A new strain of infostealer blending standard malware techniques with unusually advanced features has been detected.
First flagged by a Reddit user in April 2025, the malware, known as Chihuahua Stealer, was analyzed by G Data CyberDefense, which shared its findings in a May 13 report.
While appearing unsophisticated on the surface, this .NET infostealer employs advanced methods, including stealthy loading, scheduled task persistence and a multi-staged payload.
Multi-Stage PowerShell Script Infection
On April 9, a user on the r/antivirus subreddit shared how they were tricked into executing an obfuscated PowerShell script from a Google Drive document.
Upon investigation, G Data CyberDefense discovered that the PowerShell-based loader triggers a complex, multi-stage execution chain that leverages Base64 encoding, hex-string obfuscation and scheduled jobs to maintain persistence.
The loader is designed to be modular and stealthy, retrieving additional payloads from fallback command-and-control (C2) domains as needed.
The multi-stage chain involves the following steps:
- A lightweight launcher executes a Base64-encoded PowerShell string via iex, bypassing execution policies and hiding the payload from static analysis and signature-based detection
- The launcher decodes and reconstructs a heavily obfuscated hex payload by removing delimiters and converting hex to ASCII, dynamically assembling the next-stage script to evade static and sandbox analysis
- The script establishes persistence by scheduling a job that scans for infection markers (“*.normaldaki” files) and, if present, contacts a primary (and fallback) C2 server to retrieve and execute additional payloads based on received commands
- The persistent job obtains a .NET assembly from a remote domain, loads a Base64-obfuscated payload (the Chihuahua Stealer) from OneDrive and executes it in-memory via reflection before cleaning up visible traces (console and clipboard)
Chihuahua Stealer’s Execution, Encryption and Data Exfiltration
The stealer initiates execution with the DedMaxim() function, which prints transliterated Russian rap lyrics to the console with short pauses between each line. The G Data researchers believe this to be a signature, albeit serving no functional purpose.
After displaying the lyrics, the stealer executes its main logic in the PopilLina() function, where it gathers the machine name and disk serial number via Windows Management Instrumentation (WMI), then obfuscates and hashes them to generate a unique identifier for the infected system. This identifier is used to name the archive and folder that will store the exfiltrated data.
After generating a unique victim ID and preparing a staging directory, the malware begins extracting data by searching for browser and crypto wallet files in user directories.
It utilizes a function to scan dynamic paths (with %USERPROFILE% placeholders) for installed browsers, and then another function to systematically extract credentials, cookies, autofill data, browsing history, sessions, and payment information from each detected browser.
Additionally, it targets crypto wallet extensions by identifying and copying data from folders associated with known wallet extension IDs.
After extracting browser data and crypto wallet extension files, the malware gets the stolen information ready for encryption and exfiltration. It creates a plaintext file named Brutan.txt in the working directory, then compresses all stolen data into a “.chihuahua” archive. Immediately afterward, the archive is encrypted using AES-GCM.
Once the stolen data has been zipped and encrypted into a “.VZ” file, the malware attempts to exfiltrate it to an external server using a retry loop.
The actual exfiltration happens in VseLegalno(). The function creates a WebClient instance and sets headers to mimic a binary file upload, then uploads the “.VZ” encrypted file to hxxps://flowers[.]hold-me-finger[.]xyz/index2[.]php.
Finally, the stealer wipes all evidence of its activity from the disk by using standard file and directory deletion commands.
G Data’s Mitigation Recommendations
G Data CyberDefense provided a list of recommendations to mitigate the Chihuahua Stealer threat:
- Alert on frequent scheduled PowerShell jobs with suspicious or obfuscated commands
- Hunt for unusual file extensions or marker files in directories like Recent or Temp
- Detect Base64 decoding combined with .NET reflection (e.g., Assembly::Load()) in PowerShell logs
- Flag uncommon AES-GCM usage via Windows CNG APIs, especially when tied to outbound HTTPS traffic