In a deep-dive technical investigation, Hybrid Analysis has uncovered a powerful new information stealer dubbed SHUYAL, a previously undocumented malware family that blends broad credential harvesting with system reconnaissance and stealthy exfiltration.
With SHUYAL, cybercriminals now have access to a tool that weaponizes stolen browser credentials, system metadata, screenshots, and even clipboard content—all exfiltrated through Telegram, evading traditional detection mechanisms.
Named after a unique identifier in its PDB path, SHUYAL is a credential-harvesting stealer equipped with spyware-grade behavior. Hybrid Analysis researchers observed the stealer targeting 19 browsers, including mainstream options like Chrome, Edge, and Firefox, as well as privacy-oriented ones like Tor and Falkon.
“The stealer tries to access login credentials from a list of browsers, including Google Chrome, Opera and Microsoft Edge,” the analysis states.
Before launching its core data-stealing operations, SHUYAL performs a suite of reconnaissance actions:
- Disk drive serials and models using wmic diskdrive
- Keyboard and mouse details via Win32_Keyboard and Win32_PointingDevice
- Display configuration and wallpaper path
- Clipboard contents, grabbed using OpenClipboard and GetClipboardData
“Spawning multiple processes… SHUYAL retrieves the model and serial number of the available disk drives, information about the keyboard and mouse… and details about the monitor,” the analysis explains.
To maintain persistence and avoid detection:
- SHUYAL disables Windows Task Manager by modifying DisableTaskMgr in the registry.
- It kills Task Manager processes and creates a stealthy copy of itself in the Startup folder, resolving that folder's path with SHGetSpecialFolderPathA.
- It self-deletes via a batch file (util.bat) once its payload is complete.
“The malware is very stealthy because it deletes the newly created files from the browsers’ databases and all files from the ‘runtime’ directory that were previously exfiltrated,” the analysis notes.
SHUYAL targets a wide range of Chromium-based and other browsers. It locates and copies their “Login Data” files and decrypts stored passwords using DPAPI. The decrypted credentials are stored in saved_passwords.txt, while browser history is logged in history.txt.
“The decryption works by extracting the Master key from the ‘Local State’ file… and then decrypt it using the DPAPI CryptUnprotectData.”
In addition to passwords, SHUYAL steals:
- Discord tokens from regular, Canary, and PTB versions
- Clipboard content to clipboard.txt
- Screenshots saved as ss.png
After compiling stolen data into a runtime directory, SHUYAL uses PowerShell to compress the directory into a runtime.zip archive. It then exfiltrates the archive via a Telegram bot, so the outbound traffic goes to a legitimate service rather than a dedicated C2 server and sidesteps traditional C2 detection mechanisms.
Finally, SHUYAL wipes its traces. It creates and runs a batch file that deletes the malware and all associated data, leaving little forensic evidence behind.
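The persistence, packaging and exfiltration steps described above leave a recognisable trail in endpoint telemetry. The following added example (not code from the Hybrid Analysis report) is a toy detector that scores Sysmon-style events per host for that chain; the event samples are constructed, and the patterns, field names and threshold are assumptions, not indicators from the report.

```python
"""Added example, not code from the Hybrid Analysis report: a toy behavioural
detector scoring Sysmon-style events for the SHUYAL chain described above.
All sample events are constructed; patterns are assumptions, not report IoCs."""
import re
from collections import defaultdict

# (rule name, Sysmon field inspected, pattern) for each behaviour the report lists.
RULES = [
    ("taskmgr_disabled", "TargetObject", re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I)),
    ("taskmgr_killed", "CommandLine", re.compile(r"taskkill.*\btaskmgr\.exe", re.I)),
    ("wmi_recon", "CommandLine", re.compile(r"\bwmic\b.*(diskdrive|win32_keyboard|win32_pointingdevice)", re.I)),
    ("startup_copy", "TargetFilename", re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)),
    ("runtime_zip", "CommandLine", re.compile(r"Compress-Archive.*runtime\.zip", re.I)),
    ("telegram_exfil", "DestinationHostname", re.compile(r"^api\.telegram\.org$", re.I)),
    ("self_delete_bat", "TargetFilename", re.compile(r"\\util\.bat$", re.I)),
]

def match_rules(event):
    """Names of every rule whose field/pattern matches this one event."""
    return [name for name, field, rx in RULES if rx.search(event.get(field, ""))]

def score_hosts(events, threshold=3):
    """Distinct behaviours per host; hosts at or over threshold are reported.
    Per-host grouping is deliberately coarse: the chain spans the stealer plus
    the cmd/powershell children it spawns, so per-process grouping would split it."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["Computer"]].update(match_rules(ev))
    return {h: sorted(n) for h, n in hits.items() if len(n) >= threshold}

# Constructed sample telemetry (Sysmon event IDs 1, 3, 11, 13); placeholder values.
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "EventID": 13, "TargetObject":
     r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
    {"Computer": "WS-01", "EventID": 1, "CommandLine": "wmic diskdrive get model,serialnumber"},
    {"Computer": "WS-01", "EventID": 1, "CommandLine": "taskkill /F /IM taskmgr.exe"},
    {"Computer": "WS-01", "EventID": 11, "TargetFilename":
     r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe"},
    {"Computer": "WS-01", "EventID": 1, "CommandLine":
     "powershell -Command Compress-Archive -Path runtime -DestinationPath runtime.zip"},
    {"Computer": "WS-01", "EventID": 3, "DestinationHostname": "api.telegram.org"},
    {"Computer": "WS-01", "EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\util.bat"},
    {"Computer": "WS-02", "EventID": 1, "CommandLine": "notepad.exe readme.txt"},  # benign host
]

if __name__ == "__main__":
    for host, names in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {len(names)} SHUYAL-like behaviours -> {', '.join(names)}")
```

Any single rule here fires on legitimate admin activity too; the value is in several of them co-occurring on one host within a short window.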