
Infection Chain for Chihuahua Stealer | Image: G DATA Security Lab
In the ever-expanding ecosystem of information stealers, a new and unusually sophisticated malware has entered the scene: Chihuahua Stealer. Despite its seemingly innocuous name, this newly discovered .NET-based infostealer blends stealth techniques with advanced encryption, multi-stage execution, and a modular design that challenges conventional detection.
“Chihuahua Stealer is a newly discovered .NET-based infostealer that blends common malware techniques with unusually advanced features,” reports G DATA Security Lab.
Chihuahua Stealer first surfaced on April 9, when a Reddit user posted that they had been tricked into executing an obfuscated PowerShell script via a Google Drive document. This led G DATA analysts to trace the infection chain, revealing a complex, multi-layered operation engineered for persistence, stealth, and effective data theft.
“The infection begins with an obfuscated PowerShell script… launching a multi-stage payload chain,” the report explains.
The infection chain consists of five stages:
- Initial Delivery: A Base64-encoded PowerShell launcher bypasses execution policy checks.
- Second Stage: Obfuscated hex payload reconstructs the next stage using runtime logic.
- Persistence: A scheduled job, named f90g30g82, runs every minute and checks for infection markers (files ending in .normaldaki).
- C2 Communication: If a marker is found, the script queries domains like cdn.findfakesnake.xyz and cat-watches-site.xyz for further instructions.
- Final Payload: The actual stealer is loaded directly into memory from URLs like flowers.hold-me-finger.xyz using reflection, never touching the disk.
Curiously, the malware begins with a function named DedMaxim() that prints transliterated Russian rap lyrics to the console—a likely nod to the developer’s cultural background or personal signature.
“While these strings serve no functional purpose, their presence may offer a cultural or personal signature,” G DATA notes.
After the lyrical prelude, the malware transitions into full operation mode:
- Machine Fingerprinting: Uses WMI to gather machine name and disk serial number.
- Browser & Wallet Theft: Targets sensitive data from browsers (login data, cookies, autofill) and crypto wallet extensions using known IDs.
- Data Compression: Collected data is zipped into an archive with a custom .chihuahua extension.
Unlike many commodity stealers, Chihuahua encrypts the archive using AES-GCM via Windows CNG APIs, which adds a layer of authenticated encryption.
“This use of CNG is relatively uncommon among stealers but does not necessarily indicate sophistication,” G DATA clarifies.
The encrypted archive (<victimID>VZ) is then uploaded to a command-and-control endpoint at flowers.hold-me-finger.xyz/index2.php.
Once its job is complete, Chihuahua wipes its tracks. The scheduled task, temporary files, and console output are all erased. Key evasion strategies include:
- .NET Reflection for in-memory execution
- Scheduled Task Execution using custom markers
- Base64 + Hex Obfuscation
- AES-GCM encryption uncommon among typical stealers
To defend against malware like Chihuahua Stealer, security teams should monitor for:
- Repeated PowerShell job creation with obfuscated commands
- Unusual extensions like .chihuahua or .normaldaki in Recent or Temp
- In-memory .NET assembly loading via Assembly::Load()
- Uncommon AES-GCM usage tied to outbound HTTPS
“Chihuahua stealer appears lightweight on the surface, but its use of stealthy loading, scheduled task persistence, and multi-staged payload delivery shows a deliberate effort to evade detection,” G DATA concludes.