Skip to Content

Chihuahua Stealer: A New Breed of Info-stealer

May 14, 2025 by
Chihuahua Stealer: A New Breed of Info-stealer
Lighthouse IT Solutions, Griffin Ball

As an IT company, Lighthouse is committed to keeping our clients informed about the latest cybersecurity threats. Recently, a sophisticated info-stealer dubbed "Chihuahua Stealer" was discovered by cybersecurity researchers, highlighting the malicious potential of seemingly routine online interactions.

What is Chihuahua Stealer?

Chihuahua Stealer is a .NET-based piece of malware that employs a multi-stage attack to infiltrate systems, making it particularly challenging to detect and counter. It was initially identified when a user on Reddit was tricked into executing an obfuscated PowerShell script embedded in a Google Drive document. This script kicks off a series of processes that ultimately lead to data theft.

Key Features and Attack Chain:

  1. Initial Delivery: The attack begins with an obfuscated PowerShell script inside something like a Google Drive document, which deceives users into execution.
  2. Multi-Stage Payload: The script launches a series of payloads designed to maintain persistence through scheduled tasks and executes the main malware.
  3. Data Target: Once operational, the main payload targets browser data and crypto wallet extensions, exfiltrating sensitive information like login data and autofill information.
  4. Data Encryption and Exfiltration: Stolen data is compressed into a ".chihuahua" archive and encrypted using AES-GCM via Windows CNG APIs before being exfiltrated over HTTPS.
  5. Stealth Capabilities: The malware employs techniques such as dynamic payload retrieval from multiple domains and comprehensive trace wiping to avoid detection.

Prevention and Detection Strategies:

  • Be wary of unexpected emails or documents from unknown sources, especially those hosted on platforms like Google Drive or OneDrive.
  • Regularly monitor system logs for unusual activities, such as the creation of scheduled PowerShell tasks or obfuscated command executions.
  • Implement network monitoring to detect unusual outbound traffic, particularly involving uncommon encryption methods like AES-GCM.
  • Maintain up-to-date antivirus and endpoint detection solutions to identify and quarantine malicious activities.

For organizations that suspect an infection or want to bolster their defenses, it is crucial to seek professional cybersecurity assessments and deploy advanced monitoring solutions. By understanding and addressing threats like the Chihuahua Stealer, businesses can protect their sensitive data and maintain the integrity of their operations in an ever-evolving threat landscape. Stay vigilant and proactive in your cybersecurity measures to safeguard your digital assets!


This blog post was written largely after reading G DATA CyberDefense's article with analysis by Lovely Antonio and Chloe de Leon.
Please read more of that article here: https://www.gdatasoftware.com/blog/2025/05/38199-chihuahua-infostealer