Novel infostealer caught stealing browser data and crypto wallet extensions
A novel .NET-based infostealer dubbed Chihuahua has been discovered targeting browser data and cryptocurrency wallet extensions. It tricks victims into running a hidden PowerShell script delivered through a Google Drive document, steals their data, and then erases all local traces of its activity.
The infostealer was first called out in an April 9 post on the r/antivirus subreddit, where a user described being tricked into running an obfuscated PowerShell script shared via Google Drive. Security firm G Data CyberDefense analysed the script and found that it was a loader that kicks off a multi-stage payload chain to infect the victim's PC.
Chihuahua also achieves persistence on the target system through a scheduled job. G Data CyberDefense's report adds that the malware checks for custom marker files and "dynamically fetches additional payloads from multiple fallback domains."

Once executed on the target system, the infostealer starts by printing Russian rap lyrics to the terminal. These strings have no functional purpose, and the security firm thinks their presence "may offer a cultural or personal signature. It's possible the malware author included these as a reference to a favorite artist or scene, similar to other themed malware that embed music, memes, or personal trademarks into their payloads."
Once it is done rapping, the infostealer generates a victim ID and starts extracting data. It scrapes sensitive files from known browser installation paths and crypto wallet extensions. Based on the source code shared by G Data CyberDefense, the infostealer appears to target Chrome, Opera, Brave, Edge, and other Chromium-based browsers.
The stolen data is then compressed into an archive with the file extension .chihuahua and encrypted using AES-GCM. Once it is ready for transfer, the archive is sent to the attackers over an HTTPS connection, and all local traces are wiped. Because the archive is encrypted before it leaves the machine and local artifacts are deleted afterwards, defenders should not count on recovering it from disk; process-creation and file-creation telemetry captured while the chain runs is the more reliable evidence.
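As an added example, not part of the original article or of G Data CyberDefense's research: a small Python triage script that turns the behaviours described above (a hidden or encoded PowerShell launch, a scheduled task or job that runs PowerShell, and a staged .chihuahua archive) into three hunting rules and runs them over constructed Sysmon-style events. The event records, file paths, task name and encoded-command string are all constructed for illustration, and the regexes are assumptions about how such a chain would appear in telemetry, not published indicators from the report.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal Sysmon-like record: event_id 1 = ProcessCreate, 11 = FileCreate."""
    event_id: int
    image: str
    command_line: str = ""
    parent_image: str = ""
    target_filename: str = ""


# Assumed patterns for the behaviours in the write-up (not G Data's IOCs).
# Rule 1: PowerShell started with a hidden window or an encoded command.
HIDDEN_OR_ENCODED_PS = re.compile(
    r"(?i)(?:-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,})"
)
# Rule 2: scheduled task / scheduled job creation whose action is PowerShell.
# Register-ScheduledJob and Register-ScheduledTask are PowerShell cmdlets, so
# PowerShell is implied whenever they appear.
TASK_PERSISTENCE = re.compile(
    r"(?i)(?:schtasks(?:\.exe)?\s+/create\b.*\bpowershell|register-scheduled(?:job|task))"
)
# Rule 3: the staged archive extension named in the report.
STAGED_ARCHIVE = re.compile(r"(?i)\.chihuahua$")


def is_powershell(image: str) -> bool:
    """True when the process image is a PowerShell host binary."""
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")


def detect(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if ev.event_id == 1 and is_powershell(ev.image) and HIDDEN_OR_ENCODED_PS.search(ev.command_line):
            hits.append(("hidden_or_encoded_powershell", ev))
        if ev.event_id == 1 and TASK_PERSISTENCE.search(ev.command_line):
            hits.append(("scheduled_task_persistence", ev))
        if ev.event_id == 11 and STAGED_ARCHIVE.search(ev.target_filename):
            hits.append(("chihuahua_archive_staged", ev))
    return hits


# Constructed sample telemetry: three events modelled on the described chain
# plus one benign process start that should not fire.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line="powershell.exe -NoProfile -WindowStyle Hidden "
                       "-EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
          parent_image=r"C:\Windows\explorer.exe"),
    Event(1, r"C:\Windows\System32\schtasks.exe",
          command_line=r'schtasks /Create /SC MINUTE /MO 1 /TN "Updater" '
                       r'/TR "powershell -w hidden -ep bypass -f C:\Users\Public\u.ps1"',
          parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event(11, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target_filename=r"C:\Users\Public\Temp\7f3a.chihuahua"),
    Event(1, r"C:\Windows\System32\notepad.exe",
          command_line="notepad.exe readme.txt",
          parent_image=r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"[{rule}] event_id={ev.event_id} image={ev.image}")
```

The rules are deliberately narrow: rule 1 only fires on a PowerShell image, so the schtasks event is caught by rule 2 alone, and the benign notepad event matches nothing. In a real deployment the hidden-window and encoded-command pattern is noisy on hosts where administrators use it legitimately, so it is best correlated with the other two rules on the same host rather than alerted on by itself.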