-05-13 · Archived: 2026-04-05 23:22:04 UTC\r\nSit, Fetch, Steal - Chihuahua Stealer: A new Breed of Infostealer\r\nReading time: 5 min (1302 words)\r\nAnalysis by Lovely Antonio and Chloe de Leon\r\nChihuahua Stealer is a newly discovered .NET-based infostealer that blends common malware techniques with some unusually advanced features. It first came to our attention through a Reddit post made on April 9, where a user shared an obfuscated PowerShell script that they had been tricked into executing via a Google Drive document. If this sounds vaguely familiar, you are not wrong: we have seen similar things in a fake recruiting campaign and wrote about that as well. The script uses multi-stage payloads, achieves persistence through a scheduled job, and ends in the execution of the main stealer payload. This blog article breaks down each stage of the attack chain, beginning with the initial delivery method and ending in encrypted data exfiltration.\r\nKey Takeaways (tl;dr)\r\nThe infection begins with an obfuscated PowerShell script shared through a malicious Google Drive document, launching a multi-stage payload chain.\r\nPersistence is achieved through a scheduled job that checks for custom marker files and dynamically fetches additional payloads from multiple fallback domains.\r\nThe main payload, written in .NET, targets browser data and crypto wallet extensions.\r\nStolen data is compressed into an archive with the file extension “.chihuahua” and encrypted using AES-GCM via Windows CNG APIs.\r\nThe encrypted archive is exfiltrated over HTTPS, and all local traces are wiped afterwards.\r\nPowerShell Script Behavior\r\nOur colleague found an interesting post on Reddit on April 9, where a user shared a PowerShell script that they had been tricked into running via a Google Drive document. 
Upon further examination, it turns out that the PowerShell-based loader initiates a multi-stage execution chain that uses Base64 encoding, hex-string obfuscation, and scheduled jobs to establish persistence. It retrieves additional payloads from fallback C2 domains, indicating a modular and stealth-focused design.\r\nThe initial stage is a short launcher that decodes a Base64-encoded string and hands it to PowerShell’s iex (Invoke-Expression), bypassing execution policy checks and running silently. This lets the attacker keep the actual logic in an encoded payload, delaying analysis and signature-based detection.\r\nPowerShell Loader with Embedded Base64 Payload\r\nhttps://www.gdatasoftware.com/blog/2025/05/38199-chihuahua-infostealer\r\nPage 1 of 7\r\nAfter decoding, the second-stage script reconstructs a large, obfuscated hex payload. It strips the custom delimiter (“~”), converts each hex pair into an ASCII character, and dynamically builds the third-stage script. This runtime reconstruction hinders static detection, since the third-stage script never appears in the delivered file.\r\nThe deobfuscated script creates a scheduled job named “f90g30g82” that runs every minute and persistently calls a logic block. That block checks the user’s Recent folder for files with the “.normaldaki” extension, which serve as infection markers. If such a file is found, it queries a C2 server (cdn[.]findfakesnake[.]xyz) for further instructions. If the response contains a “Comm” trigger, the payload is decoded and executed. If the primary server is unreachable, the script falls back to a second domain (cat-watches-site[.]xyz).\r\nScheduled Job Setup and Marker-based Payload Execution\r\nFallback Payload Retrieval and In-memory Execution\r\nThe final stage sets the scheduled job’s trigger and retrieves a .NET assembly from flowers[.]hold-me-finger[.]xyz, followed by another Base64-encoded payload from a OneDrive-based URL. 
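The loader chain described above, as an added example that is not part of the original article: the Python below first builds a constructed stand-in for the chain (a third-stage script wrapped in '~'-delimited hex inside a Base64-encoded second stage, launched through iex), then peels the layers back off generically, and finally runs the kind of combination rules the article recommends in its closing detection list (Base64 decoding paired with iex or Assembly::Load, a scheduled job repeating every minute, an unusual marker extension under Recent or Temp, execution-policy bypass together with a hidden window) over each recovered stage. The job name and marker extension are the ones named in the article; the exact PowerShell syntax of the real script, the -EncodedCommand handling, the one-minute threshold and the extension allowlist are assumptions made for this example.

```python
import base64
import re

# Patterns that locate the next obfuscation layer. Quote characters are written
# as \x22 / \x27 so the regexes stay readable. The '~' delimiter comes from the
# article; the surrounding script layout below is a constructed stand-in.
B64_RE = re.compile(
    r'FromBase64String\(\s*[\x22\x27]([A-Za-z0-9+/=]{16,})[\x22\x27]\s*\)'
    r'|-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})', re.I)  # -e / -ec / -enc / -encodedcommand (assumed variant)
HEX_RE = re.compile(r'[\x22\x27]~?([0-9A-Fa-f]{2}(?:~[0-9A-Fa-f]{2}){9,})~?[\x22\x27]')


def peel(script, max_layers=10):
    '''Unwrap Base64 and tilde-delimited hex layers until none remain; return every stage.'''
    stages = [script]
    for _ in range(max_layers):
        cur = stages[-1]
        m = B64_RE.search(cur)
        if m:
            raw = base64.b64decode(m.group(1) or m.group(2))
            try:
                # -EncodedCommand payloads are UTF-16LE; inline FromBase64String ones are usually UTF-8
                nxt = raw.decode('utf-16-le') if b'\x00' in raw else raw.decode('utf-8')
            except UnicodeDecodeError:
                break  # a binary blob such as an embedded assembly, not another script layer
            stages.append(nxt)
            continue
        m = HEX_RE.search(cur)
        if m:
            stages.append(bytes.fromhex(m.group(1).replace('~', '')).decode('latin-1'))
            continue
        break
    return stages


# Combination rules in the spirit of the article's closing detection list: a rule
# fires only when every pattern occurs in the same command line or script block.
# The one-minute interval and the extension allowlist are assumptions.
RULES = {
    'b64_to_reflection': (r'FromBase64String', r'\[(?:System\.)?Reflection\.Assembly\]::Load\b'),
    'b64_to_iex': (r'FromBase64String', r'\b(?:iex|Invoke-Expression)\b'),
    'delimited_hex_blob': (HEX_RE.pattern,),
    'minute_job': (r'Register-ScheduledJob|New-JobTrigger|schtasks(?:\.exe)?\b',
                   r'-RepetitionInterval\b.*?-Minutes\s+1\b|/sc\s+minute\b.*?/mo\s+1\b'),
    'bypass_hidden': (r'-e(?:p|x\w*)\s+bypass\b', r'-w\w*\s+hidden\b'),
}
COMMON_EXT = {'lnk', 'tmp', 'txt', 'log', 'ps1', 'exe', 'dll'}
MARKER_RE = re.compile(
    r'(?:\\Recent|\\Temp|GetFolderPath\(\s*[\x22\x27]Recent[\x22\x27]\s*\))[^;\n]*?\*\.([A-Za-z0-9]{2,})', re.I)


def match_rules(text):
    '''Names of every rule the given command line or script block trips.'''
    hits = [name for name, pats in RULES.items() if all(re.search(p, text, re.I) for p in pats)]
    if any(m.group(1).lower() not in COMMON_EXT for m in MARKER_RE.finditer(text)):
        hits.append('unusual_marker_file')
    return hits


def triage(events):
    '''Map 1-based event index to the rules it trips; silent events are left out.'''
    return {i: hits for i, ev in enumerate(events, 1) if (hits := match_rules(ev))}


# Constructed third stage: job name and marker extension from the article, syntax assumed.
STAGE3 = ('Register-ScheduledJob -Name f90g30g82 -ScriptBlock { Get-ChildItem '
          '$env:APPDATA\\Microsoft\\Windows\\Recent -Filter *.normaldaki } '
          '-Trigger (New-JobTrigger -Once -At (Get-Date) '
          '-RepetitionInterval (New-TimeSpan -Minutes 1) -RepeatIndefinitely)')


def build_sample_loader():
    '''Wrap STAGE3 the way the article describes the chain (constructed, not the real sample).'''
    hexed = '~'.join(f'{b:02x}' for b in STAGE3.encode())
    stage2 = (f'$h = \'{hexed}\'; $s = -join ($h -split \'~\' | ForEach-Object '
              '{ [char][Convert]::ToInt32($_, 16) }); Invoke-Expression $s')
    b64 = base64.b64encode(stage2.encode()).decode()
    return ('powershell -w hidden -ep bypass -c iex([Text.Encoding]::UTF8.GetString('
            f'[Convert]::FromBase64String(\'{b64}\')))')


# Two further constructed events: the in-memory load the article describes for the
# final stage, and ordinary Temp housekeeping that must stay quiet.
EXTRA_EVENTS = [
    '$b = [Convert]::FromBase64String($resp); $a = [Reflection.Assembly]::Load($b); '
    '$a.EntryPoint.Invoke($null, @())',
    'Get-ChildItem $env:LOCALAPPDATA\\Temp -Filter *.tmp | Remove-Item -Force',
]

if __name__ == '__main__':
    stages = peel(build_sample_loader())
    for n, s in enumerate(stages, 1):
        print(f'stage {n}: {s[:72]}...')
    print(triage(stages + EXTRA_EVENTS))
```

Running it prints the three recovered stages and a map of which rules each event trips. The second stage fires only the delimited-hex rule and the launcher fires none of the scheduled-job rules, which is why alerting on a single indicator misses part of this chain; the Temp clean-up event stays silent because its extension is on the allowlist.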
The OneDrive payload is Chihuahua Stealer itself: it is decoded and loaded directly into memory using .NET reflection, then executed via its Main method. Finally, the script clears the console and wipes the contents of the clipboard.\r\nInitial Execution\r\nThe stealer begins execution with the DedMaxim() function, which prints transliterated Russian rap lyrics to the console with short pauses between each line. While these strings serve no functional purpose, their presence may offer a cultural or personal signature. It’s possible the malware author included these as a reference to a favorite artist or scene, similar to other themed malware that embeds music, memes, or personal trademarks into its payloads.\r\nMain Program\r\nBrowser and Wallet Targeting\r\nOnce the stealer finishes printing the lyrics, it moves to its core logic. The function PopilLina() is where the malware sets up its internal operations. It queries the machine name and disk serial number via WMI and combines them into a single string, which is passed through two obfuscated helper functions that turn it into a hashed unique identifier for that specific machine. This ID is used to label the archive and the folder containing the stolen data.\r\nQuery for Machine Name and Disk Serial Number\r\nList of Known Browser Directories Checked for Existence on the System\r\nAfter generating the victim ID and setting up the staging directory, the malware transitions to data extraction. It scrapes sensitive files from known browser locations and crypto wallet extensions. The function Sosalnya.Metodichka() receives an array of browser data directories and verifies which ones exist on the system.\r\n%PRIKUPILIXULI% is a placeholder that is replaced with %USERPROFILE% at runtime, after which the malware checks for each folder to determine which browsers are installed. 
Once the list of valid directories is determined, Armyanec01() iterates through each one and steals login data, cookies, autofill information, and web data including browsing history, saved sessions, and payment information.\r\nIt also targets browser extensions, specifically crypto wallets, by matching installed extensions against a list of known extension IDs and dumping the data from the corresponding folders.\r\nList of Known Crypto Wallet Extension IDs\r\nStaging and Compression\r\nAfter stealing browser data and wallet-related extension files, the malware prepares the loot for encryption and exfiltration. PawPawers() writes a plaintext file called Brutan.txt to the working directory. Once the folder is populated, the stealer compresses the entire folder into a .zip archive with the extension “.chihuahua”.\r\nEncryption\r\nAfter compressing the stolen data into the “.chihuahua” archive, the malware immediately encrypts it using AES-GCM. The encrypted output is written to \u003cvictimID\u003eVZ.\r\nThe encryption is done with native Windows Cryptography API: Next Generation (CNG) functions rather than .NET’s managed classes. GCM is an authenticated mode, so without the key the archive can neither be decrypted nor modified undetected.\r\nMost commodity stealers either skip encryption entirely or use basic methods such as XOR, Base64, or .NET’s built-in cryptographic libraries. In contrast, this sample applies AES-GCM via Windows CNG APIs. Authenticated encryption notwithstanding, the symmetric key is embedded in the binary, making it recoverable through analysis of the sample. 
This use of CNG is relatively uncommon among stealers but does not necessarily indicate sophistication.\r\nEncryption using Windows Cryptography API: Next Generation (CNG)\r\nExfiltration\r\nOnce the stolen data has been zipped and encrypted into a “.VZ” file, the malware attempts to exfiltrate it to an external server using a retry loop.\r\nThe actual exfiltration happens in VseLegalno(). The function creates a WebClient instance, sets headers to mimic a binary file upload, and uploads the encrypted “.VZ” file to hxxps://flowers[.]hold-me-finger[.]xyz/index2[.]php.\r\nUploading of Stolen Data\r\nCleanup\r\nUpon finishing its task, the stealer removes the evidence of its activity from disk using standard file and directory deletion calls.\r\nConclusion\r\nChihuahua Stealer appears lightweight on the surface, but its use of stealthy in-memory loading, scheduled job persistence, and multi-stage payload delivery shows a deliberate effort to evade detection.\r\nTo improve detection coverage, monitoring for the following should be considered:\r\nAlert on frequent scheduled PowerShell jobs with suspicious or obfuscated commands.\r\nHunt for unusual file extensions or marker files in directories like Recent or Temp.\r\nDetect Base64 decoding combined with .NET reflection (e.g., Assembly::Load()) in PowerShell logs.\r\nFlag uncommon AES-GCM usage via Windows CNG APIs, especially when tied to outbound HTTPS traffic.\r\nMITRE\r\nCommand and Scripting Interpreter: PowerShell: T1059.001\r\nWindows Management Instrumentation: T1047\r\nCredentials from Password Stores: Credentials from Web Browsers: T1555.003\r\nExfiltration Over C2 Channel: 
T1041\r\nIOC\r\nIPs/URLs:\r\nhxxps[:]//onedrive[.]office-note[.]com/res?a=c\u0026b=\u0026c=8f2669e5-01c0-4539-8d87-110513256828\u0026s=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI4YTJlNmI1MDQ4M2E5MWYyODkzNTQ4Y2M1MDUwMdg1NyIsInN1YiI6IjEzN2JkZG0zYjZhOTYiQ.vXOOM_cWpG2OmzSx5t2l9A6ecnMKFzunS4LWccgf\r\nhxxps[:]//flowers[.]hold-me-finger[.]xyz/index2[.]php\r\nhxxps[:]//cat-watches-site[.]xyz/\r\nhxxps[:]//cdn[.]findfakesnake[.]xyz/\r\nPowerShell Script:\r\nSHA-256: afa819c9427731d716d4516f2943555f24ef13207f75134986ae0b67a0471b84\r\nDetection: PowerShell.Trojan-Downloader.Agent.IE1KHF\r\nPayload:\r\nSHA-256: c9bc4fdc899e4d82da9dd1f7a08b57ac62fc104f93f2597615b626725e12cae8\r\nDetection: Win32.Trojan-Stealer.Chihuahua.8W7FOE\r\nSource: https://www.gdatasoftware.com/blog/2025/05/38199-chihuahua-infostealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2025/05/38199-chihuahua-infostealer"
	],
	"report_names": [
		"38199-chihuahua-infostealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434246,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b44406a3b590eb4a86abecb605318f282a1e0813.pdf",
		"text": "https://archive.orkl.eu/b44406a3b590eb4a86abecb605318f282a1e0813.txt",
		"img": "https://archive.orkl.eu/b44406a3b590eb4a86abecb605318f282a1e0813.jpg"
	}
}